BUSINESS CONTINUITY INSTITUTE
BUSINESS CONTINUITY MANAGEMENT:
GOOD PRACTICE GUIDELINES
Editor: Dr. David J. Smith FBCI
Version BCI DJS 1.0
01/11/02
© The Business Continuity Institute 2002
BUSINESS CONTINUITY MANAGEMENT – GOOD PRACTICE GUIDE
Acknowledgements.
The Business Continuity Institute acknowledges the positive contribution to the development of these Business Continuity Management Good Practice Guidelines by the following individuals and their organisations, who have given freely of their time, effort and expertise.
Work Group:
Fred Bell MBCI
Nigel Bridger FBCI
Mark Bryce MBCI
Tim Chadwick MBCI
Chris Green MBCI
Albert Horan MBCI
Phil Slate MBCI
Dr. David J. Smith FBCI
Graham Vingoe MBCI
Pamela White MBCI
Editor:
Dr. David J. Smith FBCI
Readers:
Lyndon Bird FBCI
Chris Rigby-Smith FBCI
Rolf von Roessing MBCI
David Green FBCI
John Worthington MBCI
The Business Continuity Institute also thanks all copyright holders for permission to reproduce copyright material. If any copyright holders have been inadvertently omitted, the Business Continuity Institute will be pleased to make the necessary amendments to acknowledge copyright at the earliest possible opportunity.
Contents.
Acknowledgements
Contents
Overview
Stage 1: Understanding Your Business
  Introduction
  Business Impact Analysis
  Risk Assessment
Stage 2: Business Continuity Management Strategies
  Introduction
  Organisation (Corporate) BCM Strategy
  Process Level BCM Strategy
  Resource Recovery BCM Strategy
Stage 3: Develop and Implement a BCM Response
  Introduction
  Business Continuity Plan(s)
  Resource Recovery Solutions and Plans
  Crisis Management Plan