ISO 22301-2019 BUSINESS CONTINUITY MANAGEMENT SYSTEM (BCMS)

Business Continuity Checklist

The business continuity checklist is the first step in the BCP process. The checklist is not an exhaustive list; it is a simple tool that can be used to ensure that the basic BCP process has been initiated and that Division management has considered what needs to be done to keep essential functions operating if an adverse event occurs. The checklist is somewhat “information centric”, as organisations’ reliance on information is increasing and its successful management provides competitive advantage.

Planning and preparing for various types of unfortunate events represents a fair portion of what you do. It is equally important that each United Way have its own viable plan for what to do if it is impacted in a crisis. Every year crises take a toll on organizations, in both lives and dollars. But organizations are not helpless. Injuries and damage can be limited, and you can get back to normal operations more quickly by planning ahead. That is what this document is about: planning to limit damage and resume operations as quickly as possible when you are caught up in a crisis. This is why it is important to prepare a detailed business continuity checklist. Below we go over a few points to think about when building your business continuity checklist.

Business Continuity Checklist

Program Initiation and Management (Pre-Planning)

  • Establish the need for Business Continuity Program

  • Scope of legal and regulatory authority

  • BCP Sponsor (Senior Management)

  • Business Continuity Steering Committee (5-8 people)

  • BCP protects core assets

Risk Evaluation and Control (Pre-Planning)

  • Prioritize planning and resource allocation

  • Identify and mitigate exposures

  • Identify the threats, risks and vulnerabilities

  • Gather information

  • Controls/Safeguards

  • Annualized Loss Exposure (ALE): Risk = Frequency x Exposure

  • Quantitative and qualitative

  • Protecting physical property, information, company reputation

  • Risk tolerance and probabilities

Business Impact Analysis (Pre-Planning)

  • BIA determines critical, time sensitive, prioritized business processes

  • Interdependencies of these functions (intradepartmental, interdepartmental and external)

  • Establish RTOs (disaster and minimum acceptable level) and RPOs (last good data)

  • Plan and coordinate data gathering and analysis

  • Questionnaires

  • Financial impact, customer impact, legal impact, regulatory impact

  • Disruption < RTO

  • Disaster > RTO

  • Vital records management

  • Data backup strategies

  • Prepare and present BIA

Developing Business Continuity Strategies (Planning)

  • Assess strategies, maximum recovery impact in RTO window

  • Support services/resources needed

  • Alternate strategies (combo, displacement, alternate site, work from home)

  • Cost (advantages and disadvantages)

  • Develop a cost/benefit analysis

  • Other requirements

Emergency Preparedness and Response (Planning)

  • Types of emergencies

  • Tactical and strategic planning

  • Evacuation/SIP, facility stabilization

  • Identify and review existing emergency response procedures

  • Life safety

  • Command and control

  • Crisis management

  • Notification and protocols

Developing and Implementing Business Plans (Planning)

  • Types of plans (crisis mgt, COOP, DRP, ERP, BCP, etc.)

  • Introduction, policy statements, scope, assumptions, essential business functions and processes

  • BCP structure (base plan)

  • Checklists

  • Disaster recovery management

  • Critical continuity functions

  • Human resource responsibilities

  • Recovery communications

  • Insurance/Emergency funds

  • Plan implementation

  • Plan distribution

Awareness and Training Programs (Post-Planning)

  • Importance of BCP

  • Awareness activities

  • Training activities

  • Audience needs

  • Delivery tools

Business Continuity Plan Exercise, Audit, and Maintenance (Post-Planning)

  • Exercise and test the plan

  • Tabletop, walkthrough, backup, integrated, comprehensive, standalone, call trees, line of business, facilities

  • Timeline

  • AAR/IP

  • Maintain BCP

  • Establish an audit process

Crisis Communications (Post-Planning)

  • Sources of communication

  • Methods of communication

  • Internal vs. external

  • Stakeholders

  • Media and role of spokesperson

  • Key messaging

  • Crisis communication plan

Coordination with External Agencies (Post-Planning)

  • Identify and establish the organizational emergency management procedures

  • Coordination with external agencies

  • Current laws and regulations

Business Continuity Checklist: MITIGATION PLANNING CHECKLISTS

Mitigation Planning

| Generic planning tasks (please add other business specific action points) | Completed Y/N | Reference Sub-appendix |
|---|---|---|
| Identify minimum resource requirements | | Appendix 1.1 |
| Identify critical supplies – Ensure sufficient stocks are in place, source alternative suppliers and product | | Appendix 1.2 |
| Contact critical suppliers to identify whether they have contingency plans in place. If applicable, refer external organisations to Cabinet Office Guidance available on the UK Resilience website | | Appendix 1.2 |
| Use more than one supplier, on a regular basis, for all critical services and materials | | |
| Identify interdependencies between other businesses, business units, services and organisations, to ensure service delivery can be maintained | | Appendix 1.3 |
| Identify tasks that support business critical functions | | Appendix 1.4 |
| Identify all business critical services and tasks that must continue during a disruptive event | | Appendix 1.5 |
| Consider the impact of greater demand on the critical services you provide and the plan to manage the increased workload, if appropriate | | |
| Determine the potential impact of a disruptive event, such as an influenza pandemic, on your business-related travel | | |

| Staff Issues (please add other business specific action points) | Completed Y/N | Reference Sub-appendix |
|---|---|---|
| Identify key members of staff in critical roles | | Appendix 1.4 |
| Prepare a skills matrix to identify transferable skills | | Appendix 1.6 |
| Provide and maintain cross-training | | Appendix 1.7 |
| Document operational procedures for all tasks supporting a critical service to enable tasks to be undertaken by other staff | | Appendix 1.8 |

| Staff Issues – home-working | Completed Y/N | Ref. Sub-appendix |
|---|---|---|
| Identify which staff could operate from home | | Appendix 1.9 |
| Test home-working arrangements | | Appendix 1.9 |
| Check Human Resources working at home policy | | |
| Maintain staff contact details including home/mobile phone numbers and e-mail addresses | | Contact details Annex D |
| Liaise with IT Services regarding IT requirements: hardware, software, instructions, training etc. | | |
| Prepare matrix of IT critical equipment requirements in emergency for Critical Tasks/Critical Users | | Appendix 1.10 |

| Document Management | Completed Y/N | Ref. Sub-appendix |
|---|---|---|
| Liaise with IT Services to set up shared directories for access to key documents. Prepare table of detail of directories | | Appendix 1.11 |
| Ensure key documents are stored in shared directories. Prepare list of key documents | | Appendix 1.12 |

| E-Mail Management | Completed Y/N | Ref. Sub-appendix |
|---|---|---|
| Liaise with IT Services to set up shared Outlook mailboxes for critical user groups. Prepare table of detail of shared mailboxes | | Appendix 1.13 |
| Where appropriate set up secondary user access to personal Outlook mailboxes. Prepare table of detail of secondary users | | Appendix 1.14 |
| Establish routine of sending e-mails/copies to shared Outlook mailboxes | | |

| Communications | Completed Y/N | Ref. Sub-appendix |
|---|---|---|
| Collate and create mobile telephone directory | | Appendix 1.15 |

| Service planning tasks | Completed Y/N | Ref. Sub-appendix |
|---|---|---|
| Identify services which could be stopped or reduced during a disruption | | Appendix 1.16 |
| Identify staff from non-critical task areas who could act as temporary support cover to assist in critical task areas | | Appendix 1.17 |
| Identify how internal resources could be reallocated to ensure those activities connected to critical tasks are maintained during a disruptive event | | Appendix 1.18 |

Business Continuity Checklist: RESPONSE ACTIONS

Plan Checklists of Initial Actions for each high risk threat (complete a checklist for each high risk threat)

Response Checklists

Loss of Staff (Temporary/Permanent)

Completed Y/N

  • Staff illness

  • Staff absence due to illness of dependent children/closure of schools

  • Loss of large numbers of staff

  • Loss of small numbers of key staff (managers/specialists)

  • Industrial action

Liaise with Human Resources

Review staffing arrangements

Appropriate managers and staff to be re-deployed from other areas as required

Staff temporarily re-deployed – cover by agency staff if appropriate

For industrial action – Human Resources to provide strategic guidance for managers

Influenza Pandemic

Completed Y/N

Consider the impact of greater demand on the critical services you provide and plan to manage the increased workload if appropriate

Determine the potential impact of the pandemic on your business-related travel

Consider planning for the use of audio or video conferencing as alternatives to traveling/attending meetings to reduce person-to-person contact

Forecast potential employee absence during a pandemic. For influenza pandemic planning purposes, the estimated worst case scenario is for a cumulative clinical attack rate of 50% of the population over 15 weeks for each phase.

Damage to premises

Completed Y/N

Liaise with the Council building control department regarding dangerous structures, if appropriate

Notify utility companies (e.g. gas, water, electricity, telecommunications)

Consider impact on staff and public health and safety e.g.

  • Loss of electrical power affecting fire detection and alarms, lighting, emergency lighting, heating, swipe card access, intruder alarms/security

  • Loss of water supply affecting catering, sanitation, e.g. toilets and hand washing facilities etc

If structure is dangerous, take advice and reasonable action to remove/reduce immediate danger to staff and the public. Action may include:

  • Barricade off

  • Arrange for repair

  • Removal of the hazard if appropriate.

  • Scaffolding or shoring to make the building safe until permanent work can be arranged may have to be organised

  • Have the premises secured to prevent unauthorised access

Identify alternative premises if required

Contact your IT department regarding implications for IT and communications infrastructure

Implement arrangements to maintain building security

Loss of Premises/Access Denied

Completed Y/N

Identify alternative premises if appropriate.

Notify staff: advise of action to take for next working day (e.g. staff for high criticality functions go to alternative location, staff from lower criticality functions call in for further information)

Staff may need practical assistance e.g. to get home, obtain spare keys, notify relatives/friends to assist

If you are unable to contact all staff, (e.g. if incident occurs out of working hours) arrange for staff to be met on arrival at site on next working day and advise them what to do and where to go (as above)

Establish staff ‘information line’ number with recorded message of action to take (Use Reception until a dedicated line can be set up and details publicised to staff)

Loss of Utility Supply (Gas, Water, Electricity)

Completed Y/N

Contact service provider to establish:

  • Extent of disruption.

  • Remedial action being taken.

  • Length of time before restoration of service

Consider impact on staff and public health and safety e.g.

  • Loss of power affecting fire detection and alarms, lighting, emergency lighting, heating, swipe card access/security.

  • Loss of water supply affecting catering, sanitation e.g. toilets and hand washing facilities

Contact your IT department regarding implications for IT and communications infrastructure

Identify alternative premises if necessary

Loss of IT and/or Communications

Completed Y/N

Contact your IT department regarding impact on IT and communications infrastructure

Publicise alternative contact details to staff and public

Identify alternative premises if unable to

Prolonged incident: consider alternative supply

Loss of Supplier

Completed Y/N

Identify alternative material resources

Identify alternative human resources

Identify alternative service provider
