Business Continuity Toolkit Plan Development – Guidance

Version 1.4 – November 2010

Acknowledgement

• The University of Exeter’s Business Continuity Toolkit has been developed in collaboration with Back2business Ltd.

• We are grateful to Mark Nicholas, (Commercial Director, Stem Group) for sharing his expertise and providing the framework for these toolkit resources.

Introduction & Context

Business Continuity Planning

Plan Template

Recovery Priorities & Requirements

BC Strategies

1

Contents

2

3

4

5

Introduction & Context

• This slide deck is intended to accompany the Business Continuity Plan for additional guidance purposes, in order to assist with the development of departmental plans.

• It also references the ‘Risk, BIA & Strategy’ spreadsheet which once completed, should provide sufficient levels of detail to populate the relevant plan areas.

1

The Business Continuity Process

• Risk & BIA Framework– Agree timeframes, metrics (RTO, RPO),

define critical functions

• Discuss & explore potential strategies and solutions – IT

– Office & Admin Functions

• Framework for Incident Response and Continuity Plans

• Other– Review provided data – e.g. IT DR

Statement

1

Introduction & Context (3)

• Where we are now

• What we need you to do– Complete Risk, BIA & Strategy

information to cover gaps in the plans

– Provide Recovery Timeframes (RTO)

– Provide recovery profile for people over time

– Identify Applications & Systems

1

BC Planning is defined as…

• Business Continuity Planning is the process of advanced planning and preparation to protect against potential loss by formulating and implementing viable strategies and to document them in the form of a plan.

• A BC plan is a documented collection of resources, procedures, tasks, strategy and information that is developed, compiled and maintained in readiness for use following an incident, or crisis situation.

• Remember, this is a living document!

2

Where does my Business Continuity Plan fit in? Structure, Roles and Responsibilities (An example)

Gold Incident Response Plan

Silver Business Continuity Plans

Bronze Operational/Business As UsualProcesses

See slide notes for more information

2

INCIDENT RESPONSE TEAM LEADER

DIR COMMS DIR AS DIR PERS DIR CaS SNR DPTY VC ED

DEPTY DIR COMMS

LEGAL ASST DIR IT H o PROPY SERVS

LIBRARY

STUDENT SERVS

INTERN’L OFFICE

TECH & INFRASTR

SECURITY CONFS & RETAIL

H&S

ELEC ENGR LAB TECH’NS

FACILITIES NETWORKS HELP DESK TRANSP’RT

ACCOMMO-DATION

ACAD’MICSREGISTRY

STRATEGIC

TACTICAL

OPERATNL

Business Continuity Plan – Roles

• BC Team Leader/Plan Owner• Deputies, possibly 1 or 2 depending on number of

functions/activities• BC Team Members• There is no need to include all recovered staff in

the team plan, just those involved in the recovery activities

3

Business Continuity Plan – Template Guidance

• Text within template which is currently in Italics will need to be

– Replaced with your own information– Or deleted, as it is for guidance purposes only

• Plans need to exist for the most appropriate business critical activities

– Guideline should be from ‘Immediate’ to 5/8 days. Anything beyond this will be a judgement call on whether strategies or recovery procedures are required by you

– Simplify or combine Activities or Processes where appropriate (there is no need to list every process/activity as per the BIA feedback – be sensible, as this plan needs to be meaningful and usable!)

– Collaborate and collude with other depts & functions where necessary, e.g. where a process crosses several functions

3

Business Continuity PlanRecovery Priorities & Requirements

• Section 3 of the Plan Template. List Business Critical Activities for function/dept – here you should reference the ‘Risk, BIA & Strategy’ spreadsheet where you should find completed;

– RTO’s & RPO for Colleges / Departments critical functions & activities

– Application and Systems for each critical activity

• (Delete Italic directions in plan once finished)

• Note: any resources, procedures or strategies which are put forward by plan owners will be considered by Insurance & Business Continuity Services to ensure that there are no grey areas or overlaps.

4

Business Continuity Plan – Strategy Development

• From ‘Do Nothing’ to ‘Do Everything’• Which Strategies are cost effective?

– Will require time to implement, cost more or a lot, easy wins

– Consider the sliding scale from localised problems to Worst Case Scenario (e.g. Denial of Access to Campus/College/Building)

• Consider staff, IT (applications & data), lecture resources, facilities, specialised equipment

• For more strategy options – please refer to next slide

5

Business Continuity Plan – Recovery Strategies

• What Strategies could you employ for people?– Working from home?– Working from 3rd party? (supplier, partner, specialist provider)

• What Strategies could you employ for IT?– Broadband, Dongle, telephony, VPN, Laptop– Backup/replicated systems, remote access, cold start up

• What Strategies could you employ for Processes/Activities?– Manual workarounds, paper based systems – Outsource, reciprocal agreements

• Consider running a strategy workshop to develop viable options

Populate Section 4 of the Plan with these options and those derived in the Risk, BIA & Strategy options spreadsheet.

See Crisis Definition table overleaf >

5

Business Continuity Plan – Recovery

Strategies

• As defined for Incident Declaration purposes.

• Consider if your plan would address the relevant scenarios for Levels 2 & 3

• Challenge any assumptions

5

Next Steps

• Start the BIA• Come to the clinics in December and January for support• Complete your plans• Carry out an exercise (this can be fun!)• Review content

– Strategies, requirements and resources– Feasibility– ‘Fitness for Purpose’

For further guidance and support,please email or call:

Sue Dummettbuscont@ex.ac.uk

01392 72 5768