The Business Continuity Management Desk Reference

By Jamie Watters

Guide to Business Continuity Planning, Crisis Management & IT Disaster Recovery with tools, techniques and templates for preparing your own DR & Business Continuity Plans (BCP).
A practical how to guide to Business Continuity that explains exactly what you need to do in the real world.
Written by an experienced consultant with 25 years industry experience of DR and Business Continuity.

• Language: English
• Publisher: Jamie Watters
• Release date: Nov 7, 2010
• ISBN: 9781907820014

Jamie Watters

I've had a varied management career working in programming, project management, programme management and operational management roles. A consistent theme over 25 years has been leading Business Continuity, DR and Data Centre remediation programmes. I've written books on Business Continuity, writing, self publishing and happiness. I have set up my own publishing company (Leverage Publishing) that focuses on non-fiction, business and self help titles. Specialties: Business Continuity, Disaster Recovery, Crisis Management, Business Continuity Planning, Business Impact Analysis, Disaster Recovery Testing, Work Area Recovery Testing, Incident Management, Risk Management, Prince 2, MSP, ITIL, COBIT, Project Management, Programme Management, Data Centre Migrations, Server Consolidations, Vitual Storage, Infrastructure Projects, Office Relocations, Desk Top Rollouts, Supplier Negotiation, Supplier Management, Print on Demand, POD, Lightning Source and e-books.

Book preview

The Business Continuity Management

Desk Reference

Guide to Business Continuity Planning,

Crisis Management and IT Disaster Recovery.

24th October 2010

Business Leverage Ltd

Jamie Watters

Published by Leverage Publishing at Smashwords

Copyright 2010 Jamie Watters

www.LeveragePublising.com

All rights reserved. No part of this publication may be reproduced or distributed in any form or by any means without the prior permission of the author / or publisher.

The material in this book is provided for educational purposes only. No responsibility for loss occasioned to any person or corporate body acting or refraining to act as a result of reading material in this book can be accepted by the author or publisher.

All trademarks are the property of their respective owners. Business Leverage is not associated with any product or vendors mentioned in the book accept where stated.

Unless otherwise stated; any third party quotes and images are included under fair use for comment, news reporting, teaching, scholarship and research.

Contents

1. Introduction

2. Business Continuity Management (BCM)

3. Kick start your Business Continuity

4. Getting started – First things first

5. Preparing the plan

6. IT Disaster Recovery

7. Business Recovery

8. Testing

9. Maintenance

10. Education and Awareness

11. Managing a Disaster

12. Return to Normal Operations

13. Governance and Reporting

14. Selecting and Managing Continuity Suppliers

15. Managing Supply Chain Continuity

Appendix

Appendix A – Criticality Levels

Appendix B – Roles and Responsibility Matrix (RACI)

Appendix C – Suggested BCM Timetable

Appendix D - Useful sources of reference & contacts

Appendix E – Continuity Assessment Questionnaire

Appendix F – Crisis Management Team Roles & Responsibilities

Appendix G - Call Cascade

Appendix H – Basic BCP template

Appendix I – BIA Questionnaire

Appendix J – BCM Standards

Appendix K – Severity Levels

Appendix L – Mapping Severity Levels to Criticalities

1. Introduction

Key Points of this chapter:

• Discusses how Business Continuity has evolved and where it is now.

• Explains why you should read this book

• Set out why you should listen to me

• Provide you with an overview of the book as a whole

Audience

This chapter should be of interest to everyone. It’s especially useful as a roadmap if you want to dip into the book rather than reading it cover to cover.

Business Continuity Now

Business Continuity has emerged in the last few years. It was born in high risk and highly regulated industries, but is spreading rapidly into all sectors and every type of organisations.

Originally, it was the domain of a few elite consultants; now having moved into the mainstream, it’s become a business as usual activity that’s performed by everyday people.

Historically, consultants charged a premium for their skills and knowledge to organisations that had no choice but to pay up for bespoke consultancy engagements. Now, with its proliferation and the multitude of practitioners embedded inside organisation continuity has been commoditised. This commoditisation is a good thing, as organisations need Business Continuity Management in place quickly, at the lowest cost and without pain.

This book covers the key aspects of Business Continuity and is written so that anyone can pick it up, read it then go and do it. It tells people what they have to do, it gives them simple tools to use and tells them what questions they need to ask and who they should be speaking to.

Purpose – why read this book?

I want to help people avoid the trial and error experience that my peers and I had to suffer as we gained knowledge and experience. I want to pass on my learning and save my readers the pain and anxiety that I had to go through.

So if you want to avoid the pain and learn all the essential aspects of Business Continuity, then this book is for you.

The aim of this book is to explain (in simple terms) all the key elements of Business Continuity for people that need to:

• Learn the basics of Business Continuity fast;

• Get something in place today so they’ll have a chance if disaster strikes tomorrow;

• Avoid the principle mistakes and be able to challenge issues that may exist;

• Prepare solid plans that people find easy to use and maintain;

• Identify and fix contingency related gaps in their systems, processes or people;

• Test their continuity plans and the people, suppliers and technology that they depend on;

• Make sure that all their staff know what to expect if disaster strikes and what they will need to do;

• Be compliant with the demands of internal auditors, external regulators and business partners that expect them to have solid Business Continuity that they can demonstrate;

• Extend Business Continuity into their suppliers and business partners so that third parties are able to meet their needs;

• Keep all the plans, scripts, solutions, etc. up to date without making it into a full-time job.

If you need to do any of these things read on, this book is for you!

Who should read this book?

This book is relevant to anyone that is in anyway involved in Business Continuity, Crisis Management and DR.

This list includes:

• Business Continuity Managers

• Business Continuity Co-ordinators that look after local plans and do the day to day administration and testing for their department.

• Executives that are accountable for the continued smooth running of their business, funding Business Continuity and making sure it meets the underlying business need.

• Technicians that support Business Continuity or DR solutions and are involved in testing or have responsibility for some element of the recovery of their business.

• Staff that have a role to play in preparing plans, testing or who have responsibilities in disaster recovery situation.

• Auditors who are responsible for making sure that the organisations Business Continuity arrangements meet business needs.

• Sales people that may sell Business Continuity or need to include an element of Business Continuity in their offerings. e.g. DR for their services, etc.

• Suppliers that need to meet their customers’ needs in regard to Business Continuity and DR.

• Suppliers that sell Business Continuity or DR services.

Practices to underpin frameworks

There are many excellent BCM frameworks like BS25999 and AS / NZS 5050. They all set out what you have to do and to some extent what you should learn, but in general they don’t tell you how. How do you analyse a BIA, how do you plan and deliver a DR test, how do you keep your staff informed, how do you keep your plans updated? In writing this book, I’m trying to plug that gap by sharing my experience and what I actually do.

BCM is an emotive subject; many practitioners are precious about what they do. To be frank, I don’t care what we do. I only care about getting results efficiently, effectively and doing it well.

For this reason, if you read anything in this book and think of a better way of doing things don’t think badly about me; think, Jamie should know this and take the time to gather your thoughts and lets me know so I can, improve what I do and improve this book too!

Why listen to me?

First, I’ve spent most of the last 25 years working in Business Continuity and IT Disaster Recovery related roles and have learnt much of what there is to know.

To be frank, it’s not been 25 years experience, it’s been more like a year here and there repeated for many years before the penny finally dropped. So, like most people that boast about years and years of experience I have something more like 2 years experience that’s taken me 25 years to get.

Now, what I’m offering you is the chance to exploit my mistakes and gain my insight in days, not months or years!

One of the key issues I’ve faced, and an issue that will probably concern you too, is how to deliver Business Continuity through people that have other full time roles that are nothing to do with Business Continuity; people for whom Business Continuity is a pain and a distraction from their main role.

I’ve come to realise that when creating a Business Continuity Programme it’s essential that it’s built with this reality in mind. It must address the deeper technical issues but without needing full time experts to make it work.

In short, I’ve had to learn the art of making Business Continuity simple and suitable for people that only look at their Business Continuity Plans once or twice a year. Wherever possible I’ve demystified it, so that when people come back to their plans nine months down the line, it’s like a hot knife through butter. If you want to learn to make it simple, then I hope I’m your man. If you want to immerse yourself in lots of bleak and mindless terminology then good luck, you’ll need it.

Structure

The book is structured so that you can either dip in as you need to or read it section by section. The section are organised as you should approach Business Continuity.

If sections don’t apply, for example, you might not have any third parties, feel free to skip them!

I’ve tried to highlight the relevance of each chapter at the beginning so you can decide in a few moments if it’s worth reading on.

Each chapter contains:

• Key Points – sets out the main points of the chapter to help you gauge its relevance.

• Audience - try to make it clear if you should read it.

• Main body – explores the key points of the chapter in detail

• Action plan – re-iterates the steps that will help to get you started

There are appendices that include useful things like checklists, templates and processes that you can use to get your own Business Continuity up and running.

These can also be downloaded from the web site.

The following gives a brief description of each chapter:

2. Business Continuity Management (BCM)

Explains a Business Continuity life cycle, introduces the various Business Continuity roles and outlines some key concepts that underpin Business Continuity.

3. Kick start your Business Continuity

This chapter is for people that currently have little or no Business Continuity in place. Its purpose is to help these people to get the basics in place very quickly; so that they’ll have a much better chance of surviving if disaster strikes tomorrow.

4. Getting started – First things first

In Business Continuity, like every discipline we start by establishing the requirements. In particular, we normally start by establishing what is critical in your business, so that you can be sure to recover the business if disaster strikes. This process is called Business Impact Analysis (BIA) and is the focus of Getting Started.

5. Preparing the plan

The Business Continuity Plan describes what you’ll need to do in a disaster to keep your business running or if it’s stopped, what you’ll need to do to get it back up and running. It sets out the structure of a Business Continuity Plan and gives you the help you’ll need to get yours correctly populated.

6. IT Disaster Recovery

IT Disaster Recovery or DR for short; is how you protect and recover your critical IT services. This chapter explains the basic concepts of DR and tells you what you’ll need to do to get it up and running in your organisation and how to know if the DR you currently have is any good?.

7. Business Recovery

Business Recovery explains how to keep your critical business processes running during and after a disaster. This chapter explains the key aspects of business recovery and how you can get them in place as quickly as possible.

8. Testing

Once you have your plans and solutions, you have to make sure that they work. Testing is the principle way of providing assurance about your Business Continuity and DR. This chapter explains testing and describes how to go about it:

9. Maintenance

Maintaining your plans, solutions and skills is essential if your Business Continuity and DR is going to work on the day you need it. This chapter covers exactly what things you’ll need to maintain and the best way to go about maintaining them.

10. Education and Awareness

Having people that understand their responsibilities and are ready to perform in stressful situations is key to an organisations survival if disaster strikes. This chapter set out how you go about understanding your organisations educational needs. It also explains how to deliver a programme that informs every one of their responsibilities and prepares all key staff to act appropriately in potential disaster scenarios.

11. Managing a Disaster

The other decisive factors in business survival are: 1. how you respond to the incidents; 2. how you make decisions; 3. how you communicate information; and 4. how you monitor that your actions are working.

This chapter explains command and control in a disaster situation and helps you to set up a Crisis Management team that will get you out of the tightest squeeze

12. Return to Normal Operations

Getting your business back to normal operations can be a challenge. This chapter sets out what you need to do in order that you can revert from a disaster mode of operation to normal operations, and how to do it while minimising the risks of something else going wrong.

13. Governance and Reporting

Making sure that everything is under control is an essential business practice and something that every manager is keen to demonstrate. This chapter sets out policy, process and the key reports you’ll need for appropriate governance of Business Continuity. It also sets out how you can have all these elements of governance without creating a cottage industry.

14. Selecting and Managing Continuity Suppliers

If you work with suppliers who help you to deliver Business Continuity and DR, this chapter explains how to select the right partner and make sure that they deliver what’s been agreed.

15. Managing Supply Chain Continuity

With many businesses depending on third parties to provide critical services, products or resources it’s essential to make sure that suppliers have adequate contingency arrangements. You need to insure that they can continue to deliver your critical services if they experienced an interruption.

If they can’t provide this assurance, you need to ensure that alternative suppliers are available in time to prevent a supplier interruption becoming a disaster for you. This chapter explores this issue and sets out some simple actions that will expose the risks and make sure that you get them covered.

Acknowledgements

Before going further, I have to thank a few people. First, I have to thank my wife Janet for her enduring support and patience. Thanks also to my three children: Libby, Freya and Ben, who inspired me. Finally thanks to my dad Doug for making me a better person.

I’d like to thank all the people that have helped with their council, insight, wise words, criticism, innovation, support and good practice over the years; in particular: Ian Francis, David Thompson, Kamlesh Parmar, Ray Trapnell, Ann Freeman, Sam Fox, Martin Kavanagh, Karen Duggan, Mary Shearer, Karen Payne, Lee Hawkins, David Tomlinson, Alison Fitzgerald, Richard Bridgford, Tim Armit, Andy Tomkinson, John Tucker, Mark Liddington, Keith Tilley, Adrian Jenkins, Julia Graham, Luke Bazzard, Lee Webb, Vicki Gavin, Andrew McCracken, Linda Hall, Chris Keeling, David Shaw, Jeremy Burns, Ken Clarke, Paul Ingham, Tony Hulse, Pele Johnson, Keith Oldham, Mark Dignum, Christine Shevlin, Karla Covington, Tim Musson, Bill Nadakow, Lauren Mayle, Dan Bridge, Paul Cowan, Nick Simms, Jane Hamill, Karen Woodward, Nigel Fenton, Kerrie Smith, Howard Goodman, Catherine Edwards, Martin Byrne, Rebecca Roberts, Phil Cloke, Neil Elkins, Mike James, Martin Nowokowski, Andrew Hartley, Sanjeel Raza, Ravi Raveendran, Andy Todd, Soterios Papayiannis, Karen Azzopardi, Cath Stringer, Karen Fogarty, Derek Mason, Peter Lightfoot, James Swansborough-Smith, Jane Swansborough-Smith and Howard D’Silva.

I have to say a final thanks to Aaron Shepherd and Dan Poynter without whose generosity there’d be no book, no Leverage Publishing and I’d be on the train reading instead of writing.

2. Business Continuity Management (BCM)

In this chapter we introduce the key concepts of Business Continuity, explain how an organisation should approach Business Continuity and explore the roles that underpin Business Continuity.

Key Points:

• Explains why we have Business Continuity

• Describes how Business Continuity is delivered

• Introduces some basic concepts and vocabulary

• Introduces the key roles for people involved

• Outlines some key standards for Business Continuity & DR

• Identifies further sources of reference, services and support

Audience

This is basic grounding and is relevant for everyone; though if you’re familiar with the key concepts feel free to skip ahead.

What is Business Continuity Management

Business Continuity Management is both a process and a discipline. It exists to avoid any interruptions that could lead to either significant losses or a failure to achieve the organisations principle objectives.

Business Continuity as a Process

The process or Business Continuity Life Cycle describes how any organisation should go about Business Continuity i.e. ensuring that critical activities are performed no matter what else is happening.

The process is cyclical, and follows the same basic steps as most processes of continuous improvement. See Figure 1 - Business Continuity Process Life Cycle

The process first understands what constitutes a critical process, then plans how this will be maintained, then designs and delivers supporting solutions, then tests it all, until ultimately it keeps it all maintained and repeats itself ad-infinitum.

Figure 1 - Business Continuity Process Life Cycle

Business Continuity as a Discipline

The discipline is the collection of people and teams in your organisation that are responsible for the various steps that make up the Business Continuity life cycle. Business Continuity is also responsible for monitoring incidents