1. The document outlines a nine step process for developing a tactical business resumption plan, including identifying critical functions, dependencies, recovery time objectives, and continuity strategies for different disruption scenarios. 2. It provides an example of a company that was recommended to develop a more comprehensive business continuity plan after an internal audit found issues. 3. The nine steps include admitting risk, identifying critical functions, setting recovery objectives, mapping dependencies, prioritizing scenarios, developing strategies, testing the plan, and regularly updating it.

1. Business Continuity
The nine step process to develop a tactical
business resumption plan

2. Do you know…
y
What your business critical functions and
y
dependencies are to deliver your products and
services?
Who are your key resources to support these
critical functions? And at what level?
What’s the threshold before it impacts your
business? Wh t’ your plan after th
b i ? What’s l ft the
threshold has been passed?
The t ue impact to you bus ess To the
e true pact your business? o t e
company?
What’s your appetite for risk? Is there a plan in
place?
2

3. The business need…real example
p
In 2007, internal audit finding recommended
, g
that Treasury develop a more comprehensive
BCP to cover critical cash and FX related
functions.
functions
During the FY09 fiscal year end a key
end,
Treasury file server was unavailable
The cash positioning system (
p g y (Chase Insight) was
g )
unavailable
Key spreadsheets to make cash flow decisions was
inaccessible
3

4. The scenarios (the by-product of a disaster)
Loss of technology
gy
Systems, applications, equipment, etc.
Loss of resource
Internal staff
Internal business partner
External business partner (vendor)
Loss of communication
Phone, fax, email
Loss of facility
Inability to get to or into the office
There could be cases where a disaster could result in multiple combinations of these scenarios
4

5. The nine step p
p process
1. Admit there is a risk to the company and you need a
p y y
continuity plan
2. Identify and rank the top business critical functions
3.
3 Identify recovery time objectives for each function
4. For each business function, break it down into 3 to 5
main activities
5. For each activity, identify the dependencies:
People (staff, internal business partners, external business
partners or vendors)
Tools (forms, data, spreadsheets, etc.)
Technology (systems, applications, equipment, etc)
5

6. The nine step process (continued)
6. Rank the scenarios based on likelihood
Loss of technology
Loss of resources
internal staff
internal business partners
external business partner (vendor)
Loss of communication
Loss of facility
7. For each scenario and dependency, identify:
The continuity / resumption strategy (minimal requirement)
Any pre requisites and action items (with owners and target
pre-requisites
dates)
Identify any potential costs associated for the resumption
strategy
6

7. The nine step process (continued)
8. Test the plan and review and update accordingly
p p gy
Select scenarios and schedule tests
Refine plan based on test results
9.
9 Schedule
S h d l regular on-going updates
l i d t
Define events and develop process to keep plans
up to date. For example:
Organization changes
System changes
7

8. Session output template (per function)
From here, the department created detailed documents outlining procedures
and steps and created a bi d and CD th t was di t ib t d t k resources.
d t d t d binder d that distributed to key
8

9. Lessons learned
The business has to want to have a business
continuity plan
ti it l
Don’t plan for each type a disaster, but plan for the by-
product of the disaster (scenario)
Keep it simple (don’t get to granular on processes,
activities or combine scenarios, etc)
Keep focused (don’t cross processes, activities and
dependencies) )
Keep the resumption plan to the minimal. Just what’s
needed to keep the business running
Let the business use their own terminology
You don’t need a official project, it can be done weekly
across several months
9

10. Key findings
y g
Process and system improvements
opportunities
Processes have many more dependencies
y p
(people, technology and tools) than you
realized
Many of the mitigation activities are simple –
hard copy back-ups, documentation, training
and communication / awareness
d i i
And a real appreciation on how all this works!
10