Policy Template for Business Continuity and Disaster Recovery
1.0 Purpose
This document defines {{organization.name}}’s policy directive on business continuity activities, including business continuity and disaster recovery planning for all critical business processes and service activities undertaken by {{organization.name}} for its business/customers, in order to:
Effectively manage any incident that may cause a business disruption to {{organization.name}}.
Provide continuity of critical business processes and services managed by {{organization.name}}.
Minimize the potential impact that any business disruption would have on {{organization.name}} and its reputation.
2.0 Scope
This policy applies to all people, processes and systems of {{organization.name}} required to maintain normal business operations and to recover from disruptions.
3.0 Definitions
BIA - Business Impact Analysis (BIA) predicts the consequences of disruption of a business function and process and gathers information needed to develop recovery strategies.
BCP - Business Continuity Planning is concerned with keeping business operations running, perhaps in another location or by using alternative tools and processes, following a disaster.
DRP - Disaster Recovery Planning is concerned with restoring normal business operations after the disaster takes place.
4.0 Policy
All projects, internal departments, processes or any independent client business elements that are considered critical, and whose extended loss would have a significant impact on {{organization.name}}, must have a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) for their operations within an agreed strategy.
{{organization.name}} management shall regularly assess the impact of potential disasters on business operations as part of the periodic business impact analysis exercise.
Management shall designate respective department heads responsible for maintaining a minimum acceptable standard of service in case of disaster situations. In addition, all management personnel and employees shall be made aware of the business continuity and disaster recovery plans and their roles and responsibilities in achieving the defined continuity and recovery objectives.
The business continuity and disaster recovery plans shall be tested and reviewed at regular intervals to ensure they remain relevant.
Contracts with third-party suppliers that provide critical services to {{organization.name}} must include:
Communication and understanding of the relevant plans for the respective supplier’s role.
Adequate contingency or recovery strategies, over the lifecycle of the product and service.
4.1 Roles and Responsibilities
The organization should ensure that roles and responsibilities have been assigned for:
Providing guidance and oversight for the management of business continuity and disaster recovery activities as well as improvements.
Managing all areas of the BIA (Business Impact Analysis), BCP and DRP and understanding the business.
Updating management on BCP and DRP readiness.
Managing and improving BCP testing exercises through monitoring of schedules, reviews of assessment results and maintaining records.
Training and educating the relevant individuals with necessary information on the organization's policies and procedures on business continuity and disaster recovery activities.
In the event of an actual or potential disaster, coordinating and managing the BCP and DRP plans including communication to relevant stakeholders.
4.2 Business Impact Analysis (BIA)
{{organization.name}} shall define a formal process to determine the criticality of a given process or business unit and the impact on {{organization.name}}’s business if it is not operational following a disaster, which may be an internal or external event. The output of this activity should be used to determine business continuity priorities and requirements. At a minimum, the following should be considered in the business impact analysis exercise:
Maximum tolerable business downtime
Operational disruption and productivity
Financial consideration
Regulatory requirements
Contractual obligations
Organizational reputation
4.3 Business Continuity Planning
Business Continuity Plans shall be documented and approved by management for projects, processes and business units (as applicable) that are identified as critical as part of the business impact analysis.
The Business Continuity Plan shall include the activities to be performed in various scenarios in case of an incident/disaster, which can occur due to internal or external events. The BCP must include the activities to be followed to protect personnel and assets following a disaster and to resume services quickly. A business continuity plan involves the following:
Strategies to ensure the safety of personnel
Analysis of potential threats
Alternate strategies to continue business operations (alternate site of operations) in a defined time frame
A list of the primary tasks required to continue the operations along with assigned responsibilities (recovery team)
Easily located management contact information
Explanation of where personnel should go if there is a disastrous event
Information on data backups and organization site backup
Communication strategies
Buy-in from everyone in the organization
4.4 Disaster Recovery Planning
{{organization.name}} shall develop and establish Disaster Recovery Plans (DRP) that address the step-by-step process of recovering and reinstating the business operations to a pre-disaster state, including assessing the damage, estimating recovery costs, working with insurance companies, monitoring the progress of the recovery process, and transitioning the management of the business operations from the recovery team back to the regular managers.
A dedicated disaster recovery functional team shall be established for the management and implementation of the DR plan.
4.5 Exercising/Testing
Periodic tests shall be performed by designated personnel authorized by {{organization.name}}’s management to test the execution of business continuity and disaster recovery plans through:
Conducting disaster role-playing (“table-top”) sessions that allow participants to “walk through” the facets of the BCP, gaining familiarity with their responsibilities given specific emergency scenario(s).
Performing a simulation of a possible disaster with different realistic scenarios that test the effectiveness of the BCP.
Wherever possible, accommodating any work stoppages due to the real testing of the BCP and DRP by appropriately scheduling simulations and other testing exercises.
After the completion of business continuity and disaster recovery plans, an assessment report shall be submitted to management. The results should clearly indicate whether the exercise/test was successful or not, including corrective actions. Documented plans shall be updated based on the results of the tests performed.