Business Continuity and Disaster Recovery Plan Template
Organizations should have a highly structured and well-defined Business Continuity Plan (BCP) that leverages recognized industry standards and best practices, such as ISO 22301 and Disaster Recovery Institute International. The BCP provides a roadmap to prepare for and respond to a range of potential emergencies/disasters relating to the people, data and facilities that comprise an organization's business assets.
The BCP provides a description of the overall business continuity response management structure, identifies specific roles and responsibilities, designates coordination and communication between entities, and describes a general concept of operations for efficiently and effectively addressing the life cycle of an incident.
The BCP and associated Disaster Recovery Plans are tested annually. The results are documented and evaluated for Plan updates.
A key part of the BCP process is the assessment of potential risks to the business that could result from disasters or emergency situations. The purpose of hazard identification and risk assessment is to determine:
- the events and environmental surroundings that can adversely affect an organization’s facilities, through disruption as well as disaster
- the damage such events can cause and the controls needed to prevent or minimize the effects of potential loss
The hazards and threats facing an organization and its data centers are those common to companies of a specific size and location. These include, but are not limited to, the following:
- Natural events (e.g., pandemic) and weather-related natural occurrences
- Technological events such as power utility and computer hazards
- Human-caused events such as accidents or intentional acts designed to appropriate, modify, or destroy company and data center resources, their operating environments, and support staff
The risk assessment process is used to determine what can go wrong, the likelihood it will go wrong, and the impacts if it does go wrong.
Business Impact Analysis (BIA)
Organizations should perform BIAs. A BIA is the process of analyzing activities and the effect that a business disruption may have upon them. The BIA enables an organization to:
- Identify critical systems, processes, functions, and their interdependencies
- Assess the impacts of incidents and disasters
- Develop recovery time objectives
Recovery time objectives vary by product, service, or process.
The governing backbone of business continuity planning at an organization is the Business Continuity Management Team (BCMT). The BCMT is composed of the Executive Management Team (EMT) and the Situation Management Team (SMT), which are responsible for activating and coordinating Functional Area Recovery Management (FARM) Teams and supporting Field Location Business Continuity Teams (BCTs). The Employee Disaster Assistance Team (EDAT) integrates into the SMT.
BCP in Action
In the event of a disaster, the BCMT provides management support; the BCTs address continuity issues at the field locations, while the FARM Teams are concerned with resources and tasks integral to running and restoring their respective functional areas. All teams work in concert during an incident to respond, recover, and restore operations in a timely manner. The following paragraphs provide additional details.
Response activities are implemented following the discovery of an incident. The focus of a BCMT response is protecting all employees and resources, and continuing mission-critical operations. Response activities involve notifications and team activations; establishment of command and control; incident assessment and disaster declaration; implementation of protective actions (e.g., evacuation, shelter-in-place); identification of response priorities and objectives; and initiation of response management procedures and business continuity and IT disaster recovery procedures.
The Executive Management Team assesses company-wide and stakeholder impacts and determines executive support and strategies. Additionally, the EMT provides high-level strategic guidance to the SMT; addresses requests for assistance, resources, and decisions from the SMT; communicates with appropriate stakeholders; and acts as company spokesperson, if needed.
The Situation Management Team is composed of management-level personnel whose primary responsibility is to provide guidance, resources, and support during a disruptive event. Specifically, the SMT assesses the situation and establishes response priorities and objectives. The SMT ensures safety of personnel; prevents further damage; notifies and coordinates with local support services; manages incident response and recovery and ensures implementation of business continuity and disaster recovery plans as needed; communicates with the EMT, staff, governing bodies, partners, service providers, and media as necessary; activates FARM Teams; and provides support to site-specific BCTs.
Field Locations maintain an onsite Business Continuity Team, as part of their emergency operations/business continuity plans. Field Location BCTs can be composed of representatives from a variety of functions. BCT responsibilities include managing an incident at the remote site; integrating into the organization's overall response management structure; and reaching back to the BCMT for support and guidance as needed.
Functional Area Recovery Management Teams, under the overall direction of the SMT, provide support to assist with a functional area's recovery. These teams contain members of all technical support groups, including applications support, database administration (DBA), system administration (SA), network engineering, information security, and telecommunications; administrative support teams such as facilities preparation, purchasing and supplies, and insurance and salvage; and business operations teams. During a disaster, different FARM Teams may be activated by the SMT to respond to and recover from the incident. A FARM Team activation may include implementation of various disaster recovery plans.
The Employee Disaster Assistance Team (EDAT) is a cross-functional team that convenes to address the needs of employees and their families affected by an emergency or unforeseen event. The EDAT integrates into the SMT during an incident.