Implementation - About
Implements the solutions agreed in the Design stage.
Achieved by developing BC plans to meet the organisation’s agreed BC requirements and solutions identified in the Analysis and Design stages.
Also includes the development of a response structure that defines the necessary roles, authority and skills required.
Aim is to identify and document the priorities, procedures, responsibilities, and resources.
Should achieve continuity of prioritised activities and ensure recovery of disrupted activities to a pre-defined level of service (the MBCO) within the planned time frames.
Response Structure - About
The purpose of establishing a response structure is to ensure that the organisation has a clearly documented and well understood mechanism for responding to an incident, regardless of its cause.
The response structure establishes command, control, and communication systems to help the organisation manage the incident and minimise the impact of the disruption.
Response Structure - General Principles
The response structure identifies:
- The individuals and teams responsible for response activities.
- The roles and responsibilities of the individuals and teams.
- The relationships between the individuals and teams.
- The documented procedures to support the individuals and teams.
Each organisation should develop a structure that meets its own needs.
The response structure should be closely aligned with the existing management structure as this will help embed business continuity into the organisation.
An effective response structure includes mechanisms that enable information to be communicated quickly and accurately to relevant individuals and teams throughout the organisation.
It should also recognise and include external suppliers related to prioritised activities.
Response Structure - Process
Each organisation should develop a response structure that meets the requirements of the BC Policy, and supports the agreed continuity solutions.
The key steps when establishing a response structure are as follows:
- Identify, understand, and work within the organisation’s existing management and leadership structure.
- Identify the responsible individuals and roles in any existing response teams or plans.
- Understand the requirements and scope of the business continuity programme.
- Consider the continuity solutions agreed in the Design stage of the business continuity management lifecycle.
- Develop a draft response structure.
- Present the response structure to top management and seek feedback.
- Update the response structure based on top management feedback.
- Obtain top management approval for the updated response structure.
- Document and publish the approved response structure.
- Implement the approved response structure in any existing business continuity plans.
- Rehearse the response structure as part of business continuity exercising.
Response Structure - Outcomes
The outcome from establishing a response structure is an organisation that has the capability to implement an effective response to a disruption.
The response structure should define:
- The required number and type of individuals or teams.
- The relationships between the individuals and teams.
- The roles and responsibilities of the individuals and teams.
- The documented plans required to support the response.
The response structure is necessary to support the development of the detailed response plans which should document how to implement the organisation’s continuity solutions.
Developing & Managing Plans - About
Business continuity plans can be created to address the strategic, tactical, and operational requirements of an organisation.
The number and type of plans to be put in place should be determined by the response structure and the business continuity solutions agreed in the Design stage of the lifecycle.
This should reflect the existing management structure as well as the size, complexity, and type of organisation.
Developing & Managing Plans - General Principles
Plans are intended to be used in high pressure, time-limited situations.
A user-friendly plan should be concise and easy to read.
Plans are not reports and should not contain unnecessary information that is not needed during an incident.
To make the plan focused, specific and easy to use, it should be:
Direct - Adaptable - Concise - Relevant
The business continuity plan should be kept up-to-date and documented in a way that enables personnel to quickly access the information relevant to them.
Plans should be owned, coordinated, and maintained appropriately.
Developing & Managing Plans - Process
The key steps when developing and managing a plan should include the following:
- Appoint an owner or sponsor of the plan.
- Define the objectives and scope of the plan.
- Create a plan development process and budget, and obtain approval.
- Create a planning team (if appropriate).
- Agree the responsibilities of the response team and their relationship with other plans and response teams (at a strategic, tactical and operational-level if appropriate).
- Establish the response team with the relevant authorities and competencies.
- Define the structure, format, components, and contents of the plan.
- Gather information to populate the plan.
- Draft the plan.
- Circulate the draft plan for consultation and review.
- Gather feedback from the consultation and review stage.
- Amend the plan as appropriate, based on feedback.
- Agree and formally approve the plan.
- Develop, implement, and plan the exercise programme to regularly rehearse team response capabilities and validate the plan content.
- Agree a maintenance schedule for the plan to ensure it remains current and response team information remains up-to-date.
Plan Contents
Plans at all levels should contain the following:
- Purpose and scope.
- Objectives and assumptions.
- The response structure which is specific to the organisation.
- Plan activation criteria, procedures, and authorisation, including implementation procedures:
- Invocation of continuity solutions.
- Team mobilisation instructions.
- Response team roles and responsibilities (with alternates as appropriate).
- Individual responsibilities and authorities of team members.
- Prompts for immediate action and any specific decisions the team(s) may need to make, for example whether to activate an alternate site.
- Communication requirements and procedures concerning relevant interested parties, for example, personnel, suppliers, customers, and the media.
- Internal and external interdependencies and interactions, including contact details (usually held as appendices).
- Summary information (at a level of detail appropriate to the plan) of the organisation’s prioritised activities and resource requirements as identified in the Analysis stage of the business continuity management lifecycle, with reference to the continuity time frames within which they are required.
- Assumptions defining the limitations of the plan relating to extent, duration, or impact of the incident.
- Decision support checklists.
- Details of meeting locations.
- Information flow and documentation processes.
- Procedures for standing down the team and organisation once the incident has been resolved.
- Appendices with relevant information capture templates, for example, an Action Log.
- Plan approval and distribution information.
Strategic Plans - About
A strategic-level, or Crisis Management Plan is a high-level plan that defines how strategic issues resulting from a crisis or incident should be addressed and managed by top management.
It has some special characteristics which differentiate the document from the tactical and operational plans.
Some crises or incidents do not involve physical disruption to the organisation and may not require invocation of a business continuity plan, however, they still require a strategic-level response, for example, fraud or negative media exposure that threatens the organisation’s reputation.
This type of incident may result in the mobilisation of the teams with responsibility for managing the area of the business affected and the potential reputational damage.
In these situations, it is almost always necessary to involve the strategic-level team, if only to make them aware of the situation in case it escalates.
Strategic Plans - General Principles
A strategic-level plan should provide high-level information and guidelines to support top management, or the Crisis Management Team.
It should address strategic issues that impact the organisation’s core objectives, and its prioritised products and services.
The strategic-level plan should also address the need to communicate with, and control activity between, all involved, or impacted interested parties.
The content of a strategic-level plan should be relevant to the size, complexity, and type of organisation.
The strategic plan should be designed as a high-level, generic plan.
It should contain summary information on different parts of the organisation and generic, organisation-wide response procedures.
The aim is not to encourage micro-management of an incident but to provide the strategic team with summary information to assist assessment and decision making.
Strategic Plans - Concepts & Assumptions
During a crisis or incident, the strategic-level team is accountable for the organisation’s stability, continuity, and reputation.
They are responsible for implementing and adapting response activities to achieve the best possible outcome for the organisation.
Specific responsibilities of the strategic-level team that should be captured in the plan include:
- Establishing the strategic objectives of the crisis or incident response.
- Devising short, medium, and long-term strategies, depending on the type of crisis or incident.
- Managing communications with all involved interested parties, including the media.
- Approving external statements before they are issued and monitoring and adjusting the communications strategy, as necessary.
- Monitoring the overall response to the crisis or incident.
- Resolving implementation issues or resource conflicts during the response.
- Ensuring the response and recovery is in line with the long-term objectives of the organisation and meets the organisation’s legal and regulatory requirements.
- Identifying and maximising opportunities or advantages arising from the crisis or incident.
- Approving significant expenditure.
- Monitoring the financial health of the organisation.
- Identifying and declaring when the incident or crisis is over, directing the individuals and teams to stand down, and clearly communicating the end of the incident or crisis to all interested parties.
Strategic Plans - Outcomes
The outcomes of developing the strategic-level business continuity plan include:
- A plan that can support top management during an incident or crisis.
- A plan for managing interested parties and media communications during an incident or crisis.
- Documented evidence of the organisation’s preparedness which is available to interested parties.
- A plan that complies with legal and regulatory requirements.
Tactical Plans - About
Tactical-level plans focus on coordinating the response to an incident and facilitating the continuity of prioritised activities.
Tactical plans should provide guidelines to help the Tactical Team analyse the impact of the incident, implement the appropriate solutions from those available in the plans, ensure the continuity of prioritised activities, and provide progress updates to the Strategic Team (Crisis Management Team).
Tactical Plans - General Principles
Tactical plans should be based upon the agreed business continuity solutions, and address the incident response from the initial alert to the point at which disrupted activities are restored.
Tactical plans should focus on co-ordinating the activities of the involved response teams to ensure they work together effectively.
Where resources are limited, the tactical plan should provide information to help the Tactical Team allocate available resources to the prioritised activities identified in the Analysis stage.
Tactical Plans - Concepts & Assumptions
Tactical plans should contain assumptions relating to the scale of the incident in terms of extent, duration, and operational or personnel impact.
If the scale of the incident exceeds the assumptions, then this should be escalated to the strategic-level team and a crisis management response should be considered.
Specific responsibilities of the response teams to be included in the tactical plans include:
- Co-ordinating and monitoring the response of the operational teams involved in the incident.
- Monitoring the support services provided to the operational teams, such as ICT, human resources, facilities, and finance.
- Allocating available resources based on quantities and time frames agreed in the Analysis stage.
- Amending the agreed priorities and response actions to take into account the current situation, business conditions or based on direction from the strategic-level team.
- Requesting or receiving progress updates and other information from the operational teams.
- Reporting to the strategic-level team.
- Mobilising specialist service providers, for example, damage management or salvage companies, data recovery, or counselling services, as required.
- Ensuring the individuals and teams stand down when directed.
Tactical plans should include detailed information about the resources required by the organisation, the time frames and quantities in which they are needed, and how they are sourced (as identified in the Analysis stage).
Relevant resources may include:
- Personnel.
- Welfare services.
- Alternate locations.
- Security services.
- Technology, communications, and data.
- Transportation and logistics.
- Alternate suppliers of priority services.
- Contact information to access those resources.
- Resource requirements for the continuity of each prioritised activity.
- Other details to be included in the tactical plan might include:
- Organisation contact information.
- Key interested party information and contact details, including customers, clients, and service providers.
- Secure location of legal documents, for example, contracts, service level agreements and insurance policies.
- Details of contracted work area recovery space, and how and when it will be made available to response teams.
- Procedures for obtaining emergency funds.
Tactical Plans - Outcomes
The outcomes of developing the tactical-level business continuity plan include:
- Documented business continuity plans to support tactical teams during an incident or crisis.
- A framework for coordination of response activities and resource allocation between the strategic and operational teams.
- Guidelines for co-ordinating continuity solutions and response activities with interested parties.
Operational Plans - About
Operational-level plans determine the individual departments or business units involved in the incident response.
Lower-level plans are likely to become complicated if all continuity procedures for an organisation are included in a single document.
When this is the case, the response procedures of each business unit may be separated into one or more plans that become the responsibility of the related business unit.
Operational Plans - General Principles
Operational-level plans should support the continuity of the organisation’s prioritised activities, from the beginning of the incident through to the recovery of agreed levels of service and the return to business as usual.
They should be based on the agreed continuity solutions and identified resource requirements identified in the Analysis stage of the lifecycle.
Operational-level plans should include departments that manage the organisation’s infrastructure, for example, ICT services and other specialist support services that support the organisation during an incident.
These operational-level plans provide a structure for restoring key support services or providing alternate facilities that support the continuity of other departments.
Operational Plans - Contents
Operational-level plans may include a wide variety of detailed information regarding:
- Human resources and people welfare.
- Access to, and use of, facilities.
- Departmental activities (listed in order of priority).
- Liaison with ICT service continuity teams.
- Mobilisation of teams and allocation of resources.
- External support.
- Building evacuation and shelter-in-place procedures.
- Location and layout of evacuation points.
- Security.
- Accounting for personnel.
- Health and safety.
- Escalation procedures to advise top management about unexpected issues.
- Initial response and activation.
- Methods to contact team members.
- Resolving work-in-progress issues.
- Special or non-standard procedures.
- Redeployment of personnel and visitors.
- Personnel contact numbers.
- Other key interested party contacts.
- Communications with personnel following plan activation.
- Space, seating, and resource requirements.
- A list of ICT equipment and software required.
- Details of off-site data with document storage and access instructions.
- Restoration instructions that a technical person unfamiliar with the system(s) can use.
- Methods to contact team members.
- Salvage arrangements and contracted assistance.
- Stand down procedures.
- Counselling and rehabilitation resources.
Operational Plans - Outcomes
The outcomes of developing the operational plan include:
- Documented business continuity plans to support the continuity of prioritised activities by department following an incident.
- Documented business continuity plans for the continuity of the organisation’s infrastructure and other specialist support services.
