predict every possible incident. Instead, the goal here is one plan that can be adapted to different scenarios, which also reduces the effort to maintain your BCP.
a. Policies and procedures manuals, if they exist, are often out of date or incomplete. Use these as a starting point, but don’t stop there. Identify the “go-to” staff members who are well-versed in how the business unit runs and interview them to identify the informal and undocumented processes.
b. “Working from home” is a common contingency plan, but validate that it is a realistic option during an incident. For example, if there is a regional power or network outage, employees’ homes may also be affected. If their homes are not affected, is there a process to cover long-distance or data charges? Are they dependent on inputs from other staff and is there a means to facilitate that workflow from home?
c. If processes are not documented, use this as an opportunity to create standard operating procedures (SOPs) to drive consistency and process optimization, as described in the Info-Tech blueprint “Create Visual SOP Documents that Drive Process Optimization, Not Just Peace of Mind.”
a. Account for hard copy files as well as electronic data. For example, case files that lawyers carry in their briefcases are information necessary to carry out their tasks. If that information was lost, is there a backup? To meet the RPO for that information, you may need to formalize copying case files on a regular basis (e.g. creating an electronic case file that can be backed up).
b. Expect that the RTOs/RPOs will need to be adjusted after determining the cost of projects required to achieve desired recovery objectives, especially if the cost is greater than the resulting impact of downtime. This is part of the process of finding the balance between the cost to prevent downtime and the potential cost and impact of downtime much like an ROI analysisTabletop planning had the greatest impact on meeting recovery objectives (RTOs/RPOs) among survey respondents.
Be the turtle – improving business continuity capabilities is a long-distance run, not a sprint. Even if budget is not a concern, understand that change for the better is still change, and introduces risk; and massive changes introduce massive risk. Make incremental changes to minimize disruption.
a. Define an incident response plan for an event that requires at least temporary relocation so it is comprehensive enough to also cover other scenarios. The goal is one plan that can be adapted to multiple scenarios, not a separate plan per scenario.
b. Organizations often fail to put the same effort into their procedures for “returning to normal.” However, many of the same risks apply – including data loss and downtime for the business. Apply the same rigor to your “return to normal” procedures as you do for the initial recovery.
a. Expect to find conflicting priorities and uncover new dependencies as you complete the BCP for remaining business units. Assign the same BCP Coordinator to each business unit to identify and resolve these issues as they come up.
b. Incident response team leaders are not necessarily those with the most senior title on each BC/DR team. It’s more important that the team leader has the appropriate skill set than the bigger title.