Checklist Description
This checklist describes the actions that organizations should take to prepare for events that may curtail their ability to function.
Definition
In order for a company to be prepared to recover from the impact of a disaster such as a fire, flood, or explosion, it has to identify its key functions and the risks that are faced. Critical activities and resources can be identified through a business impact analysis (BIA), while a concurrent risk assessment will aid recognition of threats.
The aim of analysis is to create two types of plan, which may overlap. An incident management plan covers the initial impact, including procedures such as evacuation. The longer-term business continuity plan prepares an organization to keep delivering key products and services afterwards.
Plans have to be tested to ensure that they work. Staff also have to be trained in the procedures. The frequency of planning exercises depends on the speed of change within an organization and the outcome of previous drills where weaknesses have been identified.
The British Standards Institution (BSI) has developed the standard BS 25999 for business continuity management. In North America the equivalent is the National Fire Protection Association NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity Programs. Globally, the International Organization for Standardization (ISO) has published the ISO/PAS 22399:2007 Guideline for Incident Preparedness and Operational Continuity Management.
Advantages
- Having a continuity plan in place gives peace of mind. You may never need it, but it’s there if the worst happens.
Disadvantages
- Failing to prepare for disaster could result in serious financial loss or even bankruptcy if there is a major incident.
Action Checklist
1. Undertake a business impact analysis
- Identify the products and services that will suffer the greatest impact as a result of disruption.
- Break the results down to analyze the impact on output from disruptions lasting 24 hours, up to two days, up to a week, and up to two weeks.
- Identify the so-called “maximum period of tolerable disruption” of service and product delivery that the organization can cope with before its viability is threatened.
- Set a recovery time for each of the key products and services, allowing for unforeseen difficulties.
- Create a document listing the activities required to deliver the key products and services.
- Ensure that the necessary resources are allocated to meet the requirements.
2. Carry out a risk assessment
- Identify the risks to the organization, including loss of staff, key suppliers, utilities, access to premises, IT, and telecommunications systems.
- Establish the likelihood of each risk.
- List existing arrangements for dealing with the risks.
- List arrangements that should be put in place to deal with the risks.
- Assign a likelihood score to each risk.
3. Decide what action the organization should take for each of the identified risks; for example:
- Deal with the risk by planning to continue service and product delivery at an acceptable minimum level.
- Tolerate the risk if the cost of its reduction outweighs the potential benefits.
- Transfer the risk to a third party or take out insurance.
- Terminate the activity. In some circumstances, particularly where an item is time-sensitive, it may be appropriate to suspend delivery.
4. Develop, publish, and circulate plans
- Establish an overall plan, then decide how many plans are required within it. This will depend on the size and scope of the organization.
- State the purpose and scope of each plan.
- Identify who owns each plan and is responsible for its maintenance.
- List the individuals and their roles within the plan.
- Describe the circumstances in which, the methods by which, and the people by whom the overall plan and its individual components are invoked.
- List appropriate contact details.
- For the initial response to an incident, list the tasks, responsibilities, and methods by which they are to be communicated.
- For business continuity, outline critical activities, the process by which they are to be recovered, and the timescale.
5. Test, maintain, and review plans
- Parts of the plan can and should be tested, such as back-up power, contact lists, and the process of activation.
- Staff should be brought together for training to discuss plans and identify weaknesses.
- Scenario-based desktop exercises can be used to validate plans and train key staff.
- Live exercises can cover one aspect of a plan, such as evacuation, or test a full plan.
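As an added illustration of steps 1 to 3 (not part of the original checklist), the following Python script models a small business impact analysis and risk register: it checks that each recovery time sits within the maximum period of tolerable disruption, and ranks risks by likelihood multiplied by the worst impact on any affected activity at a chosen outage length. The activities, risks, likelihood scores and the 0 to 4 impact scale are all constructed assumptions.

```python
from dataclasses import dataclass

# Disruption windows from step 1 of the checklist, in hours: 24 h, 2 days, 1 week, 2 weeks.
WINDOWS_H = (24, 48, 168, 336)

@dataclass
class Activity:
    name: str
    impact: dict      # window hours -> impact score 0..4 (constructed scale)
    mtpd_h: int       # maximum period of tolerable disruption, hours
    rto_h: int        # recovery time set for the activity, hours
@dataclass
class Risk:
    name: str
    likelihood: int   # 1 (rare) .. 5 (almost certain), constructed scale
    affects: tuple    # names of the activities this risk disrupts
    treatment: str    # continue | tolerate | transfer | terminate (step 3 options)

def rto_exceeds_mtpd(activities):
    """Activities whose recovery time is longer than the organization can tolerate."""
    return [a.name for a in activities if a.rto_h > a.mtpd_h]

def impact_at(activity, hours):
    """Impact of an outage lasting `hours`, read from the longest analysed window it reaches."""
    covered = [w for w in WINDOWS_H if w <= hours]
    return activity.impact[max(covered)] if covered else 0

def rank_risks(risks, activities, outage_h=336):
    """Order risks by likelihood x worst impact on any activity they affect."""
    by_name = {a.name: a for a in activities}
    scored = []
    for r in risks:
        worst = max(impact_at(by_name[n], outage_h) for n in r.affects)
        scored.append((r.likelihood * worst, r.name, r.treatment))
    return sorted(scored, reverse=True)

# Constructed sample register; not data from any real organization.
ACTIVITIES = [
    Activity("order processing", {24: 1, 48: 2, 168: 4, 336: 4}, mtpd_h=168, rto_h=48),
    Activity("payroll", {24: 0, 48: 0, 168: 2, 336: 4}, mtpd_h=336, rto_h=168),
    Activity("customer support", {24: 1, 48: 1, 168: 3, 336: 4}, mtpd_h=168, rto_h=336),
]
RISKS = [
    Risk("loss of premises (fire)", 2, ("order processing", "customer support"), "continue"),
    Risk("telecoms outage", 4, ("customer support",), "transfer"),
    Risk("payroll provider failure", 3, ("payroll",), "tolerate"),
]

if __name__ == "__main__":
    print("RTO exceeds MTPD:", rto_exceeds_mtpd(ACTIVITIES))
    for score, name, treatment in rank_risks(RISKS, ACTIVITIES):
        print(f"{score:2d}  {name:<26} -> {treatment}")
```

Running it flags "customer support" (its recovery time is longer than the tolerable disruption) and lists the telecoms outage as the highest-scoring risk over a two-week outage.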