Develop a Business Continuity Plan

Streamline the traditional approach to make BCP development manageable and repeatable.

This content requires an active subscription.

Access this content by logging in with your Info-Tech Research Group membership or contacting one of our representatives for assistance.

or Call: 1-888-670-8889 (US) or 1-844-618-3192 (CAN)

Your Challenge

IT managers asked to lead BCP efforts are dealing with processes and requirements beyond IT and outside of their control.
BCP requires input from multiple departments with different and sometimes conflicting objectives.
Typically there are few, if any, dedicated resources for BCP, so it can't be a full-time resource-intensive project.

View Storyboard

Infographic

Our Advice

Critical Insight

As an IT leader, you have the skill set and organizational knowledge to lead a BCP project, but ultimately business leaders need to own the BCP. They know their processes and, therefore, their requirements to resume business operations better than anyone else.
The traditional approach to BCP is a massive project that most organizations can’t execute without hiring a consultant. To execute BCP in-house, carve up the task into manageable pieces as outlined in this blueprint.
Leverage the BCP methodology to not only identify current processes, but also review and optimize those processes.

Impact and Result

Position IT as the consultant for BCP, not the owner. Ultimately, the business needs to own the BCP to make it sustainable.
Execute a pilot BCP process to establish a methodology that can be repeated by the rest of the organization.
Achieve alignment between your IT DRP and overall BCP.

Contributors

Bernard Jones (MBCI, CBCP, CORP, ITILv3), Owner/Principal, B Jones BCP Consulting, LLC
Patrick Potter, GRC Strategies, RSA Archer Organization
Ali Alidina, Information & Technology Manager, Canadian Patient Safety Institute
Rob Vandervelde, Director, Corporate Services, Canadian Patient Safety Institute
Michelle Swessel, PM and IT Business Analyst, Wisconsin Compensation Rating Bureau (WCRB)
R. Sheridan K. Smith (CISSP, CRISC, CBRM, CBRITP), Information Technology Manager, Arch Reinsurance Ltd.
Ray Mach, BCP Industry Speaker
Sean Seaber, Director Global Information Technology, MRI Software
Two additional organizations were interviewed but requested anonymity

Get the Complete Storyboard

See how all the steps you need to take come together, with tools and advice to help with each task on your list.

Download Now

Get to Action

Define BCP pilot parameters

Clarify IT vs. business roles, project objectives, and key milestones.
Identify processes and dependencies

Determine what would be required to recover from an incident and resume operations.
- Business Continuity Business Impact Analysis Tool
Determine the desired recovery timeline

Set appropriate recovery timeline targets based on business impact and business requirements.
Determine the current achievable recovery timeline

Identify the gap between achievable and desired recovery capability.
Identify projects to close gaps and mitigate risks

Create a business continuity project roadmap to achieve the desired recovery timeline.
- Business Continuity Project Roadmap Tool
Document and validate the desired-state incident response plan

Define a procedure to resume business unit processes after an incident, within the desired recovery timeline.
- Business Continuity Incident Response Management Tool
Complete the BCP process

Create a plan to develop a BCP for remaining business units and initiate ongoing BCM.
- Business Continuity Plan Pilot Results Presentation Template
- Business Continuity Policy Template

Guided Implementation

This guided implementation is a seven call advisory process.

Call #1: Define the BCP pilot parameters

Set project goals, select a pilot business unit, and define roles and responsibilities.
Call #2: Identify existing business processes, dependencies, and alternatives

Identify, prioritize, and document processes to support BCP and process optimization, identify existing interim processes, and capture the current BCP status to establish a baseline metric.
Call #3: Determine the desired (target) recovery timeline

Conduct a business impact analysis, and identify RTOs and RPOs.
Call #4: Determine the current achievable recovery timeline

Conduct a tabletop planning exercise and document the results, assess RTO and RPO gaps, and assess known risks.
Call #5: Identify and prioritize projects to close recovery timeline gaps and mitigate risks

Identify and prioritize projects to close RTO/RPO gaps and mitigate risks, and create a project roadmap.
Call #6: Document and validate the desired-state incident response plan

Create incident response plans for the current and desired state, create a plan for returning to the primary site after the incident is resolved, and measure pilot success.
Call #7: Create a plan to complete the BCP process for remaining business units and initiate ongoing BCM

Leverage pilot results to establish a BCM program, complete the BCP for remaining business units, and incorporate BCP outcomes into your IT DRP process.

Schedule Your First Call

Onsite Workshop

The Purpose

Prioritize business units for BCP development.
Create a BCP pilot team.
Define BCP metrics.

Key Benefits Achieved

Select the pilot business unit and workshop participants.
Establish metrics to measure the benefits of completing the BCP pilot.

Activities:		Outputs:
1.1	Determine the business units that are most in need of a BCP.	Prioritized list of business units for BCP.
1.2	Select the pilot business unit to follow the BCP methodology.	Seed success by identifying a good candidate for initiating BCP development.
1.3	Define roles for the BCP pilot.	BCP pilot team identified.

The Purpose

Determine process workflows.
Identify existing alternatives/interim processes.
Assess existing business continuity plans.

Key Benefits Achieved

Document your core business processes and dependencies.
Document existing alternatives/interim processes.
Determine your current BCP status (to enable the team to measure progress).

Activities:		Outputs:
2.1	Identify business process workflows and dependencies.	Documented list of core business processes and dependencies.
2.2	Determine existing contingency planning.	Documented list of existing alternatives/interim processes.
2.3	Assess existing business continuity plans.	Baseline BCP status.

The Purpose

Define a scoring scale to measure impact.
Estimate the impact of downtime for each business process.
Determine the desired RTOs/RPOs.

Key Benefits Achieved

Define a scoring scale to estimate business impact.
Conduct a business impact analysis.
Define recovery time and recovery point objectives (RTO/RPO).

Activities:		Outputs:
3.1	Simplify estimating business impact.	Business impact analysis (BIA) scoring criteria defined.
3.2	Determine business process criticality to prioritize BCP efforts.	Business impact analysis.
3.3	Determine an appropriate recovery timeline based on business impact.	Desired recovery timeline identified.

The Purpose

Determine your baseline business continuity capability (your current state).

Key Benefits Achieved

Identify the gaps between current and desired business continuity capability.

Activities:		Outputs:
4.1	Identify current capabilities via tabletop planning.	Current state incident response plan defined.
4.2	Compare current to desired RTOs/RPOs.	RTO/RPO gaps defined.
4.3	Estimate likelihood and impact of failure of individual dependencies.	Additional vulnerabilities identified.

The Purpose

Determine what projects or initiatives are required to close the gap between current and desired business continuity capability.

Key Benefits Achieved

BCP project roadmap defined.

Activities:		Outputs:
5.1	Identify projects that close recovery gaps.	Potential list of business continuity projects identified.
5.2	Prioritize projects based on cost and benefits.	Order of project implementation identified.
5.3	Create a project implementation timeline.	Project schedule identified.

The Purpose

Define and validate the desired incident response plan.
Document your incident response plans for the current and desired state.
Conclude the onsite workshop.

Key Benefits Achieved

Document your incident response plans for your current state (i.e. based on current capabilities) as well as your desired state (i.e. after BC projects are implemented that would enable you to meet desired RTOs/RPOs).
Ensure the BC project roadmap will achieve the desired goals (meet desired RTOs/RPOs).
Create a pilot summary presentation deck to communicate results to your executive team.

Activities:		Outputs:
6.1	Determine what the incident response plan would be after the BC project roadmap is completed and ensure it achieves the desired RTOs/RPOs.	Desired-state incident response plan defined. Updated BC project roadmap, if the desired-state planning process uncovers additional gaps.
6.2	Enable incident response coordinators to monitor and report status during an incident.	Incident response plan for the current and desired state.
6.3	Summarize pilot outcomes including BC metrics improvements.	Pilot results presentation PowerPoint deck.

The Purpose

Create a BC policy and BC management teams.
Define a workflow to develop a BCP for remaining business units.
Define a workflow for incorporating BCP outcomes into your IT DRP process.

Key Benefits Achieved

Create a BC policy to drive ongoing business continuity management.
Define a workflow to develop a BCP for remaining business units.
Define a workflow for incorporating BCP outcomes into your IT DRP process.

Activities:		Outputs:
7.1	Establish corporate goals for ongoing business continuity management.	BC policy.
7.2	Enable the organization to repeat the BCP methodology for remaining business units, summarize results, and resolve discrepancies.	Documented workflow for completing BCP for remaining business units.
7.3	Update your IT DRP to meet new technology requirements defined by the BCP process.	Documented workflow for incorporating BCP outcomes into your IT DRP process.
7.4	Ensure ongoing alignment between your IT DRP and BCP.