The Binomial Bookstore

THE COMPREHENSIVE BUSINESS CONTINUITY MANAGEMENT PROGRAM:
BUSINESS IMPACT ANALYSIS, BUSINESS CONTINUITY PLAN AND CRISIS / RISK
MANAGEMENT PLAN DEVELOPMENT TEMPLATES ON CD-ROM
by Douglas M. Henderson

The Comprehensive Business Continuity Management Program is a complete program for
business that includes advice for all development steps from the Information Collection
Process, through the Business Analysis, to the actual Business Continuity and Crisis
Response documentation and finally with assistance for the ongoing exercising and
maintenance process.
PLANNING CAN BE EXTREMELY OVERWHELMING ... BUT WE'VE MADE IT EASY FOR
YOU!

- How can we protect our business assets?
- How do we recover business operations?
- How do we assist our employees?
- How do we respond to an emergency?
- What are the priorities?
- What actions do we take first?
- How do we get started?
- Where do we begin?
- How do we collect data?
- What analysis do we need to perform?

The Comprehensive Business Continuity Management Program identifies Step by Step
Solutions to these and other important questions. It contains a considerable amount of
standard language that enables the user to easily review and edit text. It guides the user (with
‘Author's Notes' and ‘Sample Reports & Plans') to create a Business Continuity
Management Program for your company.

All files use Fill-In-The-Blank format and Microsoft Word Templates that are EASY TO
UPDATE and require NO SPECIAL TRAINING!

The Comprehensive Business Continuity Management Program follows professional
standards as recommended by the Disaster Recovery Institute International, Business
Continuity Institute Good Practices Guide, NFPA 1600 Standard on Disaster/Emergency
Management and Business Continuity Programs as well as industry best practices.

- - - - - - - -
-

WHAT FILES ARE INCLUDED WITH THE TEMPLATES?

README FILE
1. DMI.BCMP.ReadMe.doc - Introduction, user & copyright information

BUSINESS IMPACT ANALYSIS FILES
1. InformationCollectionChecklists.doc - Forms for gathering information about the
business & physical environment
2. BusinessUnitQuestionnaire.doc - Forms to gather information about the activities
of the operational groups and support departments within the business
3. BusinessUnitQuestionnairebyWorkshop.doc - An alternate approach to collect
information by workshop rather than by individual manager meetings
4. DMI.BIA.doc - The Business Impact Analysis template that is designed to
become the actual BIA for your company
5. SampleBIA.Manufacturer.doc - A sample completed BIA for a hypothetical
manufcturing business
6. SampleBIA.ServiceIndustry.doc - A sample completed BIA for a hypothetical
service industry business

BUSINESS CONTINUITY PLAN FILES
1. DMI.BCP.doc - The Business Continuity Plan template that is designed to
become the actual BCP for your company
2. SampleBCP.Manufacturer.doc - A sample completed BCP for a hypothetical
manufacturing business
3. SampleBCP.ServiceIndustry.doc - A sample completed BCP for a hypothetical
service industry business
4. BusinessUnitResponsibilities.doc - The identification and assignment of
responsibilities to the business units
5. CommunicationsPlan.doc - A plan to maintain communications with employees,
clients, news media and other interested parties
6. FacilitiesDepartmentPlan.doc - Special building protection and recovery planning
for the Facilities Department
7. FinanceAccountingPlan.doc - A plan to maintain critical financial support for the
Finance & Accounting Department
8. HumanResourcesPlan.doc - A plan to maintain critical employee support services
for the Human Resources Department
9. InformationTechnologyDisasterPlan.doc - An comprehensive outline of critical
technology support services for the IT Department
10. SalesMarketing.doc - A plan to maintain new business operations for the Sales &
Marketing Department
11. Security.doc - A plan to maintain security before, during and after a disaster

CRISIS / RISK MANAGEMENT PLAN FILES
1. DMI.CRMP. doc - The Crisis / Risk Management Planning template that is
designed to become the actual CRMP for your company
2. HurricaneFloodPlan.doc - A special hurricane and flood plan supplement for
businesses that face a serious hurricane or flood threat
3. EmergencyResponsePlanEmployees.doc - An Emergency Response Plan for
distribution to your employees

BONUS MATERIALS
1. BonusFiles.doc - Articles, personal planning information, etc. files of educational
value

- - - - - - - -
-

EXCERPT

Executive Commitment

Before any project can commence and have a reasonable chance of success, a commitment
must be secured from the highest levels of the organization. A 'Management Committee' (or
'Steering Committee') with significant senior management level participation needs to be
assembled. Within the Management Committee an executive level individual needs to be
placed in charge of the entire project. A management level individual needs to be
designated as the 'Project Manager' to develop the actual documentation. Sufficient
authority and resources will have to be allocated to the entire project for it to be successful.

Projects

In order to develop and maintain a comprehensive Business Continuity Management
Program, Disaster Management, Inc. suggests a multi-project approach that parallels
industry best practices as follows:

Project 1 - After a commitment from management has been made; this first step involves the
Collection of Information needed to complete the necessary projects.

Project 2 - The development of a Business Impact Analysis (BIA). The BIA will include an
assessment of the natural and man-made risks that face the business. The BIA will also
analyze the recovery priorities and set objectives for the BCP and the need for other support
plans.

Project 3 - The development of a central or overarching plan or Business Continuity Plan
(BCP) for the business.

Project 4 - The development of a Crisis / Risk Management Plan is needed to define
emergency actions to respond to actual specific emergency situations.

Project 5 - The development or update of the Information Technology Plan needed to
maintain the systems and communication capabilities of the business.

Project 6 - The development or update of the plans in place for the operational groups and
support departments or the Business Unit Plans needed to maintain critical operational
activities.

Project 7 - Involves the Implementation of the entire program.

Project 8 - Involves the Exercising, Training and Ongoing Requirements of the entire
program.

1. Project 1 - Collection of Information

In order to assemble the information necessary to complete the planning process, the
following action steps should be taken:

1. Develop and confirm the details and projected timetable for the entire project.
2. Conduct a site inspection and gather information about the overall business.
- Identify risks & exposures
- Review safety & security issues
- Identify the level of planning in the technology area
3. Meet with representatives from each major 'business unit' (the support
departments, operational groups and other defined entities that comprise the business) and
assess the current level of planning.

2. Project 2 - Business Impact Analysis (BIA)

It is important to note that the Business Impact Analysis (BIA) is not a planning component;
rather the BIA establishes the guidelines (or 'road map') for the development of the BCP and
related plans. The BIA is a report subject to executive management review and approval.

An important component of the BIA is an evaluation of the natural and manmade risks that
threaten the organization. This is referred to as a Risk and Vulnerability Analysis and this
analysis is included as part of the BIA.

All critical areas of the business that must remain operational or rapidly recover for normal
activities to continue need to be identified. It is widely acknowledged that it is not practical
for most organizations to rapidly restore all normal operations following a disaster.
Therefore, a key component of the BIA is to establish and prioritize critical operations. For
most businesses, critical operations are either revenue-generating operations or activities
that directly support revenue-generating operations. Critical operations are also time
sensitive - the loss of these capabilities will have an adverse financial impact in the very short
term. For each critical operation a Recovery Time Objective (RTO) is established.

Once critical operations, process flows and interdependencies are identified, strategies can
be developed to ensure their ongoing function or rapid restoration. The BIA develops
strategic solutions to respond to potential disasters. Solution strategies focus on the
maintenance and restoration of critical services and/or products and do not necessarily
attempt to replicate existing procedures.

The BIA also reviews the level of existing planning both in the Information Technology
department and throughout the other business units. Recommendations regarding
additional planning or improvements to existing procedures are identified.

3. Project 3 - Business Continuity Plan (BCP)

The Business Continuity Plan (BCP) will develop the details of the response to a disaster
situation by the business. This is the overarching plan for the business and defines the
overall actions of the organization during an emergency. The central focus of a good BCP is
to identify and develop solutions to maintain or rapidly restore critical operations. Other
objectives of the BCP are to prevent manmade disasters, minimize the disruption of
business operations, mitigate damages, minimize legal exposures, comply with industry best
practices and assure the safety of employees and other individuals.

The Business Continuity Plan (BCP) is intended to establish policies, procedures and
organizational structure for response to emergencies that are of sufficient magnitude to
cause a significant disruption of the functioning of all or portions of the business. The BCP is
the official plan of the business and describes the roles and responsibilities of support
departments, operational groups and personnel during emergency situations.

4. Project 4 - Crisis / Risk Management Plan (CRMP)

Crisis response planning addresses the action steps to be taken to respond to specific
disaster events. The central focus of crisis response planning is first life safety and second
asset protection.

Planning should address all specific disasters of significance as identified in the BIA.
Planning includes steps to prepare for foreseen events (generally weather related events),
actions to be taken during the event (almost entirely life-safety-steps) and recovery after the
event. Recovery planning includes a time-phase process after a major disaster where there
is significant damage and the general environment also will likely be dangerous.

5. Project 5 - Information Technology Plans

The Information Technology Plan ('Disaster Recovery Plan') includes the need for planning in
the following areas:

- Project 5A - Critical Data Management. This is a formal plan to secure, classify
and retrieve electronic information and critical applications.
- Project 5B - Data Center Recovery. This is a formal plan to reconstruct systems
& communication centers.
- Project 5C - Alternate Site Plan. Management determines the type of Alternate
Site Plan that is needed based on the established recovery time objectives, levels of service
degradation and the response that is cost justified.
- Project 5D - Information Security Plan. The need for additional Information
Security Planning is based upon management's objectives, audit requirements, costs, and
the effectiveness of existing controls.

6. Project 6 - Business Unit Plans

The operational effectiveness of the entire Business Continuity Management Program will be
dependent on the proper actions being taken by all organizational business units (the
business's operational groups and support departments). The Business Continuity
Management Program will define the goals and objectives of each business unit. Templates
for Business Unit Plans are provided for critical support departments.

7. Project 7 - Implementation

Implementation includes the dissemination of information to the management team and to all
employees. Implementation also includes the actual assembly of all materials, contracts,
subcontractors, etc. (as specified in the plan) that are necessary to be in place and ready in
an emergency situation.

8. Project 8 - Exercising, Training and Ongoing Requirements

Although the entire Business Continuity Management Program is completed it is never
finalized. Periodic testing (or 'exercising'), training and update are required to maintain the
effectiveness of the plan. Meeting of the key teams should take place several times a year.
The BCP documentation defines maintenance and update procedures.

- - - - - - - -
-

ABOUT THE AUTHOR

Douglas M. Henderson, President of Disaster Management, Inc., has 20 years of experience
in management with major consulting firms. In August of 1992, Doug was the key associate
of the Emergency Response Team for a consulting firm located in South Miami-Dade
County. Inspired by the real life business experience with Hurricane Andrew and concerned
about the lack of preparation within the business community, Doug founded Disaster
Management, Inc. in 1993.

Doug has a Bachelor of Science Degree in Mathematics from the University of Arizona. His
professional credentials include FSA – Fellow, Society of Actuaries and CBCP – Certified
Business Continuity Professional. Doug is also a member of FEPA (Florida Emergency
Preparedness Association), the editor of DisasterALERT!, a member of the Miami-Dade
Terrorist Mitigation Committee, the author of the book Is Your Business Ready for the Next
Disaster? and numerous planning templates.

- - - - - - - -
-
2006, CD-ROM, 750+ pages. ISBN #1-931332-38-X
Rothstein Associates Inc., Publisher.
Order #DR789.
- - - - - - - -
-

The Binomial Bookstore

Software; CD/Diskette Products

Rothstein Associates Inc.