Develop a Business Continuity Plan
Streamline the traditional approach to make BCP development manageable and repeatable.
This content requires an active subscription.
Access this content by logging in with your Info-Tech Research Group membership or contacting one of our representatives for assistance.
View Storyboard
Contributors
- Bernard Jones (MBCI, CBCP, CORP, ITILv3), Owner/Principal, B Jones BCP Consulting, LLC
- Patrick Potter, GRC Strategies, RSA Archer Organization
- Ali Alidina, Information & Technology Manager, Canadian Patient Safety Institute
- Rob Vandervelde, Director, Corporate Services, Canadian Patient Safety Institute
- Michelle Swessel, PM and IT Business Analyst, Wisconsin Compensation Rating Bureau (WCRB)
- R. Sheridan K. Smith (CISSP, CRISC, CBRM, CBRITP), Information Technology Manager, Arch Reinsurance Ltd.
- Ray Mach, BCP Industry Speaker
- Sean Seaber, Director Global Information Technology, MRI Software
- Two additional organizations were interviewed but requested anonymity
Your Challenge
- IT managers asked to lead BCP efforts are dealing with processes and requirements beyond IT and outside of their control.
- BCP requires input from multiple departments with different and sometimes conflicting objectives.
- Typically there are few, if any, dedicated resources for BCP, so it can't be a full-time resource-intensive project.
Our Advice
Critical Insight
- As an IT leader, you have the skill set and organizational knowledge to lead a BCP project, but ultimately business leaders need to own the BCP. They know their processes and, therefore, their requirements to resume business operations better than anyone else.
- The traditional approach to BCP is a massive project that most organizations can’t execute without hiring a consultant. To execute BCP in-house, carve up the task into manageable pieces as outlined in this blueprint.
- Leverage the BCP methodology to not only identify current processes, but also review and optimize those processes.
Impact and Result
- Position IT as the consultant for BCP, not the owner. Ultimately, the business needs to own the BCP to make it sustainable.
- Execute a pilot BCP process to establish a methodology that can be repeated by the rest of the organization.
- Achieve alignment between your IT DRP and overall BCP.
1. Define BCP pilot parameters
Clarify IT vs. business roles, project objectives, and key milestones.
2. Identify processes and dependencies
Determine what would be required to recover from an incident and resume operations.
3. Determine the desired recovery timeline
Set appropriate recovery timeline targets based on business impact and business requirements.
4. Determine the current achievable recovery timeline
Identify the gap between achievable and desired recovery capability.
5. Identify projects to close gaps and mitigate risks
Create a business continuity project roadmap to achieve the desired recovery timeline.
6. Document and validate the desired-state incident response plan
Define a procedure to resume business unit processes after an incident, within the desired recovery timeline.
7. Complete the BCP process
Create a plan to develop a BCP for remaining business units and initiate ongoing BCM.
Guided Implementations
This guided implementation is a seven call advisory process.
Call #1 - Define the BCP pilot parameters
Set project goals, select a pilot business unit, and define roles and responsibilities.
Call #2 - Identify existing business processes, dependencies, and alternatives
Identify, prioritize, and document processes to support BCP and process optimization, identify existing interim processes, and capture the current BCP status to establish a baseline metric.
Call #3 - Determine the desired (target) recovery timeline
Conduct a business impact analysis, and identify RTOs and RPOs.
Call #4 - Determine the current achievable recovery timeline
Conduct a tabletop planning exercise and document the results, assess RTO and RPO gaps, and assess known risks.
Call #5 - Identify and prioritize projects to close recovery timeline gaps and mitigate risks
Identify and prioritize projects to close RTO/RPO gaps and mitigate risks, and create a project roadmap.
Call #6 - Document and validate the desired-state incident response plan
Create incident response plans for the current and desired state, create a plan for returning to the primary site after the incident is resolved, and measure pilot success.
Call #7 - Create a plan to complete the BCP process for remaining business units and initiate ongoing BCM
Leverage pilot results to establish a BCM program, complete the BCP for remaining business units, and incorporate BCP outcomes into your IT DRP process.
Info-Tech Academy
Get Info-Tech Certified
Train your staff and develop a world-class IT team.
New to Info-Tech Academy? Learn more here
Business Continuity Course
Streamline the traditional approach to make BCP development manageable and repeatable.
This course makes up part of the Security & Risk Certificate.
Course information:
- Title: Business Continuity Course
- Number of Course Modules: 6
- Estimated Time to Complete: 2-2.5 hours
- Featured Analysts:
- Frank Trovato, Research Director, Infrastructure Practice
- Eric Wright, SVP of Research and Advisory
- Now Playing: Executive Brief
Book Your Workshop
Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: (Pre-Workshop) Prepare for the BCP Workshop
The Purpose
- Prioritize business units for BCP development.
- Create a BCP pilot team.
- Define BCP metrics.
Key Benefits Achieved
- Select the pilot business unit and workshop participants.
- Establish metrics to measure the benefits of completing the BCP pilot.
Activities
Outputs
Determine the business units that are most in need of a BCP.
- Prioritized list of business units for BCP.
Select the pilot business unit to follow the BCP methodology.
- Seed success by identifying a good candidate for initiating BCP development.
Define roles for the BCP pilot.
- BCP pilot team identified.
Module 2: Identify Business Processes and Dependencies
The Purpose
- Determine process workflows.
- Identify existing alternatives/interim processes.
- Assess existing business continuity plans.
Key Benefits Achieved
- Document your core business processes and dependencies.
- Document existing alternatives/interim processes.
- Determine your current BCP status (to enable the team to measure progress).
Activities
Outputs
Identify business process workflows and dependencies.
- Documented list of core business processes and dependencies.
Determine existing contingency planning.
- Documented list of existing alternatives/interim processes.
Assess existing business continuity plans.
- Baseline BCP status.
Module 3: Determine the Desired/Target Recovery Timeline
The Purpose
- Define a scoring scale to measure impact.
- Estimate the impact of downtime for each business process.
- Determine the desired RTOs/RPOs.
Key Benefits Achieved
- Define a scoring scale to estimate business impact.
- Conduct a business impact analysis.
- Define recovery time and recovery point objectives (RTO/RPO).
Activities
Outputs
Simplify estimating business impact.
- Business impact analysis (BIA) scoring criteria defined.
Determine business process criticality to prioritize BCP efforts.
- Business impact analysis.
Determine an appropriate recovery timeline based on business impact.
- Desired recovery timeline identified.
Module 4: Determine the Current Achievable Recovery Timeline
The Purpose
- Determine your baseline business continuity capability (your current state).
Key Benefits Achieved
- Identify the gaps between current and desired business continuity capability.
Activities
Outputs
Identify current capabilities via tabletop planning.
- Current state incident response plan defined.
Compare current to desired RTOs/RPOs.
- RTO/RPO gaps defined.
Estimate likelihood and impact of failure of individual dependencies.
- Additional vulnerabilities identified.
Module 5: Identify Projects to Close Gaps and Mitigate Risks
The Purpose
- Determine what projects or initiatives are required to close the gap between current and desired business continuity capability.
Key Benefits Achieved
- BCP project roadmap defined.
Activities
Outputs
Identify projects that close recovery gaps.
- Potential list of business continuity projects identified.
Prioritize projects based on cost and benefits.
- Order of project implementation identified.
Create a project implementation timeline.
- Project schedule identified.
Module 6: Document and Validate the Desired-State Incident Response Plan
The Purpose
- Define and validate the desired incident response plan.
- Document your incident response plans for the current and desired state.
- Conclude the onsite workshop.
Key Benefits Achieved
- Document your incident response plans for your current state (i.e. based on current capabilities) as well as your desired state (i.e. after BC projects are implemented that would enable you to meet desired RTOs/RPOs).
- Ensure the BC project roadmap will achieve the desired goals (meet desired RTOs/RPOs).
- Create a pilot summary presentation deck to communicate results to your executive team.
Activities
Outputs
Determine what the incident response plan would be after the BC project roadmap is completed and ensure it achieves the desired RTOs/RPOs.
- Desired-state incident response plan defined.
- Updated BC project roadmap, if the desired-state planning process uncovers additional gaps.
Enable incident response coordinators to monitor and report status during an incident.
- Incident response plan for the current and desired state.
Summarize pilot outcomes including BC metrics improvements.
- Pilot results presentation PowerPoint deck.
Module 7: (Post-Workshop) Create a Plan for BCP Completion and BCP/DRP Alignment
The Purpose
- Create a BC policy and BC management teams.
- Define a workflow to develop a BCP for remaining business units.
- Define a workflow for incorporating BCP outcomes into your IT DRP process.
Key Benefits Achieved
- Create a BC policy to drive ongoing business continuity management.
- Define a workflow to develop a BCP for remaining business units.
- Define a workflow for incorporating BCP outcomes into your IT DRP process.
Activities
Outputs
Establish corporate goals for ongoing business continuity management.
- BC policy.
Enable the organization to repeat the BCP methodology for remaining business units, summarize results, and resolve discrepancies.
- Documented workflow for completing BCP for remaining business units.
Update your IT DRP to meet new technology requirements defined by the BCP process.
- Documented workflow for incorporating BCP outcomes into your IT DRP process.
Ensure ongoing alignment between your IT DRP and BCP.
After each Info-Tech experience, we ask our members to quantify the real time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this Blueprint, and what our clients have to say.
Client
$ Saved
Days Saved
Testimonial
City of Lethbridge
N/A
N/A
On behalf of the City of Lethbridge participants, many thanks for the awesome Business Continuity Planning (BCP) workshop and for having Frank and David as our Info-Tech Consultants. I really appreciated their attention to content details, for having a keen understanding of the BCP material, and ensuring that our business audience understood the BCP process requirements as part of their deliverables. I would recommend Info-Tech without hesitation.
Rend Lake College
$6,562
15
Best - gaining additional understanding of department operations. Worst - cumbersome process of printing copies of deliverables.
TRAC Intermodal
N/A
N/A
Too soon to tell.
Client
Facilitator(s) effectiveness
INFO & materials effectiveness
Overall experience
Understanding of next steps
Testimonial
Cahill Gordon & Reindel LLP
9.0
8.0
9.0
8.0
Cheshire Medical Center
9.0
8.0
9.0
8.0
