Business Continuity Plan Template


BCSF's guidance for BCP is to build a simple plan and support it with robust incident procedures and an assortment of resources to build a recovery playbook.


Executive sponsor

 

Document owner

 

Document custodian

 

Version number

 

1.0 Initial Response 

Do not panic!  

Get a pen/pencil and some paper to write on. Note the following information: 

  • What exactly has happened? High level information needed only.

  • Is the situation life threatening? If yes, contact emergency services.

  • Have any staff members been injured?

After the call, plan who to contact. 

  • Notify one of the executives / senior management with the information you were able to collect as soon as possible.

Use this form to jot down some notes (or follow the Security Incident Response Plan):

1. Date and time of incident discovery?

____________________

2. Date and time incident occurred?

____________________

3. Name and contact information of the person calling?

____________________

4. High level incident summary?

____________________

5. Number of individuals or assets believed to be impacted?

____________________

6. Have any steps been taken to deal with the incident?

____________________

2.0 Activation procedures 

Any member of {{team}} and/or the {{name/role}} can activate the Business Continuity plan upon the notification of an incident that they believe requires the activation of the plan in order to respond effectively. Note that the Business Continuity plan can be activated in whole or in part depending on the nature of the disruption.

Upon notification of an incident, the {{team}} will schedule a meeting to discuss what actions need to take place and which team members should be part of the action plan.

For detail on what to cover in the meeting, refer to the initial meeting agenda found in Appendix A - Initial Team Meeting. 

Business Continuity contact details

The table below provides contact details of the {{team}}.

See Organization Chart for the communications tree. 

3.0 Crisis Management Steps

In the event of a disruption, the {{name/role}} will be tasked with overall direction and management of the team and overall response activities. The main objective is to take charge of the situation immediately and encourage the employees to work as a single unit.

Roles and responsibilities

  • lead the overall response to the incident

  • activate business units to perform business continuity activities

  • hold recovery meetings

  • take decisions & delegate tasks

  • ensure confidentiality of information

  • set recovery strategies and objectives

  • liaise with key stakeholders

  • act as media spokesperson, if appropriate

Key points of focus

  • Conduct the team meetings. For detail on what to cover in the meeting, refer to the initial meeting agenda found in Appendix A - Initial Meeting Agenda.

  • Activate staff callout to notify staff of the incident.

  • Set up a command center or conference bridge for executives to operate from.

  • Approve sensitive communication and act as a media person, if required.

  • Notify clients and key partners, as appropriate.

4.0 Business Continuity Plans 

Once Business Continuity has been activated, the teams affected by the disruption should leverage their departmental plan to respond to a disruption affecting technology, people, facilities or third parties. 

For more information on the context of Business Continuity, including purpose, scope, objectives and assumptions, see Appendix C.

Note: The Payroll continuity plan provided below is for guidance purposes only. The organization needs to create plans for all critical business functions identified through the Business Impact Analysis exercise.

Payroll

Roles and responsibilities

  1. Maintain payroll activities in a timely manner.

Technology loss

 

Team 

Step #

Completed

Payroll 

1. In the event of an extended system outage, revert to the automatic payroll process, which will activate if no changes are made. In this case, payroll will be processed using the previous week’s amount.

Scenario-based considerations:

● Notify staff of the technology outage, as required, and provide regular updates on how they should proceed. Consider notifying other stakeholders if an outage is likely to result in missed deadlines.

 

People loss

Team

Step #

Completed

Payroll

1. If the Payroll clerk is unavailable, revert to the technology strategy to run last week’s payroll.

Scenario-based considerations:

● Administer first aid in the event it is required. Contact emergency services if the life and safety of a staff member is threatened or at risk.

● Work in tandem with Human Resources and/or authorities to contact next of kin.

 

Critical 3rd party supplier loss

Team 

Step #

Completed

Payroll

1. If <Service Provider> is unavailable, revert to the manual cheque writing process.

 

2. In the event a local branch of <the Bank> is unavailable, call into another branch.

 

3. If the entire banking system is unavailable, obtain funds from another Bank Account. Consider processing payroll payment from this account as necessary.

 

 

4. Contact an authorized signatory to sign the cheques.

Scenario-based considerations:

● Notify staff as appropriate of an outage from a critical vendor.

● Visiting banks to obtain counter cheques is contingent upon staff’s ability to transport themselves to the banking offices.

 

Facility loss

Team 

Step #

Completed

Payroll

1. Payroll clerk is to work from home provided there is access to a laptop and required technology.

2. Obtain signatures on manual cheques from authorized signatories.

Scenario-based considerations:

● In the event of an extended outage, begin to think about seeking support from a workstation recovery vendor to restore the office as soon as available, as required.

● If needed, collect the information required for an insurance claim in the event of a facility loss.

 

Accounts Payable

Roles and responsibilities

  1. Document key responsibilities of Accounts Payable team here.

 

Technology loss

 

Team 

Step #

Completed

Accounts Payable

 

 

 

People loss

 

Team 

Step #

Completed

Accounts Payable

 

 

 

Critical 3rd Party supplier loss

 

Team 

Step #

Completed

Accounts Payable

 

 

 

Facility loss

 

Team 

Step #

Completed

Accounts Payable

 

5.0 Recovery Procedures

Once response to the disruption has begun, begin to think about assigning recovery responsibilities to a staff member outside of the {{team}}. The process for recovery will support the organization in preventing the escalation of the incident, restoring the wellbeing of people, restoring targets, governance arrangements, financial management as well as recording opportunities created from the disruption (implementation of improvements). 

 

Key points of focus

Reintegration of staff 

●      Provide updates

●      Scheduling additional time/overtime to catch up

Conversion of manual workarounds

●      Is any critical information being processed manually, that requires a method to integrate it back into standard business operations?

●      How will quality assurance be performed?

●      How do you plan to handle the backlogged data collected during the disruption?  

Working with vendors

●      Have any vendors been impacted that will be required for recovery purposes?

●      Will Service Level Agreements (“SLA”) need to be reviewed?

●      Are there any penalties?

Communicating with staff and other stakeholders

●      How do you plan to communicate with staff and other stakeholders to inform them of return to normal operations?

●      Do any staff need to be rehabilitated into the workplace?

6.0 Stand-down Procedures

As the organization starts to recover from an incident and resume its operations, the disruption levels or impact thresholds can be used to decide when to declare an incident as resolved. 

The formal declaration that the incident has ended may only be communicated by the {{person/role}} or any member of the {{team}}. In the event the {{person/role}} is unable to do so, the other {{team}} member can begin the stand-down process. 

Key step

Responsible

Prior to stand down being agreed, confirm that recovery issues and actions are agreed and activated to assist in the return to normal working arrangements.

 

 

Decide when to stand down and activate the cascade of the stand down message to all staff involved using a notification/call tree.

 

Following stand down, arrange debriefing sessions as soon as possible after the incident. 

 

Create an incident report and review: 

●      Whether documented procedures were followed

●      How well staff and management performed

●      Determine what information or resources were required sooner

●      Steps and actions taken that may have inhibited the recovery

●      Reporting requirements

●      Financial losses

●      Recommendations

 

Host a lessons learned meeting with the appropriate stakeholders.

 

 

 

For a sample post-incident report, refer to Appendix B – Post Incident Report. 

Appendices

Appendix A

Initial team meeting

The purpose of this meeting is for the Executives to be briefed on the disruption, discuss the incident, review issues, make decisions, make assignments for action and establish priorities.

Key step

Complete

Responsibility

Upon activation of the Business Continuity, coordinate an initial team meeting.

 

At the initial meeting, the team should discuss the following: 

●      Update the team with details from initial response checklist and discuss expectations

●      Current availability of assets

●      Information from relevant stakeholders

●      Updated expected outage duration, if available

 

Determine frequency of status meetings.

 

Remind all staff not to talk to the media.

 

 

 Space for notes: 

 

Appendix B

Post-incident report form

Job: ____________________________ Date of incident: ___/____/___ Time _____am/pm

  1. Incident summary.

    • Basic description of the incident

    • Systems, services and/or user communities impacted by the incident

    • Whether service was not impacted, degraded, or interrupted

    • Duration of the incident (start to finish)

  2. Details of the incident.

    • What caused the incident (who, what, where, when, how)?

  3. The notification process.

    • Include every step in the notification process

    • Automated monitoring notification

    • An infrastructure team member noticed something out of the ordinary

    • A user called in

    • Detail the flow of the incident response (i.e. John -> Jim -> Mike)

    • Communication of resolution of the outage

 

  4. Technical details/fix actions

    • What was the basic cause of the incident?

    • What could have prevented this?

    • Impact (none, degraded performance, downtime)

    • Business criticality (revenue producing, business critical, low)

    • Estimated cost (impact + business criticality)

    • What prevents the incident from reoccurring?

    • What additional actions or research need to happen?

Appendix C - Context to Business Continuity Plan

Purpose

This Business Continuity Plan (“BCP”) is intended to help the {{organization}} respond to a serious disruption to normal day-to-day business operations. It is not intended to provide a complete set of instructions, but rather a list of points of focus to guide the team members and facilitate their efficient response. The plan should only be used by team members who are familiar with {{organization}}’s overall BCP response, and who have been trained in its execution.

Scope

  • Loss of single or multiple I.T. applications/services for an extended duration.

  • Mass Absenteeism

  • Critical 3rd Party Supplier Disruption

  • Facility inaccessibility to the offices at <Address>

Objective

The objective of the plan is to provide guidance during the response to, and recovery from, a significant disruption.

Assumptions

The viability of this Business Continuity Plan is based on the following assumptions:

  • This plan is maintained and updated annually as well as when significant changes relating to Business Continuity occur. This maintenance schedule is set in accordance with the cadence set in the Business Continuity Management Policy.

  • That the teams deemed critical have their own BCP.

Communication 

A business’s crisis communication goal should be to provide timely, accurate, and clear information to prevent inaccuracies and rumors. To accomplish this objective, a message containing the following verified information should be sent to all stakeholders as soon as possible after a disruption has occurred:

  • What, when, and where a disruption has occurred

  • How serious the problem appears to be

  • How the business has been impacted (e.g. damage to facilities and operations)