BCM Questionnaires 6: Plan Development

BC Plan Development

A Plan Development is a process to determine the procedures for notifying the right people, assessing the operational impact. It is also to develop specific steps for minimizing the risks of an outage and restoring normal operations after the outage. The output from this step is the BC Plan or DR Plan.

Review of BC plan Documentation

These audit steps are developed for reviewing the templates provided in the book “Implement Your Business Continuity Plan.”

Review Authorization by the BU Head

• Does the ‘Table of Contents’ accurately reflect the stages contained in the document?
• Are the items in the ‘Plan Distribution List’ appropriate?
• Is there any evidence of a management sign-off?
• Does the date print on the document comply with the BCM policy?

Review of Recovery Procedures

• Are the latest procedures on ‘Fire’ and ‘Bomb Threat’ evacuation procedures in the document?
• Is priority being given to the safety of the staff during an evacuation reflected in the BC plan?
• Are only hand-carried items that will be useful in a recovery situation listed in the ‘Grab List’?
• Are the locations and contact numbers of the Crisis Management Team and Command Centre clearly stated?
• Are the recovery steps in a logical sequence?
• Is the sequence of events and tasks appropriate for the business unit?
• Are all the required contact numbers and names listed?
• Are names and job titles clearly assigned to each task?
• Does the ‘Call Tree’ list the correct key people to be contacted first?
• Does the ‘Call Tree’ limit each call to three people?
• Are those named in the ‘Call Tree’ aware of what to do if a person they call is not available? (i.e. call the next person on the list requesting them to continue with the calls)?
• Are all staff members aware that only the CEO or appointed public relations officer may speak to the media and make statements?
• Is the address of the alternate site stated?
• Are the addresses of the entire off-site storage locations stated?

Recovery Resources

• Are the work area requirements realistic?
• Does the number of furniture items listed match the BIA resource needs?
• Are all the IT application software needs stated?
• Are the network and communications available at the alternate site?
• Has the number of requested stand-alone PCs been reduced accordingly?
• Are any unique software listed?
• Have the unique software systems been tested in the last twelve months?
• Can the items listed in the ‘Salvage List’ be hand-carried?
• Can the items in the ‘Salvage List’ be easily located by a third party?
• Is a floor plan attached?
• Are there items listed in the Salvage List that are so critical to recovery that they should be stored off-site?       

Recovery Procedures

• Have all the critical business functions and processes identified in the BIA and Business Continuity Strategy been included in the List of Critical Business Functions?
• Have all the 4 “W” and 1 “H” questions in the List of Critical Business Functions been answered?
• Are all the critical functions prioritized for recovery purposes?
• Do the internal/ external providers agree with the data line re-routing needs and have confirmed this in writing?
• Do the internal/ external providers agree with telephone re-routing needs and have confirmed this in writing? Has the courier’s ability to collect from alternate locations been determined?
• Are the important customer contacts listed?
• Do the staff members know which customers they are expected to call?
• Have the schedules showing who will move the desks in the event of a disruption been completed?
• Are the recovery procedures directly related to specific recovery tasks?
• Are they clear and understandable to members of the recovery teams?
• Are the equipment, software and procedures needed for recovery currently available?

Copies of Plan

• How many copies of the BC plan are there, and where are they located?
• Is there one for the whole business unit, perhaps locked in the Organization BCM Coordinator’s cabinet?
• Do the rest of the staff members have access to the plan, and should they have access?
• Does the BC plan contains material of a sensitive nature and is considered confidential?
• If so, is it treated properly like a confidential document?
• Should a disaster occur in the absence of the Organization BCM Coordinator, is there an alternate coordinator?
• Does this alternate have a copy of the plan?
• Do both the Organization BCM Coordinator and the alternate have copies off-site for the eventuality that they are unable to get into the original site?
• Is a copy maintained at the recovery site?
• Are all the available copies of the same version?
• How is the movement of the copies controlled?
• Are they numbered, and are the number of copies and their location recorded?
• Is a process of transferring the copies when there is a change in the Organization BCM Coordinator or the Alternate in place?
• Is it necessary for the copies to be so controlled?

Business Continuity Plan

• How has the BC plan been designed to fit the needs of key parts of the organization?
• Is the business unit BC Plan aligned with the overall organizational recovery objectives?
• Has the organization set clear priorities for business functions that must be maintained whilst operating under the BC?
• Are the things that must continue to be done, things, which can be stopped, and things that should be started in accordance with the plan been identified?
• On which key assumptions is the BC planning based?
• Are human resources considered and included in the BC Plan?
• What is the outline of the post-disaster internal and external (customers, suppliers, shareholders etc.) communications plan?
• Is the BC Plan coordinated with the outsourcing service providers’ plans?
• In a crisis does the organization have a policy and procedures for dealing with the media? Are these reflected in the BC Plan?
• Does the BC plan take account of the possibility of transport disruption that may prevent key staff from reaching the recovery site?

Content of BC Plan

• Are the staff members familiar with their roles in the event that they have to evacuate their workplace and recover at another location?
• Are there sufficient details in the BC Plan to enable each business function/process to promptly commence recovery of its business?
• Is the documentation of the BC plan well structured and easy to read/ follow in a disaster?                
• Are all the action steps stated in each phase of the BC plan clear and unambiguous?    
• Is the evacuation site/ assembly point suitable?
• If used by a number of business units will the evacuation site/ assembly point be overcrowded?                
• Does the proposed assembly site allow ease of communication between the Organization BCM Coordinator and the business units coordinators?
• Have the staff been instructed not to wander off from the assembly point until they are dismissed?                
• Are the alternate sites adequate for accommodating the affected business unit(s) and do they fully provide the utilities and system connectivity required?
• Does the entire BC Plan follow the standard BC plan template provided?
• Have alternates been nominated for all staff required to undertake tasks?
• Have advices been exchanged between host and evacuee business units to confirm the relocation arrangements in the event of a disruption?
• Are the estimates of the time required for recovery realistic?
• Have the internal/external providers of products and services agreed with the estimates of time in writing?
• Have business units reduced the list of computer reports they will require in a disaster situation?
• Does the BC Plan reflect the decisions stated in the Business Continuity Strategy documents?
• Do all key people have the required number of copies of the BC Plan on-site and off-site?
• Are the BC Plans stored off-site kept up to date?
• Do all CMT members carry with them at all times a list of team members’ contact numbers in ‘wallet’ sized format?
• Are all members of the CMT sufficiently familiar with their roles, without having to refer to their respective BC Plan?
• Are all the Heads of Business Units fully familiar with BC Plan and the recovery process?
• Are the staff members aware of BC Plan and fully familiar with the evacuation procedures?
• Have the processes/functions in each BC plan been prioritized for recovery purposes?
• Are business units aware of their position on the priority list for recovery of systems/ IT applications?
• Are business units aware of the timing required to set up their systems/ IT applications?
• Have the critical steps to be followed in recovering each process/function been clearly stated?
• Has a summary Business Continuity Strategy document for each business unit been produced?
• Where paragraphs are not applicable to a particular business unit, has ‘N/A’ been used?
• Where appendices are used, have they been properly referenced in the BC Plan?
• Do the non-critical staff members who do not have a BC plan know what to do should they be unable to access their workplace?
• In order to avoid duplication, have intended calls to government departments, local authorities and business exchanges been centralized?
• Have all BC Plan been marked ‘Confidential’?
• Are all ‘Version’ numbers changed when major revisions take place and new pages dated when small amendments are made?
• Would the business unit assessed have a reasonable chance of surviving an incident that prohibits access to the normal working environment, by recovering their business at the predetermined alternate site?

Disaster Assessment Guidelines

Are the following disaster assessment guidelines clearly identified?

• Who are the personnel involved in the disaster assessment?
• What is the notification process for those involved in the disaster assessment?
• What is the timeframe for the disaster assessment?
• Are the safety procedures for disaster assessment in line with Occupational Health and Safety (OHS) requirements?
• What are the steps for informing all relevant insurance companies?

Emergency Response

• What criteria must be met before declaring an emergency?
• Describe the escalation process?
• Is there an agreed definition of a disaster?
• How does the business differentiate between an interruption and a disaster?
• Have the roles and responsibilities of the Emergency Response and Recovery teams been defined?
• Is there an established procedure to shift from an emergency response plan to a BC plan?

Emergency Response and Recovery Teams

• Are the telephone numbers of the government, civic and emergency response teams up to date?
• Do the police and fire department have a copy of the floor plans of the unit’s building?
• Do they have the telephone numbers of the Organization BCM Coordinator and alternate?
• The authorities may not want to keep these numbers on file because of the need for them to be maintained on a regular basis, but these questions should be raised.
• Are members of the various recovery teams aware of their responsibilities and functions?
• Do they have a copy of the action plan?
• Are their telephone numbers, business, home, emergency, mobile, pager on file and up to date?
• Are these numbers randomly spot checked?

Evaluating the Level of Communication in the BC Plan

• Is the objective to ensure that the communication and information flow in the service area recovery plan is adequate?
• Are the BC Plan communication flows which enable the Organization BCM Coordinator to be kept adequately informed by the service area recovery teams throughout the recovery process ensured?
• Do the BC Plans ensure service area recovery team members are kept adequately informed of what stage of the recovery process the organization is in?
• Is the service area recovery team working to recover interrelated business processes kept properly informed of the recovery process and were they keeping other teams informed of their progress?
• Are the appropriate external parties and stakeholders kept informed of the recovery process by the service areas?
• Are procedures in place to ensure external and internal parties included in BC Plan are informed immediately when their assistance needs to be called upon?
• Are procedures in place to ensure all human resource needs are properly addressed?
  • Occupational health and safety
  • Counselling
  • Other support lines of communications
• Does the recovery process address re-implementation of routine controls
  • Physical?
  • Logical?
  • Environmental?

Resource

Goh, M. H. (2016). A Manager's Guide to Auditing and Reviewing Your Business Continuity Management Program. Business Continuity Management Series (2nd ed.). Singapore: GMH Pte Ltd.

Extracted from "BCM Questionnaires 6: Plan Development"

Singapore Government Funding for BCM-8530 Course

The next section applied to Singaporean and Singapore permanent residents.  Click button "Government Funding Available" to find out more about the funding that is available from the Singapore government.  This include the CITREP+, SkillsFuture Credit and UTAP.

Find out more about Blended Learning BCM-8530 [BL-A-5] & BCM-8030 [BL-A-3]

	Please feel free to send us a note if you have any of these questions to sales.ap@bcm-institute.org