Contents
Contents
ENDORSEMENTS by Two Leading Industry Professional Associations:
- Larry Kalmis, FBCI, Chairman, The Business Continuity Institute (see Excerpt tab for full text)
- Belinda Wilson, CBCP, Vice Chairperson, Disaster Recovery Institute International (see Excerpt tab for full text)
PREFACE by Melvyn Musson, FBCI, CBCP, CISSP (see Excerpt tab for full text)
PREFACE by Philip J. Rothstein, FBCI
PREFACE by Andrew Hiles, FBCI (see Excerpt tab for full text)
INTRODUCTION (see Excerpt tab for full text)
- WHY SHOULD YOUR BUSINESS PREPARE FOR A DISASTER?
- What Disaster Might Hit You?
- It’s Too Much Work! Why Shouldn’t We Just Take the Risk?
- Legal Reasons for Having a Plan
- Statutory Example
- Determining Liability
- GETTING STARTED
- Basic Considerations
- An Alternate Business Location
- Vital Records
- Key People
- A Plan
- How Many Plans?
- Types of Plans
- The Planning Steps You Will Take with this Book
Step 1 – Writing the Purpose, Objectives, Scope and Assumptions
- Purpose of the Plan – Sample Text
- Plan Objectives – Guidelines
- Scope of the Plan – Guidelines
- Planning Assumptions- Guidelines
Step 2 – The Plan Coordinator and Development Team: Job Descriptions
- The Plan Development Team
Step 3 – Assigning Action Items, Coordination of Responsibilities and Timeframes
- IT’S TIME TO ROLL UP YOUR SLEEVES AND TO ASSESS YOUR CURRENT RISK
Step 4 – Where Do You Stand Right Now?
- Begin by Reviewing Internal Plans and Policies
- Meet with Outside Groups
- Identify Codes and Regulations
- Identify Critical Products, Services and Operations
- Identify Your Internal Resources and Capabilities
- Identify External Resources
- Conduct an Insurance Review
- Assess Your Vulnerability
- Begin by Listing Potential Threats
- Estimate Probability
- Assess the Potential Human Impact
- Assess the Potential Property Impact
- Assess the Potential Business Impact
- Assess Internal and External Resources
- Add the Columns
- Hazard-Specific Information
- Hazardous Materials Incidents
- Floods and Flash Floods
- Hurricanes
- Tornadoes
- Severe Winter Storms
- Earthquakes
- Technological Emergencies
- Analyzing the Risk Assessment
Step 5 – Doing Your Business Impact Analysis
- Identifying Critical Systems, Applications and Vital Records
- Using Your Business Impact Analysis
- What’s Your Staying Power?
- Timing Your Defense
- What Immediate Resources Do You Need?
- Develop Recovery Priorities
- Identify Preventive Controls
- Develop Technical Recovery Strategies
Step 6 – Selecting Your Recovery Teams
- Roles and Responsibilities
- Team Leaders
- Team Members
Step 7 – Developing Your Recovery Strategies and Action Plans
- Recovery Strategy Overview
- Sample Action Plan Task List
- PUTTING IT ALL TOGETHER
Step 8 – Documenting Your Business Continuity Plan
- Background Information
- Action Plan
- Plan Appendices
Step 9 – Testing Your Plan
- Preparation of Testing Procedures
- Checklist Testing
- Non-Business-Interruption Test
- Parallel Testing
- Business Interruption Testing
- Frequency of Test
- Evaluating Your Test Results
- The Checklist Worksheet
- The Test Evaluation Form
Step 10 – Distributing Your Plan
- CONGRATULATIONS! – BUT DON’T LET IT COLLECT DUST
Step 11 – Maintaining YourPlan
- APPENDIX A: SAMPLE RISK ASSESSMENT
- APPENDIX B: RISK ANALYSIS CHECKLIST
- APPENDIX C: GUIDELINES FOR DEVELOPING YOUR DATA SHEETS
- APPENDIX D: BUSINESS CONTINUITY GLOSSARY (125 business continuity terms)
- APPENDIX E: SELECTED BUSINESS CONTINUITY ARTICLES
- Pitching Preparedness
- Why Assess? A Case Study
- Slow-Motion Disaster
- Managing Management: A Case Study
- “Almost” Disasters
REFERENCES (20 books, articles, Web sites)
ABOUT THE AUTHOR
Excerpts
Endorsements by Two Leading Industry Professional Associations
- THE BUSINESS CONTINUITY INSTITUTE
Larry Kalmis, FBCI, Chairman
Kenneth Fulmer, CBCP, has produced an important and useful guide for the business continuity planning novice. This clear, concise work will also be a valuable reference for the advanced practitioner.
Mr. Fulmer upholds many of the principles you will find promoted and supported by the Business Continuity Institute and encouraged as part of Business Continuity Management good practices.
In more than thirty years as a business continuity practitioner, I have seen many small and medium-size businesses pay the penalty for lack of preparedness. Often, overwhelmed by the jargon employed by many practitioners and the mistaken concepts that business continuity is too costly, that it is only for the “big boys,” and that they do not have the resources or knowledge base, they choose to take the risk instead. For many, it is an unfortunate choice because much can be done with reasonable commitment to avoid business disruptions or mitigate the impact for those that are unavoidable.
In this excellent primer, Mr. Fulmer sets out a simple, concise, and, most of all, logical roadmap both for developing the justification for a business continuity/disaster recovery program as well as for developing and maintaining the resultant plan. He starts by leading you through the assessment of potential risks and impacts establishing the business case, which, after all should be the ultimate driver for any commitment of staff and other resources to business continuity. Mr. Fulmer then, using straightforward, jargon-free, checklists, tables, and worksheets, takes you step-by-step through generally accepted “good practices,” enabling you to construct an appropriately sized recovery plan.
This book clearly puts forth the rationale, concepts, and mechanics for business continuity planning in an easy-to-use format for the business continuity initiate. The advanced practitioner will also find this book a practical reference and its checklists, tables, and worksheets a useful toolkit.
~Larry Kalmis, FBCI Project Executive, Virtual Corporation and Chairman, Business Continuity Institute
2. DISASTER RECOVERY INSTITUTE INTERNATIONAL
Belinda Wilson, CBCP, Vice Chairperson
In today’s business environment, change is the norm. The path to your business goals is seldom marked, and never direct. Success in this world demands agility and resilience, and relies on its ability to easily adapt and be flexible in a world of uncertain times. An adaptive infrastructure that tightens integration and synchronization between IT resources and business processes while delivering a level of interoperability that supports the requirements for a new infrastructure ecosystem. An adaptive infrastructure delivers virtualized resources as services in response to business process requirements. It scales or redeploys resources quickly and efficiently as the business requires, in a single department or across the entire enterprise. To adapt effectively to change in the business environment, the infrastructure itself must deliver services continuously, secure against attack and threat.
But continuous, secure operations are more than a step toward somewhere else: they are a destination of their own. It is time to begin the journey toward an infrastructure that can serve as a dependable foundation for your business today, and the engine of quick, smooth adaptation to business requirements in an unpredictable future.
Businesses build cultures of business continuity by planning, then overcoming everyday threats and obstacles, until continuity is no longer optional but rather is built into the company’s corporate culture. Never complete, the process cycles through analysis, building, integration, management and evolution. With every turn, your business becomes more secure, efficient and agile in its response to both challenge and opportunity.
The continuity and security of your business are not isolated destinations. Even your first steps will bring you toward a broader, more integrated operational vision. And efficiencies will only improve as employees move together toward common objectives. As you go, the path will get easier. Protecting and organizing information systems helps you pick up speed-moving ahead with new sophistication and efficiency. Your systems will become not just safer, but easier to use and manage for employees, partners and customers.
No destination is final, but the journey toward continuous operations brings its own practical, measurable rewards along the way. And with every step, your business grows more resilient, more agile and better prepared to take advantage of the next business change.
This book demonstrates the changing focus of business continuity moving it outside of IT and into the boardroom. Decisions surrounding business continuity are no longer involving only the technical provisioning but are business driven to help ensure companies are “always on” and thus competitive. The book supports the processes and guidelines set forth in DRI International’s (DRII) approach to ensure a successful implementation of a business continuity program and is a good starting point for someone new to the industry.
Excerpt from the Preface by Melvyn Musson, FBCI, CBCP, CISSP
One of the first things that one needs to do when asked to write the preface to a book is to determine what you feel the book’s niche will be. In this case, the book has a very specific niche as a down-to-earth, practical “primer” or introduction to Business Continuity Planning, particularly for small and medium-sized firms.
It will also help answer the questions “what have I got myself into?” and “what is covered by Business Continuity Planning?” These are questions which someone with little or no Business Continuity Planning experience will ask themselves immediately after they are informed that they are now responsible for such planning within their firm, or that they are now charged with developing such a plan for the firm.
Other books can provide more depth of detail that may subsequently be needed, but this book will enable someone with little or no experience to start to put together a project plan, determine what they need to include in the initial structure of the plan and identify those areas that they may need to research further. Someone with more experience will find this book a useful resource to make sure they have covered all the bases. Worksheets, forms and action items are located throughout the book to provide that initial information base on which to build a plan.
This book provides the basic information to enable firms to start the development of their plans in the “classical” business continuity planning manner. Alternatively if one wishes to approach the plan in a different manner, possibly due to corporate culture issues, the book still provides an information base that can assist one in developing your own project and plan documentation.
One other advantage of starting with this book is that the reader starts from a simple beginning and can build to more detail, as that becomes necessary. This point is a key consideration. There is a tendency when developing a Business Continuity Plan to make it more complicated and detailed than may be necessary, particularly in small or medium-sized firms.
The Rt. Hon. David Blunkett, presently the Home Secretary in the United Kingdom Government, said recently in the Foreword to a new booklet “Expecting the Unexpected: Business Continuity in an Uncertain World” that Business Continuity and planning is just as important for small firms as it is for large corporations and that plans need to be simple but effective, comprehensive but tailored to the needs of the organization.
This book will put those, particularly in small and medium-sized firms, on the track to develop simple but comprehensive plans tailored to the needs of their organizations. Although written with an IT bias, one can extrapolate from the IT to determine what needs to be done by the business units or from an overall business perspective.
For those wanting to research Business Continuity Planning further, the Disaster Recovery Institute International (www.drii.org) and the Business Continuity Institute (www.thebci.org) have developed a set of Professional Practices for Business Continuity Planners. These comprise 10 subject areas of a common body of knowledge that characterizes the profession. Each subject area contains a description of the area, the role of the professional and an outline of the knowledge that the professional should demonstrate within that subject area.
~ Melvin Musson, Fellow, Business Continuity Institute (FBCI) Business Continuity Planning Manager, Internal Audit Edward Jones St. Louis, Missouri, USA
Excerpt from the Preface by Andrew Hiles, FBCI
We had an international prospect in a financial district. He had been talking about implementing a business continuity project for around eighteen months – but there was no real sign of movement on it. We had one final try to persuade him to go ahead with the project, identifying disasters that had happened in the district and to similar organizations. At the meeting, he said, “Yes, we ought to get round to it. But it will never happen to us.” The following month there was an explosion in the area, damaging his offices. I telephoned him and asked him if he was now convinced of the case for business continuity. “Yes,” he said. “We have just authorized spending $15 million on a second site.”
We do not all have the luxury of a budget of that size. But there is always something meaningful that we can do to reduce risk, protect our assets and plan for continuity and recovery. Time is the crucial element. The first few hours following a disaster is the time when recovery success or failure is decided. A plan is vital to put order into chaos and to make the most of those crucial early hours – and the days that follow.
This book provides practical advice, easy to follow formats and checklists that will help its readers to understand, reduce and manage the risks to their organization. It gives step-by-step guidance on how to develop, test and maintain plans to handle emergencies, protect people and ensure business continues – come what may.
~ Andrew Hiles, Fellow, Business Continuity Institute (FBCI) President, Kingswell International Limited Oxford, United Kingdom
Excerpt from the Introduction
Devastating acts like the September 11, 2001 terrorist attacks in New York and Washington, D.C. have left many businesses and individuals concerned about the possibility of future threats and their potential impacts on us. Recent PricewaterhouseCoopers research from public sources has revealed that the financial impacts from these attacks were staggering:
- An estimated 14,600 businesses inside and around the World Trade Center were impacted by the disaster.
- 13.4 million square feet of space in six buildings in and surrounding the WTC complex were destroyed.
- 36 miles of new cable had to be installed by the New York electric utility, Consolidated Edison.
- 652 companies occupying 28.6 million square feet of space were temporarily or permanently displaced by the destruction.
- 200,000 communication lines were knocked out by network failures.
- 12,000 Con Edison customers had their electric power fail.
In addition to the direct impacts of the attacks on September 11, the indirect impact to U.S. businesses has been estimated at $151 billion in the first year” – Fortune, February 18, 2002.
However, there are things you can do to prepare for the unexpected that will give you a measure of control over the effects of a disaster.
Whether it is caused by terrorist activity, nature, technical problems or human error, any emergency can force catastrophic consequences and enormous costs on your business. The result: property damage, interruption of operating procedures, lost profits and even your competitive standing.
In emergencies, it is critical that you make the right decisions and bring the immediate threat to your company and your employees under control quickly. Your company must resume its most important functions in an emergency mode as quickly as possible. At the time of a disaster, the one thing that all companies have working against them is time. Lost time translates into dissatisfied customers, lost revenue, and more.
Many existing Business Continuity Plans today are too complicated and have not been well maintained. The 9/11 attacks have caused us to question more than ever, how useful our plans would really prove to be.
Traditionally, disaster recovery planning has focused on computer systems. However, recovering business operations includes more than just the computer system. Thought needs to be given to such issues as long distance service, secure locations where employees can work, and the salvage or replacement of building contents. Because mission-critical functions usually depend on technology and telecommunications networks, rapid recovery of these is very important, but is of little value without also recovering enterprise-wide business operations.
Many organizations have mainframe and minicomputer recovery plans in place. However, it is important for us to recognize that over time, many of our applications may have migrated to distributed decentralized environments with fewer controls and less security.
A plan for business continuity will be worth your effort and can be considered an asset, but only if you follow through on these essential steps:
- Before a disaster strikes, identify all computer systems, applications, people, equipment and supplies needed for recovery.
- Have a back-up procedure for critical files and systems, and a secure off-site storage facility.
- Have one or more alternate places to go for data processing and business operations.
- Be able to maintain effective control over the recovery effort.
- Identify outside resources that can assist you in the recovery process.
- Test your plan to evaluate its capability to provide the required level of support for your core business process and ultimate recovery.
- Maintain the plan. Depending on a plan that is out-of-date can be worse than having no plan at all.
While this book and accompanying Downloads provide a comprehensive approach to business continuity and recovery, it is not intended to be a substitute for professional, legal or financial advice. It is designed to help planning coordinators focus on key points to explore while developing Business Continuity Plans for their companies.
Contact Phil to see if you qualify to receive a complimentary copy.
