How to write a business continuity plan


Good afternoon everybody, thank you for joining us today. We are going to be running through how to write a business continuity plan. My name is James Watts, and to kick off I'm going to start with a little bit of housekeeping. We are scheduled today to be running for 30 minutes; hopefully that will include some time for Q&A. You should be able to see on the right side of your screen there is a section where you can type in any questions. It is just myself here today, so I probably won't be able to answer as I go. What I'll try to do is, if we have some time at the end, I'll run through any of those questions and answer as best I can.

If there is anything that I'm not able to answer at the time, or if we run short on time (I guess one of the downsides of trying to keep these webinars nice and short is that sometimes we do run long), I will make sure that we get back to everyone. I promise we always do respond to everyone individually, and if you have any questions that we think might be useful for the rest of the group, what we'll do is post those on our blog and make that available with the rest of the resources, which is to say this section in the middle there: the slides will be made available after this session. We are also recording the session today, so if there's anything that you need to refer to later on you certainly can do. We'll pull this together later on today and we will send it out along with some of the resources that we're going to be talking about during the session.

In fact, the first thing that I want to mention is a quick plug for a follow-up webinar that we're going to be holding at the end of this month. As part of building a business continuity plan there are lots of models and tools that are very useful in helping you build these out, and one of the things that we've been very hot on in the last few years at Databarracks is to try to build as many free tools as we can distribute that will assist in providing some help on each of those individual sections. Now, I'll make a note of when we're talking about one of those tools today, but we're not really going to have a chance to go through them in detail, so we thought what would be good is we'll have a second webinar at the end of the month and we'll really go through in detail how you use each of those tools and how you can get some benefit from them, but also how you can kind of put them all together to help you build out your business continuity plan. The link to register is there: it's dvd-audio forward slash toolshed, because we originally started building a toolbox full of tools and it grew so large we're now calling it toolshed. But we shall send out the link following this webinar, so you don't have to, if you would like to sign up.

So, to kick off, I'm going to start with a couple of frequently asked questions, or perhaps even some common misconceptions about business continuity planning. These are the questions that I think we hear most frequently, and they are the reason that we wanted to put this webinar on.

The first question is: what should a business continuity plan look like? Now, we deal with a lot of folks in the IT space who are often being pushed a business continuity project, and very often it will be the first time they've come to business continuity, and I think the first feeling is, right, I don't know where to start, how do I go about this? Secondly, what is a good business continuity plan, what does a good version of a business continuity plan look like? Should I be aiming to reach a really short, very actionable document that is a handful of pages, something very small that tells you specifically what you need to be doing in a disaster, or should I be looking for something really comprehensive, a really big, long, detailed tome? I think that unfortunately, as is often the case with questions around business continuity, the answer is very much that it depends. In some cases you may get away with something very small if you're a smaller business; in some cases you need something larger. I personally have always hated it when the answer to any question is "it depends", so I'll try to give an example of this.

Now, we host the Business Continuity Podcast at Databarracks. If you're interested in that we will include it in the links, but you can look it up on iTunes or go to the website, which is thebcpcast.com. One of the consultants said something really interesting in the interviews. In talking about some continuity standards, he had a friend's company, a really small business based up in the Lake District, a 10-person printing business, and they suffered some issues around a flood, and he said they were a textbook example of how you can do business continuity really well: they had systems hosted elsewhere, they were able to work remotely, they were able to source alternate suppliers and alternate facilities to continue production. But if you were to ask them about business continuity they wouldn't know what that was, and certainly wouldn't pass any kind of ISO standard for continuity. On the flip side of that, we've got some folks that we spoke to from the likes of BP, so enormous organizations, not just thousands of staff but 1,000 locations, and the method for maintaining continuity and having a plan set to keep that in place is obviously far more detailed; you don't have the organizational knowledge that can be contained when you're just looking after 10 members of staff and a small number of suppliers. So aside from the fact that we would always say a plan should always be as concise and succinct as possible, it very much is the case that it depends.

Which sort of leads to the following question, which is: where do I get started with this? I think probably a lot of you will know a lot of the terminology around business continuity; you'll have heard of things like a business impact analysis or a risk assessment and a risk register, but really not where to get into it. Very often what we'll see is that some will jump sort of right in at a relatively late stage in this process and they will start writing the business continuity plan, or in this case (it's an example document, one of the tools that you can download from our site) a template IT disaster recovery run book. Very often the problem you have here is that you're jumping straight into the plan without having done any of the legwork. So this is a bit of an admission here: the name "how to write a business continuity plan" probably isn't entirely accurate. What we're going to be talking about today is a little larger than that. It's not just about the plan; what we're talking about is a business continuity management system, it's how you put all those things together.

The good news, and the answer to where do you start, is you don't need to make all of this up from scratch. Although obviously it needs to be specific to you, there is a very mature and well-defined process for how you can go about doing this, and so our first piece of advice for today would be to go and take a look at this document. If anyone's been in business continuity for some time they'll certainly know the BCI, or the Business Continuity Institute's, Good Practice Guidelines. The folks that we spoke to in the Business Continuity Podcast were incredibly effusive about this document. It's not a dry standards document that isn't useful; it's actually very actionable and very helpful. If you are a member of the BCI you'll get access to it for free, but if not you can purchase it for 30 pounds. We'll include the link in the resources at the end of the session today. It really gives you an outline of exactly what you need to go about doing, and that's what we're going to be talking about today, so I'll run you through exactly how we recommend doing this.

So here's a kind of quick snapshot of the things that we'll be talking about, and you will notice this is all sort of top to bottom, in a very distinct order. Now that isn't always the case, and this will show this isn't a start-to-finish project; it isn't something you do once and leave, it is an ongoing cycle of maintaining and keeping up to date. But certainly for folks coming to this completely new there is a good process that you can follow that will get you from A to B.

So the first thing you need to do is set your policy, and that needs to happen at a very senior level, and it's the most important part: if you don't get this part right, obviously everything that follows thereafter is going to be compromised. So it's really important that you set out your management business continuity statement: what is it that you're trying to achieve, which of your services are in scope, what isn't in scope, what is it that you want to achieve from your continuity program? Secondly, and I think again this follows on and is incredibly important, you then need to select your teams and determine their responsibilities. Another issue that we'll often see, the reason that business continuity management tends to fail, is that it is under-resourced: there aren't the people who have the time assigned to actually work through these processes. So getting that team in place and making sure they have the resource and are able to take it on. Once you've got your team and you know what you're trying to achieve, then there's the grunt work, and so sections three to four here are about the analysis that you will do and some of the tools that you'll be using: going through and performing a risk assessment, cataloging your services and doing dependency mapping of how those services map to resources and assets. All of those sections, that's the planning; this is you looking internally and seeing what is it that we need to achieve, how do we do that. All of this has gone on, and you see in terms of the amount of work that would take place, it's probably (well, not perfect, it's not a bad indication) that that is half of the work that needs to take place. Now we get on to the section that most people jump ahead to, so implementing your mitigation strategy. This is once you've decided how you need to get back up and running, are you able to do that? That could be a disaster recovery contract, it could be alternate premises, it could be alternate suppliers, etc. And then agreeing your activation plans, or actually writing the plans of how you go about doing this, so that's your enacting. And then finally you have testing and exercising, and then how you maintain this, how you make it part of the business that you go about doing.

So let's jump in: policy, so setting up your policy. Now, if anyone happened to be on a webinar that we held probably a little while ago, I think last year, when we talked about an IT disaster recovery plan, I think I referenced my dislike for this particular model. But since then, in speaking with a number of people, I think it's the model that helps people to understand how all of this works visually. So we have, right at the top, your strategic priority. This, as I said, is why it's vital to get that policy set up correctly at the front end, because from there we have our management processes and our operational activities, and they lead on thereafter, and I think as a good model it helps us to understand what goes on. So we have status that would be escalated in the event of a disaster, and then command and control that is pushed downwards in terms of how we action these things in a disaster itself. But I think the thing that really helps people in understanding and looking at this model is the relationship between IT disaster recovery and business continuity planning. Very often we might speak with a business and say, do you have a business continuity plan in place? And they'll say, yeah, definitely, we have that; and in actual fact what there is is what one would call a run book: descriptions of how to bring servers up, what order they must come up in, something really technical, which often will work perfectly, but potentially what you have in that situation is a business that can be up and running with all of their servers up and flashing but no way for the business to actually carry on. Which is why it's so vital to carry out all of these activities that are in the earlier stages.

So you've set your policy, you've decided what is going to be in scope; who then do you need to be involved? We've got a quick model here of the different stages that take place during your business continuity planning and who's involved. As we said, it's vital that there is very senior management level buy-in in making business continuity a priority. They are the people who are responsible for setting that scope, but then they're also vital to make sure that continuity is embedded in the culture, to make sure that it runs throughout everything that you do. They will work with, we've got here, CMT. So CMT in this case is crisis management team, or your business continuity team. Now the number of people who would be involved in that will vary depending on the size of your organization. That could be just one person in smaller organizations; we certainly have seen it being taken on by IT folks, who can do a good job, and I think we certainly recommend that IT as a function is one of those areas in the business that, if you are a small business and you don't have separate risk and continuity people, they're the best people to get that all-encompassing view of the business and know what the vital services are and how to deliver those. But that could be, say, in a larger organization, that could be including risk, it could be including continuity personnel. So in terms of the order of how this all works: that strategy is set by your continuity or your risk owner, and that's done in collaboration with the crisis management team. But once that's set up, then the bulk of the planning work goes on in the business impact analysis, the BIA consultation, and that will be your continuity team going out and working with departmental heads to identify the important business functions, assign recovery objectives and criticality. This is all of the planning. And then finally it's the management, so it's putting all of this in place, and that predominantly won't happen in collaboration with department heads but being led by the continuity team. And then there's the final part, which is to make sure that the wider business, all of the staff, are aware of what those processes are if there is a disaster, of what they would need to be doing, and then of course they're vital to be involved in all of the testing and exercising.

So this is probably the most important part, I think, of what we're talking about today. The big bulk of good business continuity planning will happen here in the business impact analysis. This is doing all of the grunt work for you; this is the most important part of your planning. Now again, depending on the size of the organization, you may not need to use all of the analysis and tools that we have in the top right-hand corner here, but ultimately you will have the same objectives, and the output that you want from your business impact analysis is the same. So the quote that we have from the BCI Good Practice Guidelines in the middle is: it is the process of analyzing activities and the effect that business disruption might have on them. So your objectives are: to identify the types of impact the incident might have; to identify the most important business functions and the services that then support those functions; to then assign criticality to each of those services; to work out upstream and downstream dependencies that affect your ability to deliver (that could be power, that could be suppliers, that could be roads, etc.); and then to work out and set out your recovery objectives with your justification. Now, as I say, a small business would probably be able to look at that and work all of those things out relatively simply. For a larger business it becomes more difficult, and then it becomes more important to apply some analysis and tools. So we've got a list of different tools that you might use here: you might set out initially with working out a rating of the maturity of your resilience function; you would almost certainly be using a risk register and perhaps a matrix; you'll want to include some cost of downtime calculations and a figure for what is your maximum tolerable period of disruption, which is the maximum length of time that you would still be able to survive an incident; and you'll want to map some of those dependencies back. Now the other reason I've named each of those tools is those are all tools that we can provide; we have free tools that you can either use online or download and work through. We'll pop the links to that, and then we'll go through those in detail in the webinar at the end of the month. But the ultimate output is, once you've done all of this big work in your business impact analysis, it has passed out at the end of it all of the recommendations. You will then need to implement, and then to write up your business continuity plan, your IT disaster recovery plan, crisis communications plan, your crisis management plan, etc. All of the work will be done here, and it will make those following sections far easier for you to implement.

So a really quick word here on budgeting for continuity, which I think is probably one of the other most frequent questions that we would hear. Obviously we've talked about that being a management level objective to set that budget, but it is a fluid factor; there are some factors that you need to weigh in, and I think this is what we're trying to show here on this graph. So the red line is the cost of business disruption. As we know, at the bottom left-hand side you can have a ... which certainly I'm of the opinion that there are a lot of businesses where you can have an hour or two of downtime and actually the impact may be negligible in terms of real cost, but as that grows and becomes longer and longer that curve is going to steepen and your costs are going to ramp up. On the flip side we've got the black line, so that is the cost of your continuity solution. On the far right-hand side at the bottom, that is the cost of putting nothing in place: it will take you a very long time to recover from an incident. Whereas on the left-hand side at the top, that steepens sharply, and around the tongue twister ... I think probably to give an example here, if we were to talk about an IT disaster recovery example, we might mark on this graph recovery with a tape backup solution. Now that's going to be a relatively low cost but a relatively long time to recover, versus multi-site high availability, which will be high cost but will have very little downtime. And just to be clear, this doesn't apply just to IT. We can apply it to premises, the cost of having a second site, it's about connectivity or perhaps some other relationship with suppliers. But what we need to do is we need to set out where do we want to be on this. Now, to take this example a little further, if we were to look at IT disaster recovery (this won't be the case for certain other aspects), we can say, right, when we know this, this can then feed into our decision-making: we need a solution that will give us a recovery time objective of X and a recovery point objective of Y, and that then will dictate what our work recovery time is and what our maximum tolerable downtime is. There's a lot on here and we probably won't get through all of this in this session, but you can kind of refer back to it in the slides. What you can do is you can work this out and then you can map this against where you want to be, and you can say, right, well actually if we want to be here it's going to cost us X amount, if we want to be here it's going to cost us a different amount, and work through this and get to a figure that you're ... that ticks the boxes in terms of recovery but at the same time ticks the boxes in terms of the budget for continuity.


This is another section that is really important but I think is probably under-recognized and under-utilized, and that is to look at the mapping of your important functions through to your services. So here again we've got an IT example. I tried to make as many examples IT-centric as possible for today; having looked through the folks that we had who were registered to attend, it seemed we did have a big bulk of IT focus. So one of the things, I think, one of the things in IT we're very good at is we can say we know how long it will take us to recover this server, what's our process for recovering. Also, right, well, this bit of hardware I can get back in X number of hours. But obviously that's a very technology-centric view of this. What we should be focusing on is what's the service that we're actually delivering here. So this is one of the tools again that you can work through, and we'll use it to map the IT and the assets that power those services through to the service that you're delivering, and then what we can do is get an idea of the recovery times for email as a service rather than an email server or a hosted email service, and any other dependencies that it might have. We can extend this beyond IT. You can look at this as a manufacturer and say, I manufacture widget A; for me to be able to do that what I need is three different supplies from three different suppliers, I need a production process, and then I need X number of resources internally for us to deliver that. How quickly do I need to bring that back and what is my process for doing so if I were to lose any of those things?

So that's, this is a whistle-stop tour, and I will say, just throughout here, obviously this is an enormous subject to try and get through in 30 minutes, so we're covering things at a bit of a rate of knots. But this first section we've talked about, that was your internal planning; that was all of the work that you need to do to get yourself set up. So by this point what you will have is a good structure in place, you'll have the right people doing this, and then you will have a business impact analysis that tells you what you need to go out and implement.

And then the next stage is to implement. So a handful of things here to talk about. We're not just talking about IT; we are talking about people, about premises, about suppliers. I said that the most obvious example here might be your business impact analysis will tell you what we need to bring our systems back in a shorter length of time than we are able to do so at the moment, so we need to go and source a new solution that will allow us to do that. It could be we wouldn't have anywhere for our people to work from in the event of a disaster, so we need to find some work area recovery. Not all of these mitigation strategies need to be projects that you go out and commission, and they don't necessarily need to be something that costs money, but they need to be things that are then planned. Now it could be planning out what this process is and making sure we can then educate the workforce and let them know what it is they need to do. So this includes sort of the following thing: once you have then gone and implemented those strategies, now you can write it all up. I think hopefully you can see, from where we are in the length of time of the webinar, that we've gone through an awful lot at this point just to get to the point that I think most people dive into and start writing their continuity plans and their run books. This is a really easy process if you've been through those earlier steps; if not, and you've just come into it cold, it can be difficult, and obviously, as they say, we can sometimes be either putting in strategies that don't meet the need, or we can be overdoing it and over-providing for what's required.

A really quick kind of note here on agreeing a communication plan, and that's a few things. This could be communication externally: a media plan, a press plan of how you will communicate with them to let them know what is going on and how this is ... and how you're handling it; how you communicate with your customers; but then also how you communicate internally. I think we see a lot of examples of this; a really good one recently is Maersk, the global shipping and transportation company, who suffered an issue with NotPetya ransomware, and their CEO came out and said the one thing that they've learned from this is how you communicate internally. They ended up reverting to using WhatsApp for their internal communications, and now there are lots of companies who I know who are relatively small who will use WhatsApp as a method for them, but that's not something that you want to be working on or deciding at the time of the incident. Communications are absolutely vital. I think we often say you'd much rather have a recovery that doesn't go so well but you can communicate well than a really good recovery that is poorly communicated with everyone who's involved, because that can sabotage how well things will go. So there's a handful of methods you can use for this: you can use call trees, you can use internal contact cards. Ultimately the things that you need to do is the staff need to know where they need to go, they need to know what their next action is: is it to call into a telephone number to find out what the status is? And then finally the point we've got here is you can use a mass notification service. Now there's lots of really good mass notification tools that you can buy. Often we find, I think probably in our conversations with smaller businesses, is that they won't have anything in place; a lot of those tools are built for very large enterprises or for councils, etc. So one of the tools that we have is how you can build your own quickly and effectively for a really low cost, and again we'll send out the link to that shortly.

And then once it's all in place, you've written up that document, you have it, how do you then know all of this works? There is only one way to find that out, and that is to exercise and test. Usually at this point in any session where we talk about testing and exercising, someone will pop in a question and say be really clear about the semantics here, so

a lot of folks don't like the term testing, because a test will imply that you can fail, so you don't test a business continuity plan, you exercise that plan. With that being said, there are things that you can specifically test that will fail; the best example here is the recovery of the server didn't come up, wasn't working; that's a failure. And then, importantly, from working through your business impact analysis you have your objectives: you have recovery that you want to occur in X number of hours; does that work? The first metric that's most important for any testing and exercising is: did you do it? Because the big issue for a lot of people is finding the time to do this, so just being able to do that is a really good start. But then, have you met each of those objectives that you set out in your business impact analysis? And I think, as someone said in the Business Continuity Podcast, it's only a failure if you don't fix any issues. No one expects any of the exercising to go without a hitch; this is how you find, then refine, and you work back and improve any of that documentation.

So a kind of quick word here: because this issue is one of those areas where the issue is having the time to do this, there's a number of different kinds of tests that you can do. Obviously you can have a full test; you can have a partial test that will have a certain amount of user acceptance testing. We've built a tool that will help do tabletop testing, so it's a simulator that you can run through with a handful of different incidents such as IT failure, power failure, and working through a cyber incident. They take five, seven and ten minutes each; really useful exercises, I think, for particularly larger teams to work through and share throughout the whole team, so that everyone gets an idea of what this process is, and then hopefully it will give you ideas for your own tabletop testing that you can do internally.

That's the final slide then of all of these sections. This is what I was referring to at the start: I started with a long list of the things that we would talk about today in a table, sort of top to bottom, but that's not really what a business continuity management system should look like. This is from the Business Continuity Institute's Good Practice Guidelines, and it's a circle, and it's a circle because it doesn't stop; it goes on and on. So there's design that feeds into implementation and then validation, and then comes back to analysis and design, and goes round and round. The really important part, I think, of making sure this works properly, one of the, as I said, one of the biggest causes of businesses thinking that continuity programs don't offer them value, is that they're looked at as point-in-time exercises. You do it as a project, which works, it's great, you get all your documentation up to speed, but then it's left, it's not updated, and over time as things change that becomes less and less valuable, and you find that you then are in a really bad shape and need to come back to this. The way that you get around that is by making sure that you are feeding all of these things back in, you're staying on top of it, documentation is happening, testing is occurring, and ultimately you're staying resilient, not just becoming resilient one time every three to five years.

And that is us for time today. So I did say I'd try to get through and have some time for questions, but I'm always really keen that we stick to the schedule. I see that we do have some questions, so I will get back to everyone individually for that. Here is the list of the resources that we talked about, so no need to scribble these down right now; we will send these out to you afterwards along with the slides and a link to the recording. So I'd say thank you very much for joining us, I hope you'll join us again at the end of the month for the next webinar, and I hope you enjoy the rest of your day.

Thank you very much.
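As an added illustration of two points the speaker makes (mapping a service such as email through to the assets that power it, and checking the recovery time you can actually achieve against the RTO and maximum tolerable period of disruption set in the business impact analysis), the following Python is example code written for this page, not one of the Databarracks tools. Every service, asset, recovery time and objective in it is constructed sample data; the rule that an asset's effective recovery time is its own restore time plus its slowest upstream dependency is an assumption of this example, not a figure from the webinar.

```python
"""Map business services to the IT assets that power them, and check the
recovery time you can actually achieve against the objectives set in the BIA.

Added example for this transcript; not one of the Databarracks tools. All
services, assets, recovery times and objectives are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    recovery_hours: float  # time to bring this asset back once its dependencies are up
    depends_on: list = field(default_factory=list)  # upstream assets it cannot run without


@dataclass
class Service:
    name: str
    rto_hours: float   # recovery time objective agreed in the BIA
    mtpd_hours: float  # maximum tolerable period of disruption
    depends_on: list   # assets the service is delivered through


def asset_recovery_hours(name, assets, _path=()):
    """Effective recovery time of an asset: its own restore time plus the slowest
    upstream dependency (assumption: dependencies are recovered in parallel, each
    starting as soon as its own upstream assets are back)."""
    if name in _path:
        raise ValueError("dependency cycle: " + " -> ".join(_path + (name,)))
    asset = assets[name]
    upstream = [asset_recovery_hours(d, assets, _path + (name,)) for d in asset.depends_on]
    return asset.recovery_hours + (max(upstream) if upstream else 0.0)


def service_recovery_hours(service, assets):
    """The service is back only when every asset it depends on is back."""
    return max(asset_recovery_hours(a, assets) for a in service.depends_on)


def classify(achievable, service):
    """Verdict for one service against its BIA objectives."""
    if achievable > service.mtpd_hours:
        return "BREACHES MTPD"
    if achievable > service.rto_hours:
        return "MISSES RTO"
    return "OK"


def gap_report(services, assets):
    """One row per service: name, achievable hours, RTO, MTPD and the verdict."""
    rows = []
    for svc in services:
        achievable = service_recovery_hours(svc, assets)
        rows.append((svc.name, achievable, svc.rto_hours, svc.mtpd_hours, classify(achievable, svc)))
    return rows


def with_mitigation(assets, asset_name, new_recovery_hours):
    """Copy of the asset map with one asset's restore time changed, e.g. to model
    replacing a tape restore with replication before committing budget to it."""
    updated = dict(assets)
    old = updated[asset_name]
    updated[asset_name] = Asset(old.name, new_recovery_hours, list(old.depends_on))
    return updated


# Constructed sample dependency map (hours are illustrative, not measured).
ASSETS = {
    "power": Asset("power", 0.5),
    "wan-link": Asset("wan-link", 2.0, ["power"]),
    "active-directory": Asset("active-directory", 4.0, ["power", "wan-link"]),
    "mail-server": Asset("mail-server", 8.0, ["active-directory"]),
    "erp-database": Asset("erp-database", 24.0, ["active-directory"]),  # restored from tape
    "erp-app": Asset("erp-app", 2.0, ["erp-database"]),
    "hosted-web": Asset("hosted-web", 1.0),  # supplier-hosted, no local dependencies
}

SERVICES = [
    Service("email", rto_hours=12, mtpd_hours=24, depends_on=["mail-server"]),
    Service("order processing", rto_hours=8, mtpd_hours=24, depends_on=["erp-app"]),
    Service("public website", rto_hours=4, mtpd_hours=48, depends_on=["hosted-web"]),
]


if __name__ == "__main__":
    for name, achievable, rto, mtpd, verdict in gap_report(SERVICES, ASSETS):
        print(f"{name:<17} achievable {achievable:>5.1f}h  RTO {rto:>4.0f}h  MTPD {mtpd:>4.0f}h  {verdict}")
    # Candidate mitigation: replicate the ERP database instead of restoring from tape.
    faster = with_mitigation(ASSETS, "erp-database", 4.0)
    print("after replication:", gap_report(SERVICES, faster)[1])
```

The point of the report is the one the speaker makes: the email server on its own restores in 8 hours, but email as a service is not back until the directory and the network it depends on are back too, so the honest figure to set against the RTO is the whole chain. The `with_mitigation` helper lets you test a candidate strategy (here, replication in place of a tape restore) against the objectives before spending on it, which is the implement step fed by the BIA output.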