BUSINESS CONTINUITY GUIDANCE DOCUMENT
November 18, 2014
© 2014 Kestrel Management LLC
Prepared for NADCA

SCOPE AND LIMITATIONS

This Business Continuity Guidance Document provides guidance to NADCA member companies on business continuity planning. The guidance, templates, and examples provided within are intended for member companies to customize, add detail to, and apply to their individual businesses to aid in incident response and business continuity efforts. This document serves only as a guidance manual and not as a complete Business Continuity Program/Plan. Kestrel Management does not guarantee that this guidance alone will result in sufficient incident response or ongoing business continuity/sustainability.

© 2014 Kestrel Management LLC Page 1

Table of Contents

SCOPE AND LIMITATIONS ..... 1
1. BACKGROUND ..... 4
   Introduction to Business Continuity ..... 4
   Business Continuity Development Process ..... 4
   Purpose ..... 5
2. BUSINESS CONTINUITY ASSESSMENT ..... 6
3. THREAT/RISK ASSESSMENT ..... 7
   Identifying Threats ..... 7
   Risk Assessment Form ..... 8
   Contingency Plans ..... 8
4. BUSINESS IMPACT ANALYSIS (BIA) ..... 9
   Objectives ..... 9
5. BUSINESS CONTINUITY PLAN ..... 10
   Business Continuity Team Responsibilities ..... 10
   Incident Command System (ICS) ..... 13
   Emergency Response Contacts ..... 15
   Alternate Site Information ..... 15
   Critical Vendors ..... 15
   Managing External Communications ..... 15
   Insurance Policies ..... 16
6. TRAIN AND TEST ..... 17
7. IMPLEMENT AND MONITOR ..... 18
APPENDIX A: SELF-ASSESSMENT ..... 19
APPENDIX B: RISK ASSESSMENT ..... 24
APPENDIX C: CONTINGENCY PLANS ..... 28
APPENDIX D: BUSINESS IMPACT ANALYSIS (BIA) ..... 31
APPENDIX E: BUSINESS CONTINUITY PLAN – KEY CONTACTS ..... 38
APPENDIX F: EXTERNAL COMMUNICATION TOOLS ..... 43
APPENDIX G: INSURANCE POLICIES ..... 48
APPENDIX H: BUSINESS CONTINUITY STANDARDS ..... 50
APPENDIX I: GLOSSARY OF TERMS ..... 52

1. BACKGROUND

Introduction to Business Continuity

Every organization is at risk from potential operational disruptions: natural disasters, fire, sabotage, malware and other information technology (IT) security incidents, and acts of violence. Published industry figures illustrate the stakes:

- 43% of companies that experience disasters never re-open, and 29% close within 2 years (McGladrey and Pullen, October 4, 2008).
- 80% of businesses that suffer a computer disaster and have no disaster recovery plan will go out of business (IBM Business Recovery Service, 1993).
- 90% of companies that experience a data loss go out of business within two years (Gartner, April 5, 2005).
- Weather and climate disasters racked up $110 billion in damages across the country in 2012 (National Climatic Data Center (NCDC), June 13, 2013).

When business is disrupted, the costs can be substantial. Business Continuity Planning helps ensure that companies have the resources and information needed to maintain service, reliability, and resiliency under adverse conditions. Sustainability means staying in business for the long term. While companies can't plan for everything, they can take steps to understand and effectively manage events that might compromise their products/services, supply chain, quality, security, and future as an organization.

Business Continuity Planning can help companies:

- IDENTIFY the human, property, and operational impacts of potential business threats.
- EVALUATE the potential severity of associated risks.
- ESTIMATE the likelihood of business threats occurring.
- CREATE strategies that proactively mitigate the most pressing business threats, take advantage of opportunities that lie ahead, and provide for a more resilient and sustainable future.

Business Continuity Development Process

Creating a Business Continuity Program is a systematic process that can be broken down into the fundamental steps shown in the graphic on the following page. A well-implemented program that addresses these steps helps companies:

- Protect the organization's most important assets (e.g., people, technology, products, services, customers, community)
- Reduce disruption to critical functions in order to limit financial impacts due to loss of capacity or service
- Reduce adverse publicity, loss of credibility, and loss of customers
- Reduce legal liability and regulatory exposure
- Provide for an orderly and timely recovery by allowing critical decisions to be made in a non-crisis mode

Purpose

Kestrel Management has prepared this Business Continuity Guidance Document at NADCA's request to provide guidance to member companies on the development of a Business Continuity Program. The Guidance Document contains information and procedures that are intended to help member companies appropriately respond to an incident, resume operations, and sustain their businesses.

2. BUSINESS CONTINUITY ASSESSMENT

WHAT DOES YOUR EXISTING BUSINESS CONTINUITY PROGRAM ENTAIL?

Business Continuity Management (BCM) is not concerned with plans and procedures for the everyday things that go wrong; rather, BCM involves managing the significant (and unplanned) incidents that may considerably impact the core activities of your organization, and ensuring that you respond in a planned and rehearsed manner.
This encompasses planning; engaging appropriate personnel; writing, accepting, and owning your Business Continuity Plan; and conducting thorough testing. All of these are essential prerequisites of an appropriate response.

A Business Continuity Assessment is designed to assess the "readiness" of your current or in-development Business Continuity Program. Kestrel has created a Business Continuity Self-Assessment (see Appendix A) designed to help member companies understand the business continuity work that your team has done thus far and to identify potential gaps and opportunities to complete/improve, standardize, and document the needed processes.

The question set provided in Appendix A is designed to help you establish where your organization is in relation to your BCM readiness. Review and score each question as suggested. Once you have completed the questionnaire and totaled your score, the included table provides a general summary of your score's significance. Answers to the questionnaire and their associated scores should help in identifying needed improvements.

3. THREAT/RISK ASSESSMENT

WHAT POTENTIAL THREATS ARE FACING YOUR BUSINESS?

Regardless of the type of threat, the goal of Business Continuity Planning is to ensure the safety of personnel and assets during and after a disaster. With this in mind, one of the first steps in preparing a Business Continuity Plan is to complete a Threat/Risk Assessment to identify the areas of high exposure to the company in order to evaluate the existence and effectiveness of preventive controls and response actions.

The Risk Assessment process will:

- Identify internal and external threats and vulnerabilities
- Identify the likelihood of an event arising from such threats or vulnerabilities
- Define the controls in place, or needed, to reduce exposure

Identifying Threats

Although it is not possible to determine the exact nature of potential disasters or their resulting consequences, the Risk Assessment identifies the threats posed to your company. For each threat, the relative probability of occurrence is determined. Items considered in determining the probability of the occurrence of a specific threat may include:

- Geographic location
- Population demographics
- Topography of the area
- Proximity to major sources of power, bodies of water, and airports
- Degree of accessibility to the office
- Hazards inherent in your processes, material handling, and production operations
- Age and condition of facilities and infrastructure
- History of local utility companies in providing uninterrupted services
- History of the area's susceptibility to natural threats (i.e., severity, frequency)
- Proximity to major highways or rail lines that transport hazardous materials, combustible products, etc.
- Proximity to nuclear power plants, oil refineries, chemical plants, and/or electrical power plants and substations
- Predictability of threats
- Controllability of threats

Potential exposures are classified as natural, technical, and human threats. Rather than attempting to determine exact probabilities of each potential threat, a general rating system of high, medium, and low is used to identify threat probability levels. The Risk Assessment may also determine the impact of some types of potential threat on various functional areas of the company. These functional or operational areas may include:

- Information Services
- Quality
- Customer Service
- Finance
- Production
- Raw Materials
- Human Resources
- Maintenance

Risk Assessment Form

The form in Appendix B can be used to complete your Risk Assessment. This form includes a number of potential threats that may impact your company. If any threats are missing, they should be added to the form for evaluation. The completed Risk Assessment will help guide your management team in prioritizing the various threats and in appropriately focusing your team's efforts to address those threats. For each type of threat you will need to determine the following:

- Probability of the threat: how likely it is that the threat will occur
- Speed of onset: how soon the threat may impact your operation
- Forewarning: whether you will have advance warning of the threat's occurrence
- Duration of impact: how long the threat may impact your functional or operational areas
- Impact: the effect the threat may have on your functional or operational areas

Contingency Plans

As a result of conducting a Risk Assessment, there are a number of Contingency Plans that you may want to develop to address your greatest business risks/threats, including:

- Workforce shortage
- Energy emergency
- Key machine downtime
- Information systems failure
- Catastrophic customer delivery
- Natural disaster or catastrophic event
- Fire

See Appendix C for summary examples of these Contingency Plans.

4. BUSINESS IMPACT ANALYSIS (BIA)

WHAT ARE THE BUSINESS IMPACTS OF AN UNPLANNED INTERRUPTION TO THE BUSINESS OPERATIONS?

The Business Impact Analysis (BIA) is the first step in defining the disaster recovery process. The BIA involves examining critical business functions, including those associated with business IT applications, platform(s), or systems. Additional critical infrastructure, production processes, customer service, and operational logistics also should be examined.
The goal is to determine the effect that an outage or disaster could have on business functions. The results of the examination determine how critical these areas are to ongoing operations and, subsequently, their priority level in the restoration process.

The BIA includes the following:

- Identifying activities that support your ability to provide products and services
- Assessing the impacts over time of not performing these activities
- Setting prioritized timeframes for resuming these activities, considering the time within which the impacts of not resuming them would become unacceptable (these timeframes become the Recovery Time Objectives, or RTOs, referred to in the self-assessment in Appendix A)
- Identifying dependencies and supporting resources for these activities, including suppliers, outsource partners, and other relevant interested parties
- Estimating relative cost impacts of supporting resources

Objectives

The purpose of completing the BIA questionnaire (see Appendix D) is to identify which business functions/departments and processes are essential to your company's survival. The BIA will identify how quickly essential business functions and/or processes have to return to full operation following a disaster situation. The BIA will also identify the resources required to resume business operations.

Business impacts are identified based on a worst-case scenario that assumes that the physical infrastructure supporting each respective business function has been destroyed and all records, equipment, etc. are not accessible for 30 days. Please note that the BIA will not address recovery solutions.

The objectives of the BIA are as follows:

- Estimate the tangible (financial) impacts for each business function
- Estimate the intangible (operational) impacts for each business function
- Identify the company's business unit processes and the estimated recovery timeframe for each business function

5. BUSINESS CONTINUITY PLAN

WHAT ARE THE CRITICAL FUNCTIONS, ROLES/RESPONSIBILITIES, HIGH PRIORITY TASKS, AND RESTORATION TIMELINES IN THE EVENT OF AN INCIDENT?

The Business Continuity Plan documents the critical procedures that will guide you in responding, recovering, resuming, and restoring the organization to a predefined level of operation following an incident. The Business Continuity Plan typically covers those resources, services, and activities required to ensure the continuity of critical business functions. The Business Continuity Plan also will identify and document roles and responsibilities for your Team Managers and teams, including the Emergency Management Team, critical work groups (functions), and critical support groups (e.g., IT, transportation, maintenance, EHS, salvage). Other items to integrate into the Plan may include communication processes and alternate site information (i.e., location, supplies, and personnel) to sustain continued operations.

The Plan should address the following issues and concerns:

- An organizational disaster impacting your processing facility
- A worst-case scenario, allowing successful recovery from multiple types of disasters (e.g., tornado, fire, power outage, windstorm, explosion, hurricane, earthquake, flood)
- Restoration plans for the various business units and functions that have any of the following areas of exposure:
  o Safety risks (people and environmental)
  o Financial loss (i.e., lost revenue and additional expenses)
  o Legal responsibilities
  o Service or production interruptions
  o Customer information (loss or exposure)
  o Damaged brand reputation
  o Infrastructure equipment loss

Business Continuity Team Responsibilities

The organizational structure of the company after a disaster has occurred will not be the same as the normal organizational structure. Therefore, it is important to establish Business Continuity Teams to be implemented in the event of a disaster.
You will need to identify your Team Managers and alternates for each of your recovery teams. Information on how all team members can be contacted (home or cell phone) needs to be populated in the tables provided in Appendix E; keep the completed tables somewhere that remains reachable if the primary site and its IT systems are unavailable (for example, printed copies and an off-site copy). In small organizations, functional managers often fill these roles and, many times, fill multiple roles. The staffing assignments for teams need to be set and adjusted based on the size and complexity of the company.

Emergency Management Team

Commonly, this team is responsible for overall coordination of the business continuity effort, evaluating and determining disaster declaration, and communications with Senior Management. The Emergency Management Team will:

- Establish the Command Center and related operations.
- Contact emergency services (first responders) about the disaster.
- Evaluate which recovery actions should be invoked and activate the corresponding recovery teams.
- Evaluate and coordinate damage assessment and business recovery tasks for affected operations.
- Set restoration priority based on the damage assessment reports.
- Provide the Senior Management Team with ongoing status information.
- Act as a communication channel to corporate teams, major customers, and outside agencies.
- Notify all Team Leaders and advise them to activate their plan(s), if applicable, based upon the disaster situation.

Recovery Team Leader Responsibilities

These key positions will be responsible for coordinating all recovery activities to re-establish operations to acceptable levels within the shortest timeframe. Coordinating with the Emergency Management Team, these individuals typically will perform the following duties:

- Serve as the prime decision maker, typically as directed by and in coordination with Senior Management.
- Activate his/her Business Continuity Team, as needed, depending upon the disaster circumstances.
- Motivate and direct the members of the team.
- Create additional recovery positions, as needed, to assist in recovery activities.
- Establish progress reporting times (hourly, every two hours, etc.) and work with all Team Managers to ensure that required activities are performed in a timely manner.
- Evaluate and critique initial disaster assessment reports and action plans.
- Submit final disaster assessment reports to the Senior Management Team.
- Track the actual progress/completion of recovery activities against the projected sequence of recovery events (i.e., function as a Team Manager for the recovery process).
- Work closely with all Team Managers to ensure the highest degree of customer service possible.
- Assign team members to specific responsibilities.
- Educate and cross-train team members in special and critical skills, which can have a significant impact on the success of the Plan and the amount of time required to execute the Plan.

Senior Management Team

Responsible for the overall direction, decision-making, and approvals required to implement the Business Continuity Plan. The Plan can generally be activated only by the Senior Management Team.

Business Continuity Coordinator (BCC)

Responsible for the development of the Business Continuity Program and for assisting in the activation of the Plan. The BCC should be the most knowledgeable person on the details of the Plan. The BCC is frequently designated to provide emergency notification of the alternate or offsite operational facility locations.

Logistics/Transportation Team

Responsible for making emergency arrangements for personnel transportation and lodging.

Damage Assessment/Salvage Team

Responsible for the damage assessment of the company's location and advising the Senior Management Team of the results. Works with the Facilities/Security Team to verify the building can be occupied after a disaster.
After damage assessment is completed, this team will also be responsible for coordinating salvage operations, as required.

PR/Communications Team

Responsible for all public relations, crisis communications, and other communications (e.g., coordination with public authorities).

Facilities/Security Team

Responsible for the facility and its security. In a disaster, this team is also responsible for providing security at the alternate site, if required.

Customer Communications and Service Team

Responsible for communicating with customers and the key network of business partners, vendors, and suppliers who service those customers to assure continuation of services, as appropriate.

Accounting Team

Responsible for ensuring that critical accounting business functions are operational and accurate.

Telecommunications Team

Responsible for the restoration and maintenance of all voice communications and data communications. Also responsible for ensuring telephones are operational at the alternate site.

IT Team

Responsible for restoring all critical computer systems and workstations (except telephones, which belong to the Telecommunications Team). Restoration relies on the off-site backups called for in Section 7, so those backups must exist and be known to be restorable before an incident occurs.

Incident Command System (ICS)

The Incident Command System (ICS) is a standardized, on-scene incident management concept designed to allow responders to adopt an integrated organizational structure for responding to a single incident or multiple incidents without being hindered by jurisdictional boundaries. Some companies may consider integrating ICS into the existing Business Continuity Program to aid in responding to emergency situations. The purpose of the ICS is to assist the company's business continuity Emergency Management Team in working together with public sector first responders (fire, police, etc.) to effectively respond to an incident.
This involves establishing common objectives and strategies, using common terminology/roles, developing an Incident Action Plan, and leveraging resources (equipment and people) in the most effective way to respond to the incident. Effective application of the ICS can be instrumental in helping manage company risks and strengthen business continuity. It:

- Prepares the team to handle an emergency response when it happens
- Allows the team to manage incidents of any type/size
- Assists the business continuity Emergency Management Team in understanding and meshing with the actions and expectations of public sector emergency responders
- Allows the private sector to effectively communicate with public sector emergency responders
- Ensures the smooth transition from first responders to the company's Business Continuity Teams
- Tracks costs for insurance reimbursement
- Integrates with the Business Continuity Plan to achieve business sustainability and continuity

Whether using ICS or not, the functions shown in the diagram below are important for successfully managing the incident and restoring the business once the incident is under control.

INCIDENT COMMAND SYSTEM (ICS): WHO DOES WHAT?

[Diagram: the Incident Commander (Command) sits above four sections: Operations, Planning, Logistics, and Finance/Admin.]

- Command (Incident Commander): Overall responsibility for the incident. Sets objectives.
- Operations Section: Develops the tactical organization and directs all resources to carry out the Incident Action Plans.
- Planning Section: Develops the Incident Action Plan to accomplish the objectives.
- Logistics Section: Provides resources and all other services needed to support the incident.
- Finance/Admin Section: Monitors costs related to the incident. Provides overall fiscal guidance.

Emergency Response Contacts

It is important for companies to identify critical emergency contacts so you have a ready reference of contact information in the event of a disaster (see Appendix E). Some of these critical emergency responders may include fire, police, hospitals, Red Cross, and utilities.

Alternate Site Information

In the event of a disaster, each facility should identify an alternate site where they would plan to go in order to resume critical operations (see Appendix E). By establishing these alternate sites, more accurate preparations can be made in the event that a disaster occurs.

Critical Vendors

You will also need to define vendors or suppliers that your organization may use in your day-to-day operations or that you may need support from in the event of a disaster (see Appendix E). These may include:

- Server and computer equipment suppliers
- Communications and network services
- Civil/structural engineers
- Electrical contractors
- Excavating contractors
- Emergency generators
- Mechanical engineering (HVAC, facilities)
- Plumbing
- Site security services
- Additional suppliers/contractors, such as HazMat, demolition, cleaning

Managing External Communications

To inform the public of the company's situation and ongoing status updates, it may be necessary for the PR/Communications Team to contact radio stations, television stations, and newspapers or to respond to various social media outlets. Depending on the crisis, media may arrive at the corporate headquarters to get news footage and interviews.
Information that may be asked for may include:

- Description of the emergency situation
- Personnel injuries and casualties (if any)
- Rescue and relief measures taken
- Amount of damage
- Company's status (appropriate timeframe in which the company will be operating and open for business)
- Instructions for employees
- Assurance that the crisis is under control

Some advisory suggestions in dealing with the media include the following:

- Be truthful with the media.
- Avoid shifting blame onto another entity; take appropriate responsibility.
- Where possible, use common language descriptions rather than business or professional jargon.
- Avoid "No comment" statements.
- Do not speculate; instead, focus on facts and known information.
- Have one common voice for your company that conveys a consistent message.

Working with an outside media consultant with specific expertise in crisis communication can be prudent depending on the type and extent of the incident. Appendix F contains a variety of external communication tools/forms that may help you prepare to deal with the media, including:

- Situation report
- Media holding/standby statements
- News release
- News release approval

Insurance Policies

Business Interruption Insurance (also known as Business Income Insurance) covers the loss of income that a business suffers after a disaster while its facility(s) is either closed because of the disaster or in the process of being rebuilt after it. A Property Insurance Policy covers only the physical damage to the business. It is helpful to document in your Business Continuity Plan the types of policies your company has coverage under, the expiration dates of your policies, and contact information for your agent/carrier, so they are easy to locate in the event of a disaster (see Appendix G).

6. TRAIN AND TEST

HOW ARE YOU MAKING SURE YOUR PLAN IS WORKING?

Testing is critical in assuring an effective recovery in the event of a disruption. The first step in testing should be setting goals and expectations. Testing is designed to determine whether a certain crisis response process works and how it can be improved. Testing involves reviewing the activities performed to evaluate the effectiveness of your Business Continuity Plan relative to specified objectives or measurement criteria. Exercises can be designed to keep employees aware of their duties and to reveal any weaknesses in the Business Continuity Plan that need to be corrected before an actual incident occurs. Paper walkthroughs of the Plan are useful, but they should be supplemented by exercises that actually perform the recovery steps, such as restoring critical systems from backup at the alternate site, since that is where unworkable assumptions tend to surface.

Reasons for testing the Plan include:

- Determining the feasibility of the business continuity process
- Verifying the compatibility of alternate processing sites
- Identifying deficiencies in the existing procedures
- Identifying areas in the Plan that need modification or enhancement
- Ensuring the adequacy of procedures relating to the various teams involved in the recovery process
- Demonstrating the ability of the company to recover
- Managing changes that should be addressed
- Providing a mechanism for maintaining and updating the Business Continuity Plan

You should establish a schedule for testing components of the Business Continuity Plan on a regular basis.

7. IMPLEMENT AND MONITOR

ARE YOU CONTINUALLY MONITORING AND IMPROVING YOUR PLAN TO REFLECT CHANGES IN THE ORGANIZATION?

Once the business continuity policies, procedures, processes, training, and testing are complete, the Business Continuity Program needs to be implemented and integrated throughout the company. It is important to note that implementation does not stop at this point; business continuity cannot be treated as a finite project.
It requires continual review and improvement to be effective and to respond to organizational changes, modifications in your products and services, legal and regulatory requirements, and resource changes (e.g., people, data, facilities/equipment, IT, partners and suppliers). The Business Continuity Program needs to be regularly reviewed to ensure its effectiveness. Independent audits can help monitor the effectiveness and performance of your program and identify ongoing opportunities for improvement. Successful recovery operations depend on: Training assigned personnel on various aspects of the Business Continuity Program Completing and maintaining an up-to-date Business Continuity Plan Storing and securing adequate backup materials off-site Safeguarding vital records Performing comprehensive tests of the Plan Modifying the Plan as a result of the tests Restoring physical infrastructure and equipment Performing adequate cross-training and succession planning to reduce reliance on key personnel © 2014 Kestrel Management LLC Page 18 Business Continuity Guidance Document APPENDIX A: SELF-ASSESSMENT © 2014 Kestrel Management LLC Page 19 Business Continuity Guidance Document Business Continuity Management (BCM) Self-Assessment Die Casting Industry Every organization is at risk from potential operational disruptions—natural disasters, fire, sabotage, information technology (IT) viruses, or acts of violence. When business is disrupted, the costs can be substantial. Business Continuity Planning helps ensure that companies have the resources and information needed to maintain service, reliability, and resiliency under adverse conditions. What is Business Continuity Management (BCM)? The Business Continuity Institute (BCI) defines Business Continuity Management (BCM) as "the act of anticipating incidents which will affect mission-critical functions and processes for the organization and ensuring that it responds in a planned and rehearsed manner." 
BCM touches every aspect of an organization's operation—not just IT. It is not just about recovering from a disaster, such as one caused by fire or flood or the failure of your computer system. It can also be about the collapse of a key supplier or customer, loss of a key executive, fraud, or unethical operations.

Why should your organization be concerned?

BCM is moving rapidly up the Boardroom agenda. With the increase of incidents and disasters over the past few years—both natural and man-made—BCM has assumed a much higher profile. Corporate governance requirements and industry standards have insisted that both Board members and executive management take BCM seriously. Insurance is also a key driver, with many insurers now insisting that organizations demonstrate that they have reasonable risk reduction measures and a working Business Continuity Program implemented.

What should you do about it?

Your organization must examine all risks and threats to which it is exposed and consider how best to deal with them should an incident occur. BCM is not concerned with plans and procedures for the everyday things that go wrong; rather, BCM involves managing the significant (and unplanned) incidents that may considerably impact the core activities of your organization and ensuring that you respond in a planned and rehearsed manner. This encompasses planning; engaging appropriate personnel; writing, accepting, and owning your Business Continuity Plan; and conducting thorough testing—all of which are essential prerequisites of an appropriate response.

Where does your organization stand?

The question set on the following page is designed to help you establish where your organization is in relation to your BCM readiness. Review and score each question from 0 to 5, where 0 indicates that the topic has not been addressed at all, and 5 indicates that you are satisfied with the situation in relation to the main issues raised.

Note: If you have reviewed the topic and made a conscious business decision that it does not need to be addressed, score the question as a 5. See the glossary of key terms in Appendix I for your reference.

Self-Assessment Questionnaire: Die Casting Industry
(Rank each question from 0 to 5.)

Business Continuity Plan/Program
1. Have you developed a written Business Continuity Plan?
2. Have industry standards and/or supply chain requirements been determined in support of your Business Continuity Program (e.g., ISO 9001, ISO 14001, ISO 22301)?
3. Have you included in your Business Continuity Plan procedures to deal with emergency and evacuation for fire, tornado, bomb threat, severe weather, etc.?
4. Do you have a formal, written Business Continuity Policy?
5. Do you have a change management process implemented so that any changes to the organization (e.g., policies, business functions, new projects) consider the impact to Business Continuity?
6. Have Service Level Agreements (SLAs) been established for critical service providers that your company does business with to ensure they also have a tested Business Continuity Plan?
7. In the event of a disaster, do you know what your Business Interruption Insurance Policy will cover?
8. Have you addressed how to deal with a pandemic in your Business Continuity Plan to continue ongoing operations?
9. Is Senior Management supportive of your Business Continuity Program?

Business Impact Analysis (BIA)
10. Has a Risk/Threat Assessment been performed to identify potential threats to your organization and the likelihood of the occurrence of the threat?
11. Has a Business Impact Analysis (BIA) been conducted to determine which critical functions and/or operational processes need to be restored in the event of an incident?
12. Have you established Recovery Time Objectives (RTOs) for all critical functions and/or operational processes that need to be restored?
13. Have you established Recovery Point Objectives (RPOs) for how much data can be lost?
14. Have you identified the critical resources that support your critical functions and/or operational processes (i.e., people, supplies, equipment)?
15. Do you have an inventory of the IT infrastructure (i.e., hardware, software, applications) that supports your critical business functions?
16. Have you identified your company's vital records and documents, and are they stored at an off-site facility?
17. Do you have any type of critical equipment and, if so, a contingency plan in the event that it is destroyed?
18. Do you have backup and resilience features built into your voice and data communications?

Alternate Facilities
19. Have you identified and documented the location of alternate office/processing facility(s) where you can resume business operations in the event of an onsite incident?
20. Have you determined what supplies would be needed at an off-site facility to continue operations in the event of a disaster?
21. Have you determined alternate locations to transfer phones in the event of a disaster?
22. Do you know where your employees would reside (alternate facility or home) in the event of a disaster?

Roles & Responsibilities
23. Have you identified specific roles and responsibilities of your various recovery teams (e.g., IT, crisis management, critical functions, critical support) in your Business Continuity Plan?
24. Have you identified who in your organization has the authority to declare a disaster?
25. Have you established who within your recovery teams will be contacting employees, customers, and suppliers?
26. Have you determined who within your organization will be dealing with the media?
27. Have you determined who will be responsible for dealing with family members in the event of an employee being injured or dying?
28. Has the role of and relationship with public authorities (local emergency management, fire, police) been defined in developing and testing your Business Continuity Plan?
29. Has there been adequate cross-training to back up employees in the event critical employees are injured or killed by the disaster?
30. Do you have a training plan for new/existing employees regarding your Business Continuity Program to define/explain their responsibilities in the event of a disaster?

Communications
31. Have you identified and documented the process that will be used to communicate to your employees, customers, and suppliers in the event of a disaster?
32. Do you have a current phone listing of your employees, suppliers, and other critical parties (e.g., police, fire, hospitals, utilities)?
33. Have you documented media scripts that can be modified to fit the disaster and sent out to newspaper, radio, and television media organizations?
34. Do you have phone listings included in your Business Continuity Plan of the newspapers, radio, and television that a designated spokesperson needs to contact in the event of a disaster?

Testing/Auditing
35. Is your Business Continuity Plan tested on an annual basis (at a minimum)?
36. Are you using results of testing to continually improve your Business Continuity Plan?
37. In testing your Business Continuity Plan, do you test different types of worst-case scenarios?
38. To determine if your Business Continuity Plan is effective, do you use a third party to audit your plan?

TOTAL SCORE: ______

Scoring

Once you have completed the questionnaire and totaled your score, the table below offers a general summary of your score's significance.

Over 140      It is likely that you have implemented an effective BCM Program.
100-140       It is likely that your BCM Program is in place but that improvement opportunities exist.
50-100        You are probably not complying with good business practices for BCM.
Less than 50  Considerable work is needed in implementing your BCM Program.

It is recommended that you get support to create a sound BCM Program that:
- Broadens the scope of issues beyond mere emergency response
- Relies on a systematic approach to identify and critically evaluate risks/opportunities
- Ensures that all involved parties understand who makes decisions, how those decisions are implemented, and what the roles/responsibilities of participants are in an incident
- Helps the company stay in business through a time of crisis

APPENDIX B: RISK ASSESSMENT

Risk Assessment

The form on the following page can be used to complete your Risk Assessment. This form includes a number of potential threats that may impact your company. If any threats are missing, they should be added to the form for evaluation. For each type of threat you will need to determine the following:
- Probability of threat – likelihood that the threat will occur: H=High, M=Medium, L=Low
- Speed of onset – how soon the threat may impact your operation: S=Sudden, G=Gradual
- Forewarning – whether you will have advance warning of the threat's occurrence: Y=Yes, N=No
- Duration of impact – how long the threat may impact your functional or operational areas: L=Longer than a week, I=Intermediate (1 or 2 days), S=Short (1 hour to 1 day)
- Impact the threat may have on your functional or operational areas: 0=No interruption in operations, 1=Interruption up to 8 hours, 2=Interruption for 8-48 hours, 3=Interruption for over 48 hours

The completed Risk Assessment will help guide your management team in prioritizing the various threats and in appropriately focusing your team's efforts to address those threats.

Risk Assessment Form
Columns: Type | Probability (H/M/L) | Speed of Onset (S/G) | Forewarning (Y/N) | Duration (L/I/S) | Impact (0/1/2/3)

Natural Threats
  Flooding
  Hurricane
  Fire
  Earthquake
  Wind/Tornado
  Snow/Ice Storm
  Drought
Human Threats
  Explosion
  Extortion
  Burglary (equipment theft)
  Embezzlement
  Vandalism
  Robbery (force)
  Civil Order
  Nuclear
  Hazardous Materials
  Work Stoppage
  Improper Handling of Sensitive Data
  Unauthorized Physical Access
  Malicious Damage or Destruction of Software or Hardware
  Terrorism
  Data Theft
Technical Threats
  Power Failure/Fluctuations
  Heating, Ventilation or A/C Malfunction
  Failure of Mainframe or Network Hardware
  Failure of Application Software
  Failure of Telecommunications
  Pandemic Outbreak (e.g., Ebola)
  Loss of Critical Supplier
  Loss of Leadership/Critical Personnel

APPENDIX C: CONTINGENCY PLANS

Contingency Plans

There are a number of Contingency Plans that you may want to develop as a result of conducting a Risk Assessment. The summary examples below are from the die casting industry. Every company will need to identify contingencies based on its greatest threats/risks. The following list is not all-inclusive:

Workforce Shortage
In the event of a labor shortage, the company needs to include a designated employment agency, which will provide qualified individuals for workforce needs.

Energy Emergency
Electrical – In the event of a brownout and/or an entire blackout, the company needs to contact a designated provider for a back-up generator.
Natural Gas – In the event of accidental supply loss of natural gas, the company needs to contact a designated provider so natural gas can be redirected to re-establish service.

Key Machine Downtime
In the event that die casting machines are damaged, the company needs to contact a designated die casting company, which can assist in providing spare parts, back-up die cast machines, and/or machining centers to perform the necessary work to fulfill customer orders.

Information Systems Failure
In the event of an infrastructure failure affecting computer hardware, software, and data, the company needs to contact a designated company to ship new computer hardware and software to the identified alternate facility. Backup data and records will need to be accessed.

Catastrophic Customer Delivery Issue
Electronic Data Interchange Emergency – In the event of an EDI transmission outage, it will be necessary to contact a designated company as the backup EDI vendor.

Natural Disaster or Catastrophic Event
Tooling Contingency – In the event that customers' spare parts of casts and trim dies are damaged, the company needs to contact a designated provider, who has tooling suppliers that are capable of maintaining and building new tooling.
Tool Crib Perishable and Durable Cutting Tools Contingency – A designated company has spare parts to maintain the customers' machined castings. Additionally, this company has a supply base of tool grinding and sharpening vendors that can quickly repair damaged tools.

Fire
In the case of a fire, emergency management procedures will be invoked immediately. Because fire hazards are such a critical exposure in the die casting industry, it is advisable to focus on preventive measures and training. For more information, review Kestrel's 2014 report, Fire Incident Prevention for NADCA, and webinar, NADCA Study: Fundamental Steps for Preventing a Fire Incident.

APPENDIX D: BUSINESS IMPACT ANALYSIS (BIA)

Business Impact Analysis (BIA)

Objectives
The purpose of the Business Impact Analysis (BIA) is to identify which business functions/departments and processes are essential to the survival of your organization. The BIA will identify how quickly essential business functions and/or processes have to return to full operation following a disaster situation. The BIA will also identify the resources required to resume business operations. Business impacts are identified based on a worst-case scenario that assumes that the physical infrastructure supporting each respective business function has been destroyed and all records, equipment, etc. are not accessible for 30 days. Please note that the BIA will not address recovery solutions.

The objectives of the BIA are as follows:
- Estimate the tangible (financial) impacts for each business function.
- Estimate the intangible (operational) impacts for each business function.
- Identify the organization's business function processes and the estimated recovery timeframe for each business function.

Process
Each function or department manager should perform a BIA based on a worst-case scenario for all business processes to determine the criticality of these processes to your organization and to determine what the impacts to your organization would be if their processes were interrupted. You need to identify the business process availability Recovery Time Objectives (RTOs), business process Recovery Point Objectives (RPOs), key business processes, and the associated risks if these processes were not available. See the glossary of key terms in Appendix I for clarification.
This information is important in developing a Business Continuity Plan for the entire organization and should be filled out in as much detail as possible.

Business Function/Department Name: ______
Description of Business Function/Department Purpose in the Organization: ______
Name of Function/Department Manager/Director: ______

In the following table, list the business processes performed by the Business Function/Department.
1. ______
2. ______
3. ______
4. ______
5. ______
6. ______
7. ______
8. ______
9. ______
10. ______

For each business process listed above, fill out the following questionnaire sheet.

Completed by: ______   Date: ______

Business Process Questionnaire
Business Function/Department Name: ______
Business Process Name: ______
Business Process Description: ______

1. Does this process have to be performed at a specific time of the day/week/month/year? No / Yes – If yes, state the requirement:
2. Is this process dependent on any IT application or systems? No / Yes – If yes, list:
3. Is this process dependent on any outside service providers for its successful completion? No / Yes – If yes, list:
4. Is this process dependent on any other business function(s)? No / Yes – If yes, list:
5. Is this process dependent on any products for its successful completion? No / Yes – If yes, list:
6. Is the process dependent on any vital records? No / Yes – If yes, list them and their location:
7. Is this process dependent on any specific equipment? No / Yes – If yes, list:
8. Are there regulatory requirements that are impacted if a disruption impacted your critical function or process? No / Yes – If yes, list:
9. What is the number of staff in support of your business process?
10. In the event of a disaster, how many staff would be needed to continue operations?
11. What is the maximum amount of time this business process could be unavailable? 0-24 hours / 24-48 hours / 48-72 hours / 3-5 days

Business Impact Analysis Worksheet

The BIA worksheet may assist you in identifying some of the tangible and intangible exposures your organization may be exposed to in a worst-case scenario situation. For your tangible impacts (i.e., loss of revenue, additional expenses, and regulatory/legal), you will need to calculate costs using the loss ranges shown in Table A. Record those scores in the first three rows of Table C for the cumulative days of impact (1, 3, 5, etc.). For intangible exposures (i.e., customer service and goodwill), you will need to determine the severity of impact by using Table B, and then record those scores in the last two rows of Table C.

Note: The impact categories in Table C are only examples that you may want to consider. If you feel additional impacts are missing, they should be added to the table for analysis.

Scoring and Prioritizing

Once you have completed your BIA worksheet by estimating your tangible and intangible impacts, the next step is to prioritize for Senior Management which business functions/departments and processes are essential to the survival of your organization. This may also assist your organization in determining the priority of restoration in the event of a critical outage.

Table A. Cumulative Dollar Loss Ranges (Tangible)
Score  Loss Range
0      None
1      < $1,000
2      ≥ $1,000 and < $5,000
3      ≥ $5,000 and < $10,000
4      ≥ $10,000 and < $25,000
5      ≥ $25,000 and < $50,000
6      ≥ $50,000 and < $100,000
7      ≥ $100,000 and < $150,000
8      ≥ $150,000 and < $250,000
9      ≥ $250,000 and < $500,000
10     ≥ $500,000

Table B. Customer Service & Goodwill Loss Ranges (Intangible)
Score  Effect
0      None
2      Minimal
4      Moderate
6      Moderately Heavy
8      Heavy
10     Severe

Table C. Impacts
Using the impact categories to classify the type of loss incurred and the loss ranges identified in Tables A and B above (0 through 10), specify your estimated amount of exposure during each time period below.

Columns (cumulative impact after): Impact Category | 1 day | 3 days | 5 days | 10 days | 20 days | 30 days | Total
Rows:
  Loss of revenue (Table A)
  Additional expenses (Table A)
  Regulatory and legal (Table A)
  Customer service (Table B)
  Goodwill (Table B)
  Other (Table A/B)

Table D. Impact Definitions
Impact Category       Definition
Loss of revenue       Loss of income received from selling goods or services
Additional expenses   Temporary staffing, overtime, equipment, services
Regulatory and legal  Fines, penalties, compliance issues, contractual obligations, financial liabilities
Customer service      Reduced service level and activities impacting customer satisfaction
Goodwill              Public image, shareholder relations, market share

Completed by: ______   Date: ______

APPENDIX E: BUSINESS CONTINUITY PLAN – KEY CONTACTS

Team Responsibilities

You need to identify your Team Managers and alternates for each of your recovery teams. Information on how all team members can be contacted (home or cell phone) needs to be populated.

Columns: Name | Address | Home | Mobile/Cell Phone
Teams may include:
  Emergency Management Team
  Senior Management Team
  Logistics/Transportation Team
  Damage Assessment/Salvage Team
  PR/Communications Team
  Customer Communications/Service Team
  Facilities/Security Team
  Accounting Team
  Telecommunications Team
  IT Team

Emergency Response Contacts

You need to identify your critical emergency contacts in the event of a disaster. Some of these may include fire, police, hospitals, Red Cross, utilities.
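As an added worked example (not code from the Kestrel/NADCA document), the following Python scores a BIA worksheet with the Appendix D scales: Table A for the three tangible rows of Table C, Table B for the two intangible rows, the Total column per category, and a ranking of processes by total exposure for Senior Management. The process names, loss figures and effect ratings are constructed sample data, and the cumulative-figure check is an added sanity check rather than a rule stated in the document.

```python
"""Added example (not from the Kestrel/NADCA document): scoring a BIA worksheet
with the Appendix D scales. Table A maps cumulative dollar loss to 0-10, Table B
maps an intangible effect to 0/2/4/6/8/10, and Table C holds one score per impact
category for each cumulative period. All figures below are constructed samples."""
from dataclasses import dataclass

PERIODS = (1, 3, 5, 10, 20, 30)       # Table C columns: cumulative days of impact
TANGIBLE = ("Loss of revenue", "Additional expenses", "Regulatory and legal")
INTANGIBLE = ("Customer service", "Goodwill")

# Table A: lower bound of each dollar band and its score, highest band first.
TABLE_A_BANDS = ((500_000, 10), (250_000, 9), (150_000, 8), (100_000, 7),
                 (50_000, 6), (25_000, 5), (10_000, 4), (5_000, 3), (1_000, 2))
# Table B: effect on customer service or goodwill.
TABLE_B = {"none": 0, "minimal": 2, "moderate": 4,
           "moderately heavy": 6, "heavy": 8, "severe": 10}


def table_a_score(dollars: float) -> int:
    """Score a cumulative dollar loss: 0 = none, 1 = under $1,000, ..., 10 = $500,000+."""
    if dollars < 0:
        raise ValueError("loss cannot be negative")
    if dollars == 0:
        return 0
    for lower_bound, score in TABLE_A_BANDS:
        if dollars >= lower_bound:
            return score
    return 1                          # above $0 but below the $1,000 band


def table_b_score(effect: str) -> int:
    """Score an intangible effect rating with Table B (case-insensitive)."""
    try:
        return TABLE_B[effect.strip().lower()]
    except KeyError:
        raise ValueError(f"unknown Table B effect: {effect!r}") from None


@dataclass
class ProcessBIA:
    """One business process and its worksheet inputs for every period."""
    name: str
    tangible: dict        # category -> cumulative dollar loss per period (Table A)
    intangible: dict      # category -> effect rating per period (Table B)
    max_unavailable: str  # answer to questionnaire item 11, e.g. "24-48 hours"


def score_table_c(process: ProcessBIA) -> dict:
    """Fill Table C: for each category, one score per cumulative period."""
    rows = {}
    for category in TANGIBLE:
        losses = process.tangible[category]
        if len(losses) != len(PERIODS):
            raise ValueError(f"{category}: need one figure per period")
        # Figures are cumulative, so they must never fall between periods (added check).
        if any(later < earlier for earlier, later in zip(losses, losses[1:])):
            raise ValueError(f"{category}: cumulative losses must not decrease")
        rows[category] = [table_a_score(x) for x in losses]
    for category in INTANGIBLE:
        ratings = process.intangible[category]
        if len(ratings) != len(PERIODS):
            raise ValueError(f"{category}: need one rating per period")
        rows[category] = [table_b_score(r) for r in ratings]
    return rows


def row_totals(rows: dict) -> dict:
    """The 'Total' column of Table C: sum of each category's period scores."""
    return {category: sum(scores) for category, scores in rows.items()}


def worksheet_total(process: ProcessBIA) -> int:
    """Grand total of Table C for one process, the basis for ranking."""
    return sum(row_totals(score_table_c(process)).values())


def prioritize(processes) -> list:
    """Rank processes for Senior Management, highest total exposure first."""
    return sorted(processes, key=lambda p: (-worksheet_total(p), p.name))


# Constructed sample inputs for two processes (illustrative figures only).
SAMPLE_PROCESSES = [
    ProcessBIA("Die casting line 2",
               tangible={"Loss of revenue": [4_000, 12_000, 20_000, 60_000, 120_000, 180_000],
                         "Additional expenses": [0, 2_000, 6_000, 15_000, 30_000, 45_000],
                         "Regulatory and legal": [0, 0, 0, 0, 800, 5_000]},
               intangible={"Customer service": ["none", "minimal", "moderate",
                                                "heavy", "severe", "severe"],
                           "Goodwill": ["none", "none", "minimal",
                                        "moderate", "heavy", "heavy"]},
               max_unavailable="24-48 hours"),
    ProcessBIA("Payroll",
               tangible={"Loss of revenue": [0, 0, 0, 0, 0, 0],
                         "Additional expenses": [500, 500, 1_500, 3_000, 6_000, 9_000],
                         "Regulatory and legal": [0, 0, 0, 2_500, 12_000, 30_000]},
               intangible={"Customer service": ["none"] * 6,
                           "Goodwill": ["none", "none", "none", "minimal",
                                        "moderate", "moderately heavy"]},
               max_unavailable="3-5 days"),
]

if __name__ == "__main__":
    for p in prioritize(SAMPLE_PROCESSES):
        print(p.name, "total", worksheet_total(p), "max unavailable", p.max_unavailable)
        print("  ", row_totals(score_table_c(p)))
```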
Columns: Organization | Contact Person | Phone Number(s) | Description

Alternate Site Information

In the event of a disaster, each facility should define an alternate site where they would plan to go in order to resume critical operations. By establishing these alternate sites, more accurate preparations can be made in the event that a disaster occurs.

Columns: Company Plant/Location | Alternate Site | Alternate Site Contact Information

Critical Vendors

You need to define vendors or suppliers that your organization may use in your day-to-day operations or that you may need support from in the event of a disaster. These may include:
- Server and computer equipment suppliers
- Communications and network services
- Civil/structural engineers
- Electrical contractors
- Excavating contractors
- Emergency generators
- Mechanical engineers (HVAC, facilities, etc.)
- Plumbing
- Site security services
- Additional suppliers/contractors, such as HazMat, demolition, cleaning

Columns: Vendor Name | Contact | Work | Mobile/Cell Phone

APPENDIX F: EXTERNAL COMMUNICATION TOOLS

Situation Report

The Situation Report assists in gathering the necessary information to prepare statements and releases to the media. It is very important to document the sources of information and when/by whom the information was gathered.
- Description of the event (What happened, where, when – time/date?)
- Who is involved? (Injuries/deaths, property damage estimate)
- How will it affect products/services to customers?
- How/why did it happen? (Causes, if known)
- What is the company doing? (Rescue/relief efforts; cleanup; restoring operations; legal actions)
- Who else is involved in recovery efforts? (Red Cross; law enforcement; insurance regulatory groups)
- Other confirmed information?

Form prepared by: Name: ______   Date/Time: ______   Source of Information: ______

Media Statements (Examples Only)

These drafted media statements may be helpful in formulating your prepared statements to the media in response to questions about the incident.

Media Holding Statement
Until the formal news release or response statement can be prepared, you may use a holding statement to respond to inquiries from the media or other callers. You may use this holding statement or your own words.
  We are in the process of preparing a statement based on the information we have at this time. We expect it to be issued shortly. I do not have an exact time but expect it to be in about one hour.
  If appropriate: We will also be scheduling a briefing for the news media.

Media Standby Statements
In response to questions about the cause of the accident:
  It is much too early to talk about the cause of the incident. It will take days or weeks of investigation to determine why this happened so that we can prevent this kind of thing from ever happening again. The investigation will be conducted by ______, and we will cooperate fully in that investigation. We will not speculate about what may have been the cause, and we encourage others not to speculate.
When you have no more information to release:
  We have released all of the confirmed information that we have at this time. As soon as we have additional facts, we will share them with you.
In response to questions about victims:
  Confirming identities of victims is one of the most difficult and sensitive matters we face after an incident like this. We are working as rapidly and as accurately as we can. This does not mean that we are ignoring the needs of the families; in fact, we are working closely with them. As names are confirmed, we will notify relatives first before we release any names to the public. This can be a time-consuming process, but we want to avoid errors. We know that this process appears slow, but we hope you will understand.
An expression of sympathy:
  All of us extend our deepest sympathies to the families and friends of those (affected, injured, killed) in this tragic disaster. As a member of the community, we will do our part to help those affected rebuild their lives.

News Release

This form identifies the requirements of a news release (e.g., description, assurances that the crisis is under control, instructions to employees).

NEWS RELEASE
Company Name
Address
For Immediate Release
Contact: (Name) (Title/Department) (Phone, Email)
Date
(Description of emergency situation. Personnel injuries and casualties, if any. Rescue and relief measures taken. Damage estimate.)
(Assurances that the crisis is under control. Explain that the disaster recovery plan is already in effect. Give the timeframe in which the company will be operating and open for business.)
(Provide instructions to employees. Provide instructions to clients.)
Note to the editor: Include a brief company description at the end of the press release.
###

News Release Approval

This form is to obtain and document approval for all releases of information to the media. The Team Manager will determine whose approvals are needed depending on the type of information.
Date: ______   Time: ______   Release #: ______   Draft #: ______
Headline: ______
To be released on (date & time): ______
Source(s) of information (the information in the attached news release was obtained from):
  Name: ______   Name: ______
Approved by (initial "OK"):
  Chief Executive Officer: ______
  Senior Executive or Regional VP: ______
  Marketing Communications Manager: ______
  Communications Manager/Spokesperson: ______
  Corporate Legal, if necessary: ______
  Human Resources (employee information): ______
  Other: ______
Source(s) of information (see above):
  Name: ______   Name: ______
Attachments (Item | Supplied By (Initial) | Approved By (Initial)):
  Picture(s)
  Drawing, Diagram, Map
  Charts, Tables
  Other
Attach this approval form to the final news release and store it for future reference.

APPENDIX G: INSURANCE POLICIES

Insurance Policies

Using the form provided, document the types of policies your company has coverage for, the expiration dates of your policies, and contact information for your agent/carrier in the event of a disaster.

Columns: Type of Coverage | Agent | Carrier | Policy Number | Expiration

APPENDIX H: BUSINESS CONTINUITY STANDARDS

There are a number of guiding standards that may assist your organization to prepare for, respond to, and recover from disruptive incidents.
ISO 22301: Societal Security – Business Continuity Management Systems
- International standard designed to help organizations protect against, reduce the likelihood of occurrence of, prepare for, respond to & recover from disruptive incidents
- Specifies requirements for setting up & managing an effective Business Continuity Management System (BCMS)
- Applies the Plan-Do-Check-Act (PDCA) model for continual improvement
- Ensures consistency with other ISO management system standards potentially in place within an organization:
  o ISO 14001: Environmental Management Systems
  o ISO 9001: Quality Management Systems

ASIS Business Continuity Management System Standard
- 11.1.2 Perform Risk Assessment
- 11.1.3 Conduct Business Impact Analysis
- 11.2.2 Develop Mitigation Strategies
- 11.3.5 Execute the Plan

NFPA 1600: Standard on Disaster/Emergency Management & Business Continuity Programs
- 5.3 Risk Assessment
- 5.5 Mitigation

In addition, the private sector has a number of regulations/standards on incident management and response that may include the use of the Incident Command System (ICS):
- Superfund Amendments and Reauthorization Act (SARA) – 1986
- Occupational Safety and Health Administration (OSHA) Rule 29 CFR 1910.120 – Hazardous Materials
- DOT Regulation 49 CFR 192.615 – Pipeline & Hazardous Materials Safety – October 2011
- Presidential Policy Directive 21 – Critical Infrastructure Security & Resilience – February 2013
- Public Law 110-53 and PS-Prep™ Certification Program
  o NFPA 1600 Standard on Disaster/Emergency Management & Business Continuity Programs – Updated May 2014
  o ASIS International – SPC.1-2009 – Organizational Resilience: Security, Preparedness, and Continuity Management Systems
  o ISO 22301 – Business Continuity Management
- Homeland Security Presidential Directives (HSPD) 5, 7, 8, 9, 10, 12, 14, 20, 23
- Presidential Executive Order 1360 – Improving Chemical Safety & Security – May 2014

APPENDIX I: GLOSSARY OF TERMS

Business Impact Analysis (BIA)
The process of interacting with functional managers and staff to determine the financial and operational impacts on an organization if its business offices, data center, production or distribution facilities and service centers are not available for an extended time (usually at least one month). The objective of the BIA is to provide a management-level analysis that specifically documents the daily financial impact and Recovery Time Objective (RTO) for each business unit and associated processes.

Business Continuity Plan
An approved (usually by Senior Management and/or a Board of Directors) set of arrangements, resources, and sufficient procedures that enable an organization to respond to a disaster and resume its critical functions within a pre-defined timeframe without incurring unacceptable financial or operational impacts.

Business Continuity Policy
Established by Senior Management to provide a framework for setting business continuity objectives. The Policy includes a commitment to satisfy applicable requirements and a commitment to continually improving the Business Continuity Program. The Policy needs to be communicated within the organization, available to interested parties, and reviewed for ongoing suitability at defined intervals and when significant changes occur.

Business Function
A separate, discrete function or process performed by a business unit. For example, the accounting business unit in a smaller organization may include accounts payable and accounts receivable as business functions, while a larger organization may have separate business units that perform these business functions.

Critical Functions
Essential business functions that are time-sensitive and must be restored first in the event of a disaster or interruption to avoid unacceptable financial, customer loss or operational impacts.
Restoring critical functions ensures the ability to protect the organization's assets, meet organizational needs, and satisfy regulations. Disaster A sudden, unplanned event causing great damage or loss. In the business environment, any event that creates an inability on an organization's part to provide essential products and/or services for an indefinite period of time. Equipment List An inventory list of all equipment and associated vendors that are required for the recovery of a business unit or an entire company. Equipment includes, but is not limited to, fax machines, printers, computer systems, monitors, cables, scanners, mail processing hardware, etc. The equipment list is an essential part of an organization's Business Continuity Plan. Financial Impact A tangible impact, measured in dollars and usually negative, resulting from the unavailability of an organization's business office, data center, production facility and/or service center. Infrastructure The basic supporting installations and facilities upon which the continuance and growth of a community and businesses depend, such as power plants, water © 2014 Kestrel Management LLC Page 53 Business Continuity Guidance Document Term Definition supplies, transportation systems, IT systems, and communication systems, etc. Loss Unrecoverable business resources that are impacted or removed as a result of a disaster. Such losses may include loss of life, revenue, market share, competitive stature, public image, facilities, or operational capability. Operational Impact An intangible impact resulting from the unavailability of an organization's business office, data center, production facility and/or service center. An operational impact cannot be quantified in dollars, but may be critical because of its effect on an organization. 
Examples of operational impacts include, but are not limited to customer service, stockholder confidence, industry image, regulatory, financial reporting, employee morale, vendor relations, cash flow (that cannot be quantified), and increases in liability. Recovery Time Objective (RTO) The maximum length of time, in hours or days, that can elapse before the loss of a business function, the business offices, data center, production facilities, and/or service centers causes unacceptable financial and/or operational impacts to an organization (i.e., 0-24 hrs, 24-48 hrs, 48-72 hrs, 3-5 days). Recovery Point Objective (RPO) Measures how much data loss, in hours or days, is acceptable to an organization; the point in time at which backup data must be restored and synchronized by IT to resume processing. Most IT organizations usually have an RPO of at least 1 day (24 hours) because backups are usually performed after daily processing at night and transported to an offsite storage location early the following day. Resource Requirements The resources (e.g., people, equipment, supplies, vendors, telecommunications, vital records) required for the recovery of a business function, unit or entire company. Software List An inventory list of all software and associated vendors that is required for the recovery of a business unit or entire company. Vendor List An inventory list of all primary vendors (supplies)—including name, address, telephone number, and vendor representative—that provide an essential service or product required for the recovery of a business unit or entire company. Vital Records A critical business record required for recovering and continuing an organization's business operations. This may include employee information, financial and stockholder records, business plans and procedures, customer data and the Business Continuity Plan. 
Vital records may be contained on a wide variety of media, including, but not limited to, electronic (e.g., disk, CD-ROM), hard copy, microfilm, and microfiche. © 2014 Kestrel Management LLC Page 54
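The RTO and RPO definitions above are only useful if they are checked against the actual backup schedule and the actual recovery steps. The point the RPO definition hints at, and that a practitioner should verify, is that a nightly backup which has not yet left the site when the disaster strikes is destroyed with the site, so the effective data loss is the backup interval plus the offsite transport lag, not just the interval. The following Python script is an added example written for this guidance document, not a tool from the document or from Kestrel Management; the backup times, offsite lag, incident times, and recovery steps are constructed sample values, and the assumption that an onsite copy is lost with the site is stated in the code.

```python
from datetime import datetime, timedelta

# Constructed sample schedule (not from the document): the nightly backup job
# finishes at 23:00 and the media are driven to the offsite vault 7 hours
# later, at 06:00 the following morning.
BACKUP_COMPLETIONS = [datetime(2014, 11, day, 23, 0) for day in range(10, 18)]
BACKUP_INTERVAL = timedelta(hours=24)
OFFSITE_LAG = timedelta(hours=7)
RPO = timedelta(hours=24)   # constructed objective: at most one day of data loss
RTO = timedelta(hours=48)   # constructed objective: function restored within 48 hours

# Two constructed incidents on the same morning: one before the 06:00 pickup,
# one after it.
INCIDENT_BEFORE_PICKUP = datetime(2014, 11, 13, 5, 30)
INCIDENT_AFTER_PICKUP = datetime(2014, 11, 13, 6, 30)

# Constructed sequential recovery steps for one critical function.
RECOVERY_STEPS = [
    ("declare the disaster and activate the continuity team", timedelta(hours=2)),
    ("retrieve backup media from the offsite vault", timedelta(hours=4)),
    ("rebuild the server and restore the data", timedelta(hours=10)),
    ("verify the data and hand the system back to users", timedelta(hours=2)),
]


def hours(delta):
    """Express a timedelta in hours as a float."""
    return delta.total_seconds() / 3600


def usable_restore_point(backups, offsite_lag, incident):
    """Most recent backup that had already reached the offsite vault when the
    incident struck. Assumption: a copy still on the primary site at that
    moment is destroyed with the site and cannot serve as a recovery point."""
    usable = [b for b in backups if b + offsite_lag <= incident]
    return max(usable) if usable else None


def data_loss_hours(backups, offsite_lag, incident):
    """Hours of work lost, from the usable restore point up to the incident.
    Returns None when no offsite copy exists at all."""
    point = usable_restore_point(backups, offsite_lag, incident)
    return None if point is None else hours(incident - point)


def meets_rpo(backups, offsite_lag, incident, rpo):
    """True when the data loss for this incident stays within the RPO."""
    loss = data_loss_hours(backups, offsite_lag, incident)
    return loss is not None and loss <= hours(rpo)


def worst_case_loss_hours(backup_interval, offsite_lag):
    """Upper bound for a periodic schedule: an incident just before the newest
    backup leaves the site loses one full interval plus the offsite lag."""
    return hours(backup_interval + offsite_lag)


def recovery_hours(steps):
    """Elapsed recovery time when the steps are performed one after another."""
    return hours(sum((duration for _, duration in steps), timedelta()))


def meets_rto(steps, rto):
    """True when the sequential recovery finishes within the RTO."""
    return recovery_hours(steps) <= hours(rto)


if __name__ == "__main__":
    for label, incident in (("before pickup", INCIDENT_BEFORE_PICKUP),
                            ("after pickup", INCIDENT_AFTER_PICKUP)):
        loss = data_loss_hours(BACKUP_COMPLETIONS, OFFSITE_LAG, incident)
        ok = meets_rpo(BACKUP_COMPLETIONS, OFFSITE_LAG, incident, RPO)
        print(f"incident {label}: {loss:.1f} h of data lost, RPO met: {ok}")
    print(f"worst case for this schedule: "
          f"{worst_case_loss_hours(BACKUP_INTERVAL, OFFSITE_LAG):.1f} h")
    print(f"recovery takes {recovery_hours(RECOVERY_STEPS):.1f} h, "
          f"RTO met: {meets_rto(RECOVERY_STEPS, RTO)}")
```

With these sample values the incident at 05:30 falls back to the backup of two nights earlier and loses 30.5 hours of work, so a schedule that looks like "daily backups, 24-hour RPO" on paper fails the objective whenever the disaster hits before the morning pickup; the incident at 06:30 loses only 7.5 hours. Shortening the offsite lag (or replicating the backup offsite as soon as it completes) is what closes that gap, and the same check can be rerun against each business unit's own RPO from the BIA.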
