Creating a Business

Continuity Plan

Micky Hogue, CRM

Sandia National Laboratories
Albuquerque, NM
505-844-6640
[email protected]

What We’ll Cover...

“ What is a Business Continuity Plan
“ Why create a BCP?
“ How is it used?
“ What should it contain?
“ What are the roles and responsibilities of
Recovery Teams?
“ Alternate Sites
“ Establishing Requirements
“ Vital Records
“ Final Reports & Documentation Needed

What is a BCP?
“ It is a plan that gives a recovery team
the information it needs to:
“ Recover from a disaster
“ Continue the business operations

“ Return to normal operations

1
How is the BCP Used?
“ As a ready reference for all information
needed during the recovery phase
following a disaster
“ Lists strategies & priorities for recovery
“ Lists contact information for recovery
assistance & personnel
“ Outlines the stages and flow of the
recovery process

What Should a BCP Contain?

“ A general overview of the recovery effort,
strategies and functions to recover
“ Initial response / escalation procedures
“ Alternate site information
“ Recovery procedures
“ Restoration / migration of information
“ Calling lists
“ Documentation needed at the time of the
disaster

General Overview
“ General Overview of the Organization
“ Managers & contact information
“ Assembly sites—evacuation & alternate
“ BCP coordinators & contact information

“ Recovery site information

“ Critical dependencies
“ Important deadlines
“ Important agreements

2
 General Overview (cont’d)
“ Recovery Strategies
“ Address the priority that you wish to use to
recover your information assets
“ Include the identification of the assets, their
location, and why important
“ Establish the strategy to follow for several
days during the recovery
“ Uses the Vital Records plan to establish
those priorities.

Initial Response / Escalation

Procedures
“ Notification checklist
“ Who do you call? What are their numbers?
“ In what priority do you call?
“ Security / 911
“ Building Management?
“ Department Manager?
“ Declaration Procedures
“ Initiate Evacuation Procedures
“ Account for all Personnel
“ Alert recovery site
“ Assess severity of situation
“ Activate Recovery Team

Initial Response / Escalation

Procedures – task check list
# TASK Responsi- Date / Done?
bility Time
1. Call local authorities.
Call local emergency number (911, or 9-911, as
appropriate.
2. Notify Security
Call the 24-hour number (XXX-XXX-XXXX)
3. Notify building management.
Notify building management office at XXX-XXX.

4. Notify the business unit manager.

5. Initiate evacuation procedures.

Evacuate the premises, if appropriate.
6. Account for personnel.
Assemble at a pre-designated assembly site for
the post-evacuation head count; ensure that the
business unit has updated home telephone
listings for all personnel.

3
Declaration Procedures
“ Determine procedures for when to
declare a disaster
“ Determine who can declare a disaster
“ Establish Authorities and contact info
“ If must activate a hotsite, make sure
these persons can also activate that site
through the vendor

Organizational Recovery Teams –

Roles & Responsibilities
“ Management Team --- Planning
“ Appoints business recovery coordinator to
oversee plan development & maintenance
“ Confirms essential functions & acceptable
downtime for recovery efforts
“ Approves alternate site / relocation decisions
“ Sets test objectives—requirements to be met
“ Reviews test results, ensures corrective measures
are detailed and actions taken

Organizational Recovery Teams –

Roles & Responsibilities
“ Management Team – Recovery
“ Assesses the level of disaster
“ Activates the disaster recovery plan
“ Monitors recovery process

“ Approves expenditures related to event

4
 Organizational Recovery Teams –
Roles & Responsibilities
“ Business Recovery Team - Planning
“ Coordinates plan development
“ Performs business impact analysis &
documents it to determine maximum time
you can be down
“ Ensures equipment & facilities are
available at alternate site
“ Ensures records & resources are protected
& available at alternate site
“ Tests & updates plan on a regular basis

Organizational Recovery Teams –

Roles & Responsibilities
“ Business Recovery Team – Recovery
“ Initiates disaster notification process
“ Serves as liaison between organization
and senior management team
“ Serves as a team leader for the
organizational recovery team
“ Tracks progress / completion of recovery
activities
“ Submits final disaster assessment reports

Organizational Recovery Teams –

Roles & Responsibilities
“ Organizational Recovery Team – Planning
“ Develops procedures to cover essential
business functions
“ Identifies resources needed to support
recovery
“ Works with tech support to plan & execute DR
exercises
“ Ensures all staff are familiar with plans
“ Develops & reviews test plans
“ Oversees corrective actions if necessary

5
Organizational Recovery Teams –
Roles & Responsibilities
“ Calling Trees
“ Allstaff – work & home contact information
“ Need 24 hour notification information

“ Establish individual responsibilities for

notifying others at the time of a disaster
“ Must be kept up to date!!

Alternate Site
“ Develop a Recovery Site Checklist
“ Confirm you can move to the site
“ Verify the site requirements
“ Facility
“ Telecommunications
“ Furniture

“ Equipment

“ Security

Alternate Site
“ Verify operating requirements
“ Staffingassignments schedules
“ Systems accessibility
“ Redirection of reports

“ Retrieval of vital records from offsite

“ Supplies / forms

“ Reroute phones / data lines

6
Alternate Site
“ Notification
“ Personnel
“ Applications support / tech support
“ Administrative areas (mail, etc.)
“ Key customers
“ Critical vendors

“ Periodically
report status to
management

Establish Requirements
“ Requirements Matrix – lists of what you need
“ How much staffing required?
“ Equipment needed? Make, Model & Speed
“ Computers, fax machines, data lines, printers
“ Desks, chairs, cabinets, etc.
“ Forms, office supplies
“ Software needed?
“ Any software critical to your function, not commonly
found in other departments
“ Help to bring it up and running – tech support people

Vital Records
“ Where are they located?
“ Can anyone find them– firemen, 1st
responders, etc.?
“ Can you contact off-site storage?
“ Do you know what to order?
“ Keep a list of your vital records,
locations, accessibility with your BCP
“ Keep it updated!

7
Establish Recovery Procedures
“ Procedures to Activate Teams
“ Establish new telecommunications
“ Voice recovery
“ Data recovery
“ Vendor connectivity
“ Platform restoration
“ Server applications
“ Desktop applications / WAN
“ Retrieval of Vital Records

Establish Recovery Procedures

“ Reconstruction Procedures
“ Interim operating procedures
“ Validating restored applications
“ Identifying & re-entering lost transactions
“ Processing backlogged work
“ Alternate processing procedures
“ Logon procedures
“ Voice mail instructions
“ Printer selections, etc.

Restoration & Migration

“ Establish a checklist of important steps
so nothing is missed.

8
No. Relocation Tasks Responsi- Date/ Don
bility Time e

Move to Interim Site/ Return to Home Site

1 Evaluate/Select interim sites

If unit cannot return to home site within six weeks, recovery team
leaders will work with Real Estate Services to find an interim site.

2 Plan the relocation.

Review requirements and plans for moving with your
Real Estate Services representative.

3 Furnish the interim Site.

Consider: space, special work area, telecom, security,
environmental requirements, furniture, office equipment,
special equipment, recovery plan, operation manuals,
other special needs and supplies.

4 Install the technology infrastructure.

Work with Telecom to ensure that the voice and data
infrastructure is in place.

5 Hire a moving company.

Obtain packing boxes at least one week prior to the
move date.

Develop Calling Lists

“ You will need help to recover—don’t be
afraid to ask for help
“ Applicationssupport – vendors, companies
own tech people
“ Personnel – others at your company who
might be able to help
“ Customers – need to be informed
“ Vendors – can supply needed materials,
equipment

Documentation Needed
“ Recovering a business costs money!
“ Be prepared to spend it!
“ Request a credit card increase—have
letters ready to go, and who to fax them
too.
“ Expense logs—these expenses may be
reimbursable by the insurance company
“ Recovery Hours – people want to get paid
for their hard work

9
Documentation Needed
“ Recovery Status Report
“ Lists location of disaster, personnel status,
recovery status, etc.
“ Discusses move to alternate sites or recovery in
place
“ How did event impact others in company /
customers, etc.
“ Where do you stand on backlogged work?
“ Was there legal or regulatory impact?
“ Was there impact to highly critical projects?
“ When do you anticipate move back to “home”?
“ What expenses have been incurred?

Summary
“ Plan, Plan, Plan
“ Gather as much critical information on what
you will need to recover before an event ever
happens
“ Establish procedures for recovery
“ Establish priorities for recovery
“ Keep people informed
“ Keep a record of what happened for a
“lessons learned” evaluation

Questions?

10