This is the process we went through with one of our major customers last year to define their business continuity requirements. In this case, the client already had plans in place but knew there were deficiencies in them. We were working to a pre-agreed budget but suggested we launch the process with a scenario exercise for the managment team to focus on the issues they might face.
Client-led brief, project requirements, budget, time scale and scope
Incident Management Exercise
Commercial Initiatives wrote a bespoke and applicable exercise scenario for the management team
This was delivered to the management team, who was asked to implement its current Business Continuity measures
An analysis of the exercise indicated a need for:
a defined control centre for the incident
additional recovery space for departments, particularly after the first week of an outage
contingency planning for working without a key supplier (e.g. call centre)
off-site storage of key customer contact information required to restart the business
Business Impact Analysis & Risk Assessment
Interviews conducted with managers to confirm recovery requirements tolerable
We have found the questionnaire the best way to prepare staff for the Business Impact Analysis interviews to establish recovery requirements.
Questionnaires were sent to key managers to assess the impact of loss of key capabilities
Maximum tolerable period of disruption (MTPD) for major business functions
Minimum staff facilities and IT required for each department over 30 days
Who can work from home and for how long?
How much lost data can staff cope with (the Recovery Point Objective)
What hard copy documents do staff use and how would their loss would affect the business
Departmentís main functions
Critical third party suppliers and how their loss might affect business
Financial & non-financial affect of each department being able to operate
What IT system each department uses and how long they can manage without it (the Recovery Time Objective which would then drive the IT Disaster Recovery Plan)
An Incident Management Team is formed normally around the executive team of the organisation. Its role is to manage the business through what will be a very unsettling, often critical time for everyone, especially your customers.
The recovery plan must cover staff required to remain at work until further notice as well as those required on site.
Each and every department must then be covered by a Recovery Plan. Each plan would include solutions to the problems outlined such as:
Critical internal and third party contacts
Actual recovery location
Facility and IT requirements
Hard copy document storage
Key task list