This document provides guidance on business continuity planning and disaster recovery. It discusses getting board approval, determining scope, carrying out risk analysis, creating a project plan and budget, developing the overall plan document, gathering supporting documentation, testing and reviewing the plan. Key aspects covered include defining the scope in terms of sites, systems, departments, personnel, business partners and risks. It also discusses risk management processes like identifying, quantifying, and mitigating risks. The document provides guidance on creating the actual business continuity plan, including specifying the purpose, scope, objectives and distribution list.
Sap MM-configuration-step-by-step-guide, by Venet Dheer
The document outlines the detailed configuration steps taken to set up the SAP system for ITZ according to their business requirements, including defining plants, storage locations, purchasing organizations, assigning these to company codes, and configuring materials management, purchasing, inventory, and other logistics areas. Fields are assigned to selection groups and screens. Material types, numbers, texts and other attributes are defined.
This document provides instructions for configuring taxation for procurement processes in India, including:
1. Basic excise tax settings like maintaining registrations, plant settings, excise groups, and series groups.
2. Determining excise duty by maintaining defaults, accounts, and assigning accounts to transaction types.
3. Processing incoming excise invoices by selecting fields, defining modes, documents, rejection codes, and more.
4. Creating necessary master data like materials, vendors, chapter IDs, and tax rates.
It also covers configuring service tax, withholding tax, and related settings for procuring external services in India.
This document provides an analysis of Eyona Educare & Nursery Centre, a South African early childhood education business. It covers the business's entrepreneurial core, including its owners Nomonde and Xolani and business concept. It also analyzes the business's internal operations, resources, and infrastructure. Finally, it examines the business's external relationships, activities, and deliverables focused on improving bookkeeping, fundraising, marketing, and achieving government approval for more children. The overall document presents a comprehensive overview and strategic plan for strengthening and growing the early education business.
This document provides guidance on depreciating property for tax purposes. It discusses which types of property can be depreciated, such as buildings, machinery, vehicles and equipment. It also discusses which types of property cannot be depreciated, such as land. The document provides an overview of determining the basis for depreciation, the various depreciation methods that can be used, and additional rules that apply to certain types of property.
This document provides a guide to key differences between C# and C++ for C# programmers. It discusses namespaces, fundamental data types, enums, classes vs structs, multiple inheritance in C++, unions, functions, constructors, storage duration, pointers, references, templates, and other important C++ concepts. Code examples are provided throughout to illustrate concepts.
This document contains excerpts from a training program on personality development conducted by L.R. Associates Pvt. Ltd. It includes sections on personality types, factors influencing personality, locus of control, introversion and extraversion. It also discusses personality theories, perceptual processes, learning theories, values, attitudes, conflict management, intellectual skills, emotional skills, interpersonal skills, managerial skills, the role of training and development, and determining training needs within an organization.
Kioti daedong ck20 hj tractor service repair manual, by fjjsekfxswzksmem
This document provides an overview and instructions for servicing a tractor. It begins with safety information and then provides a table of contents that lists the chapters and their contents. The chapters cover various systems of the tractor including the engine, clutch, transmission, rear axle, brakes, front axle, steering system, hydraulic system, and electrical system. Each chapter provides the structure and functions of the system and instructions for servicing, troubleshooting, specifications, disassembly and assembly. The document provides detailed maintenance and repair information for technicians servicing the tractor.
Kioti daedong ck20 h tractor service repair manual, by jfjkskemem
This document contains operation and maintenance instructions for a tractor. It includes sections on safety, identification and dimensions of the tractor, maintenance schedules and checklists, specifications for lubricants and fluids, and troubleshooting guides. Individual chapters cover the engine, clutch, transmission, and other systems. The document provides detailed guidance on inspection, disassembly, repair and reassembly of components.
Kioti daedong ck20 tractor service repair manual, by fjkskekkemmmd
This document provides an overview of safety information and maintenance procedures for a tractor. It discusses safety precautions for starting the engine, servicing, working on the tractor, avoiding fires, disposing of fluids properly, ventilating work areas, preventing acid burns, and preparing for emergencies. It also provides an overview of the safety decals installed on the tractor and care instructions for labels. The document directs the reader to subsequent chapters that describe the mechanisms, troubleshooting, specifications, and servicing procedures for various tractor components in detail.
Kioti daedong ch20 tractor service repair manual, by fjkskekemm
This document contains operation and maintenance instructions for a tractor. It includes sections on safety, identification and dimensions of the tractor, maintenance schedules and checklists, specifications for lubricants and fluids, and troubleshooting guides. Individual chapters cover the engine, clutch, transmission, and other systems. The document provides detailed guidance on inspection, disassembly, repair and reassembly of components.
Kioti daedong ck20 j tractor service repair manual, by fjjkekfksemmm
This document provides an overview and instructions for servicing a tractor. It begins with safety information and then covers general precautions, specifications, maintenance procedures, component servicing instructions, and troubleshooting guides for various systems. The document contains detailed maintenance checklists to perform daily, every 50 hours, 100 hours, and so on. It also includes chapters that describe the construction and servicing of major components like the engine, transmission, brakes, hydraulics and electrical systems. Tightening torques and specifications are provided for repairs.
Kioti daedong ck20 h tractor service repair manual, by fhjsekkemm
This document contains operation and maintenance instructions for a tractor. It includes sections on safety, identification/specifications, maintenance schedule, engine systems, clutch, transmission, and other components. The maintenance schedule outlines checks and services to perform daily, every 50 hours, 100 hours, and so on. Sections on engine, clutch, and transmission provide construction details and servicing instructions.
Kioti Daedong CK20 Tractor Service Repair Manual, by hjnnsemmm
This is the highly detailed factory service repair manual for the KIOTI DAEDONG CK20 TRACTOR. This service manual has detailed illustrations as well as step-by-step instructions; it is 100 percent complete and intact. It is written for the do-it-yourselfer as well as the experienced mechanic. The KIOTI DAEDONG CK20 TRACTOR Service Repair Workshop Manual provides step-by-step instructions based on the complete disassembly of the machine. It is this level of detail, along with hundreds of photos and illustrations, that guides the reader through each service and repair procedure. The complete download comes in PDF format, which works under all PC-based Windows operating systems and on Mac as well; all pages are printable. Using this repair manual is an inexpensive way to keep your vehicle working properly.
Service Repair Manual Covers:
Chapter 1 General
Chapter 2 Engine
Chapter 3 Clutch
Chapter 4 Transmission
Chapter 5 Rear Axle
Chapter 6 Brake
Chapter 7 Front Axle
Chapter 8 Steering System
Chapter 9 Hydraulic System
Chapter 10 Electrical System
File Format: PDF
Compatible: All Versions of Windows & Mac
Language: English
Requirements: Adobe PDF Reader
No waiting: buy from a responsible seller and get INSTANT DOWNLOAD, without wasting your hard-earned money on uncertainty or surprise! All pages are included; it is great to have the KIOTI DAEDONG CK20 TRACTOR Service Repair Workshop Manual.
Looking for some other service repair manual? Please check:
https://www.aservicemanualpdf.com/
Thanks for visiting!
This document provides an analysis of Greggs plc, a UK bakery chain company. It begins with an overview of the company and its history. It then analyzes the food and drug retailer industry using Porter's Five Forces model. There is strong competition among existing bakery firms. The threat of new entrants and substitute products is moderate to high. Buyers have high bargaining power due to price sensitivity. Supplier bargaining power is relatively low. It also provides strategic, financial, and prospective analyses of Greggs through ratio comparisons and forecasting. Overall, the document presents a comprehensive analysis of Greggs' position in the industry.
Vertex Configuration Guide. A to Z Steps with Description, by Keyur Mistry
This document provides instructions for configuring SAP's tax interface system to calculate taxes using an external tax system. It outlines the basic tax calculation processes in SD, MM, and FI and lists the required configuration steps. These include configuring the communication between SAP and the external system, testing the tax data retrieval and calculation, activating the external tax calculation, and customizing various master data tax classifications and indicators. The document also covers pricing procedures, condition techniques, and setting up tax codes and accounts. Appendices provide additional details on topics like the external tax system audit file updates and using the tax interface user-exit.
Native Plant Revegetation Guide For Colorado, by Fiona9864
This guide provides information for selecting and establishing native plants in Colorado. It covers plant basics, natural communities in the state, and techniques for revegetation of upland and wetland habitats. The guide includes details on site planning, preparation, seed and plant selection, and monitoring for successful revegetation projects using native species.
This document contains a collection of over 120 tools for change management. It is divided into three sections: Self, Team, and Larger Systems. The Self section includes tools for personal goal setting, creativity, and mental mapping. The Team section covers topics like team learning, feedback, diversity, and conflict resolution. The Larger Systems section provides tools for analyzing organizations, stakeholder engagement, visioning, project management, and facilitating large-scale change. The document aims to equip change practitioners with a variety of methods and strategies to guide personal, team, and organizational development.
This document provides an overview and table of contents for a book on SQL Server interview questions. It covers topics such as database concepts, SQL, .NET integration, ADO.NET, notification services, service broker, XML integration, data warehousing, data mining, and reporting services. The table of contents lists over 180 questions organized under these topics to help readers identify which areas they need to focus on or feel uncomfortable with when preparing for SQL Server interviews.
This document provides information on purchasing the book "SQL Server Interview Questions" by Shivprasad Koirala from BPB publications, including contact information for bookstores in various cities in India and Pakistan. It also provides options for purchasing the book online from Amazon or directly from the publisher. The document lists other titles written by the same author and contact information for the publisher.
This document provides policies and procedures for configuration, change, and release management. It contains four main sections: an introduction that defines key terms and processes, policies that establish the overall policy statement and process owners, processes that describe the steps for identifying, approving, implementing, testing, and tracking changes, and procedures that provide detailed instructions for each process. The overall goal is to formally manage all changes to information systems through documentation, approval, testing, and auditing in order to maintain system integrity and stability.
This document provides an overview of the new MiFID II operational framework. It includes chapters on market structure, transparency requirements, position limits, organizational requirements, conduct of business rules, and the reporting framework. Key points covered include the types of firms subject to MiFID II, trading venues such as MTFs and OTFs, pre and post-trade transparency requirements, position limits for commodity derivatives, and new organizational and conduct standards for investment firms.
This report provides recommendations to improve the marketing of financial products in France. It identifies reasons for action such as a growing need for consumer advice, lessons from past incidents of misselling, and ensuring fair competition. Key recommendations include:
1) Simplifying product information for consumers and ensuring advertising accurately reflects risks and rewards.
2) Improving how retail networks target customers by refining segmentation, differentiating product ranges, and tiering advisor skills.
3) Clearly defining the scope of advice obligations and ensuring suitable recommendations by maintaining records of advisor-customer interactions.
4) Safeguarding advice impartiality by monitoring distributor compensation and ensuring neutral product recommendations.
5) Promoting responsibility across
Rethinking Business Continuity: Applying ISO 22301 to improve resiliency, man..., by Bryghtpath LLC
In this presentation, delivered via webinar to PECB members globally, Bryghtpath LLC Principal Consultant & CEO Bryan Strawser discusses how to apply the ISO 22301 business continuity standard to improve resiliency, manage risk, and drive profitability within your agency or corporation.
Topics discussed include emergency management, crisis management, crisis communications, project management, program management, business continuity, crisis leadership, and how to prepare your business for a disruption.
A Business Continuity Plan (BCP) is not a single plan but rather a set of specialized team plans that document backup and continuity strategies based on a company's needs. The BCP should include the individual default response for each team member during and after work hours. Wallet cards with critical contact information and action steps should be issued to each person. An automated notification system for broadcast and voice messages is recommended over call trees. Backup systems, people functions, and information should have triple redundancy and be geographically separated. Detailed offsite reference information, identification of all mission critical risks, and planning for high probability interruptions provide more immediate benefits than focusing only on worst case scenarios.
Implementing business continuity management provides several benefits:
1) It fulfills legal requirements for critical infrastructure and provides information for managing risk exposure and return on security investments.
2) It defines acceptable risk levels for critical business processes and identifies weaknesses to develop risk management strategies.
3) It allows for adjusting insurance plans and accurately estimating potential incident impacts to argue for reduced rates.
4) It enables supportive units to precisely define asset availability requirements and plan adequate backup solutions based on business needs.
A Program Management Approach to Business Continuity, by Bryghtpath LLC
In this presentation, Bryghtpath LLC Principal Consultant & CEO Bryan Strawser discusses using the principles of Program Management to take a different approach to business continuity strategies.
Business Continuity programs often grow organically within an organization based on need – or a single incident – rather than being planned and managed as a program from top to bottom. In this presentation, participants will learn how to design, implement, manage, and mature a business continuity program using the principles of program management.
Topics discussed in this presentation include the standards for Portfolio, Program, and Project Management; the strategic alignment of continuity & crisis management programs; using maturity models to chart the growth of your program, and governance. Additional topics will include business case development and program communication to senior executives and board members.
Business continuity planning and disaster recovery, by madunix
The document discusses business continuity planning and disaster recovery. It provides definitions of business continuity planning, disaster recovery planning, and information systems business continuity planning. It outlines the tasks of an information systems auditor in evaluating business continuity plans, including assessing backup and restore provisions, disaster recovery plans, and the organization's ability to continue essential operations during disruptions. The document also discusses other planning issues like involving relevant organizational units, risk assessments, and documentation of plans.
ISO 21500: Generating Business Value through Strong Project Management, by Bryghtpath LLC
In this presentation, Bryghtpath Principal Consultant & CEO Bryan Strawser discusses how to generate business value through strong project management, highlighting the ISO 21500 Guidance on Project Management.
This presentation covers:
- Reducing the risk of project failure in your organization
- Overcoming obstacles and achieving project objectives within your budget and on time
- Developing the necessary expertise to support your organization in implementing the Guidance on Project Management as specified in ISO 21500.
This presentation was prepared for PECB by Bryghtpath LLC.
Kioti daedong ck20 hj tractor service repair manualfjjsekfxswzksmem
This document provides an overview and instructions for servicing a tractor. It begins with safety information and then provides a table of contents that lists the chapters and their contents. The chapters cover various systems of the tractor including the engine, clutch, transmission, rear axle, brakes, front axle, steering system, hydraulic system, and electrical system. Each chapter provides the structure and functions of the system and instructions for servicing, troubleshooting, specifications, disassembly and assembly. The document provides detailed maintenance and repair information for technicians servicing the tractor.
Kioti daedong ck20 h tractor service repair manualjfjkskemem
This document contains operation and maintenance instructions for a tractor. It includes sections on safety, identification and dimensions of the tractor, maintenance schedules and checklists, specifications for lubricants and fluids, and troubleshooting guides. Individual chapters cover the engine, clutch, transmission, and other systems. The document provides detailed guidance on inspection, disassembly, repair and reassembly of components.
Kioti daedong ck20 tractor service repair manualfjkskekkemmmd
This document provides an overview of safety information and maintenance procedures for a tractor. It discusses safety precautions for starting the engine, servicing, working on the tractor, avoiding fires, disposing of fluids properly, ventilating work areas, preventing acid burns, and preparing for emergencies. It also provides an overview of the safety decals installed on the tractor and care instructions for labels. The document directs the reader to subsequent chapters that describe the mechanisms, troubleshooting, specifications, and servicing procedures for various tractor components in detail.
Kioti daedong ch20 tractor service repair manualfjkskekemm
This document contains operation and maintenance instructions for a tractor. It includes sections on safety, identification and dimensions of the tractor, maintenance schedules and checklists, specifications for lubricants and fluids, and troubleshooting guides. Individual chapters cover the engine, clutch, transmission, and other systems. The document provides detailed guidance on inspection, disassembly, repair and reassembly of components.
Kioti daedong ck20 j tractor service repair manualfjjkekfksemmm
This document provides an overview and instructions for servicing a tractor. It begins with safety information and then covers general precautions, specifications, maintenance procedures, component servicing instructions, and troubleshooting guides for various systems. The document contains detailed maintenance checklists to perform daily, every 50 hours, 100 hours, and so on. It also includes chapters that describe the construction and servicing of major components like the engine, transmission, brakes, hydraulics and electrical systems. Tightening torques and specifications are provided for repairs.
Kioti daedong ck20 h tractor service repair manualfhjsekkemm
This document contains operation and maintenance instructions for a tractor. It includes sections on safety, identification/specifications, maintenance schedule, engine systems, clutch, transmission, and other components. The maintenance schedule outlines checks and services to perform daily, every 50 hours, 100 hours, and so on. Sections on engine, clutch, and transmission provide construction details and servicing instructions.
Kioti Daedong CK20 Tractor Service Repair Manualhjnnsemmm
This is the Highly Detailed factory service repair manual for theKIOTI DAEDONG CK20 TRACTOR , this Service Manual has detailed illustrations as well as step by step instructions,It is 100 percents complete and intact. they are specifically written for the do-it-yourself-er as well as the experienced mechanic.KIOTI DAEDONG CK20 TRACTOR Service Repair Workshop Manual provides step-by-step instructions based on the complete dis-assembly of the machine. It is this level of detail, along with hundreds of photos and illustrations, that guide the reader through each service and repair procedure. Complete download comes in pdf format which can work under all PC based windows operating system and Mac also, All pages are printable. Using this repair manual is an inexpensive way to keep your vehicle working properly.
Service Repair Manual Covers:
Chapter 1 General
Chapter 2 Engine
Chapter 3 Clutch
Chapter 4 Transmission
Chapter 5 Rear Axle
Chapter 6 Brake
Chapter 7 Front Axle
Chapter 8 Steering System
Chapter 9 Hydraulic System
Chapter 10 Electrical System
File Format: PDF
Compatible: All Versions of Windows & Mac
Language: English
Requirements: Adobe PDF Reader
NO waiting, Buy from responsible seller and get INSTANT DOWNLOAD, Without wasting your hard-owned money on uncertainty or surprise! All pages are is great to haveKIOTI DAEDONG CK20 TRACTOR Service Repair Workshop Manual.
Looking for some other Service Repair Manual,please check:
https://www.aservicemanualpdf.com/
Thanks for visiting!
8
This document provides an analysis of Greggs plc, a UK bakery chain company. It begins with an overview of the company and its history. It then analyzes the food and drug retailer industry using Porter's Five Forces model. There is strong competition among existing bakery firms. The threat of new entrants and substitute products is moderate to high. Buyers have high bargaining power due to price sensitivity. Supplier bargaining power is relatively low. It also provides strategic, financial, and prospective analyses of Greggs through ratio comparisons and forecasting. Overall, the document presents a comprehensive analysis of Greggs' position in the industry.
Vertex Configuration Guide. A to Z Steps with Description.Keyur Mistry
This document provides instructions for configuring SAP's tax interface system to calculate taxes using an external tax system. It outlines the basic tax calculation processes in SD, MM, and FI and lists the required configuration steps. These include configuring the communication between SAP and the external system, testing the tax data retrieval and calculation, activating the external tax calculation, and customizing various master data tax classifications and indicators. The document also covers pricing procedures, condition techniques, and setting up tax codes and accounts. Appendices provide additional details on topics like the external tax system audit file updates and using the tax interface user-exit.
Native Plant Revegetation Guide For ColoradoFiona9864
This guide provides information for selecting and establishing native plants in Colorado. It covers plant basics, natural communities in the state, and techniques for revegetation of upland and wetland habitats. The guide includes details on site planning, preparation, seed and plant selection, and monitoring for successful revegetation projects using native species.
This document contains a collection of over 120 tools for change management. It is divided into three sections: Self, Team, and Larger Systems. The Self section includes tools for personal goal setting, creativity, and mental mapping. The Team section covers topics like team learning, feedback, diversity, and conflict resolution. The Larger Systems section provides tools for analyzing organizations, stakeholder engagement, visioning, project management, and facilitating large-scale change. The document aims to equip change practitioners with a variety of methods and strategies to guide personal, team, and organizational development.
This document provides an overview and table of contents for a book on SQL Server interview questions. It covers topics such as database concepts, SQL, .NET integration, ADO.NET, notification services, service broker, XML integration, data warehousing, data mining, and reporting services. The table of contents lists over 180 questions organized under these topics to help readers identify which areas they need to focus on or feel uncomfortable with when preparing for SQL Server interviews.
This document provides information on purchasing the book "SQL Server Interview Questions" by Shivprasad Koirala from BPB publications, including contact information for bookstores in various cities in India and Pakistan. It also provides options for purchasing the book online from Amazon or directly from the publisher. The document lists other titles written by the same author and contact information for the publisher.
This document provides policies and procedures for configuration, change, and release management. It contains four main sections: an introduction that defines key terms and processes, policies that establish the overall policy statement and process owners, processes that describe the steps for identifying, approving, implementing, testing, and tracking changes, and procedures that provide detailed instructions for each process. The overall goal is to formally manage all changes to information systems through documentation, approval, testing, and auditing in order to maintain system integrity and stability.
This document provides an overview of the new MiFID II operational framework. It includes chapters on market structure, transparency requirements, position limits, organizational requirements, conduct of business rules, and the reporting framework. Key points covered include the types of firms subject to MiFID II, trading venues such as MTFs and OTFs, pre and post-trade transparency requirements, position limits for commodity derivatives, and new organizational and conduct standards for investment firms.
This report provides recommendations to improve the marketing of financial products in France. It identifies reasons for action such as a growing need for consumer advice, lessons from past incidents of misselling, and ensuring fair competition. Key recommendations include:
1) Simplifying product information for consumers and ensuring advertising accurately reflects risks and rewards.
2) Improving how retail networks target customers by refining segmentation, differentiating product ranges, and tiering advisor skills.
3) Clearly defining the scope of advice obligations and ensuring suitable recommendations by maintaining records of advisor-customer interactions.
4) Safeguarding advice impartiality by monitoring distributor compensation and ensuring neutral product recommendations.
5) Promoting responsibility across
Rethinking Business Continuity: Applying ISO 22301 to improve resiliency, man... - Bryghtpath LLC
In this presentation, presented via Webinar to PECB members globally, Bryghtpath LLC Principal Consultant & CEO Bryan Strawser discusses how to apply the ISO 22301 business continuity standard to improve resiliency, manage risk, and drive profitability within your agency or corporation.
Topics discussed include emergency management, crisis management, crisis communications, project management, program management, business continuity, crisis leadership, and how to prepare your business for a disruption.
A Business Continuity Plan (BCP) is not a single plan but rather a set of specialized team plans that document backup and continuity strategies based on a company's needs. The BCP should include the individual default response for each team member during and after work hours. Wallet cards with critical contact information and action steps should be issued to each person. An automated notification system for broadcast and voice messages is recommended over call trees. Backup systems, people functions, and information should have triple redundancy and be geographically separated. Detailed offsite reference information, identification of all mission critical risks, and planning for high probability interruptions provide more immediate benefits than focusing only on worst case scenarios.
Implementing business continuity management provides several benefits:
1) It fulfills legal requirements for critical infrastructure and provides information for managing risk exposure and return on security investments.
2) It defines acceptable risk levels for critical business processes and identifies weaknesses to develop risk management strategies.
3) It allows for adjusting insurance plans and accurately estimating potential incident impacts to argue for reduced rates.
4) It enables supportive units to precisely define asset availability requirements and plan adequate backup solutions based on business needs.
A Program Management Approach to Business Continuity - Bryghtpath LLC
In this presentation, Bryghtpath LLC Principal Consultant & CEO Bryan Strawser discusses using the principles of Program Management to take a different approach to business continuity strategies.
Business Continuity programs often grow organically within an organization based on need – or a single incident – rather than being planned and managed as a program from top to bottom. In this presentation, participants will learn how to design, implement, manage, and mature a business continuity program using the principles of program management.
Topics discussed in this presentation include the standards for Portfolio, Program, and Project Management; the strategic alignment of continuity & crisis management programs; using maturity models to chart the growth of your program; and governance. Additional topics will include business case development and program communication to senior executives and board members.
Business continuity planning and disaster recovery - madunix
The document discusses business continuity planning and disaster recovery. It provides definitions of business continuity planning, disaster recovery planning, and information systems business continuity planning. It outlines the tasks of an information systems auditor in evaluating business continuity plans, including assessing backup and restore provisions, disaster recovery plans, and the organization's ability to continue essential operations during disruptions. The document also discusses other planning issues like involving relevant organizational units, risk assessments, and documentation of plans.
ISO 21500: Generating Business Value through Strong Project Management - Bryghtpath LLC
In this presentation, Bryghtpath Principal Consultant & CEO Bryan Strawser discusses how to generate business value through strong project management, highlighting the ISO 21500 Guidance on Project Management.
This presentation covers:
- Reducing the risk of project failure in your organization
- Overcoming obstacles and achieving project objectives within your budget and on time
- Developing the necessary expertise to support your organization in implementing the Guidance on Project Management as specified in ISO 21500.
This presentation was prepared for PECB by Bryghtpath LLC.
How to turn an incident into an opportunity for your business through effecti... - Bryghtpath LLC
This document discusses effective incident management. It emphasizes the importance of advance planning, having clear roles and responsibilities, and effective communication. It outlines frameworks for private sector incident management that involve situational awareness, executive leadership teams, cross-functional incident teams, and incident management teams. It provides examples of effective leadership during real-world crises and emphasizes developing strong situational awareness during incidents.
Assessing the impact of a disruption: Building an effective business impact a... - Bryghtpath LLC
Many organizations have adopted the ISO 22301 standard for their business continuity management systems. Recently, ISO has released the new ISO 22317 Standard for Business Impact Analysis. In this webinar, learn about several different strategies to build an effective BIA that will help you advance your business continuity strategies.
The instructor for this webinar is Bryan Strawser, Founder and CEO of Bryghtpath LLC, a strategic advisory firm specializing in crisis management, business continuity, global risk, crisis communications, and public affairs.
Globalization: Becoming a Global Business Continuity Leader - Bryghtpath LLC
This document discusses strategies for organizations to become global business continuity leaders. It addresses challenges of working internationally such as cultural differences, political instability, and infrastructure issues. The document recommends expanding governance to include international leaders, providing global assignments, and encouraging networking. It also discusses global standards for business continuity and emergency management like ISO 22301 and professional certifications from DRII, BCI, and other organizations.
This document outlines how to create an effective business continuity program with the following key points:
1) It discusses why business continuity management is important to minimize potential losses and ensure essential services can resume following a disruption.
2) It provides an overview of the business continuity planning process which includes risk assessment, business impact analysis, solution design, plan implementation, and maintenance.
3) It describes the various components of an effective business continuity plan including identifying risks, assessing impacts, designing alternate response strategies, implementing and testing the plan, and maintaining updated documentation.
Business Continuity Plan (Introduction) - Hafiza Abas
The document discusses business continuity planning and defines it as activities performed by an organization to ensure critical business functions remain available to customers, suppliers, and others during emergencies or disasters. Business continuity plans help businesses operate if disaster strikes by figuring out how to resume functioning quickly. The document also discusses disaster recovery planning and notes both aim to preserve business operations when major disruptions occur through preparing, testing, and updating actions to protect critical processes from system or network failures.
This document provides an introduction to the second edition of the book "Method in Social Science" by Andrew Sayer. It discusses the need to bridge the gap between philosophical debates and empirical social research. The introduction emphasizes that conceptualization and theorizing are important aspects of method that are often overlooked. It also argues that views of causation based on regularities have limited social science, and realist philosophy provides an alternative view of causation based on causal powers. The introduction presents social research as dealing with multi-dimensional objects that cannot be isolated experimentally, placing importance on abstraction to identify constituent processes. It advocates taking a broad view of method that incorporates social theory, philosophy of social science, and research practices.
The document discusses the history and development of the internet over the past 50 years, from its origins as a US military program called ARPANET to the commercialization of the world wide web in the 1990s. It grew exponentially from the 1980s onward and now billions of people use the internet for communication, information sharing, commerce, and entertainment on a daily basis. The internet has fundamentally changed how society interacts and conducts business.
Real Estate Management System in Vb.Net - Nafis Shaikh
This document outlines a project report for developing a property management software system. It includes sections on the present manual system and its limitations, the proposed computerized system and its features/advantages, a feasibility study analyzing operational, economic and technical feasibility, a Gantt chart project schedule, and documentation of the system requirements and design such as use case diagrams, entity relationship diagrams, and class diagrams to model the system.
Business continuity and disaster recovery are not the same but complement each other. Planning for BCP and DRP is necessary for every business. This slide deck contains information on how to achieve and maintain them.
This document provides an overview of currency markets and derivatives. It discusses key concepts such as:
1) Exchange rates are determined by the relative demand and supply of different currency pairs in the foreign exchange market. Major factors that affect exchange rates include economic performance, inflation rates, interest rates, and political stability.
2) Countries can adopt either a fixed or floating exchange rate regime to determine their currency's value. Under a fixed regime the rate is pegged, while under floating it is set by market forces.
3) Derivatives such as currency futures allow participants to hedge currency risk or speculate on exchange rate movements. These instruments are traded on exchanges and help facilitate currency risk transfer between hedgers and
Here are the key ways Inside Sales contributes to the SMS&P scorecard metrics:
- Revenue Generated by Tele (green) - Inside Sales directly generates revenue through sales of Microsoft products.
- Tele Revenue per Head (green) - Inside Sales revenue generation is measured per sales representative.
- Annuity Revenue (green) - Inside Sales helps grow recurring revenue through multi-year agreements.
- Tele ROI (green) - Inside Sales revenue generation is measured against costs to calculate return on investment.
- Red Carpet Execution (yellow) - Inside Sales supports customer transitions through the Red Carpet program.
- Account Discovery (yellow) - Inside Sales conducts account profiling to understand customer needs.
This document provides an overview of SAP Treasury and Risk Management software. It discusses key topics such as master data, transaction management, position management, integration with other modules, market data, hedge management, reporting, portfolio controlling, interfaces and enhancements. The book is intended to help readers understand all functional areas of SAP Treasury and provide guidance on working with the software.
Fraud risk management: A guide to good practice - shericehewat
This document provides guidance on fraud risk management. It discusses the extent and causes of fraud, outlines the risk management process, and provides recommendations for fraud prevention, detection, and response. The guidance was updated by CIMA (the Chartered Institute of Management Accountants) with input from fraud experts. It is intended to help organizations effectively counter fraud and manage risks.
The Economics of Sustainability in the Commercial Real Estate Sector - scottbrooker
The goal of this white paper is to help real estate managers better understand the motivations behind management decisions, through qualitative and quantitative research and models, and to provide recommendations to make the case for energy efficiency improvements. Questions answered in the paper include:
- How does an energy efficiency improvement get implemented?
- Who is the driver behind the decision?
- What financial metrics are used to determine if an investment makes economic sense?
- How does a real estate manager choose one investment vehicle over another?
This instructor's manual provides guidance for teaching a course on client casework and providing emergency assistance. The manual includes:
1) An overview of the course purpose, objectives, schedule, materials, and responsibilities of instructors and host chapters.
2) Detailed content for teaching the key areas of client casework including an overview of the role, conducting interviews, documenting assistance, and assignment settings like offices, fields and shelters.
3) Instructions and forms for instructors to train participants on client registration, case records, assistance cards and disbursing orders to provide standardized disaster assistance.
Strategies for Sustainable Development, OECD DAC - Anibal Aguilar
Global Guide for Sustainable Development Planning, approved by OECD Ministers. I was the coordinator for Latin America in this global exercise.
The document provides an overview of Allianz Group's market consistent embedded value (MCEV) results as of December 31, 2008. Key highlights include:
1) Total MCEV was EUR 12,545 million, a 43% decrease from 2007, driven largely by the economic crisis which lowered equity values and interest rates.
2) Net asset value increased 5% to EUR 9,884 million due to a 44% rise in required capital.
3) Value of in-force business fell 79% to EUR 2,662 million as profit projections declined and costs of options and guarantees increased in a low interest rate environment.
This document provides an overview of IBM System Storage business continuity solutions. It discusses key business continuity principles and challenges companies face. It then describes IBM's portfolio of business continuity solutions, which are organized into layers: hardware infrastructure, core technologies, platform integration, and application integration. The solutions are further categorized into tiers for continuous availability and rapid data recovery. Specific IBM business continuity products are then outlined, including GDPS, GDOC, HACMP/XD, Copy Services for System i, and rapid data recovery options for System z and distributed platforms.
Project risk management training manual - Karim El-Dash
This document provides an overview of project risk management. It discusses key concepts such as defining risk, when risk management is used, and the risk management framework. It also covers topics like stakeholder identification and analysis, qualitative and quantitative risk analysis techniques, developing risk responses, and establishing governance around risk. The document is a comprehensive guide to understanding and implementing project risk management.
Aon’s 2015 Global Risk Management Survey is designed to offer organizations the insights necessary to compete in this increasingly complex operating environment.
Second Revision Syria Regional Response Plan - Jesse Budlong
This document is a revised regional response plan for Syria with sections on Jordan, Lebanon, Turkey, and Iraq. It provides an executive summary with tables of financial requirements by agency and sector. The regional overview discusses population figures, strategic objectives, planning assumptions, coordination efforts, and information management. Each country section details the context, needs, response activities, coordination, strategic objectives, and financial requirements by agency and sector.
Do you know what resilience is and why it is so important in maritime-port logistics? In this article, we explain how resilience helps you adapt and overcome adversities, changes and crises that can affect your supply chain. Discover the factors that can put the resilience of your logistics at risk, from natural to socioeconomic phenomena, and how you can prevent and mitigate them with a holistic and strategic vision. In addition, we offer you resources and tools to improve the resilience of your logistics and increase your competitiveness and efficiency. Don't miss this article if you want to know how resilience can be your best ally in the maritime-port logistics environment. Click here and read on!
This document provides a baseline risk assessment of the information technology sector. It identifies 6 critical functions: producing and providing IT products and services, domain name resolution services, identity management and trust services, internet-based content and communication services, internet routing and connection services, and incident management capabilities. For each function, the document describes attack trees, assesses threats, vulnerabilities and consequences to determine relative risks, and identifies mitigation strategies. It also discusses interdependencies between critical functions and the sector's dependencies. The goal is to enhance cybersecurity through public-private collaboration.
Stroll Net will provide public internet terminals throughout Tech City for affordable internet access away from home or office. The business will be owned equally by Cam Piotr and Bob Green, with investors owning the remaining shares. Stroll Net aims to introduce an innovative product to meet the growing demand for internet access. Risks include whether there is sufficient demand and if people will pay for the service. The terminals will offer internet, email, advertising and prepaid services. Stroll Net expects to attract students and traveling business people in particular.
It was important for Yoli to come out of the gate with a formulation that represented what Yoli was truly all about. To do that, we needed to eliminate all of the bad and lock in only the good ingredients.
Incorporating wholesome Vitamin C and a proprietary blend of some of the most popular ingredients of the day: Pomegranate, Alkaplex®, Acai extract, Goji Berry, Resveratrol, Oxyphyte™ White Tea extract, Probiotics, and Monatau®, Yoli Blast Caps® deliver to the market a healthy alternative to all of the nutrient-deprived, sweetened beverages most people are consuming every day.
The objective of these notes is to present a concise introduction to the fundamentals of investments. The notes take a risk-return valuation approach in an efficient markets framework and do not delve into technical and fundamental analyses.
This document provides an introduction to transmedia storytelling. It discusses developing transmedia entertainment by focusing on the story-experience relationship, identifying target audiences, selecting appropriate platforms, and determining a business model and release schedule. It also covers documenting the storyworld, engaging audiences through various media, financing options like crowdfunding and branded sponsorship, and creating a viral video strategy. The overall goal is to help readers understand how to plan, develop and execute an effective transmedia story.
Cloud computing is the on-demand delivery of IT resources and applications via the Internet with pay-as-you-go pricing. Customers can access computing services like servers, storage, databases, networking, software, analytics and more without direct active management. This allows businesses to scale up as computing needs increase and avoid up-front infrastructure costs.
This certificate certifies that Michelle Solicito completed Advanced HTML5 Training through Infinite Skills Inc. It was issued on August 05, 2014 with certificate number 494070001407252397. The director of certification, J Holmes, confirms Michelle fulfilled all requirements.
This document discusses integrating Facebook API data into internal business systems. It begins by explaining the importance of social media for customer relationships. It then covers setting up a Facebook app, obtaining access tokens, and using the Graph API to retrieve posts from a Facebook group and page them to a database. Examples are provided in various programming languages. Key steps include registering an app, requesting necessary permissions, generating user and page access tokens, and using the page/group ID to make API calls to retrieve and work with social media data. The goal is to help businesses better monitor customer relationships and integrate valuable social media insights.
This document summarizes lessons learned from coordinating relief efforts on Facebook during the 2014 Atlanta snowstorm. It describes how the SnowedOutAtlanta Facebook group was started to share information about road conditions, shelter locations, and how to get assistance. The group grew rapidly to over 50,000 members and directly helped hundreds of people stranded by the storm in its first day. The document discusses how social media like Facebook and maps helped people coordinate rescue efforts and find emergency supplies when official responses were overwhelmed. It concludes that social connectivity and empowering people to help each other are key to survival in crisis situations.
Michelle Sollicito is applying to be a mentor for the Cobb Mentoring Matters program. Susan Gilbert, her former boss, completed the reference form. Gilbert has known Sollicito for over 10 years and describes her as smart, hard working, determined, and energetic. Gilbert saw Sollicito interact with children and says she is a loving and sensitive person. Gilbert does not see any reason Sollicito should not mentor and thinks she would do well in the role. Gilbert believes high achieving students would do particularly well matching with Sollicito but that she could mentor any child well.
Michelle Sollicito is a technical architect and senior C# developer with 25 years of experience in software development, mostly using Microsoft technologies. She has extensive experience in C#, ASP.NET, SQL Server, JavaScript, HTML5, and CSS. Michelle has developed e-commerce and mobile applications, and has written books and articles on various technology topics. She holds multiple technology certifications and has received awards for her work developing a popular Facebook group.
Page 2 of 116
CONTENTS
1 WHAT IS BUSINESS CONTINUITY PLANNING?.........................................4
1.1 Business Continuity Planning Defined............................................................................................ 4
1.2 Disaster Recovery Defined............................................................................................................... 5
1.3 Overall Steps..................................................................................................................................... 5
1) Get Board approval......................................................................................................................... 5
2) Determine scope ............................................................................................................................. 5
3) Carry out risk analysis / management (Business Impact Analysis) ................................................ 5
4) Create a project plan and budget .................................................................................................... 5
5) Create the plan (overall document)................................................................................................. 5
6) Gather / Create supporting documentation ..................................................................................... 5
7) Test / review /audit the plan and the process .................................................................................. 5
8) Change Manage any changes made to the plan / process / documentation..................................... 5
9) Formally approve the plan.............................................................................................................. 5
10) Return to 6 ...................................................................................................................................... 5
2 CONVINCING THE BOARD...........................................................................6
2.1 The Importance of Support from the Top...................................................................................... 6
2.2 Explaining Why it’s so Important................................................................................................... 7
3 DEFINING SCOPE .......................................................................................10
3.1 Which Sites?.....................................................................................................................................10
3.2 Which Systems?...............................................................................................................................10
3.3 Which Departments/Business Functions? .....................................................................................11
3.4 Which Personnel?............................................................................................................................13
3.5 Business Partner Relationships ......................................................................................................13
3.6 Which Types of Disasters and Risks? ............................................................................................15
3.7 Which Legislation/Standards need to be considered?..................................................................15
3.8 Interaction with Other Organizations ...........................................................................................15
3.9 Gap Analysis ....................................................................................................................................15
3.10 Questionnaires .................................................................................................................................16
4 RISK MANAGEMENT ..................................................................................21
1) Identify Risks.................................................................................................................................22
2) Quantify Risks (Probability and Impact) .......................................................................................22
3) Risk Tolerance Levels ...................................................................................................................22
4) Allocate Risks to Appropriate Personnel.......................................................................................22
5) Risk Mitigation, Reduction and Response.....................................................................................23
6) Evaluation of Effectiveness ...........................................................................................................23
4.1 Benefits of Risk Assessment / Management ..................................................................................23
1) Cost Justification ...........................................................................................................................23
2) Facilitation of Communication between all departments in the Business .....................................23
3) Business Responsibility.................................................................................................................23
4) Business Continuity Awareness ....................................................................................................23
4.2 Risk Identification ...........................................................................................................................23
1) Environmental Disasters................................................................................................................26
2) Equipment/System Failure.............................................................................................................26
3) Serious Information Security Incidents .........................................................................................26
4) Organized/Deliberate Disruption...................................................................................................26
5) Loss of Utilities/Services...............................................................................................................26
6) Business Partners...........................................................................................................................26
7) Other Emergency Situations..........................................................................................................27
4.3 Risk Assessment...............................................................................................................................29
1) Cost Impact....................................................................................................................................29
2) Vulnerability Factors .....................................................................................................................31
3) Likely Loss ....................................................................................................................................32
4) Probability .....................................................................................................................................34
4.4 Calculations......................................................................................................................................40
4.5 Risk Mitigation / Risk Response.....................................................................................................42
1) Controls .........................................................................................................................................43
2) Risk Appetite.................................................................................................................................48
4.6 Risk Allocation.................................................................................................................................49
4.7 Scenario Grouping of Risks ............................................................................................................49
4.8 More on Risk Management.............................................................................................................50
5 CREATING THE PLAN ................................................................................51
5.1 Documents to use as Inputs to the Plan .........................................................................................53
5.2 Purpose.............................................................................................................................................54
5.3 Scope.................................................................................................................................................55
5.4 Objectives.........................................................................................................................................55
1) Category I - Critical Functions – Recovery Objective 2 hours......................................................56
2) Category II - Essential Functions – Recovery Objective 5 hours ..................................................56
3) Category III - Necessary Functions – Recovery Objective 24 hours.............................................56
4) Category IV - Desirable Functions - Recovery Objective 48 hours .............................................56
5.5 Distribution List...............................................................................................................................56
4. Page 4 of 116
5.6 Version Control ...............................................................................................................................57
5.7 Review Process.................................................................................................................................57
5.8 Strategies ..........................................................................................................................................58
1) Dual Site Method / Alternate Site Method ....................................................................................58
2) Bilateral Aid Agreement Method / Reciprocal Agreement Method ..............................................59
3) Dispersal Method...........................................................................................................................59
4) Deference Method .........................................................................................................................59
5.9 Functions, Responsibilities and Personnel Contact Info ..............................................................59
5.10 Lists...................................................................................................................................................60
1) IT Systems and Components .........................................................................................................60
2) List of key Documents...................................................................................................................62
A list of all key documents related to the BCP should be provided. This should include references to Procedures, Policies and Guidelines as well as SLAs, contracts, insurance documents etc. ..................62
A key set of procedures to be included is the full set of backup and recovery documents for all IT systems: ..................62
3) Info about all buildings/sites..........................................................................................................62
4) Key Personnel During Emergencies..............................................................................................62
5) Emergency Services Contact information .....................................................................................63
6) Roles and Responsibilities.............................................................................................................63
5.11 Policies and Procedures...................................................................................................................64
1) Notification Procedures, to include ...............................................................................................64
Description/diagram of the notification process (to include notification to external authorities)......64
Escalation Procedures........................................................................................................................64
Script (Telephone Guidelines) for Notification .................................................................................64
Organizational Structure for Notification..........................................................................................64
Recovery Team Personnel Notification.............................................................................................64
2) Emergency Procedures And Information, to include.....................................................................64
Alarm Systems information...............................................................................................................64
Evacuation Procedures ......................................................................................................................64
Local Emergency Telephone Numbers..............................................................................................64
Vital Records Retrieval Procedures...................................................................................................64
Vital Records Restoration Procedures ...............................................................................................64
Documentation Recovery Procedures................................................................................................64
Start-up Procedures ...........................................................................................................................64
Network Control Center Restoration Procedures ..............................................................................64
Applications Software and Data Restoration Procedures ..................................................................64
Other Mission Critical Procedures/Information.................................................................................64
Management of security and logistics during emergency situations .................................................64
Procedures for moving critical information to a secure site ..............................................................65
Procedures for keeping outside agencies, local government agencies etc. informed.........................65
Procedures for determining whether or not recovery / restoration should be attempted ...................65
Procedures for training, implementing, testing and maintaining the plan .........................................65
5.12 Contingency options/Redundancy..................................................................................................66
5.13 Key Timeframes...............................................................................................................................66
Category I - Critical Functions – Recovery Objective 2 hours..........................................................66
Category II - Essential Functions – Recovery Objective 5 hours ......................................................66
Category III - Necessary Functions – Recovery Objective 24 hours.................................................67
Category IV - Desirable Functions - Recovery Objective 48 hours .................................................67
5.14 Legal Requirements.........................................................................................................................67
5.15 Best Business Practices (Standards) Requirements......................................................................67
5.16 Communications..............................................................................................................................67
1) Internal Communications...............................................................................................................67
2) Communications Plan....................................................................................................................68
3) Stakeholder communications.........................................................................................................69
5.17 Action Task Lists .............................................................................................................................69
5.18 Plan Testing and Maintenance .......................................................................................................69
5.19 IT-specific Considerations ..............................................................................................................69
1) Perform backups regularly. Keep information central; this will help control information backup and help protect information integrity. Where information is decentralized (e.g. held on PCs), ensure that this information is also regularly backed up. ..................69
2) Increase physical security to the server room to prevent data loss. ..................69
3) Antivirus software should be in place on PCs, servers (data, file and mail servers) and, if possible, at network level also. ..................69
4) Patch update and management, including patch management of operating systems, application software, database software, middleware software, firewall software and other network management software. ..................70
5) Change Management and Configuration Management procedures to ensure that it is easier to restore applications and system components back to the most recent build and configuration (setup) if the live (production) system is destroyed due to an incident. This should include procedures for reapplying patches to software and components, recreating firewall rules and policies, operating system settings etc. ..................70
6) Internet facing systems are secured and maximum security is applied..........................................70
7) Remote access to data servers is controlled and strictly monitored...............................................70
8) Verify backups to ensure that they are not corrupt. .......................................................................70
9) Backups should be stored offsite. ..................................................................................................70
10) Replicate critical data in as close to real-time as possible .............................................................70
11) Use redundant hardware and software options wherever possible (e.g. RAID, hot failover servers, alternative ISPs, alternative firewalls, etc.) ..................70
12) Physical solutions like fire suppression, environmental monitoring and access control are implemented. ..................70
13) Standardize the setups / configurations of all hardware, software and network components, and where possible create scripts to recreate those setups / configurations ..................70
14) Document all changes to system and application configurations, patches, versions etc. using proper change control ..................70
15) Perform systematic scheduled restores that verify tape or backup media integrity ..................
16) Ensure the whole process is documented and can be followed by non-technical personnel. ........70
17) Use UPS backup power supply options for all servers, and any critical PCs ................................70
18) Ensure that Intrusion Detection Software, Intrusion Prevention Software and / or good Firewall software is in place to ensure that hackers are either prevented from accessing systems, or are detected as soon as they access them. Ensure that the alerts from such software are taken seriously, reviewed and followed up by key staff. ..................70
5.20 People-specific Considerations .......................................................................................................70
1) Reducing Impact of Personnel Loss ..............................................................................................71
2) Reducing Impact of Perceived Events...........................................................................................71
5.21 Third Party Considerations............................................................................................................72
5.22 Sample Plans ....................................................................................................................................73
6 MAINTAINING, TESTING AND AUDITING YOUR PLAN ...........................74
6.1 Testing Plan......................................................................................................................................74
1) Planning.........................................................................................................................................74
2) Test Execution...............................................................................................................................75
3) Evaluating testing ..........................................................................................................................75
4) Frequency of testing ......................................................................................................................75
6.2 Proposed Testing Scenarios ............................................................................................................75
1) Scenario 1 ......................................................................................................................................75
2) Scenario 2 ......................................................................................................................................76
3) Scenario 3 ......................................................................................................................................76
4) Scenario 4 ......................................................................................................................................76
6.3 Auditing/Testing Documentation ...................................................................................................76
1) Evaluating Backup and Recovery Strategy Documentation ..........................................................77
2) Evaluating SLAs............................................................................................................................78
6.4 Training............................................................................................................................................80
6.5 Review / Maintenance Process........................................................................................................80
6.6 Change Control/Version Control ...................................................................................................82
7 FRAMEWORKS, METHODOLOGIES, TOOLS AND SERVICES................83
7.1 Why use a Framework/Methodology?...........................................................................................83
7.2 Which Framework/Methodology? .................................................................................................83
1) ITIL ...............................................................................................................................................83
2) COBRA .........................................................................................................................................84
3) NIST Risk Management Guide for IT Systems.............................................................................84
4) OCTAVE.......................................................................................................................................84
5) Six Sigma.......................................................................................................................................84
6) FISCAM (Federal Information System Controls Audit Manual) ..................................................84
FISCAM offers guidance to auditors of Federal Agencies’ systems in terms of integrity, confidentiality and availability. Section 3.6 goes into great detail about the requirements for service continuity and provides a framework for use by Auditors to assess compliance. ..................84
7) Other Methodologies and Frameworks..........................................................................................84
7.3 Why use Tools?................................................................................................................................85
7.4 Which Tools? ...................................................................................................................................85
1) Risk Evaluation Tools ...................................................................................................................85
2) Self-Assessment Tools ..................................................................................................................85
3) Change Management Tools ...........................................................................................................85
4) Documentation Generators ............................................................................................................85
a) Policy and Procedure Generators.......................................................................................................85
b) SLA Generators.............................................................................................................................85
c) Questionnaire/Survey Generators......................................................................................................85
7.5 Which Services are Available? .......................................................................................................86
1) Web-based Services.......................................................................................................................86
2) Consultancy Services.....................................................................................................................86
3) Audits ............................................................................................................................................86
8 LEGISLATION, EXTERNAL STANDARDS AND THEIR EFFECTS ...........87
8.1 Legislation and Regulations in the US ...........................................................................................87
1) Sarbanes Oxley Act .......................................................................................................................87
2) HIPAA...........................................................................................................................................88
3) NASD ............................................................................................................................................88
4) GLBA ............................................................................................................................................88
5) Federal Information Security Act 2002 (FISM) ............................................................................88
6) OSHA 1970 (Occupational Safety and Health Administration) ....................................................88
7) Other relevant US legislation and regulations ...............................................................................89
41 Code of Federal Regulations 101.20.103-4, Occupant Emergency Program, revised as of July 1, 2000 ..................90
36 Code of Federal Regulations, Part 1236, Management of Vital Records, revised as of July 1, 2000 ..................90
Presidential Decision Directive 67, Protection Against Unconventional Threats to the Homeland and Americans Overseas, dated May 22, 1998 ..................90
Homeland Security Presidential Directive 3, Homeland Security Advisory System, dated March 11, 2002 ..................90
Homeland Security Presidential Directive 5, Management of Domestic Incidents, dated February 28, 2003 ..................90
Homeland Security Presidential Directive 7, Critical Infrastructure Identification, Prioritization, and Protection, dated December 17, 2003 ..................90
Homeland Security Presidential Directive 8, National Preparedness, dated December 17, 2003 ..................90
Federal Preparedness Circular 60, Continuity of the Executive Branch of the Federal Government at the Headquarters Level During National Security Emergencies, dated November 20, 1990 ..................90
8.2 Legislation in the UK.......................................................................................................................91
1) The UK Civil Contingencies Bill ..................................................................................................91
2) Data Protection Legislation ...........................................................................................................92
8.3 Other Legislation and Directives....................................................................................................92
1) EU Data Protection Directive 1995 ...............................................................................................92
2) WTO Government Procurement Agreement .................................................................................92
3) PIPEDA (Canada)..........................................................................................................................92
4) Singapore BC/DR Standard...........................................................................................................92
8.4 External Standards..........................................................................................................................93
1) ISO.................................................................................................................................................93
a) ISO17799 (BS7799) standard mandates that in order to comply an organization must have solid Business Continuity Management, and must take measures to: ..................93
prevent loss, damage or compromise of assets and interruption of business.....................................93
prevent compromise or theft of information and information processing facilities...........................93
prevent loss, modification or misuse of user data in application systems..........................................93
protect the confidentiality, authenticity and integrity of information ................................................93
reduce risks of human error, theft, fraud or misuse of facilities ........................................................93
b) ISO9001 standard mandates Quality Management requirements of IT systems, including dictating that the Business Continuity process is well-documented, personnel are trained effectively, etc. ..................93
2) BSI PAS 56....................................................................................................................................93
3) BSI5000.........................................................................................................................................93
4) FIPS-PUB-87 Guidelines for Automated Data Processing Contingency Planning .......................93
5) ISF Standard for Information Security ..........................................................................................94
6) Visa CISP (Cardholder Information Security Program) and PCI (Payment Card Industry) requirements ..................94
7) Other Standards .............................................................................................................................95
9 USEFUL RESOURCES................................................................................96
9.1 Websites............................................................................................................................................96
1) General ..........................................................................................................................................96
2) Guides and Templates ...................................................................................................................97
3) Risk Management/Impact Analysis...............................................................................................98
4) Training and Certification..............................................................................................................98
5) Change Management .....................................................................................................................99
6) Methodologies ...............................................................................................................................99
7) Tools..............................................................................................................................................99
8) Standards and Legislation............................................................................................................100
9) Useful Other Sites........................................................................................................................100
9.2 Papers .............................................................................................................................................101
9.3 Books...............................................................................................................................................101
10 SPECIFIC REFERENCES.......................................................................103
10.1 Retail / Supply Chain BCP ...........................................................................................................103
10.2 Banking / Finance Industry BCP .................................................................................................103
10.3 Human Security Issues..................................................................................................................103
10.4 IT Security Issues ..........................................................................................................................103
10.5 Database Recovery ........................................................................................................................104
Acknowledgements
Michelle Sollicito would like to say thank you to all the friends and colleagues from Yahoo!, Earthlink,
Schlumberger Sema, Accenture, and other large companies for providing input, advice and support to help
me in completing this book.
About the Authors
Michelle Sollicito is an Ebusiness Consultant with Exceptiona.com in Atlanta, Georgia. She has 16 years of
IT and Ebusiness experience gained with many organizations across the world, having lived in the UK,
New Zealand and now in the USA.
Who is This Book For?
“Business Survival – a Guide to Business Continuity Planning and Disaster Recovery” is for experienced
and inexperienced, technical, and non-technical personnel who are interested in the need for Business
Continuity Planning within their organizations.
These personnel include:
Senior and Executive management, the decision-makers who make budgetary decisions
Business Continuity Managers and their teams
Chief Information Officers, who ensure the implementation of the Disaster Recovery elements of the Business Continuity Plan and play a large role in (and perhaps even manage or oversee) the Business Continuity Process
The IT security program manager, who implements the security program
IT managers and system owners of system software and/or hardware used to support IT functions
Information owners of data stored, processed, and transmitted by the IT systems
Business Unit owners and managers who are responsible for the way in which their own unit fits into the overall Business Continuity Plan, but especially
o Facilities Managers, who are responsible for the way the buildings are evacuated and secured, providing floor plans and information to Emergency Services, etc.
o Human Resources Managers, who are responsible for the “people” elements of the Business Continuity Plan
o Communications and PR Managers, who are responsible for the communications policies that form part of the Business Continuity Plan
Technical support personnel (e.g. network, system, application, and database administrators; computer specialists; data security analysts), who manage and administer security for the IT systems
Information system auditors, who audit IT systems
IT consultants, who support clients in developing, implementing and testing their Business Continuity Plans
“The driver for Business Continuity Planning should take into consideration natural disasters and
internal security breaches as well as Terrorism!” (Gartner, 2002)
1 What is Business Continuity Planning?
With the emergence of the internet as a place for doing business 24 hours per day, 365 days per year, it is
more and more important that organizations are able to continue to operate when unexpected events occur.
The events of 9/11 showed how deeply unexpected events can affect whole industries, such as the financial
and airline industries, and the knock-on effect this kind of event can have across the whole economy of the
United States.
However, even in the midst of such a catastrophic disaster, Dow Jones and Co, publisher of The Wall
Street Journal, located very close to the World Trade Center, enacted its Business Continuity Plan so
effectively that it was able to provide its readers with the newspaper the very next day, despite having to
relocate all its editors, reporters and support personnel to alternate offices and install 100 PCs at the new
location!
The tsunami of Christmas 2004 (and before that, the power blackout in New York, and the rolling
blackouts in California) showed the potential for disasters to affect whole regions at a time.
The Enron and Worldcom scandals (amongst others) illustrated how deeply companies can be affected by
bad PR events.
Taking into account all of these facts, the Federal US Government, investors, as well as many of the
organizations governing industry standards and regulations, recognized the need for improved Business
Continuity measures and increased controls to help prevent the impact of events such as these.
As a result, organizations (especially those in the United States) are coming under increasing pressure to
produce effective Business Continuity Planning measures in order to reduce/mitigate risks.
Many organizations had Disaster Recovery Plans already in place and assumed that these were sufficient to
meet the requirements of new laws, regulations and conformance requirements. However, they have now
discovered that Business Continuity Planning is about much more than simply ensuring that computer
systems come back up quickly and effectively after a disaster.
So, what exactly is the difference between Business Continuity Planning and Disaster Recovery Planning?
1.1 Business Continuity Planning Defined
Business continuity planning is concerned with optimizing organizational resilience.
As such, it is a business function aimed at developing, documenting and integrating procedures, processes
and technologies in order that in the event of a disaster, critical business functions can continue with
minimal disruption or downtime, providing at least the minimum level of acceptable service, while the
remainder of the organization is restored to “business as usual” status.
Business Continuity Planning (or BCP) is all-encompassing. It is the responsibility of each department or
business function to define the restoration requirements essential to continuing its operations as part of
Business Continuity Planning, and thus BCP encompasses the complete restoration process required across
the whole organization, not only the IT systems.
Likewise, Business Continuity Planning should consider all kinds of disasters – natural ones (e.g. those caused by flood or earthquake), system failures (e.g. caused by hardware failure or software failure) and all other types of disasters (e.g. those caused intentionally by viruses, hackers or terrorism, or those caused accidentally by fire, accidents etc.).
BCP does include IT recovery plans (Disaster Recovery), but also considers other aspects such as
communications, buildings, stationery, office equipment, water supplies, electrical supplies, etc. Done
properly, BCP is more about creating a Business Continuity culture rather than simply specifying a set of
procedures to follow in the event of an emergency.
In order to avoid some of the political issues commonly experienced within organizations having a Disaster
Recovery team and a Business Continuity team, it should be made very clear that the Disaster Recovery
team reports to the Business Continuity manager and is just one team making up the Business Continuity
team.
1.2 Disaster Recovery Defined
Disaster Recovery, however, is a subset of Business Continuity Management and is primarily an IT
function, aimed at restoring the organization’s IT systems to “business as usual” status in as efficient a
manner as possible.
Disaster Recovery Plans document the actions required to restore systems and data after a disaster or an
outage in such a way as to prevent, or at the least minimize, the impact that the disaster or outage has on the
organization.
Disaster Recovery Plans typically also document any precautions taken to minimize the effects of a disaster
or outage.
The key difference between Business Continuity Planning and Disaster Recovery is that BCP is proactive
(its aim is to avoid or mitigate the impact of a risk), whereas Disaster Recovery is reactive (it aims to
restore the business after the risk occurs).
However, Disaster Recovery is an integral component of a Business Continuity plan.
1.3 Overall Steps
In order to successfully create a Business Continuity Plan and Process, there are a number of steps that
need to be taken.
1) Get Board approval
2) Determine scope
3) Carry out risk analysis / management (Business Impact Analysis)
4) Create a project plan and budget
   o Establish a BCP group / team
   o Establish a Steering Committee
5) Create the plan (overall document)
6) Gather / Create supporting documentation
7) Test / review / audit the plan and the process
8) Change Manage any changes made to the plan / process / documentation
9) Formally approve the plan
10) Return to 6
2 Convincing the Board
2.1 The Importance of Support from the Top
It is absolutely essential to gain top management approval and commitment to the development of a
Business Continuity Plan and Process. The aim of the BCP process is to create a Business Continuity
culture, to change the way that everyone in the organization thinks, and for a change of that magnitude, it
has to be perceived as being driven from the top downwards.
Without it, it will be almost impossible to motivate other players, who may see no direct financial return
from work carried out on such a plan. It will also be difficult to obtain resources and finances required to
make the Business Continuity Plan effective.
Luckily, corporate governance and preparedness is a hot topic in the Board Rooms of most organizations
these days, thanks to 9-11, Sarbanes Oxley Audits and public trials of corporate executives, so this should
make it much easier to gain the top-level approval required. Many companies are also already under
pressure to comply with international standards that require Business Continuity Plans as a key component
in the path to compliance.
The reason for the pressure to conform to corporate governance standards is, in essence, purely because
Business Continuity is good practice. Knowing that a BCP is in place reassures investors and potential
investors, employees and potential employees, customers and potential customers.
Some executives, however, will provide endless excuses for why they cannot commit resources to BCP work – lack of time, resources and/or money being the most common excuse¹.
The best way to gain commitment from such executives is to ask probing questions about their level of
confidence in the event of a disaster – ask them how confident they are that the company’s vital records are
well protected, or how confident they are that a determined hacker could not get into the company’s
systems.
Ask them how much it would cost their organization (in terms of financial costs, as well as in terms of
consumer and investor confidence) if a key system went down for two weeks, and ask how sure they are
that this could never happen.
Ask them how confident they would be about producing the Year End Accounts if their CFO befell an
unfortunate accident a week before Accounts Close.
Point out that these days, an organization that does not provide at least a minimum level of service to its
clients (and /or business partners) following a disaster may not have a business worth recovering!
Customers are just one click away from a competitor in many cases, and, of course, if business partners
find out that they can function without your organization for one day, they may decide they can function
without you for longer!
This approach is likely to increase their attention level dramatically!
¹ http://www.exceptiona.com/displaycategoryitems.asp?ArticleId=155 Ostrich Syndrome
For more information on how the Board can be convinced of the necessity of a BCP plan, see "What's Wrong With BCP? CPM's Advisory Board Sounds Off On the State of the Industry", Paul Kirvan, http://www.contingencyplanning.com/archives/2003/janfeb/1.aspx
2.2 Explaining Why it’s so Important
The US Federal government recognizes the impact upon the economy of organizations having insufficient
Business Continuity measures in place, and hence is putting increased pressure on organizations to put into
place (and to test) business continuity plans to reduce the impact on the economy, industry and the public
of major disasters. Government Agencies must now have BCPs in place, and most large organizations are
affected by one of the laws/regulations requiring that a BCP be in place now, or in the near future – such as HIPAA² and the Sarbanes Oxley Act³.
Increasing emphasis on Corporate Governance means that key stakeholders are insisting upon effective
Disaster Recovery / Business Continuity Plans. This is because suppliers, employees, business partners,
shareholders and potential investors are acutely aware of the potential financial impact of not having such
plans – not only in terms of real financial losses, but also the potential loss of customers, poor public
image, falling share prices etc.
Not only is it a good idea to have an effective BCP to keep stakeholders’ minds at rest, but Business
continuity plans can be shown to be an excellent return on investment - research has shown that
organizations have a much better chance of remaining in business and suffering significantly fewer costs as
a result of a disruption if they have a Business Continuity Plan. Further, the alternative to having a BCP
can be financial ruin.
One study suggests that any organization that suffers a computer outage lasting more than 10 days never fully recovers, and that 50% of such companies go out of business within 5 years of such an incident.⁴
Disaster Recovery Institute International (www.drii.org) research shows that:
• More than 75% of US businesses have experienced some type of interruption
• More than 80% of small businesses experiencing business interruptions go out of business within 5 years
• 93% of all organizations who experienced a disaster with no recovery plan in place closed within five years
• 50% of companies that lost critical business functions for more than ten days never recovered
• The average cost of business and system downtime for Fortune 500 companies is $96,000 per minute.
Despite these figures, IDC found that although 80% of large companies have a BCP plan or process
underway, only 40-45% of small companies do.
Part of the reason that more companies do not have BCP plans in place is that there is clearly a mismatch in communication between the IT function and Business functions within many organizations – a Roper study showed that while 52% of IT executives believe that their organizations are very vulnerable to the possibility of losing critical data, only 14% of business executives in the same organizations were aware of this vulnerability.
There are many other compelling reasons for creating an effective Business Continuity Plan.
² http://www.hipaadvisory.com/action/notes/vol3/may03.htm HIPAA and Business Continuity/Disaster Recovery Planning
³ http://www.itpapers.com/abstract.aspx?cid=66&docid=83814 Sarbanes Oxley and BCP
⁴ Jon Toiga, Disaster Recovery Planning: Managing Risk and Catastrophe in Information Systems (Yourdon Press, 1989)
Disasters are by their very nature, unexpected. They tend to occur at the most inconvenient times – the one
week in the year when all the experts on the critical systems are away at a seminar, the day after the most
recent system backup failed, just before “close” for End of Year Accounting functions, at the end of a long
day when all the network engineers are tired and confused.
Effective Business Continuity Planning enables all the key players to think carefully through all the
possible scenarios and determine the best way to tackle each, and then to document these in such a way that
the most tired, confused, inexperienced team member knows what is expected of him or her in each
situation.
Having an effective Business Continuity Plan ensures that a great deal of the critical employee knowledge
and expertise is captured on paper in policies, procedures and plans. This protects the organization in the
event of employee absenteeism and resignation, and reduces training costs when replacing critical
employees.
Compliance with many internationally recognized standards (e.g. ISO 17799) – increasingly of great importance to many organizations throughout all sectors of trade, industry and government (many government agencies and organizations will not enter into contracts with companies who are not compliant with one or other of the required standards) – requires appropriate business continuity management and planning.
Furthermore, many organizations decide to implement BCP planning measures independent of any external pressures from trade, industry and government, because of factors such as:
• Increasing dependency over recent years on computerization, leading to an increased risk of loss of normal business operations
• Increased security threats to IT systems (including viruses, hackers, trojan horses etc.)
• Increased recognition of the impact that a serious incident could have on the business (and even the whole industry/economy) in the light of events such as Y2K, 9/11, the New York power outage (August 2003), the rolling blackouts in California (2001), etc.
If the Board still doesn’t “get it” once you have listed all these reasons that Business Continuity Planning is
so important, it is time to get out your list of issues that you have found within the organization that could
cause potentially huge losses or embarrassment.
For example:
• A critical business function located on the ground floor of a building that is built within a flood plain
• Firewalls that are being bypassed, meaning that hackers could potentially gain direct access to the systems containing credit card data
• UPS backup power systems that are not maintained and therefore will not operate in the event of power outages
• Change management procedures being bypassed, so that it would be impossible to recreate the software set up on key web servers if one of them was lost due to hardware failure
• A failover site that uses the same ISP as the main sites, so that in the event of ISP failure neither site would be operational
• SLAs that are out of date or insufficient to protect the business against loss of service
64-70% of businesses that have major fires never recover. The primary reason for failure is the loss of vital business records. (Broder 1999)
Also, point out that research shows that:
• The Power Grid in the US, built in the 19th Century, is not able to support 21st Century load effectively
• Demand for premium power will grow from 10% to 50% by 2010
• The New York blackout and the Rolling Blackouts in California may be symptoms of this problem
• More and more organizations are looking at backup power options
• Software bugs cost business $60 billion per year
• Ecommerce/ebusiness increasingly requires 24 x 7 x 365 availability of many systems
• In 1999, a large US candy manufacturer missed candy deliveries worth approximately $200 million because of system glitches in its new $112 million computer system.
• An online trading company lost $2.5 billion in market value when its system crashed.
3 Defining Scope
Assuming that the Board gives approval for the creation of a Business Continuity Process / Plan to be
developed, the first stage is to define the scope. Many BCP planners have skipped this step to their peril,
perhaps assuming that it is “obvious” what is within scope and what is not in scope. However, it is often
not until the detail is examined that it becomes clear how important scoping is within any BCP exercise.
An essential for the scoping phase of any BCP process is a database to contain all the lists that will be
obtained during this phase and then expanded upon and updated/maintained later in the process. Ensure
that this database is secure, is regularly backed up, its contents are available to authorized staff only within
the intranet, and that the BCP team and other authorized parties get an updated paper copy of all relevant
lists from that database regularly. Also, ensure that the backup of that database as well as the paper copies
are stored at multiple sites, including in a fireproof safe offsite at a document storage facility. It would be
most embarrassing for the BCP team not to be able to function during a crisis because they did not have
access to their own database, or information stored in it!
As a minimum, the BCP should cover all business processes within the organization – not only IT systems,
but also communications, business information, production, sales, accounts, customer service and public
relations etc. However, consideration should be given to which systems and sites span across
organizational boundaries, and which of these should be taken into account during the scoping exercise.
This chapter provides a guide to ascertaining which sites, systems etc. to consider when making scoping
decisions.
3.1 Which Sites?
For example, it is important to get a complete list of all sites that contain systems or personnel owned by or
related to the organization in any way. Start by assuming that all are in scope, and only eliminate sites
when you are sure that they are not in scope.
While it may be obvious that sites such as the organizational Headquarters, the Data Center Site and any offices, warehouses and retail outlets owned by the organization should be included, sites that some organizations might overlook if this approach were not taken include:
• Homes of employees who work from home some or all of the time
• Business Partner sites (the sites of Suppliers, Wholesalers, even some Customers)
• Offshore Outsourcing centers
• Failover sites (it is amazing how many organizations assume that Failover sites will always be operational and available, no matter when an emergency might materialize, and therefore eliminate these from the scope of their Business Continuity Plans!)
• Banks/Financial Institutions (how would your organization operate if its main source of finance were not operational for a few days?)
• The sites of Utilities on which the business is dependent
• Offsite storage facilities for backup media
Once a list of all sites exists within your BCP database, the sites should be prioritized according to
criticality - e.g. the Data Center may be a criticality level 1 site, whereas the Bonded Warehouse may be a
criticality level 5 site.
3.2 Which Systems?
A clear definition of which systems are covered within the Business Continuity Process is needed because
so many owners of smaller systems will otherwise assume that their system is not significant enough to
warrant inclusion.
It is often obvious that the larger IT systems should be included within scope; however, the unavailability of the smallest, single user spreadsheet just before the Accounts are due to close can potentially cause big problems for an organization, so overlook nothing!
Also it is vital to consider systems that are not owned by the organization (and possibly located offsite) –
especially nowadays, with so many organizations reliant upon external systems for their own survival – e.g.
credit card software/shopping carts, business to business marketplaces/exchanges, bank automated
clearance systems, etc. The impact of losing access to these kinds of systems can be huge on an
organization, even for a short period of time, so examining SLAs and Failover options for those systems is
crucial to BCP planning.
Interdependencies between all systems (both internal and external) need to be clearly understood before it
can be determined that any system is not within scope.
It is also important to take into account that systems consist of many components, and each component is within scope:
• Hardware (servers, network cables, routers, hubs, firewalls, etc.)
• Software (operating system software, system administration software, networking software, database software, application software, office automation software, web server software, custom software, packaged software, all single user software, spreadsheets, all development and test code used to create any of these in house, etc.)
• Interfaces with other systems
• Data and information
It is easy to forget (or not realize) how interdependent these components often are, so it is key to identify
interdependencies clearly also. For example, in some organizations, if a key firewall, proxy or router goes
down, access to most of the organization’s systems is no longer available.
As input to the process of determining which systems and components are in scope, use network topology
diagrams, system architecture diagrams, etc. and be sure they are kept up-to-date with all the latest changes.
A wealth of automated scanning tools are available these days to enable you to double-check that the list of
systems you have identified is truly the full list – it is very easy to miss systems when carrying out a system
audit. Some tools are aimed at scanning routers and firewalls to identify all that are operational, while
some are aimed at scanning each PC or Server to find out which applications are installed (remember that
in many organizations, PC owners can install software on their own PCs without informing the Technical
Support personnel, especially by downloading from the internet).
List all systems in terms of priority/criticality within your BCP database, remembering that some systems
that may not seem to be critical may need to be brought up before critical systems can become operational,
due to interdependencies.
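As an added example (not from this guide), the following Python script applies the interdependency rule above to a constructed system inventory: it flags every system that an in-scope system depends on, directly or through other systems, but that is marked out of scope or missing from the inventory, and it derives a recovery order in which each system comes up only after its dependencies, highest criticality first among those that are ready. All system names, criticality levels and dependency edges are constructed for illustration.

```python
"""Dependency-aware scope check and recovery ordering for a BCP system inventory.
Added example, not from the guide; the inventory below is constructed."""
from collections import defaultdict, deque

# Constructed sample inventory: criticality level 1 = highest, 5 = lowest.
INVENTORY = {
    "order-entry-web":  {"criticality": 1, "in_scope": True},
    "orders-db":        {"criticality": 1, "in_scope": True},
    "edge-firewall":    {"criticality": 3, "in_scope": True},
    "proxy":            {"criticality": 4, "in_scope": False},  # owner assumed "not significant"
    "bank-ach-gateway": {"criticality": 2, "in_scope": False},  # external system, not owned
    "finance-sheet":    {"criticality": 5, "in_scope": True},   # single-user spreadsheet
}

# Constructed dependency edges: system -> systems that must be up before it.
# "dns" is deliberately absent from INVENTORY to show a missed system.
DEPENDS_ON = {
    "order-entry-web": ["orders-db", "proxy", "edge-firewall"],
    "orders-db": ["edge-firewall"],
    "proxy": ["edge-firewall", "dns"],
    "bank-ach-gateway": [],
    "finance-sheet": ["orders-db", "bank-ach-gateway"],
    "edge-firewall": [],
}


def scope_gaps(inventory, depends_on):
    """Return {dependency: [in-scope systems that need it]} for every system that
    an in-scope system depends on (transitively) but that is marked out of scope
    or is not in the inventory at all. Nothing should be declared out of scope
    while it appears in this result."""
    gaps = defaultdict(set)
    for system, entry in inventory.items():
        if not entry["in_scope"]:
            continue
        seen = set()
        queue = deque(depends_on.get(system, []))
        while queue:                       # breadth-first walk over dependencies
            dep = queue.popleft()
            if dep in seen:
                continue
            seen.add(dep)
            found = inventory.get(dep)
            if found is None or not found["in_scope"]:
                gaps[dep].add(system)
            queue.extend(depends_on.get(dep, []))
    return {dep: sorted(users) for dep, users in gaps.items()}


def recovery_order(inventory, depends_on):
    """Topologically order systems so each comes up after everything it depends on.
    Among systems ready at the same time, the most critical (lowest level number)
    goes first; systems missing from the inventory sort last. Raises ValueError
    on a circular dependency, which would make the plan impossible to execute."""
    indegree = {s: 0 for s in depends_on}
    dependants = defaultdict(list)
    for system, deps in depends_on.items():
        for dep in deps:
            indegree.setdefault(dep, 0)    # a dependency may not have its own entry
            indegree[system] += 1
            dependants[dep].append(system)
    ready = [s for s, d in indegree.items() if d == 0]
    order = []
    while ready:
        ready.sort(key=lambda s: inventory.get(s, {}).get("criticality", 99))
        current = ready.pop(0)
        order.append(current)
        for nxt in dependants[current]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
    if len(order) != len(indegree):
        raise ValueError("circular dependency among: %s"
                         % sorted(set(indegree) - set(order)))
    return order


if __name__ == "__main__":
    for dep, users in scope_gaps(INVENTORY, DEPENDS_ON).items():
        print("scope gap: %-17s needed by %s" % (dep, ", ".join(users)))
    print("recovery order:", " -> ".join(recovery_order(INVENTORY, DEPENDS_ON)))
```

Note that the low-criticality proxy and the unlisted dns server are ordered ahead of the level-1 order-entry system, which is exactly the interdependency effect the text warns about.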
3.3 Which Departments/Business Functions?
Of course it is easy to say that all departments and business functions should be part of the Business
Continuity Planning Process, and so they should. However, it is important to recognize that some
departments will be more involved than others, while some will simply provide input to the process in
terms of which systems are essential to their continued operations.
Recognize that some parts of the business may have a lot of the information needed for the BCP process
already at their fingertips - many organizations nowadays have an Internal Audit department (especially in
the US, since the Sarbanes Oxley laws have become operational) - and this department may have already
done a great deal of the legwork involved in obtaining lists of key systems, personnel and contact
information, as well as lots of useful documentation – procedures, guidelines and standards.
They may also have already identified some areas of BCP/DR which are weak within the company. All
this information will be very useful in reducing the workload of the BCP/DR team, and having the
information to hand will also help to prevent bad feeling within the company arising from two different
departments asking for exactly the same information!
Encourage team working, and lots of cross-communication and sharing of information with such a
department if your organization has one.
Of course, the IT department is another key ally essential to the success of the BCP effort. In most
organizations, a great number of the concerns of the BCP team are already concerns that have been
considered by the IT department in some detail, and it is likely that the IT department will already have
established Disaster Recovery plans and procedures, Failover sites for the IT department and Failover
hardware and software options for key IT systems. Learn everything you can from the IT department and
be sure to foster a close relationship – there is nothing more likely to make a BCP effort fail than a poor
relationship between the BCP team and the IT department.
List all departments and business functions and order them by priority (in order of importance to the
organization) within your BCP database.
Areas to be considered could include:
• Ecommerce processes
• Email-based communications
• Other online real-time customer services
• Production line / processes
• Quality control mechanisms
• Customer service handling
• Sales / sales admin
• Finance / treasury
• Research / development
• Maintenance and support services
• Information technology services
• Premises (Head Office and branches)
• Marketing
• Public Relations
• Accounting and reporting
• Strategic and business planning activities
• Internal audit
• Human resources management
3.4 Which Personnel?
It is often best to allow the Business Functions or Departments to elect representatives to be involved in the
BCP effort from amongst themselves. However, there are some key players who really need to play some
part in the team.
At least one Board Member should have day-to-day knowledge about the work on the BCP effort, so that
the team has the full authority it needs in order to carry out its mission. In addition, at least one legal expert
is required in order to advise on laws which must be conformed to, and to help when examining contracts
and SLAs to explain the implications of different clauses within them.
The Emergency Operations Center Management team (or Help Desk in a smaller organization) should be
fully involved with all aspects of the BCP as it is their staff who will be implementing many of the
procedures in an emergency, and who will be the first point of contact in a disaster.
Ensure that for each department/business function listed within the BCP database, there are at least two
contact names/numbers (preferably each from a different site if possible) who are aware of the BCP
process.
It is imperative that one person is elected to be responsible overall for the BCP team, plan and process, and
is given full authority as BCP Manager. However, this person should have a strong backup partner
(preferably based at a different location) who is fully aware of all aspects of the BCP in case the BCP
Manager is unavailable.
This person must have full-time responsibility for the BCP plan and process in order to be most effective,
someone who is free from other responsibilities and who has the authority to confront other managers when
necessary.
3.5 Business Partner Relationships
From time to time it will be necessary to involve business partners in the BCP process. In some cases, this
will be purely to inform them of alternative contact numbers and locations in case of emergency or disaster.
However, in other cases, business partners may play a key role in getting the organization back up and
running – for example, if the business partner provides or shares a key system.
In the Ebusiness world, the boundaries between organizations are becoming more and more blurred – with many companies involved in Joint Ventures, many organizations opening up a great deal of their IT Infrastructure to one another via Extranets and public websites, and with many business processes crossing organization boundaries. As organizations depend more and more upon the extended value chain of all their business partners in order to produce a product or service, business partners become more crucial to the overall Business Continuity of each organization. The BCP team should be aware of this, and be sure to include Business Partners in whichever aspects of the BCP process are relevant to them.
A good way to determine which business partners the BCP team may need to focus on, is by sending out a
questionnaire to all Business Partners/Vendors such as the one below.
For more ideas on third party questionnaires see the sample questionnaire provided at DRJ.com
http://www.drj.com/eab/q&a/bcpvendorquestions.doc
It should be mandatory that critical business partners, such as Banks, Financial Institutions, etc. have their
own “real” BCP plan – the organization should seriously consider the option of changing business partners
if one does not exist. In the US, public companies under the scrutiny of Sarbanes Oxley Auditors often
require SAS70s or other documentation (e.g. Systrust certification) to reduce the risk of critical business
partners having inadequate Business Continuity and Systems Management.
List all the organization’s business partners. Take into account Banks and Financial Institutions, Corporate
Customers, Suppliers/Vendors, ISPs, Wholesalers, any Business to Business (EBusiness) partners,
Auditors, Consultants etc. Ensure that their contact details are kept fully up to date in your BCP database.
Recognize that your organization may be required to provide reassurance to its business partners also.
More and more organizations are becoming acutely aware of how dependent they are upon their business
partners and are requiring periodic testing of business continuity or disaster recovery exercises. For
example, in the Financial Sector, the Nasdaq Stock Market (and SIA) currently requires members to
participate in such tests, see http://www.continuitycentral.com/news0894.htm.
Third Party Questionnaire on BCP
1. Has your organization recently (in the past year) been audited by an External
Auditor for any of the following standards? SAS70? Visa CISP? Sarbanes Oxley?
Yes/No
If yes, please provide the Auditor’s report or a copy of the Certificate.
2. Does your organization have a fully documented Business Continuity Plan or
Disaster Recovery Plan? Yes/No
If you answered No, please go to question 5.
3. Does your organization have a process to support the Business Continuity Plan /
Disaster Recovery Plan, which ensures that changes to the business or systems are
constantly assessed to determine whether or not the BCP needs to change?
4. Does your Business Continuity Plan / Disaster Recovery Plan cover:
• all sites?
• all business functions?
• all IT systems?
• emergency evacuation procedures?
• alternate site arrangements?
• data backup and recovery policy (including offsite storage of key data)?
• a number of different types of incident / disaster scenarios?
5. Please provide key contact information in the event of an emergency or incident.
6. Please provide the name, position and contact info of the person responsible for BCP within your organization.
3.6 Which Types of Disasters and Risks?
At this point most disasters and disaster types should be considered to be in scope. It may be that your
organization determines that some potential disasters are excluded because they are so unlikely (e.g.
nuclear war, terrorist bomb), but if that decision is made, it is important to get sign off at Board level of any
threats that are excluded from scope.
3.7 Which Legislation/Standards need to be considered?
An initial meeting with the Board, IT Management and the Legal Department should identify most
legislative requirements, and standards the organization wishes to comply with, the most common being
HIPAA, Sarbanes Oxley, Visa CISP and Data Protection Act laws. However, anticipate others cropping up
during your investigations, especially if your organization is a government agency, financial institution or
in the Health industry.
3.8 Interaction with Other Organizations
Before determining the scope of your own incident response plans, it is important to know how local
authorities and government agencies will respond to incidents and how your organization should fit into the
overall picture.
There are a number of resources on the web to help you to assess how to respond to various different types
of incident, including bioterrorist incidents, disease outbreaks, natural disasters etc. Some useful resources
are listed here:
http://www.riskinstitute.org/ptrdocs/LocalGovernmentPreparationforBioterroristActs.pdf
Local Government Preparation for Bioterrorist Acts
http://www.bt.cdc.gov/Planning/
Public Health Emergency Preparedness and Response, CDC
http://www.fema.gov/library/bizindex.shtm
Emergency Management Guide for Business and Industry, FEMA
http://www.disastercenter.com/terror.htm
Counter-Terrorism – Terrorism and Security Information
http://www.cj.msu.edu/%7Eoutreach/CIP/CIP.pdf
Critical Incident Protocol – a Public and Private Partnership, Michigan State Uni
http://europa.eu.int/comm/environment/civil/pdfdocs/commission.pdf
European Union Strategy on Prevention, Preparedness, and Response to Natural, Man-made and other risks
http://www.dhs.gov/dhspublic/interapp/editorial/editorial_0566.xml
National Response Plan (Dept Homeland Security)
3.9 Gap Analysis
Which parts of the BCP are already in place, are not in place, and which parts need defining more clearly?
Review current policies and procedures and meet with key personnel to determine what needs to be done.
Work closely with the Internal Audit department in ascertaining the current situation - Internal Audit
departments should have a fairly clear idea of what is already in place, and what is missing.
In many organizations, Disaster Recovery procedures are already defined but Business Continuity Plans are
not.
Knowing what already exists ahead of starting the BCP process can reduce workload and frustration!
A good way of determining the current position is by using questionnaires to gather initial information.
Some sample questionnaires are given below.
3.10 Questionnaires
Some useful fact-gathering questionnaires to use when trying to identify scope, and attempting to determine
the current position within the company are provided below.
Questionnaire for Top Executives
1. Does your organization have a Business Continuity Plan in place? Yes/No
(if you answered No, go to question 5)
2. When was the Business Continuity Plan last tested?
3. Who is responsible for the Business Continuity Plan?
4. What is the most recent date on which the BCP was updated, reviewed, approved
and released?
a) Most recent six months
b) Most recent year
c) More than one year ago
5. If a 9/11 type event wiped out your whole data center today, what is your
confidence level that the organization would survive?
a) Low
b) Medium
c) High
6. When was the most recent Business Impact analysis/Risk analysis exercise
carried out?
a) Most recent six months
b) Most recent year
c) More than one year ago
7. Has your organization quantified the risks you face in financial terms? If yes,
please give details of documentation or contacts for further questions in this area
Y/N _______________________________________________________________
8. Has your organization prioritized systems and business functions according to
their criticality to business continuity? If yes, please give details of documentation
or contacts for further questions in this area Y/N
___________________________________________________________________
Questionnaire for Top Executives Pt 2
9. Has your organization determined maximum tolerable outage times for each of
the INTERNAL systems used by your organization? If yes, please give details of
documentation or contacts for further questions in this area Y/N
___________________________________________________________________
10. Has your organization determined maximum tolerable outage times for each of
the EXTERNAL systems used by your organization? If yes, please give details of
documentation or contacts for further questions in this area Y/N
___________________________________________________________________
11. Does your organization have SLAs with third parties documenting these
maximum tolerable outage times? If yes, please give details of documentation or
contacts for further questions in this area Y/N
___________________________________________________________________
12. Does your organization have an alternate site to use for systems and / or business
functions in the event of an incident (a hot site, cold site, or reciprocal agreement)?
If yes, please give details of documentation or contacts for further questions in this
area Y/N
___________________________________________________________________
13. Are names and numbers in contact lists updated regularly and redistributed in
paper form? Y/N
14. Is there a published Security Policy which is given to every new member of staff
– whether permanent or contract?
Questionnaire For Data Center Management
1. Which of the following physical security measures exist to protect the Data
Center?
• No windows / no windows that allow viewing of the inside of the Data Center?
• No signs advertising the fact that the Data Center is a Data Center?
• No access to the building through any door apart from the main door without an access card and pin number?
• Security Guards on duty 24 hours per day?
• Closed circuit TV, monitored by Security 24 hours per day?
• Access control keypads requiring a pin to be entered and a security card to be swiped before gaining access to secure areas?
• Access control lists indicating staff who are allowed to access different parts of the building?
• All Emergency exits are always clear and open?
• Alarm systems – both automated (fire detection, smoke detection, flood detection) and manual?
• Are sprinkler systems in place where appropriate?
• Are air conditioning systems checked regularly?
• ID badges must be worn by all employees at all times?
• Are clear evacuation routes posted on all notice boards and at key locations?
• Are all visitors required to sign in and out and to be accompanied at all times by authorized personnel?
• Located away from rail lines, airports, chemical plants, and other hazardous locations?
2. Which of the following security procedures are in place to protect the Data
Center?
• Are fire drills / evacuation drills carried out regularly?
• Is the fire detection and extinguishing equipment tested / inspected regularly (past 6 months)?
• Are all occupants trained in emergency procedures and security procedures?
• Is there a written termination procedure that includes a checklist of items to be returned to the company, such as keys, ID badges, card access, etc.?
• Is there a policy to challenge visitors who are unknown, not accompanied, not wearing a badge?
• Is there a no tailgating policy ensuring that employees do not hold the door open for anyone they do not know is authorized to enter the building?
• Is this procedure followed by termination of all system access for the terminated employee?
• Is there a no smoking, eating or drinking policy in effect in the most sensitive areas of the Data Center?
3. Which of these further security measures are in place for protection of the Data
Center?
• Is one person responsible for Security of the Data Center?
• Is there a document / booklet of which all occupants are aware, providing information about how to respond to different types of incidents? Bomb threats, Fire, Security violations, power failures etc.?
• Are backup power generation facilities and UPS facilities on hot standby at all times and available in case of power failure?
• Is backup air conditioning equipment available at all times?
• Is all computing equipment and all network components clearly marked for identification purposes?
• Do all changes to the Data Center equipment, software, configuration and layout require a full change management request and go through full review before being implemented?
A good source of further questionnaire questions for different groups involved in Business Continuity is
provided at http://www.drj.com/articles/drpall.html within the sample Disaster Recovery Plan.
4 Risk Management [5]
Risk Management is defined as “the process of identifying risk, assessing risk and taking steps to reduce risk to an acceptable level” [6]. This is an ongoing process, and aims to continually identify, assess and handle risks across the organization.
All organizations have to take risks in order to survive. In fact, the original definition of the term “Risk” is simply “uncertainty of outcome”, which implies neither a positive nor a negative impact. However, in day-to-day use the term has become synonymous with adverse outcomes, and it will be used in that sense here.
Risk Management is about reducing the degree of “uncertainty” and reducing the number of surprises
involved in potential risks through more effective risk identification, mitigation and response as well as
more effective management of change, more efficient use of resources, and improved reporting and
communication within the organization.
Risk Management requires that:
All risks are identified, especially the key risks to critical business functions
Risks are quantified (in terms of probability and impact), and prioritized
Risk tolerance levels are clearly defined
Risks are allocated to the appropriate group / person
Appropriate mitigation or risk responses are identified
These responses and mitigation measures are reviewed for effectiveness
[5] Some BCP practitioners (e.g. The Business Continuity Institute) prefer to call this phase of BCP “Business Impact Analysis” and differentiate it from more traditional risk management and analysis. The author believes the name is less important than understanding the process behind it.
[6] As above.
[Figure: the Risk Management cycle. 1. Identify Risks -> 2. Quantify Risks (probability, impact) -> 3. Define Risk Tolerance levels -> 4. Allocate Risks to Appropriate Personnel -> 5. Identify Risk Mitigation, Reduction and Response Measures -> 6. Evaluate Effectiveness of Measures -> back to 1.]
1) Identify Risks
The first stage in Risk Management is to identify which risks exist that could possibly affect the
organization. The initial risk assessment process should include a thorough review of all possible risks, but
once the Risk Management process is ongoing, this identification process can be the work of a “Risk
Council” which meets regularly (monthly?) with the remit of looking at all recent changes to the
organization, the systems used by the organization or the environment within which the organization
operates (e.g. new legislation, changes to the supply chain, etc.) and identifying any new risks that should
be considered. The Risk Council should gain its input from the Change Management processes within the
organization, but also from the head of each business function, whose responsibility it should be to identify
changes and report them to the Risk Council. All risks identified should be recorded in a central risk log
and monitored by the Risk Council.
2) Quantify Risks (Probability and Impact)
Once risks have been identified, they need to be given a priority. Two factors determine the priority
assigned to a risk – the probability that it will occur and the impact it will have on the organization if that
risk materializes.
3) Risk Tolerance Levels
Once risks are identified and quantified, the organization’s risk tolerance level with regard to each risk can be determined. For example, the organization may determine that it can tolerate up to 25 PCs being infected with a virus. Beyond that point, it may be necessary to invoke incident management procedures such as shutting off access to the internet from the internal network.
4) Allocate Risks to Appropriate Personnel
It is important to make a team or an individual ultimately responsible for monitoring for each risk,
responding to it etc. For example the PC system administrator might be the appropriate person to monitor
for virus attacks and to respond appropriately to such attacks.
5) Risk Mitigation, Reduction and Response
Risk mitigation measures should be identified to determine to what extent the risk itself can be reduced or eliminated, or to what extent the impact of the risk can be reduced or eliminated. For example, the risk of a Virus Infection can be mitigated using Anti-virus software and Firewall software. In some cases, this software can also provide automatic responses to infections, such as automatically “quarantining” infected files, or preventing mail attachments from being opened if they are infected.
6) Evaluation of Effectiveness
The Risk Council should receive facts and figures indicating the effectiveness or otherwise of risk
mitigation / reduction measures put into place. These figures can be used to review the measures put into
place, and also to reassess the probability and impact figures used to assess the risk in the first place.
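The six steps above are easier to see when written down as a data structure. The following Python is an added example, not material from the guide: a small risk register with a probability × impact score on an assumed 1–5 scale (step 2), a tolerance threshold checked against constructed anti-virus log lines, mirroring the 25-PC scenario in step 3, an accountable owner per risk (step 4), a mitigation list (step 5), and a re-assessment hook that feeds incident counts back into the probability estimate (step 6). The scales, scoring rule, LowRiskISP entries, owners and log lines are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed 1..5 scales: probability (1 = rare, 5 = almost certain) and
# impact (1 = negligible, 5 = catastrophic). The guide prescribes no scale.
SCALE = range(1, 6)


@dataclass
class Risk:
    name: str
    probability: int
    impact: int
    owner: str                          # step 4: person/team accountable for monitoring
    tolerance: Optional[int] = None     # step 3: events tolerated before escalation
    mitigations: List[str] = field(default_factory=list)  # step 5

    def __post_init__(self):
        if self.probability not in SCALE or self.impact not in SCALE:
            raise ValueError("probability and impact must be on the 1..5 scale")

    @property
    def score(self) -> int:
        """Step 2: priority score = probability x impact (assumed scoring rule)."""
        return self.probability * self.impact


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by impact so a rare catastrophe is not buried."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def breaches_tolerance(risk: Risk, observed: int) -> bool:
    """Step 3: True when the observed event count exceeds the agreed tolerance.
    A risk with no tolerance defined never triggers automatic escalation."""
    return risk.tolerance is not None and observed > risk.tolerance


def count_infected_hosts(av_log_lines: List[str]) -> int:
    """Count distinct hosts reporting an infection in constructed AV log lines of the
    form '<timestamp> <STATUS> <host> <detail...>'. Repeat alerts for one host count once."""
    hosts = set()
    for line in av_log_lines:
        fields = line.split()
        if len(fields) >= 3 and fields[1] == "INFECTED":
            hosts.add(fields[2])
    return len(hosts)


def reassess(risk: Risk, incidents_before: int, incidents_after: int) -> Risk:
    """Step 6: feed mitigation results back into the probability estimate.
    Assumed rule: halving the incident rate lowers probability by one notch."""
    if incidents_before > 0 and incidents_after <= incidents_before / 2:
        risk.probability = max(1, risk.probability - 1)
    return risk


def sample_register() -> List[Risk]:
    """Constructed register for the imaginary LowRiskISP used in the guide's examples."""
    return [
        Risk("Virus infection of end-user PCs", 4, 2, "PC system administrator",
             tolerance=25, mitigations=["anti-virus", "firewall"]),
        Risk("Data center fire", 1, 5, "Facilities manager",
             mitigations=["fire suppression", "off-site backups"]),
        Risk("Telecoms failure", 3, 4, "Network operations",
             mitigations=["dual-carrier circuits"]),
    ]


# Constructed anti-virus log lines; not real alerts. pc-017 reports twice.
AV_LOG = [
    "2024-03-01T09:12:03 INFECTED pc-017 Trojan.Generic quarantined",
    "2024-03-01T09:13:44 CLEAN pc-018 scheduled-scan",
    "2024-03-01T09:15:10 INFECTED pc-017 Trojan.Generic quarantined",
    "2024-03-01T09:20:31 INFECTED pc-042 Worm.Sample cleaned",
]


if __name__ == "__main__":
    for r in prioritize(sample_register()):
        print(f"score={r.score:>2}  {r.name:<32} owner={r.owner}")
    virus = next(r for r in sample_register() if r.tolerance is not None)
    infected = count_infected_hosts(AV_LOG)
    print(f"infected hosts: {infected}, escalate: {breaches_tolerance(virus, infected)}")
```

With the constructed entries the telecoms failure (3 × 4) ranks above the virus risk (4 × 2) and the fire (1 × 5); two distinct infected hosts in the log stay well inside the tolerance of 25, so no escalation is triggered. The tie-break on impact is a deliberate choice so that low-probability, high-impact entries are not hidden behind frequent nuisances.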
4.1 Benefits of Risk Assessment / Management
1) Cost Justification
Because Disaster Recovery Planning and Business Continuity Planning do not directly generate income, they should be justified in financial terms. Risk assessment and impact analysis can be used to provide such cost justification.
2) Facilitation of Communication between all departments in the Business
For example, Risk Assessment tends to get the IT Department talking to the rest of the business about their
requirements for availability, their most critical systems etc. It should not only direct appropriate
information/education at each group involved in disaster recovery/business continuity, but should play a
major role in enhancing the communication and understanding between each of these groups so that they
can work together more effectively – not only in the event of a disaster, but also in their normal day-to-day
business. It should bring all the groups involved closer together.
3) Business Responsibility
The Risk Assessment system should be simple enough to enable its use without IT or Security expertise.
Business Management should be able to take responsibility for their parts of the plan.
4) Business Continuity Awareness
Risk Assessment tends to make people more aware of the risks they face, and therefore is a good way to
gain commitment to the Business Continuity process. Widescale awareness of Business Continuity issues
enables everyone in the organization to know which role they should play in the event of a disaster, and
makes it a topic they will think about whenever changing anything that could impact the BCP (e.g.
hardware configuration, policy/strategy etc.).
4.2 Risk Identification
Risk identification is key to the BCP process. It is important to ensure that all parts of the organization
(including third parties, as appropriate, such as suppliers, customers, vendors etc.) are involved in
identifying risks to the organization and are very aware that risks can come from outside of the organization
(e.g. severe weather, earthquakes), from third party relationships (e.g. power failure) or inside of it (e.g.
internal employees hacking into systems).
Effective ways to identify such risks include:
Interviews with Business Unit Managers
Questionnaires
Risk Surveys
Network scanning tools
Brainstorming sessions
Scenario walkthroughs
Audits (see http://www.informit.com/articles/article.asp?p=24608&redir=1 for an article on how
to carry out security audits)
A sample Risk Survey template is shown below:
Asset Risk Survey Template
Asset ID | Asset Name | Asset Class | Threats | Vulnerabilities | Exposure Level (H,M,L) | Probability | Existing Controls | Missing Controls
Ideally, Risk Assessment should aim to identify the 20% of risks that would have 80% of the potential
impact on the organization, as well as the 20% of risks that are most likely to occur, in order to use risk
management resources effectively.
In order to identify all the risks to an organization it is necessary to inventory all asset types and systems
and look at each one in turn with representatives of the users of those assets and/or systems.
Once all assets are identified, they can be categorized into groups / categories, which should include
tangible assets as well as non-tangible assets:
Tangible assets
o Physical (e.g. buildings, equipment, hardware)
o Financial (e.g. currency, bank deposits, shares)
Non-tangible assets (e.g. goodwill, reputation)
LowRiskISP has listed all of its assets and given each asset a rating according to how crucial it is to the organization’s continuance. Listed here is a subset of its asset register: [7]
Asset Class | Subclass | Asset Name | Asset Rating
Tangible | Physical infrastructure | Data center | 5
Tangible | Physical infrastructure | Servers | 3
Tangible | Physical infrastructure | Routers | 3
Tangible | Physical infrastructure | Network switches | 3
Tangible | Physical infrastructure | PBXs | 3
Tangible | Physical infrastructure | Uninterruptible power supplies | 3
Tangible | Physical infrastructure | Fire suppression systems | 3
Tangible | Physical infrastructure | Air conditioning systems | 3
Tangible | Physical infrastructure | Power supplies | 3
Tangible | Physical infrastructure | Server application software | 2
Tangible | Physical infrastructure | End-user application software | 1
Tangible | Physical infrastructure | Development tools | 1
Tangible | Physical infrastructure | End user PCs | 1
Tangible | Physical infrastructure | Fax machines | 1
Tangible | Physical infrastructure | Removable media (e.g. tapes, floppy disks, CD-ROMs, DVDs, portable hard drives, PC card storage devices, USB storage devices, etc.) | 1
The following list of possible threats (some of which will be far more likely than others in your organization) may help in determining which risks to the organization should be considered within the BCP:
[7] A useful list of common Information System Assets is provided by Microsoft at http://www.microsoft.com/technet/security/topics/policiesandprocedures/secrisk/srappb.mspx
1) Environmental Disasters
Fire
Severe cold (or hot) weather or drought (especially a risk for Water Utilities)
Tornadoes, Hurricanes, Storms, Strong winds, Snow, Floods
Landslides
Earthquakes, Volcanoes
Disease/Epidemic
Chemical Release or Contamination
Other Environmental Hazards (pollution, radiation, toxic waste etc.)
2) Equipment/System Failure
IT Equipment or System Failure
Air conditioning failure (especially to the Server room)
Telecoms Failure (many organizations ignore this possibility!)
Non-IT Equipment failure
Production line failure or Cooling plant failure, etc.
3) Serious Information Security Incidents
Loss of records or data (especially a risk for credit card companies or financial institutions)
Exposure of records or data (e.g. papers not shredded, read by outsiders, website bug allows
viewing of records or data)
Disclosure of personal / sensitive information (e.g. credit card details, health information)
Cyber crime (hacking, viruses, phishing etc. – particularly risky for ISPs, Ecommerce and
Ebusiness Organizations)
4) Organized/Deliberate Disruption
Theft, Arson, or other action by a disgruntled employee
Malicious / intentional Disruption or Sabotage
Serious Information Security Incidents (e.g. a virus that takes down the network or deletes all
critical data)
Terrorist bomb, plane crash, etc.
Labor Dispute/Industrial Action/Strike
5) Loss of Utilities/Services
Internal power failure (especially to the Server room)
Electrical power failure
Loss of water supply
Loss of natural gas supply
Loss of drainage or waste removal
Gas/oil shortage (in the UK, the fuel crisis of 2000 brought the whole country to a standstill [8])
Loss of communications (such as land or wireless telephone services, etc.)
6) Business Partners
Loss of key shared IT systems
[8] http://www.guardian.co.uk/oil/story/0%2C11319%2C1361836%2C00.html
Business Partner going out of business altogether
Natural disaster / Terrorism disaster or other serious disaster affecting business partner
Loss of third party supplied services (for any reason):
o ASP or ISP hosting services
o Mail delivery services / package delivery services
o Warehousing facilities, logistics services, transport services
o Outsourced services (payroll, technical support, customer services etc.)
Etc.
7) Other Emergency Situations
Aircraft accident (especially a risk for an Airline)
Other Major Accident / Explosion
Nuclear war (or other act of war)
Civil unrest or riot
Workplace violence
Disruption to public transport
Negative PR
Litigation and other legal problems
Regulatory problems (some Health and Safety inspection problems can lead to an operation being
closed down!)
Mergers/acquisitions (yes, the effects of these can be equivalent to a disaster!)
Industry-wide problems [9]
Human error (often overlooked, but high on the list of risks causing system outages)
It should be clear that some of these risks may have interdependencies with one another. Also, recognize
that industries and organizations will have risks specific to their own environments. For example, in the
financial industry, some risks that might be identified include:
Tax increases
Inflation rates
Exchange rates
Political unrest
New standards / guidelines / legislation
For more risks specific to the financial industry, see http://www.olovconsulting.com/project_risks.htm
All risks identified should be entered into the organizational Risk Log (or Risk Register). This should be
stored in the BCP database and maintained within it.
Having identified all risks, it is necessary to determine from the list above which are the top 10 priorities in
terms of disasters most likely to adversely affect the organization and to carefully analyze the possible
impact of each. This process is known as Risk Assessment (and, in this context, is sometimes known as
Business Impact Analysis).
[9] Microsoft provides a useful list of common threats, see http://www.microsoft.com/technet/security/topics/policiesandprocedures/secrisk/srappc.mspx
An imaginary organization, an ISP, “LowRiskISP”, has come up with the following possible risks that it is concerned with:
Risk Type | Risk Scenario
Environmental | Fire; Flood; Disease; Cold; Strong wind/hurricane; Landslide; Chemical contamination
Equipment/system | IT equipment or system failure; Air conditioning failure; Telecoms failure; Non-IT Equipment failure
Security | Loss of records / data; Exposure of records / data; Disclosure of personal / sensitive info; Hacking; Viruses; Phishing
Deliberate Disruption | Theft; Arson; Terrorist bomb; Terrorist plane crash; Terrorist bioterror incident; Labor dispute
Utilities | Internal power failure; Electricity power failure; Loss of water supply; Loss of natural gas supply; Loss of waste removal/drainage; Gas/oil shortage; Loss of all telecommunications
Business Partners | Loss of shared IT Systems; Business Partner going out of business; Natural disaster affecting business partner; Terrorism disaster affecting business partner; Loss of third party supplied service
Other | Human Error; Negative PR; Litigation issues; Major accident/incident
4.3 Risk Assessment
Risk assessment seeks to identify “the net negative impact of the exercise of a vulnerability, considering both the probability and the impact of occurrence” [10] and forms part of the Risk Management process.
Ideally, the objective of risk assessment is to:
Translate damage predictions and impact predictions into financial terms if possible
Illustrate, if possible, by way of a diagram, how impact increases over duration
Risk assessment (or Quantitative Risk Analysis) is the process by which risks are quantified to provide
management with useful information in assessing which events are most likely to occur and which are
likely to have the greatest impact on the business, should they do so.
The process takes into account the identified risks, the probability and frequency at which they are likely to
occur, and the impact financially on the organization if they do occur.
1) Cost Impact
Using the list of risks identified in 4.2 above, for each asset (or asset group), identify all the undesirable
events that could occur, and estimate how much of that asset’s value the organization would lose should it
occur to its fullest extent. It is a good idea to be aware of the minimum the organization is likely to lose,
given an event, as well as the maximum, in order to provide a more balanced assessment. It is also a good
idea to have a picture of how the cost rises over time (for example, if the disaster prevents a system from
being operational for 1 hour the cost will be far lower than if it is out of action for 1 day, and still less than
if it is out of action for a week or longer).
These estimates must take into account the loss of customer confidence / damage to the organization’s
image and its effect on sales when the loss of asset value is considered. Also they should take into account
Regulatory effects – for example, fines imposed due to Data Privacy laws being breached.
Here is a list of some of the costs (both direct and indirect) that might be incurred as a result of a risk:
Direct revenue loss
Loss of cash flow
Reduced interest on overnight (or longer-term) balances
Increased interest costs due to lost cash flow
Loans called in or re-rated at higher levels due to drop in share prices (where share value
underpins loan facilities etc.)
Delays in customer accounting, Accounts receivable and billing/invoicing
Penalties due to delays in Accounts payable
Loss of credit control and increased bad debt (bad credit ratings make it more costly to get loans
etc.)
Loss of revenue (or payment of fines/penalties) related to Service Level Agreements due to failure
to provide service or meet service levels
Wages paid to unproductive personnel
Additional expenses and wages paid to personnel carrying out recovery work rather than business
as usual
Replacing personnel who may have been lost, sick or have resigned because of disaster
[10] NIST Risk Management Guide, http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
Brand / Social / Corporate image loss (and recovery costs associated with restoring such)
Consumer / Market confidence loss (and recovery costs associated with restoring such)
Reduced share value due to reduced investor confidence
Cost of recreating / recovering data lost due to disaster
Loss of power/control over business partner relationships (e.g. ability to demand reduced price
deals from Suppliers etc.)
Lost ability to respond to opportunities (investments/new ventures etc.)
Cost of replacement of buildings, equipment, software etc.
Additional costs of working at a different site or under different conditions (e.g. admin costs,
travel costs and personnel expenses) etc.
Interest value on deferred billings
Loss of customers (lifetime value of each) and market share
Loss of profits
Additional advertising costs, PR costs and marketing costs to reassure customers/prospective
customers and investors/potential investors
Recruitment costs for new personnel lost due to disaster
Training / retraining costs for personnel
Penalties/fines resulting from failure to produce timely accounts figures and/or tax payments
Fines / penalties for non-compliance with laws and / or industry standards (e.g. Visa CISP)
Liability claims (e.g. by employees for accidents that were avoidable)
Potential costs due to prosecution for non compliance and contract adherence
Environmental Impact
Property loss (remember to include real estate, land, buildings, facilities, all assets etc.)
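The Cost Impact discussion above makes two points that are easy to lose in a single headline figure: the cost of an outage grows with its duration (with contractual penalties arriving as a step rather than a rate), and a low and a high estimate give a more balanced picture than one number. The Python below is an added example with constructed figures, not the guide's LowRiskISP numbers: it turns a handful of the cost drivers listed above into hourly rates, produces the 1-hour / 1-day / 1-week curve the text recommends picturing, reports a low/high/midpoint band, and multiplies the single-event cost by an assumed annual frequency to get an expected annual loss. The rates, the SLA limit, the penalty amounts and the event frequency are all assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

HOUR, DAY, WEEK = 1, 24, 24 * 7


@dataclass(frozen=True)
class OutageCostModel:
    """A few cost drivers from the list above, reduced to hourly rates (assumed values)."""
    revenue_per_hour: float         # direct revenue loss while the system is down
    idle_wages_per_hour: float      # wages paid to unproductive personnel
    recovery_per_hour: float        # additional expense for staff doing recovery work
    sla_limit_hours: float          # outage length the SLA allows before penalties apply
    sla_penalty: float              # flat penalty once the SLA limit is exceeded

    def cost(self, hours: float) -> float:
        hourly = self.revenue_per_hour + self.idle_wages_per_hour + self.recovery_per_hour
        total = hours * hourly
        if hours > self.sla_limit_hours:    # the penalty is a step, not a rate
            total += self.sla_penalty
        return total


def cost_curve(model: OutageCostModel, durations=(HOUR, DAY, WEEK)) -> Dict[int, float]:
    """Cost at each duration: the 'how impact increases over duration' picture."""
    return {h: model.cost(h) for h in durations}


def estimate_band(low: OutageCostModel, high: OutageCostModel,
                  hours: float) -> Tuple[float, float, float]:
    """Minimum, maximum and midpoint loss for one outage of the given length."""
    lo, hi = low.cost(hours), high.cost(hours)
    return lo, hi, (lo + hi) / 2


def annual_exposure(single_event_cost: float, events_per_year: float) -> float:
    """Expected annual loss = cost of one event x expected frequency (assumed ALE-style rule)."""
    return single_event_cost * events_per_year


def text_chart(curve: Dict[int, float], width: int = 40) -> List[str]:
    """One proportional bar per duration; a stand-in for the diagram the text suggests."""
    peak = max(curve.values())
    return [f"{h:>4}h {'#' * int(width * v / peak):<{width}} ${v:,.0f}"
            for h, v in curve.items()]


# Constructed low and high estimates for a key-system outage (not the guide's figures).
LOW = OutageCostModel(revenue_per_hour=1000, idle_wages_per_hour=500, recovery_per_hour=300,
                      sla_limit_hours=4, sla_penalty=5000)
HIGH = OutageCostModel(revenue_per_hour=3000, idle_wages_per_hour=800, recovery_per_hour=700,
                       sla_limit_hours=4, sla_penalty=20000)

if __name__ == "__main__":
    for line in text_chart(cost_curve(LOW)):
        print(line)
    lo, hi, mid = estimate_band(LOW, HIGH, DAY)
    print(f"one-day outage: ${lo:,.0f} - ${hi:,.0f} (midpoint ${mid:,.0f})")
    print(f"expected annual loss at 2 events/year: ${annual_exposure(mid, 2):,.0f}")
```

With these assumed rates a one-hour outage on the low model costs $1,800, a one-day outage $48,200 (the SLA penalty has kicked in after four hours), and a week $307,400; the low/high band for a day is $48,200 to $128,000. Replacing the flat SLA penalty with a per-hour rate, or adding a separate step for regulatory fines, only requires extending the `cost` method, which is where an assessor would encode the organization's own contracts.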
LowRiskISP has taken a few of the key scenarios it is interested in, and has evaluated the asset values associated with them, see below:
Risk Type | Risk | Specifics | Asset Value Types | Low/High Asset Value estimates | Asset Value
Equipment/system | IT equipment or system failure | Key system is down for less than 1 hour | Direct revenue loss, loss of cash flow, wages paid to unproductive personnel, additional expenses paid to recovery staff | $2000 - $6000 | $4000
Security | Loss of records / data | Sales records are lost for one whole day | Direct revenue loss, loss of cash flow, increased interest cost due to loss of cash flow, cost of recreating data where possible | $10000 - $50000 | $30000
Security | Exposure of records / data | All credit card records | Loss of brand image/corporate | $50000 - $400000 | $200000