Overview of Business Continuity Planning
Chris Greenhill
Greenhill Consulting Limited
What is a Business Continuity Plan?
• A plan which provides for the continuation of critical business processes in the event of significant business interruption or disaster
– Identify key processes and assets
– Minimise impact of their loss
– Effective back up and recovery strategies to mitigate the impact of disruptive events
– A formal process to be followed if disaster occurs
Business Continuity Interfaces
[Diagram. Stage labels: NORMAL BUSINESS OPERATIONS; SIGNIFICANT UNEXPECTED & UNWANTED INCIDENT (beyond normal operating structure of the business/site); BUSINESS CONTINUITY PLAN IMPLEMENTATION; DANGER BUSINESS UNSTABLE; INCIDENT CONTAINED & STABILISED; BUSINESS STABILISED OR BACK IN BUSINESS; BUSINESS FULLY RESTORED; NORMAL OPERATIONS]
[Band labels: PLANNING & PREVENTION; MANAGE INCIDENT; MANAGE RECOVERY - STAY IN BUSINESS]
[Box labels, marked BCP: Emergency Response (Contain incident); Crisis management (Manage impact of incident); Business recovery (Actions to fully restore business); Critical Business Processes and Asset Risk Assessment]
What is a business process?
• Any set of activities performed by a business that is initiated by an event, transforms information, materials or business commitments, and produces an output
• A series of interrelated activities which convert inputs into results (outputs)
For example…
Cash and cheque management
• INPUT (From another process): Customer deposit
• TRANSFORMATION (The input is processed): Receiving and allocation to account
• OUTPUT (To another process in your business): Secure storage and Enhanced balance
Risk Assessment
Consider ways to make your critical business processes more resilient to interruption
[Risk matrix. Axes: Severity and Likelihood, marked H and L. Cell ratings:]
M H H
L M H
L L M
[Other labels: Same activity; Low Risk; High Risk]
Gap analysis
[Timeline diagram. Time axis: 1 Hour, 1 Day, 1 Week, 1 Month, 1 Year. Markers: Time to Crisis; GAP; Time to Reinstatement]
Time to Crisis: Time before loss of process becomes critical to the business
Time to Reinstatement: Time before process can be restored
• What would extend time to crisis?
• What would accelerate reinstatement?
• What key issues are creating GAP?
• Any residual risks?
• What is the RTO?
Five stage procedure
1. Identify critical process(s) and assets plus risk assessment
– Identify the critical business processes only
– Identify vital assets relating to them
– Assess the risk attaching to them
2. Business Impact Assessment (BIA)
– Assessment of the impact of the loss of the business and its critical processes. Consider the following:
• Customer Service
• Revenue/Cash Flow
• Public Image
• Regulatory
• Product Development
• Competitive Advantage
• Financial Control/Reporting
• Increases in Liability
– Includes an agreed Recovery Time Objective for the business
3. Business Recovery Strategy
– Describes the tactics used to restore capability to perform minimum essential processes
– Consider ways to mitigate the effect of an interruption to processes and loss of assets
– Consider these interruptions or losses:
• Workforce
• Facilities
• IT
• Business partner or supplier
4. Business Recovery Plan
– Enables the resumption of critical process within the recovery timeframe objectives
• Who to contact and how
• How we organise ourselves – recovery teams
• What resources are required
5. Exercise and maintain
– Annually, undertake a tabletop walkthrough to give the opportunity to think through a disaster scenario and evaluate the business recovery plan against it. It helps to validate overall completeness and accuracy of the recovery plan.
– Review plans regularly and update information
Plan contents
1. Process description
– Critical processes
– Related assets
– Business impact
– Plan-related documents
2. Recovery Time Objective
– RTO
– Assumptions (availability of upstream and downstream processes)
3. Resource requirements for 4 scenarios
– Workforce impact
– Facility loss
– IT loss
– Business partner loss
4. Continuity strategies
– Risk mitigation
– Business recovery strategies
Think about...
• Which assets really are crucial to continuing the critical business processes?
• Could a business partner provide mutual cover for an important process/asset?
• Does remote working play a role in the BCP?
• Are there any related documents that the plan needs to reference?
• For an IT loss, what is the Recovery Point Objective at which point all data needs to be recovered?
• Who needs to be notified in an emergency?
• How are people notified and by whom?
• Who will be in the business recovery team?
• What resources will the recovery team need and at what point in the recovery?
