A Business Continuity Planning Checklist
By Nathan Rum
Some companies feel that a catastrophic event is unlikely, and that it is therefore not justifiable to put together a recovery plan. Some feel it is too costly, but may find out all too late that “an ounce of prevention is worth a pound of cure.” Other companies feel comfortable enough knowing their insurance coverage will pay for damages. Such companies may be surprised when a catastrophic event strikes and their insurance does not keep them from going out of business.
Insurance coverage may pay for property damage, extra expenses and business interruption, but it will not retain clients, employees or vendor relationships, or return the business to normalcy. Even when insurance provides funds, sometimes the payments come too late. The correct insurance coverage and insurance resources should be part of the overall disaster recovery plan, not a substitute.
A disaster recovery plan helps put a company back in operation in the shortest amount of time with the greatest degree of efficiency. A properly constructed written plan may help:
- Reduce downtime
- Maintain acceptable cash flow
- Preserve or grow customer base
- Continue supply of services/products
- Maintain employees
- Maintain reputation and public confidence
- Mitigate loss of investor/creditor confidence
- Mitigate legal liability
- Maximize insurance recovery and reduce insurance costs, etc.
The following checklist may be helpful when putting together your own disaster recovery plan.
Step 1: Finding The Right People
Identifying in advance what key tasks must be completed and assigning key personnel and outside resources to those responsibilities prevents bad decisions from being made under the duress of an emergency and helps speed up the process. This process also establishes senior management commitment and authority.
Create a Crisis Committee
The project manager should identify key areas of operations and assign individuals familiar with these areas to a crisis committee. The Crisis Committee should contain:
- Crisis Committee chairperson
- Information technology manager
- Telecommunications manager
- Human resources manager
- Security manager
- Public relations manager
- Insurance recovery manager
- Any additional executives and managers identified for a given risk
Recovery Support Teams
After the Crisis Committee is created, the first order of business should be to identify the key personnel, resources and suppliers needed in the event of a crisis. Those identified should be assigned specific tasks in the event of a crisis.
Step 2: Business Impact Analysis
The process of building the plan is as important as the plan itself. Executives and managers may become familiar with recovery issues by playing a role in the business impact analysis and building the recovery plan. The process alone may reduce the likelihood of a crisis by identifying and correcting vulnerabilities in policies and procedures that could lead to a business disruption. The team needs to fully assess the vulnerabilities of each operation to all risks (hazards, emergencies, etc.) identified. Steps in the business impact analysis include:
- Identifying “Super-Critical” business functions
- Identifying all risks or emergencies
- Assessing the impact of these risks on operations, including time cost and probability
- Assessing and evaluating the resources needed to correct, mitigate and recover
Step 3: Developing the Disaster Recovery Plan
Identify Critical Business Functions
Managers must identify and establish a hierarchy of the most important business functions of each operation, such as:
- Computer dependent functions
- Manual functions
- Emergency contingencies (i.e., Can computer functions be performed manually?)
Create an Alternate Site Contingency Plan
The alternate site concept lays the groundwork for developing your business recovery plan. You need to determine in advance where you will operate from in the event of a crisis.
- “Hot-site” — company owned or subscription
- “Warm-site” — secondary corporate location
- “Cold-site” — empty commercial space, mobile trailers
Develop I.T./Computer Documentation
Take a “snapshot” of all critical assets and procedures of the Department including:
- Network system: LAN, WAN, etc.
- Application software
- Back-up procedures
- Policies and procedures documentation, etc.
Develop Telecommunications System Documentation
Take a “snapshot” of all critical assets and procedures of the Telecommunications System including:
- Mission critical personnel equipment and lines
- Voice and data lines
- Receptionist console
- Owned cellular phones, etc.
Examine “Hard Copy” Files
The project team needs to examine typical documents in each critical hard copy file and to indicate for each whether the document is available on the computer network. Documents not on the computer network should be identified as possibly inaccessible or destroyed in a disaster scenario.
Create a “Backup Box”
Create a company “safe deposit box” for storage of items critical to recovery after a disaster at a location that will not be damaged in a crisis. Through the interview process, have your personnel determine their own critical contents necessary for them to be in operation immediately after a disaster, including:
- Client lists
- Employee emergency numbers
- Insurance policies
- Contracts & lease agreements
- Corporate letterhead & envelopes
- Company checks and deposit slips, etc.
- Business recovery plan
Determine Action Steps — Key Event Chart
Specify the recovery events that are necessary to restore company operations. The above steps will help in determining the hierarchy of important steps. A timeline should then be established, such as:
- Emergency response — first 24 hours
- Interim activities — next 48 hours
- Restoration & normalization — next 48 hours and beyond
Step 4: Proofing and Maintaining the Disaster Recovery Plan
Proofing the Plan — Department Simulation Meetings
- The project manager should determine which departments have complicated recovery issues that require separate simulation meetings to test their department’s response to their aspect of the recovery plan
- Following the “simulation meeting,” a written report should be sent to the Crisis Committee to be included in the overall recovery plan
- Once the initial plan draft is prepared, the Crisis Committee members should meet to “proof” the plan by way of a disaster emergency simulation led by the project manager
- Any changes should then be incorporated into the final plan document
Maintaining the Plan — Periodic Meetings
- Establish a periodic and formal review of the plan and procedures
- Update at any time for changes in operations or procedures
- Train and communicate to new employees
For more information on Business Continuity Planning, please contact Nathan Rum at NateRum@aol.com. He is Director of Marketing for Essential Services & Programs (ES&P) in Woodbury, New York, a firm that provides risk management services to regional clients including TPA, workers compensation cost containment, claims and loss control services. Visit Nathan’s personal Web site at http://members.aol.com/NateRum/nathanrum.html
riskVue | The webzine for risk management professionals
November 1999