Business Continuity Plan Template

© State of Queensland, 2013.

The Queensland Government supports and encourages the dissemination and exchange of its information. The copyright in this publication is licensed under a Creative Commons Attribution 3.0 Australia (CC BY) licence.

Under this licence you are free, without having to seek our permission, to use this publication in accordance with the licence terms.

You must keep intact the copyright notice and attribute the State of Queensland as the source of the publication.

Note: Some content in this publication may have different licence terms as indicated. For more information on this licence, visit http://creativecommons.org/licenses/by/3.0/au/deed.en

Contents

INTRODUCTION
    Developing a Business Continuity Plan
BUSINESS CONTINUITY PLAN
    Distribution List
    References and related documents
SECTION 1
    Executive Summary (optional)
    Objectives
    Glossary
SECTION 2
    Risk Management Planning
    Insurance
    Data security and backup strategy
SECTION 3
    Business Impact Analysis
    Business Impact Analysis
SECTION 4
    Incident Response Plan
    Immediate Response Checklist
    Evacuation Procedures
    Emergency kit
    Roles and Responsibilities
    Key Contact Sheet
    Event Log
SECTION 5
    Recovery
    Recovery Plan
    Incident Recovery Checklist
    Recovery contacts
    Insurance claims
    Market assessment
SECTION 6
    Rehearse, Maintain and Review
    Training schedule
    Review schedule

Introduction

The purpose of developing a Business Continuity Plan is to ensure the continuation of your business during and following any critical incident that results in disruption to your normal operational capability. This guide will assist you to undertake a Risk Management Plan and Business Impact Analysis, and create Incident Response and Recovery Plans for your business.

Developing a Business Continuity Plan

This template incorporates the Prevention, Preparedness, Response and Recovery (PPRR) framework.
Each of the four key elements is represented by a part in the Business Continuity Planning Process.

· Prevention - Risk Management planning - Incorporates the Prevention element that identifies and manages the likelihood and/or effects of risk associated with an incident.
· Preparedness - Business Impact Analysis - Incorporates the Preparedness element that identifies and prioritises the key activities of a business that may be adversely affected by any disruptions.
· Response - Incident Response planning - Incorporates the Response element and outlines immediate actions taken to respond to an incident in terms of containment, control and minimising impacts.
· Recovery - Recovery planning - Incorporates the Recovery element that outlines actions taken to recover from an incident in order to minimise disruption and recovery times.

We have also included a section titled Rehearse, Maintain and Review, which encourages you to test, regularly review and update your Business Continuity Plan to ensure that your staff are familiar with it, and that it reflects your changing business needs.

Business operators should use the following template as a guide to developing a Business Continuity Plan. Customise it to suit your business needs. The blue sample text is there to guide you and can be deleted after you have completed the template. Remember to save your document.

Insert Your Business Name
Business Continuity Plan
Date: _

Distribution List

To assist in updating and revising the plan, an up-to-date list of all plan locations and persons supplied with a copy of the plan should be included.

Name | Location
001
002
003
004
005
006

References and related documents

Include all documents that have a bearing on your Business Continuity Plan.

Document Title

Section 1

Executive Summary (optional)

An executive summary is the plan in miniature (usually one page or shorter). It should contain enough information for a reader to get acquainted with the plan without reading the full document.
Depending on the size of your business and the length of your document, you may choose not to include an executive summary.

Objectives

Objectives serve as a means of clarifying the purpose of your plan and should describe the intended result. An example of plan objectives is listed below:

The objectives of this plan are to:
· undertake risk management assessment
· define and prioritise your critical business functions
· detail your immediate response to a critical incident
· detail strategies and actions to be taken to enable you to stay in business
· review and update this plan on a regular basis.

Glossary

This table provides a consistent and commonly agreed set of definitions for terms used in the plan. You should customise this list to suit your business.

Business Continuity Planning: a process that helps develop a plan document to manage the risks to a business, ensuring that it can operate to the extent required in the event of a crisis/disaster.
Business Continuity Plan: a document containing all of the information required to ensure that your business is able to resume critical business activities should a crisis/disaster occur.
Business Impact Analysis: the process of gathering information to determine basic recovery requirements for your key business activities in the event of a crisis/disaster.
Key business activities: those activities essential to deliver outputs and achievement of business objectives.
Recovery Time Objective (RTO): the time from which you declare a crisis/disaster to the time that the critical business functions must be fully operational in order to avoid serious financial loss.
Resources: the means that support delivery of an identifiable output and/or result.
Resources may be money, physical assets, or most importantly, people.
Risk Management: the process of defining and analysing risks, and then deciding on the appropriate course of action in order to minimise these risks, whilst still achieving business goals.

Section 2

Risk Management Planning

You need to manage the risks to your business by identifying and analysing the things that may have an adverse effect on your business and choosing the best method of dealing with each of these identified risks.

The questions to ask yourself are:
· What could cause an impact?
· How serious would that impact be?
· What is the likelihood of this occurring?
· Can it be reduced or eliminated?

An example is provided in the following table for you.

Risk Management Plan

Prepared by: _    Date: _
Reviewed by: _    Date: _

Key: VH = Very High, H = High, M = Medium, L = Low

Columns: Risk Description | Likelihood | Impact | Priority | Preventative Action | Contingency Plans

Risk Description: Interruption to production processes
    - breakdown of key plant and equipment
    - damage to plant and equipment (e.g. fire)
Likelihood: L
Impact: VH
Priority: H
Preventative Action / Contingency Plans:
· ensure adequate insurance cover in place including business interruption and general property
· set up agreement with suitable supplier for 24 hour repairs and replacement for key plant and equipment
· source alternative production site (if location and equipment have been damaged)
· immediate access to personal resources whilst waiting for insurance payments

Risk Description: Burglary
Likelihood: H
Impact: H
Priority: H
Preventative Action / Contingency Plans:
· ensure adequate insurance cover in place including business interruption and general property including theft
· install alarm and video surveillance camera
· keep a list of sources for replacement property/equipment.

Insurance

As part of your risk management plan you need to determine what types of insurance are available and put in place the insurance your business needs.

Columns: Insurance type | Policy coverage | Policy exclusions | Insurance company and contact | Last review date | Payments due

Insurance type: Business Interruption
Policy coverage / Policy exclusions: Business interruption due to:
· fire
· flood
· theft
· terrorism
· tsunami
· landslide
Insurance company and contact: XYZ Insurance, A Person, Ph: 07 3000 0000
Last review date: 00/00/00
Payments due: Amount you pay and frequency, e.g. monthly, yearly

Data security and backup strategy

How have you protected your data and your network (e.g. virus protection, secure networks and firewalls, secure passwords and data backup procedures)? Detail your backup procedures in the table below.

Columns: Data for backup | Frequency of backup | Backup media/service | Person responsible | Backup procedure steps

Data for backup: Customer database
Frequency of backup: Weekly
Backup media/service: External hard drive
Person responsible: A Person
Backup procedure steps:
· Remove external drive from fire safe
· Copy data from Customer database
· Return external drive to fire safe

Section 3

Business Impact Analysis

As part of the Business Continuity Plan, business owners should undertake a Business Impact Analysis, which will use the information in your Risk Management Plan to assess the identified risks and impacts in relation to critical activities of your business and determine basic recovery requirements.
Critical activities may be defined as primary business functions that must continue in order to support your business.

You need to identify:
· your critical business activities
· what the impact to your business would be in the event of a disruption
· how long could your business survive without performing this activity.

As part of your Business Impact Analysis you should assign Recovery Time Objectives (RTO) to each function. The RTO is the time from which you declare a crisis/disaster to the time that the critical business function must be fully operational in order to avoid serious financial loss.

The following questions may assist you to determine your critical activities.

1. In the following table, list the business activities that must be performed to ensure your business continues to operate effectively. If you have a number of business units/departments, complete one table for each.

1  Production services
2
3
4

2. For each business activity listed above, complete the following:

Business Activity Name: Production Services
Business Activity Description: Production of customised widgets for individual customer orders.

a) What are the losses if this business activity could not be provided?

Loss of Revenue: $7,500 per week
Increased Costs: $N/A
Staffing: Production staff numbers will need to be reduced.
Product/service: Number of widgets available for sale will be reduced until production resumes.
Fines or penalties due to missed deadlines: N/A
Legal liability, personal damage, public harm: N/A
Loss of good will, public image: Will occur if unable to meet current client orders.

Comments: Current stocks will meet demands for up to 2 weeks.

b) For what maximum amount of time could this business activity be unavailable (either 100% or partial) before the losses would occur?

_ hrs    _ days    2 weeks    _ months

Comments: If stock is not produced for more than 2 weeks the business will lose sales and customers will source alternative widget manufacturer.

c) Does this activity depend on any outside services or products for its successful completion?

☐ NO    ☑ YES

If yes, check one of the following:

☑ Sole Supplier    ☐ Major Supplier    ☐ Many Alternate Suppliers

Comments: If production is lost, standing order with the supplier will need to be adjusted to prevent build-up of excess widget material.

d) On a scale of 1 to 5 (1 being the Most Important, 5 being the Least Important), where would this business activity fall in terms of being important to the operation of your department or business?

☑ 1    ☐ 2    ☐ 3    ☐ 4    ☐ 5

Comments: Widgets production is the primary activity of the business.

Completed By: _    Date: _

Business Impact Analysis

Columns: Critical Business Activity | Description | Priority | Impact of loss (describe losses in terms of financial, staffing, loss of reputation etc) | RTO (critical period before business losses occur)

Critical Business Activity: Production services
Description: Production of customised widgets for individual customer orders.
Priority: High
Impact of loss:
· reduced $7,500 revenue per week
· build up of stock and inventory related to slow down in orders for design and production services
· customers will source alternate suppliers
· unable to meet business overheads e.g. rent, staff wages
· potential job losses (after 2 weeks).
RTO: 2 weeks

Section 4

Incident Response Plan

This is to prepare you for a timely response to critical incidents and reduce the impact of those incidents on your previously identified business operations. It also prepares key personnel to provide an effective response to ensure minimal disruption to operations in the event of emergency.

The following provides an example of the type of information, including checklists, you might include when planning your response to a critical incident.
These together would form your Incident Response Plan.

Immediate Response Checklist

Columns: Incident Response | ✓ | Actions taken

Have you:
· assessed the severity of the incident? ☐
· evacuated the site if necessary? ☐
· accounted for everyone? ☐
· identified any injuries to persons? ☐
· contacted Emergency Services? ☐
· implemented your Incident Response Plan? ☐
· started an Event Log? ☐
· activated staff members and resources? ☐
· appointed a spokesperson? ☐
· gained more information as a priority? ☐
· briefed team members on incident? ☐
· allocated specific roles and responsibilities? ☐
· identified any damage? ☐
· identified critical activities that have been disrupted? ☐
· kept staff informed? ☐
· contacted key stakeholders? ☐
· understood and complied with any regulatory/compliance requirements? ☐
· initiated media/public relations response? ☐

Evacuation Procedures

You need to have appropriate evacuation procedures that cater for both staff and visitors. These procedures should be stored in a place accessible to all staff.

The objective of an evacuation plan is to provide a set of procedures to be used by site occupants in the event of a critical incident. You should:
· start with a floor plan of the site
· clearly identify the location of emergency exits
· develop strategies for providing assistance to persons with disabilities
· make sure that everyone knows what to do if evacuation is necessary
· select and indicate a meeting place (evacuation point) away from the site
· test the plan on a regular basis.

Emergency kit

If there is damage to the building or if it must be evacuated and operation