Develop a Business Continuity Plan

Streamline the traditional approach to make BCP development manageable and repeatable.


Your Challenge

  • IT managers asked to lead BCP efforts are dealing with processes and requirements beyond IT and outside of their control.
  • BCP requires input from multiple departments with different and sometimes conflicting objectives.
  • Typically there are few, if any, dedicated resources for BCP, so it can't be a full-time resource-intensive project.

Our Advice

Critical Insight

  • As an IT leader, you have the skill set and organizational knowledge to lead a BCP project, but ultimately business leaders need to own the BCP. They know their processes and, therefore, their requirements to resume business operations better than anyone else.
  • The traditional approach to BCP is a massive project that most organizations can’t execute without hiring a consultant. To execute BCP in-house, carve up the task into manageable pieces as outlined in this blueprint.
  • Leverage the BCP methodology to not only identify current processes, but also review and optimize those processes.

Impact and Result

  • Position IT as the consultant for BCP, not the owner. Ultimately, the business needs to own the BCP to make it sustainable.
  • Execute a pilot BCP process to establish a methodology that can be repeated by the rest of the organization.
  • Achieve alignment between your IT DRP and overall BCP.


Contributors

  • Bernard Jones (MBCI, CBCP, CORP, ITILv3), Owner/Principal, B Jones BCP Consulting, LLC
  • Patrick Potter, GRC Strategies, RSA Archer Organization
  • Ali Alidina, Information & Technology Manager, Canadian Patient Safety Institute
  • Rob Vandervelde, Director, Corporate Services, Canadian Patient Safety Institute
  • Michelle Swessel, PM and IT Business Analyst, Wisconsin Compensation Rating Bureau (WCRB)
  • R. Sheridan K. Smith (CISSP, CRISC, CBRM, CBRITP), Information Technology Manager, Arch Reinsurance Ltd.
  • Ray Mach, BCP Industry Speaker
  • Sean Seaber, Director Global Information Technology, MRI Software
  • Two additional organizations were interviewed but requested anonymity


Get to Action

  1. Define BCP pilot parameters

    Clarify IT vs. business roles, project objectives, and key milestones.

  2. Identify processes and dependencies

    Determine what would be required to recover from an incident and resume operations.

  3. Determine the desired recovery timeline

    Set appropriate recovery timeline targets based on business impact and business requirements.

  4. Determine the current achievable recovery timeline

    Identify the gap between achievable and desired recovery capability.

  5. Identify projects to close gaps and mitigate risks

    Create a business continuity project roadmap to achieve the desired recovery timeline.

  6. Document and validate the desired-state incident response plan

    Define a procedure to resume business unit processes after an incident, within the desired recovery timeline.

  7. Complete the BCP process

    Create a plan to develop a BCP for remaining business units and initiate ongoing BCM.

Guided Implementation

This guided implementation is a seven-call advisory process.

  • Call #1: Define the BCP pilot parameters

    Set project goals, select a pilot business unit, and define roles and responsibilities.

  • Call #2: Identify existing business processes, dependencies, and alternatives

    Identify, prioritize, and document processes to support BCP and process optimization, identify existing interim processes, and capture the current BCP status to establish a baseline metric.

  • Call #3: Determine the desired (target) recovery timeline

    Conduct a business impact analysis, and identify RTOs and RPOs.

  • Call #4: Determine the current achievable recovery timeline

    Conduct a tabletop planning exercise and document the results, assess RTO and RPO gaps, and assess known risks.

  • Call #5: Identify and prioritize projects to close recovery timeline gaps and mitigate risks

    Identify and prioritize projects to close RTO/RPO gaps and mitigate risks, and create a project roadmap.

  • Call #6: Document and validate the desired-state incident response plan

    Create incident response plans for the current and desired state, create a plan for returning to the primary site after the incident is resolved, and measure pilot success.

  • Call #7: Create a plan to complete the BCP process for remaining business units and initiate ongoing BCM

    Leverage pilot results to establish a BCM program, complete the BCP for remaining business units, and incorporate BCP outcomes into your IT DRP process.

Onsite Workshop

Module 1: (Pre-Workshop) Prepare for the BCP Workshop

The Purpose

  • Prioritize business units for BCP development.
  • Create a BCP pilot team.
  • Define BCP metrics.

Key Benefits Achieved

  • Select the pilot business unit and workshop participants.
  • Establish metrics to measure the benefits of completing the BCP pilot.

Activities: Outputs:
1.1 Determine the business units that are most in need of a BCP.
  • Prioritized list of business units for BCP.
1.2 Select the pilot business unit to follow the BCP methodology.
  • Seed success by identifying a good candidate for initiating BCP development.
1.3 Define roles for the BCP pilot.
  • BCP pilot team identified.

Module 2: Identify Business Processes and Dependencies

The Purpose

  • Determine process workflows.
  • Identify existing alternatives/interim processes.
  • Assess existing business continuity plans.

Key Benefits Achieved

  • Document your core business processes and dependencies.
  • Document existing alternatives/interim processes.
  • Determine your current BCP status (to enable the team to measure progress).

Activities: Outputs:
2.1 Identify business process workflows and dependencies.
  • Documented list of core business processes and dependencies.
2.2 Determine existing contingency planning.
  • Documented list of existing alternatives/interim processes.
2.3 Assess existing business continuity plans.
  • Baseline BCP status.

Module 3: Determine the Desired/Target Recovery Timeline

The Purpose

  • Define a scoring scale to measure impact.
  • Estimate the impact of downtime for each business process.
  • Determine the desired RTOs/RPOs.

Key Benefits Achieved

  • Define a scoring scale to estimate business impact.
  • Conduct a business impact analysis.
  • Define recovery time and recovery point objectives (RTO/RPO).

Activities: Outputs:
3.1 Simplify estimating business impact.
  • Business impact analysis (BIA) scoring criteria defined.
3.2 Determine business process criticality to prioritize BCP efforts.
  • Business impact analysis.
3.3 Determine an appropriate recovery timeline based on business impact.
  • Desired recovery timeline identified.

Module 4: Determine the Current Achievable Recovery Timeline

The Purpose

  • Determine your baseline business continuity capability (your current state). 

Key Benefits Achieved

  • Identify the gaps between current and desired business continuity capability. 

Activities: Outputs:
4.1 Identify current capabilities via tabletop planning.
  • Current state incident response plan defined.
4.2 Compare current to desired RTOs/RPOs.
  • RTO/RPO gaps defined.
4.3 Estimate likelihood and impact of failure of individual dependencies.
  • Additional vulnerabilities identified.

Module 5: Identify Projects to Close Gaps and Mitigate Risks

The Purpose

  • Determine what projects or initiatives are required to close the gap between current and desired business continuity capability.

Key Benefits Achieved

  • BCP project roadmap defined.

Activities: Outputs:
5.1 Identify projects that close recovery gaps.
  • Potential list of business continuity projects identified.
5.2 Prioritize projects based on cost and benefits.
  • Order of project implementation identified.
5.3 Create a project implementation timeline.
  • Project schedule identified.

Module 6: Document and Validate the Desired-State Incident Response Plan

The Purpose

  • Define and validate the desired incident response plan.
  • Document your incident response plans for the current and desired state.
  • Conclude the onsite workshop.

Key Benefits Achieved

  • Document your incident response plans for your current state (i.e. based on current capabilities) as well as your desired state (i.e. after BC projects are implemented that would enable you to meet desired RTOs/RPOs).
  • Ensure the BC project roadmap will achieve the desired goals (meet desired RTOs/RPOs).
  • Create a pilot summary presentation deck to communicate results to your executive team.

Activities: Outputs:
6.1 Determine what the incident response plan would be after the BC project roadmap is completed and ensure it achieves the desired RTOs/RPOs.
  • Desired-state incident response plan defined.
  • Updated BC project roadmap, if the desired-state planning process uncovers additional gaps.
6.2 Enable incident response coordinators to monitor and report status during an incident.
  • Incident response plan for the current and desired state.
6.3 Summarize pilot outcomes including BC metrics improvements.
  • Pilot results presentation PowerPoint deck.

Module 7: (Post-Workshop) Create a Plan for BCP Completion and BCP/DRP Alignment

The Purpose

  • Create a BC policy and BC management teams.
  • Define a workflow to develop a BCP for remaining business units.
  • Define a workflow for incorporating BCP outcomes into your IT DRP process.

Key Benefits Achieved

  • Create a BC policy to drive ongoing business continuity management.
  • Define a workflow to develop a BCP for remaining business units.
  • Define a workflow for incorporating BCP outcomes into your IT DRP process.

Activities: Outputs:
7.1 Establish corporate goals for ongoing business continuity management.
  • BC policy.
7.2 Enable the organization to repeat the BCP methodology for remaining business units, summarize results, and resolve discrepancies.
  • Documented workflow for completing BCP for remaining business units.
7.3 Update your IT DRP to meet new technology requirements defined by the BCP process.
  • Documented workflow for incorporating BCP outcomes into your IT DRP process.
7.4 Ensure ongoing alignment between your IT DRP and BCP.

Book Your Workshop

Onsite Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn’t enough, we offer low-cost onsite delivery of our Project Workshops. We take you through every phase of your project and ensure that you have a road map in place to complete your project successfully.
