Good afternoon everybody, thank you for joining us today. We are going to be running through how to write a business continuity plan. My name is James Watts, and to kick off I'm going to start with a little bit of housekeeping. We are scheduled today to be running for 30 minutes; hopefully that will include some time for Q&A. You should be able to see on the right side of your screen there is a section where you can type in any questions. It is just myself here today, so I probably won't be able to answer as I go. What I'll try to do is, if we have some time at the end, I'll run through any of those questions and answer as best I can.

If there is anything that I'm not able to answer at the time, or if we run short on time (one of the downsides of trying to keep these webinars nice and short is that sometimes we do run long), I will make sure that we get back to everyone. I promise we always do respond to everyone individually, and if you have any questions that we think might be useful for the rest of the group, what we'll do is post those on our blog and make that available with the rest of the resources. Which is to say the slides will be made available after this session. We are also recording the session today, so if there's anything that you need to refer to later on you certainly can do; we'll pull this together later on today and we will send it out along with some of the resources that we're going to be talking about during the session.

In fact, the first thing that I want to mention is a quick plug for a follow-up webinar that we're going to be holding at the end of this month. As part of building a business continuity plan there are lots of models and tools that are very useful in helping you build these out, and one of the things that we've been very hot on in the last few years at Databarracks is to try to build as many free tools as we can distribute that will assist in providing some help on each of those individual sections. I'll make a note of when we're talking about one of those tools today, but we're not really going to have a chance to go through them in detail, so we thought what would be good is to have a second webinar at the end of the month where we'll really go through in detail how you use each of those tools, how you can get some benefit from them, but also how you can put them all together to help you build out your business continuity plan. The link to register is there, it's dvd-audio forward slash toolshed, because we originally started building a toolbox full of tools and it grew so large we're now calling it a toolshed. We shall send out the link following this webinar so you have that if you would like to sign up.

So to kick off, I'm going to start with a couple of frequently asked questions, or perhaps even some common misconceptions about business continuity planning. These are the questions that I think we hear most frequently, and they are the reason that we wanted to put this webinar on.
The first question is: what should a business continuity plan look like? We deal with a lot of folks in the IT space who are often being pushed a business continuity project, and very often it will be the first time they have come to business continuity, and I think the first feeling is 'right, I don't know where to start, how do I go about this?' Secondly, what is a good business continuity plan, what does a good version of a business continuity plan look like? Should I be aiming for a really short, very actionable document that is a handful of pages, something very small that tells you specifically what you need to be doing in a disaster, or should I be looking for something really comprehensive, a really big, long, detailed tome? I think that unfortunately, as is often the case with questions around business continuity, the answer is very much that it depends. In some cases you may get away with something very small if you're a smaller business; in some cases you need something larger. I personally have always hated it when the answer to any question is 'it depends', so I'll try to give an example of this.

We host the business continuity podcast at Databarracks; if you're interested in that we will include it in the links, but you can look it up on iTunes or go to the website, which is thebcpcast.com. One of the consultants said something really interesting in the interviews. In talking about some continuity standards, he said he had a friend's company, a really small business based up in the Lake District, a 10-person printing business, and they suffered some issues around a flood, and he said they were a textbook example of how you can do business continuity really well: they had systems hosted elsewhere, they were able to work remotely, they were able to source alternate suppliers and alternate facilities to continue production. But if you were to ask them about business continuity they wouldn't know what that was, and they certainly wouldn't pass any kind of ISO standard for continuity. On the flip side of that, we've got some folks that we spoke to from the likes of BP, so enormous organizations, not just thousands of staff but 1,000 locations, and the method for maintaining continuity and having a plan set to keep that in place is obviously far more detailed. You don't have the organizational knowledge that can be contained when you're just looking after 10 members of staff and a small number of suppliers. So aside from the fact that we would always say a plan should always be as concise and succinct as possible, it very much is the case that it depends.

Which sort of leads to the following question, which is: where do I get started with this? I think probably a lot of people will know a lot of the terminology around business continuity; they've heard of things like a business impact analysis or a risk assessment and a risk register, but really have nowhere to get into it. Very often what we'll see is that some will jump right in at a relatively late stage in this process and they will start writing the business continuity plan, or in this case an example document, one of the tools that you can download from our site, which is a template IT disaster recovery run book. Very often the problem you have here is that you're jumping straight into the plan without having done any of the legwork. So this is a bit of an admission here: the name 'how to write a business continuity plan' probably isn't entirely accurate. What we're going to be talking about today is a little larger than that; it's not just about the plan, what we're talking about is a business continuity management system, and how you put all those things together.
So the good news, and the answer to where do you start, is that you don't need to make all of this up from scratch. Although obviously it needs to be specific to you, there is a very mature and well-defined process for how you can go about doing this, and so our first piece of advice for today would be to go and take a look at this document. If anyone's been in business continuity for some time they'll certainly know it: the BCI, or Business Continuity Institute's, Good Practice Guidelines. The folks that we spoke to in the business continuity podcast were incredibly effusive about this document; it's not a dry standard document that isn't useful, it's actually very actionable and very helpful. If you are a member of the BCI then you will get access to it for free, but if not you can purchase it for 30 pounds. We'll include the link in the resources at the end of the session today. It really gives you an outline of exactly what you need to go about doing, and that's what we're going to be talking about today, so I'll run you through exactly how we recommend doing this.

Here's a quick snapshot of the things that we'll be talking about, and you will notice this is all top to bottom, in a very distinct order. Now that isn't always the case, and this will show this isn't a start-to-finish project; it isn't something you do once and leave, it is an ongoing cycle of maintaining and keeping up to date. But certainly for folks coming to this completely new there is a good process that you can follow that will get you from A to B.

So the first thing you need to do is set your policy, and that needs to happen at a very senior level. It's the most important part: if you don't get this part right, obviously everything that follows thereafter is going to be compromised. So it's really important that you set out your management business continuity statement: what is it that you're trying to achieve, which of your services are in scope, what isn't in scope, what is it that you want to achieve from your continuity program? Secondly, and I think again this follows on and is incredibly important, you then need to select your teams and determine their responsibilities. Another issue that we'll often see, the reason that business continuity management tends to fail, is that it is under-resourced: there aren't the people who have the time assigned to actually work through these processes. So getting that team in place and making sure they are also able to take it on.

Once you've got your team and you know what you're trying to achieve, then there's the grunt work, and so sections three to four here are about the analysis that you will do and some of the tools that you'll be using: going through and performing a risk assessment, cataloguing your services and doing dependency mapping of how those services map to resources and assets. All of those sections, that's the planning; this is you looking internally and seeing what is it that we need to achieve and how do we do that. All of this has gone on, and you can see in terms of the amount of work that would take place, it's probably (well, not perfect) an indication that that is half of the work that needs to take place. Now we get on to the section that most people jump ahead to, implementing your mitigation strategy. This is once you've decided how you need to get back up and running: are you able to do that? That could be a disaster recovery contract, it could be alternate premises, it could be alternate suppliers, etc. Then agreeing your activation plans, so actually writing the plans of how you go about doing this; that's your enacting. Then finally you have testing and exercising, and then how you maintain this, how you make it part of the business that you go about doing.
So let's jump in: policy. Setting up your policy. If anyone happened to be on a webinar that we held probably a little while ago, I think last year, when we talked about an IT disaster recovery plan, I think I referenced my dislike for this particular model, but since then, in speaking with a number of people, I think it's the model that helps people to understand how all of this works visually. So we have right at the top your strategic priority; this, as I said, is why it's vital to get that policy set up correctly at the front end, because from there we have our management processes and our operational activities, and they depend on one another. I think as a good model it helps us to understand what goes on: we have status that would be escalated upwards in the event of a disaster, and then command and control that is pushed downwards in terms of how we action these things in a disaster itself. But I think the thing that really helps people in understanding and looking at this model is the relationship between IT disaster recovery and business continuity planning. Very often we might speak with a business to say 'do you have a business continuity plan in place?' and they say 'yeah, definitely, we have that', and in actual fact what there is is what one would call a run book: descriptions of how to bring servers up, what order they must come up in, something really technical, which often will work perfectly. But potentially what you have in that situation is a business that can be up and running with all of their servers up and flashing, but no way for the business to actually carry on, which is why it's so vital to carry out all of these activities in the earlier stages.

So you've set your policy, you've decided what is going to be in scope; who then do you need to be involved? We've got a quick model here of the different stages that take place during your business continuity planning and who's involved. As we said, it's vital that there is very senior management level buy-in in making business continuity a priority; they are the people who are responsible for setting that scope, but then they're also vital to make sure that continuity is embedded in the culture, to make sure that it runs throughout everything that you do. They will work with, we've got here, CMT; CMT in this case is the crisis management team or your business continuity team. Now the number of people who would be involved in that will vary depending on the size of your organization. That could be just one person in smaller organizations; we certainly have seen it taken on by IT folks, who can do a good job, and I think we certainly recommend that IT as a function is one of those areas in the business that, if you are a small business and you don't have separate risk and continuity people, they're the best people to get that all-encompassing view of the business and know what the vital services are and how to deliver those. But in a larger organization that could be including risk, it could be including continuity personnel. In terms of the order of how this all works: that strategy is set by your continuity or your risk owner, and that's done in collaboration with the crisis management team, but once that's set up then the bulk of the planning work goes on in the business impact analysis, the BIA consultation, and that will be your continuity team going out and working with departmental heads to identify the important business functions, assign recovery objectives and criticality. This is all of the planning. Then finally it's the management, so it's putting all of this in place, and that predominantly won't happen in collaboration with department heads, but being led by the continuity team. Then there's the final part, which is to make sure that the wider business, all of the staff, are aware of what those processes are if there is a disaster and what they would need to be doing, and then of course they're vital to be involved in all of the testing and exercising.
This is probably the most important part, I think, of what we're talking about today. The big bulk of good business continuity planning will happen here, in the business impact analysis. This is doing all of the grunt work for you; this is the most important part of your planning. Now again, depending on the size of the organization, you may not need to use all of the analysis and tools that we have in the top right hand corner here, but ultimately you will have the same objectives, and the output that you want from your business impact analysis is the same. So the quote that we have from the BCI Good Practice Guidelines in the middle is: it is the process of analysing activities and the effect that a business disruption might have on them. So your objectives are to identify the types of impact the incident might have, to identify the most important business functions and the services that then support those functions, to then assign criticality to each of those services, to work out upstream and downstream dependencies that affect your ability to deliver (that could be power, that could be suppliers, that could be roads, etc.), and then to work out and set out your recovery objectives with your justification. Now as I say, a small business would probably be able to look at that and work all of those things out relatively simply; for a larger business it becomes more difficult, and then it becomes more important to apply some analysis and tools. So we've got a list of different tools that you might use here. You might set out initially by working out a rating of the maturity of your resilience function; you would almost certainly be using a risk register and perhaps a matrix; you'll want to include some cost of downtime calculations and a figure for what is your maximum tolerable period of disruption, which is the maximum length of time that you would still be able to survive an incident; and you'll want to map some of those dependencies back. Now the other reason I've named each of those tools is that those are all tools that we can provide: we have free tools that you can either use online or download and work through. We'll pop the links to that, and then we'll go through those in detail in the webinar at the end of the month. But the ultimate output, once you've done all of this big work in your business impact analysis, is that it puts out at the end of it all of the recommendations you will then need to implement, and then to write up your business continuity plan, your IT disaster recovery plan, crisis communications plan, your crisis management plan, etc. All of the work will be done here, and it will make those following sections far easier for you to implement.

So a really quick word here on budgeting for continuity, which I think is probably one of the other most frequent questions that we would hear. Obviously we've talked about that being a management level objective to set that budget, but it is fluid; there are some factors that you need to weigh in, and I think this is what we're trying to show here on this graph. So the red line is the cost of business disruption. As we know, at the bottom left hand side you can have a disruption, and I'm of the opinion that there are a lot of businesses where you can have an hour or two of downtime and actually the impact may be negligible in terms of real cost, but as that grows and that becomes longer and longer, that curve's going to steepen and your costs are going to ramp up. On the flip side we've got the black line, so that is the cost of your continuity solution. On the far right hand side at the bottom, that is the cost of putting nothing in place: it will take you a very long time to recover from an incident. Whereas on the left hand side at the top, that steepens sharply. I think probably to give an example here, if we were to talk about an IT disaster recovery example, we might mark on this graph recovery with a tape backup solution; now that's going to be a relatively low cost but a relatively long time to recover, versus multi-site high availability, which will be high cost but will have very little downtime. And just to be clear, this doesn't apply just to IT: we can apply it to premises, the cost of having a second site, or perhaps some other relationship with suppliers. But what we need to do is set out where we want to be on this. Now to take this example a little further, if we were to look at IT disaster recovery (this won't be the case for certain other aspects), we can say right, when we know this it can then feed into our decision-making: we need a solution that will give us a recovery time objective of X and a recovery point objective of Y, and that then will dictate what our work recovery time is and what our maximum tolerable downtime is. There's a lot on here and we probably won't get through all of this in this session; you can refer back to it in the slides. What you can do is work this out and then map this against where you want to be, and you can say right, well actually if we want to be here it's going to cost us X amount, if we want to be here it's going to cost us a different amount, and work through this and get to a figure that you're comfortable with, that ticks the boxes in terms of recovery but at the same time ticks the boxes in terms of the budget for continuity.
Now, this is another section that is really important but I think is probably under-recognized and under-utilized, and that is to look at the mapping of your important functions through to your services. So here again we've got an IT example; I tried to make as many examples IT-centric as possible for today, having looked through the folks that we had who were registered to attend, as it seemed we did have a big bulk of IT focus. One of the things in IT we're very good at is we can say we know how long it will take us to recover this server, what's our process for recovering: right, well, this bit of hardware I can get back in X number of hours. But obviously that's a very technology-centric view of this; what we should be focusing on is what's the service that we're actually delivering here. So this is one of the tools again that you can work through, and we'll use it to map the IT and the assets that power those services through to the service that you're delivering, and then what we can do is get an idea of the recovery times for email as a service rather than an email server or a hosted email service, and any other dependencies that it might have. We can extend this beyond IT: you can look at this as a manufacturer and say 'I manufacture widget A; for me to be able to do that, what I need is three different supplies from three different suppliers, I need a production process, and then I need X number of resources internally for us to deliver that. How quickly do I need to bring that back, and what is my process for doing so if I were to lose any of those things?'

So this is a whistle-stop tour, and I will say just throughout here, obviously this is an enormous subject to try and get through in 30 minutes, so we're covering things at a bit of a rate of knots. This first section we've talked about was your internal planning; that was all of the work that you need to do to get yourself set up, and so by this point what you will have is a good structure in place, you'll have the right people doing this, and then you will have a business impact analysis that tells you what you need to go out and implement.
Then the next stage is to implement. So a handful of things here to talk about: we're not just talking about IT, we are talking about people, about premises, about suppliers. I said that the most obvious example here might be that your business impact analysis will tell you we need to bring our systems back in a shorter length of time than we are able to do so at the moment, so we need to go and source a new solution that will allow us to do that. It could be we wouldn't have anywhere for our people to work from in the event of a disaster, so we need to find some work area recovery. Not all of these mitigation strategies need to be projects that you go out and commission, and they don't necessarily need to be something that costs money, but they need to be things that are then planned. It could be planning out what this process is and making sure we can then educate the workforce and let them know what it is they need to do.

So this leads to the following thing: once you have then gone and implemented those strategies, now you can write it all up. I think hopefully you can see from where we are in the length of time of the webinar that we've gone through an awful lot at this point just to get to the point that I think most people dive into and start writing their continuity plans and their run books. This is a really easy process if you've been through those earlier steps; if not, and you've just come into it cold, it can be difficult, and obviously, as they say, we can sometimes be either putting in strategies that don't meet the need, or we can be overdoing it and over-providing for what's required.

A really quick note here on agreeing a communication plan, and that's a few things: this could be communication externally, a media plan, a press plan of how you will communicate with them to let them know what is going on and how you're handling it, how you communicate with your customers, but then also how you communicate internally. I think we see a lot of examples of this; a really good one recently was Maersk, the global shipping and transportation company who suffered an issue with the NotPetya ransomware, and their CEO came out and said the one thing that they've learned from this is how you communicate internally. They ended up reverting to using WhatsApp for their internal communications, and now there are lots of companies who I know who are relatively small who will use WhatsApp as a method for them, but that's not something that you want to be working out or deciding at the time of the incident. Communications are absolutely vital; I think we often say you'd much rather have a recovery that doesn't go so well but that you can communicate well, than a really good recovery that is poorly communicated with everyone who's involved, because that can sabotage how well things will go. So there's a handful of methods you can use for this: you can use call trees, you can use internal contact cards; ultimately the thing that you need to do is the staff need to know where they need to go, they need to know what their next action is, is it to call into a telephone number to find out what the status is. And then finally the point we've got here is you can use a mass notification service. Now there's lots of really good mass notification tools that you can buy; often we find, I think probably in our conversations with smaller businesses, is that they won't have anything in place, as a lot of those tools are built for very large enterprises or for councils, etc. So one of the tools that we have is how you can build your own quickly and effectively for a really low cost, and again we'll hand out the link to that shortly.

Then once it's all in place, you've written up that document, you have it, how do you then know all of this works? There is only one way to find that out, and that is to exercise and test. Usually at this point in any session where we talk about testing and exercising, someone will pop in a question and say 'be really clear about the semantics here'.
A lot of folks don't like the term testing, because a test will imply that you can fail, so you don't test a business continuity plan, you exercise that plan. With that being said, there are things that you can specifically test that will fail; the best example here is the recovery of the server didn't come up, wasn't working, and that's a failure. It's important too, from working through your business impact analysis, you have your objectives, you have recovery that you want to occur in X number of hours: does that work? The first metric that's most important for any testing and exercising is: did you do it? Because the big issue for a lot of people is finding the time to do this, so just being able to do that is a really good start. But then, have you met each of those objectives that you set out in your business impact analysis? I think someone said in the business continuity podcast it's only a failure if you don't fix any issues. No one expects any of the exercising to go without a hitch; this is how you find issues, refine, and work back and improve any of that documentation.

So a quick word here, because this issue is one of those areas where the issue is having the time to do this: there's a number of different kinds of tests that you can do. Obviously you can have a full test, you can have a partial test, that will have a certain amount of user acceptance testing. We've built a tool that will help do tabletop testing, so it's a simulator that you can run through with a handful of different incidents such as IT failure, power failure, and working through a cyber incident; they take five, seven and ten minutes each. Really useful exercises, I think, for particularly larger teams to work through and share throughout the whole team so that everyone gets an idea of what this process is, and then hopefully it will give you ideas for your own tabletop testing that you can do internally.

That's the final slide then, of all of these sections. This is what I was referring to at the start: I started with a long list of the things that we would talk about today in a table, sort of top to bottom, but that's not really what a business continuity management system should look like. This is from the Business Continuity Institute's Good Practice Guidelines, and it's a circle, and it's a circle because it doesn't stop, it goes on and on. So there's design that feeds into implementation and then validation, and then comes back to analysis and design, and goes round and round. The really important part, I think, of making sure this works properly: I said one of the biggest causes, I think, of businesses thinking that continuity programs don't offer them value is that they're looked at as point-in-time exercises. You do it as a project, which works, it's great, you get your documentation up to speed, but then it's left, it's not updated, and over time as things change that becomes less and less valuable, and you find that you are then in really bad shape and need to come back to this. The way that you get around that is by making sure that you are feeding all of these things back in, you're staying on top of it, documentation is happening, testing is occurring, and ultimately you're staying resilient, not just becoming resilient one time every three to five years.

And that is us for time today. I did say I would try to get through and have some time for questions, but I'm always really keen that we stick to the schedule. I see that we do have some questions, so I will get back to everyone individually on those. Here is the list of the resources that we talked about, so there's no need to scribble these down right now; we will send these out to you afterwards along with the slides and a link to the recording. So I'd say thank you very much for joining us, I hope you'll join us again at the end of the month for the next webinar, and I hope you enjoy the rest of your day.

Thank you very much.
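The two analytical steps the talk describes, mapping assets through to the service they power so you get a recovery time for "email as a service" rather than for a mail server, and then placing that against the cost-of-disruption curve to choose a mitigation strategy, can be worked through in a few lines. The block below is an added example written for this page; it is not one of the Databarracks tools and not part of the webinar. Every node name, restore time, objective and cost in it is a constructed sample value, and the rule that a node's recovery starts only once its slowest upstream dependency is back is an assumption of the example, not a definition from the BCI guidelines.

```python
"""Dependency mapping and recovery-objective gap check.

Added example, not a Databarracks tool: models a BIA dependency map and
checks each service's achievable recovery time against its RTO and MTPD.
All node names, hours and costs below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass
class Node:
    """A service, asset or supplier with its own stand-alone restore time."""
    recovery_hours: float
    depends_on: tuple = ()


def effective_recovery_time(graph, name, _path=()):
    """Hours until `name` is usable again, including upstream dependencies.

    Assumption (labelled): a node can only be restored once every upstream
    dependency is back, and independent dependencies are restored in
    parallel, so the time is own time + slowest dependency.
    """
    if name in _path:
        raise ValueError(f"circular dependency: {' -> '.join(_path + (name,))}")
    node = graph[name]
    upstream = max(
        (effective_recovery_time(graph, dep, _path + (name,)) for dep in node.depends_on),
        default=0.0,
    )
    return node.recovery_hours + upstream


def gap_report(graph, objectives):
    """Compare achievable recovery against BIA objectives.

    objectives: {service: (rto_hours, mtpd_hours)}.
    Returns {service: (achievable_hours, status)} where status is
    'ok', 'breaches RTO' or 'breaches MTPD'.
    """
    report = {}
    for service, (rto, mtpd) in objectives.items():
        hours = effective_recovery_time(graph, service)
        if hours > mtpd:
            status = "breaches MTPD"
        elif hours > rto:
            status = "breaches RTO"
        else:
            status = "ok"
        report[service] = (hours, status)
    return report


def cost_of_disruption(hours, free_hours=2.0, rate=1000.0):
    """Red line on the budgeting graph: negligible for a short outage,
    then steepening. Constructed curve, not a calibrated figure."""
    return 0.0 if hours <= free_hours else rate * (hours - free_hours) ** 2


def choose_strategy(options):
    """Black line against red line: pick the option with the lowest total
    of solution cost plus disruption cost at its recovery time.
    options: {label: (solution_cost, recovery_hours)}."""
    totals = {label: cost + cost_of_disruption(h) for label, (cost, h) in options.items()}
    return min(totals, key=totals.get), totals


# Constructed sample dependency map: email as a *service*, not just a server.
CURRENT = {
    "power": Node(2.0),
    "storage": Node(6.0, ("power",)),            # restore from tape
    "mail_server": Node(3.0, ("storage", "power")),
    "internet_link": Node(1.0),
    "email": Node(0.5, ("mail_server", "internet_link")),
}
OBJECTIVES = {"email": (8.0, 24.0)}              # (RTO, MTPD) from the BIA

# Same map with one mitigation applied: replicated storage instead of tape.
MITIGATED = dict(CURRENT, storage=Node(1.0, ("power",)))

if __name__ == "__main__":
    print("current:  ", gap_report(CURRENT, OBJECTIVES))
    print("mitigated:", gap_report(MITIGATED, OBJECTIVES))
    best, totals = choose_strategy({
        "tape_backup": (5_000, 48.0),
        "replicated_storage": (40_000, effective_recovery_time(MITIGATED, "email")),
        "multi_site_ha": (250_000, 0.25),
    })
    print("cheapest overall:", best, totals)
```

With the sample values, email's achievable recovery is 11.5 hours against an 8-hour RTO (storage restored from tape is the long pole), so the report flags an RTO breach but not an MTPD breach; swapping tape for replicated storage brings it to 6.5 hours. The cycle check matters in practice: real dependency maps drawn up by different departments often loop (the ticketing system that the recovery team uses depends on the email it is supposed to recover), and that loop is itself a finding for the BIA.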