NEPA and Environmental Planning: Tools, Techniques, and Approaches for Practitioners - Chapter 11


11 Emergency Planning for Continuity of Business Operations

As with the biblical story of Noah’s Ark, ample physical and documentary evidence shows that throughout the course of human history, different forms of planning have been undertaken to protect communities from natural disasters. Today, in an increasingly crowded and conflicted world, all organizations, regardless of their size, face risks to their facilities and business operations. While a small organization may consider itself to be uncomfortably vulnerable to an incident or disaster, a very large organization might face truly unacceptable risks due to its sheer size and complexity. The process of assessing and managing the business of continuing operations, also known as business continuity planning (BCP), has thus become a crucial and necessary reality for ensuring the continuity and survival of government and business organizations. In an effort to demonstrate this need, the following discussion outlines the reasons why a business continuity program should be implemented, explains its benefits, and describes the processes that support its management throughout the lifetime of an organization.

In the past, conventional forms of business continuity might have included buying adequate fire insurance, having sufficient fire extinguishers on hand, and routinely conducting fire drills. However, in the current environment, several factors have combined to make insurance and passive deterrents inadequate for dealing with continuity issues. These factors include tougher legislation in certain areas, increased health and safety concerns, privacy and security issues, rise in insurance costs and insurance industry mandates for organizations to actively manage their business risks, a greater likelihood of liability exposure due to legal action, and a high reliance on technology and sometimes its disparate infrastructure. Understandably, the importance of business continuity has changed over time.
Operational risks are many and varied, ranging from terrorist incidents to natural disasters and pandemics. Because of the rapid changes taking place within today’s operating environment, the process of assessing and managing business risk and operational continuity needs to be both continuous and ongoing.

Many organizations have not yet fully embraced the procedure of developing a business continuity program. Some organizations still rely solely on the “it won’t happen to me” concept. Evidence that organizations do not invest sufficient time and resources to BCP preparations is demonstrated by disaster survival statistics. For instance, fires permanently close 44% of affected businesses [1]. Among the 350 businesses affected in the 1993 World Trade Center bombing, 150 failed to survive. In contrast, the firms affected by the September 11, 2001, attack were back in business within days of the attack because of their well-developed and tested BCP manuals [2].

Risk should be identified, assessed as to its importance, and remedied by the development of preventive measures to mitigate its effect. For operations where mitigation efforts would be too costly or unfeasible, contingency, response, and resumption processes should be established to deal with any problems that may arise.

Ultimately, the responsibility for introducing a business continuity program lies with the executive management of the organization. A successful program should be driven down from the top.
This support should include an agreement based on the need to implement such a program, a commitment for the necessary allocation of resources to operate it once approval is obtained, and the development of policies that include directing the top management to become actively involved in all its aspects. A completed BCP cycle results in a formal printed manual that is available for reference before, during, and after a disruption has occurred.

© 2008 by Taylor & Francis Group, LLC

11.1 ESSENTIAL CONCEPTS AND BENEFITS

The three terms discussed throughout this chapter are:

• BCP: a methodology used to create business continuity processes and plans for how an organization will assess the risk, mitigate the risk, and resume partially or completely interrupted critical function(s) within a predetermined time after a disruption or disaster.
• Risk: the possibility of the occurrence of an undesirable event.
• Essential functions: those services or products that an organization offers.

A business continuity program is defined as

A program supported and funded by executive management to ensure business continuity requirements are assessed, resources are allocated, mitigation is implemented, and contingency planning, response, recovery, and continuity strategies and procedures are completed and tested.

Continuity strategies are a process of developing advance arrangements and procedures that enable an organization to respond to an event in such a manner that essential functions continue with planned levels of interruption or essential change.

11.1.1 DEVELOPING THE BUSINESS CONTINUITY PLAN

As with all plans, a business continuity plan includes five critical elements: its people, processes, technology, facilities, and infrastructure. The sustainability aspect of planning is often ignored.
Sustainability means simply that the organization has the resources, motivation, and focus of the management to follow a plan, make necessary updates to that plan, and practice its use. Table 11.1 depicts an outline of the stages and processes of the program typically involved.

11.1.2 BUSINESS RISK

Probability and severity are two of the primary factors used to measure and quantify the risks that need to be managed. Many environmental planners and safety engineers can play an important part in developing a BCP as they have extensive experience of working with these two concepts. With respect to the discipline of environmental impact assessment, these concepts were described in detail in Chapter 10.

The use of severity and probability factors provides a practical way to initially assess and prioritize risk. For example, some risks are low in severity and happen frequently, such as minor workstation failures. Though these risks are very probable, they have a low severity impact. On the other hand, a more serious event such as the disruption of electrical power from a key supplier has a higher severity impact that could impede mission-critical business operations, but may also have a lower probability of occurrence. If some kind of event had occurred in the past, probability and severity ratings can be more accurately determined.

11.1.3 BENEFITS OF BUSINESS CONTINUITY

Although business continuity applies to all organizations, the benefits are not easily quantified.
Some organizations are thus more likely to benefit from implementing business continuity programs, but they are particularly necessary to any organizations with the following characteristics:

• Multiple sites
• Size that precludes any single individual knowing the details of every risk
• Widely diversified business processes
• Uses many contractors, suppliers, or business partners who are not under the direct control of the organization

Generally, the larger or more complex the organization or program, the more it benefits from a formal business continuity program management process. Table 11.2 provides some potential benefits from implementing a proactive program.

TABLE 11.1 Outline of the Typical Program Stages and Processes

Business Continuity Program Stages | Processes Organized by Phases | Staff Involvement
Project management | Preproject phase; Start-up phase | Program manager; Project manager; Business analyst
Risk management | Inventory phase; Risk assessment phase; Business impact analysis phase | Project manager; Business analyst; Inventory compiler; Database administrator
Mitigation | Mitigation strategy phase; Mitigation planning phase | Project manager; Business analyst; Auditor; Facilitator; Test process manager; Testing resources
Contingency | Contingency identification phase; Contingency planning phase | Project manager; Business analyst; Facilitator; Trainer
Response operations | Detection phase; Response phase/crisis management | Project manager; Business analyst; Facilitator; Test process manager; Testing resources
Business resumption | Recovery phase; Resumption phase; Personnel training phase | Project manager; Business analyst; Human resources; Facilitator; Test process manager; Testing resources

TABLE 11.2 Potential Benefits from Implementing a Business Continuity Program

Areas of Impact | Benefit of Business Continuity
Health and safety | Avoid worker litigation; reduce insurance premiums; ensure public safety
Business interruption | Avoid loss of service, business failure, and legal liability (where applicable) for not planning for such an event; gain operational reliability
Technical | Avoid failures of obsolete methods or technologies; avoid a service stoppage
Computer | Prevent inability to communicate; avoid lack of access to information
Theft and fraud | Prevent loss of money, assets, or intellectual property

11.2 FOCUSING ON CONTINUITY OF OPERATIONS

This section focuses on those aspects of business continuity that are concerned with managing risks related to operations. It ensures that if a serious incident occurs, the organization will continue to function at a level acceptable to the executive management. With that focus in mind, the question becomes not one of “Do we need to have a business continuity program?” but rather one of “To what extent do we need a business continuity program?”

Fundamentally, business continuity is about avoiding loss of business operations. To accomplish it, two questions should be answered:

1. What can be done to eliminate a risk before it occurs?
2. If a risk cannot be eliminated, what can be done to minimize the impact after it occurs and to restore normal operations quickly after an interruption?

Executive management has a responsibility for ensuring that essential functions under its control are adequately protected. To that end, a cost-effective business continuity strategy should be developed that is consistent with the organization’s current business strategies.
It should focus on risks related to unplanned interruptions of mission-critical business operations. In the event of a serious incident, it should also enable essential functions to continue at a predetermined level acceptable to the management.

In many cases, acceptable protection can be achieved through the proactive formulation of preventive measures and the strengthening of system and equipment reliability. Mitigation planning is the process of developing a plan that can either prevent or reduce the likelihood of the occurrence of a performance failure or that is designed to reduce the impact of a performance failure.

In case a disastrous event occurs, the organization should be prepared to respond and recover from its impact. Contingency planning is the process of developing a plan to ensure the continued availability of essential functions, programs, and operations, including all the resources necessary to operate the organization at a predetermined level, in response to the loss of operational capability. This process contains procedures for emergency response, backup, postdisaster recovery, reconstitution, and resumption to ensure the continuity of mission-critical business operations.

11.2.1 GETTING STARTED

If the business continuity philosophy is being introduced to an organization for the first time, it needs support at the executive management level.
Awareness of the need for business continuity can be raised by

• highlighting potential risks to the organization, possibly by drawing comparisons with other organizations that have suffered serious business disruption and have successfully weathered the crisis;
• illustrating potential impacts to the organization in terms of key performance indicators, such as customer (interorganizational and outside customers) service levels, costs, staff turnover, and revenues generated; and
• drawing attention to commitments to business continuity made by comparable organizations, federal, state, and local governments, and industry.

Table 11.3 outlines the essential steps necessary to establish and operate a successful business continuity program.

11.2.2 PLANNING AND COMMUNICATING THE PROGRAM

An organization-wide business continuity team must be formed to monitor and guide the program. This team will be responsible for ensuring that any potential problems likely to cause operational failures and revenue reduction are minimized. Organizations should form teams and subteams with personnel who possess business expertise and skills in such areas as business analysis, environmental management, communications, legal and contract administration, strategic and tactical planning, financial management, project management, information technology, and staff training.

All the employees of the organization should be made aware of the program and provided with a general introduction to the issues and risks that the organization intends to address. They should be educated regarding the business implications of these risks, who the contact person of the business continuity program is within each organization, and the development of a plan to deal with identified risks.
Initial employee communication should include a description of the resources employed to support the business continuity program and a general outline of how the program is expected to proceed. Ongoing awareness can be accomplished in many ways such as by

• including a business continuity program column in the organization’s internal newsletter,
• developing a specialized business continuity program newsletter,
• sending out periodic electronic mail messages from the program’s sponsor,
• establishing a collaborative business continuity web site, or
• publishing progress information on an intranet Web page.

11.2.3 GATHERING INFORMATION

The next step in the business continuity program is to develop a strategy for conducting an enterprise-wide inventory of business operations and essential elements that support the operations. This strategy will establish general objectives concerning the risk exposures on which the organization intends to focus its efforts. Risks that are inherent to an organization typically originate from three sources:

• Mission, structure, and culture of the organization
• Assets and resources either owned by or under the control of the organization
• Business partners of the organization

TABLE 11.3 Essential Steps Necessary to Establish a Successful Business Continuity Program

1. Form an enterprise-wide business continuity team
2. Form subteams within each organization
3. Communicate the purpose of the business continuity program to employees
4. Create an enterprise-wide inventory of assets and business operations
5. Conduct a high-level risk assessment and report the results
6. Create an enterprise-wide inventory of essential elements that supports business operations
7. Conduct a legal assessment
8. Conduct interviews with key staff from each functional area
9. Collect, store, and analyze the risk data and report the results
10. Plan, develop, and budget for risk prevention measures with mitigation and event-detection processes
11. Test, train, and implement preventive measures and processes
12. Monitor results of preventive measures and revise new processes as necessary
13. Develop contingency plans for risks that cannot be provided with adequate protection
14. Implement event warning, detection, and response processes
15. Develop resumption plans to resume business as usual
16. Train, test, and audit the contingency plans

11.2.3.1 Inventory of Essential Elements

For each of these business operations, an inventory of the essential elements that provide direct or indirect support should be conducted. Generally, an inventory of essential elements in the following categories is necessary to facilitate an effective risk assessment and business impact analysis (BIA) (Table 11.4).

An inventory strategy describes the level of inventory detail that should be collected before a risk assessment is performed. The selected inventory approach should provide data essential for enabling the more specific identification of potential risks to mission-critical business operations. Results of this inventory process will help establish

• scope of the business continuity program,
• overall strategy of the organization’s business continuity program, and
• impact on the organization.

Inventory Approaches. Multiple approaches for collecting these inventory data should be examined, such as

• performing only a high-level (macro) inventory;
• performing a complete and detail-level (micro) inventory; and
• performing a combination of both a high-level and, as needed, a detail-level inventory.
In a situation where limited time and financial resources are available for commitment to the business continuity program, an approach for developing an inventory of essential elements, to perform only a high-level inventory, might be followed by a risk assessment (that will be described later) based on the summarized inventory data. This approach has the advantage of enabling the expeditious collection of inventory, which can then be used to begin the risk assessment process. However, it has the disadvantage of introducing the possibility of overlooking critical operations or inventory elements, resulting in an incomplete baseline from which the assessment is conducted. The organization should therefore be diligent in weighing the advantages and disadvantages of each inventory approach before making its decision.

TABLE 11.4 An Inventory of Essential Elements Normally Involves Seven General Categories

• Business partners, including suppliers, vendors, customers, or other third-party organizations that regularly provide services or products
• Organizational structure
• Organization-based performance measurements
• Facilities and office equipment
• Telecommunication systems
• Computer software and equipment
• Contracts, agreements, insurance, and investments

11.2.4 RISK ASSESSMENT

Once the inventory is complete, a high-level risk assessment is performed. Its purpose is to assess and prioritize essential functions and their associated risks. If necessary, the different organizations and each of their respective divisions should complete their own risk assessment report. These should then be amalgamated to form the enterprise-wide report. Thereafter, the risk assessment should be updated on an annual or alternate year basis.
A risk assessment typically takes about 1–2 months to complete depending on the size of the organization. As detailed in Table 11.5, a BCP risk assessment typically involves six discrete steps.

TABLE 11.5 Steps Performed during a Typical Risk Assessment

1. Identify, define, and prioritize the organization’s essential functions (services or products)
2. Identify mission-critical business operations and associated risks
3. Perform a high-level analysis that highlights the severity of impact on the organization, given the loss of a mission-critical business operation(s)
4. Identify immediately apparent areas of vulnerability, such as the use of single-source suppliers or an outdated technology infrastructure
5. Prioritize mission-critical business operations
6. Estimate the scope and cost of proceeding with recovery strategies, risk mitigation, and contingency planning

Throughout the mitigation process, risk management should include risk assessments and business impacts for each mitigation strategy. These assessments and impacts should be completed specifically for the particular body of work and should be limited to the scope of the project. Project risk management should also identify project risks and impacts to the organization.

11.3 BUSINESS IMPACT ANALYSIS

A full-scope BIA should be performed to ensure that both dependencies and interdependencies of mission-critical business operations are identified and where necessary to employ preventive measures for mitigating impacts and disruptions. When performing a BIA, the mission-critical business operations are defined and evaluated together with their respective essential elements, including dependent and interdependent variables.

The impact analysis can be performed by

1. identifying all business operations, processes, and elements;
2. developing a questionnaire that will help identify, define, and prioritize the mission-critical business operations and their respective essential elements;
3. meeting with management to approve the questionnaires;
4. collecting and tabulating questionnaire responses with business and technical personnel; and
5. producing a prioritized list of essential elements and processes, including their dependencies and interdependencies based upon tabulated questionnaire responses.

An impact analysis is a way to quickly pinpoint those areas that would suffer the greatest financial and operational impact in the event of a disruption. Using the severity of impact (of an operation’s interruption) as the primary rating factor, the management should rate the impact that an interruption of an operation would have on the critical success factors that enable the success of the organization. These critical success factors include, but are not limited to, the following:

• Safety and security: Would the safety and security of the staff or the physical assets of the organization be in danger?
• Service and/or product fulfillment: Would the organization’s ability to generate revenue and to service its customers be affected?
• Legal: Would the organization be in violation of regulatory requirements or contractual agreements?
• External reporting: Would this affect the organization’s ability to generate external reports, such as financial statements, tax reports, and so on?
• Communications: Would the organization’s ability to communicate by e-mail or telephone (e.g., electronic data interchange) with its partners be interrupted?
• Internal controls: Would the organization’s internal controls, measurements, and reporting be jeopardized?

It can be seen from the above factors that the management of risk related to essential functions of the organization becomes the primary focus of the business continuity program.
The establishment of the best and most practical priorities for mitigating risk associated with the essential functions is the ultimate goal of this process. Accomplishing it means the realization of the most effective and efficient use of the organization’s resources (staff, time, and money).

11.3.1 REGULATORY, LEGAL, AND CONTRACTUAL REVIEW

In some cases, due to poor planning, the management of an organization can be held personally liable for its failure or poor performance in carrying out response and recovery operations. For this reason, a legal assessment of potential liability related to an interruption of mission-critical business operations is an important part of any business continuity program.

Mandated legal requirements that involve environmental, health, safety, security, and emergency management are all possible risk areas. These requirements include a detailed review of all contracts, agreements, and documented performance standards, as well as the management’s liability to service level agreements, contracts, and customer services. The latter requirement encompasses a review of mandated requirements and of all contractual relationships with third parties, including vendors and suppliers. It also includes identifying obligations related to maintenance or other outsourced services that are being delivered to the organization.

11.3.1.1 Legal Risk Management Strategy

After a risk-reduction mitigation strategy has been prepared to respond to issues discovered during the legal review, it should be presented to the management for its approval. The aim of the legal risk management strategy is to provide executive management with sound advice and viable alternatives as they strive to make responsible business decisions relative to the goals of the business continuity program.
During the development of the legal risk strategy, special attention should be paid to the following conditions:

• Areas where the impact of an interruption to the organization far outweighs the remedies available
• Whether the odd occurrences of such a problem seem likely
• Whether recovery from the potential problem is difficult and costly to the organization
• Where specific legal mandates are required

11.3.1.2 Potential Recommendations

To validate the efforts of the organization and to ensure that current activities and plans achieve the goals of the program, an operational audit of the business continuity program could be one of the recommendations of the legal risk strategy. Other recommendations could include

1. an outline of the policies and procedures related to business partner management,
2. changes to insurance coverage,
3. operational and procedural changes required to avoid injury and improve safety risks,
4. business continuity program activities required for regulatory compliance,
5. financial practices required to comply with reporting and disclosure guidelines, and
6. ongoing legal activities required to support the business continuity program.

11.3.2 ASSESSING AND ANALYZING RISKS

As soon as mission-critical business operations have been identified and prioritized, and an inventory of essential elements that support those operations has been collected, the team can proceed with the next step of the project. At this stage, practical alternatives and guidelines should be defined that will be used to

• gather risk assessment and business impact information;
• store the accumulated data in a manner (electronic database) that allows impact analysis and reporting to be performed; and
• assess, quantify, and evaluate risk.
11.3.2.1 Severity and Probability

Developing a model that can be used to assess risk involves the identification of risk measurement criteria. These criteria consist of factors used to assess the severity and probability of a business operation or essential element failure. The factors described in Table 11.6 should be considered in rating the impact severity of a performance failure.

TABLE 11.6 Factors That Should Be Considered in Rating the Impact Severity of a Performance Failure

• Impairment level of the failure represents the maximum impact resulting from the failure if it is not quickly resolved.
• Time horizon from failure to full impairment, where there could be a time difference between the event of failure and the full realization of its effects. For example, failure of the general ledger system may ultimately cause severe impairment to an organization’s ability to produce financial budgets, but the full effect of the loss of that system might take weeks to be fully realized.
• Failure tolerance is an indication of the maximum length of time that the loss of an essential element or operation can be reasonably tolerated.
• Mitigation implies reducing the impact (e.g., changing a process, failover, backup, or other strategies). Those that cannot be mitigated are passed on to contingency planning.
• Contingency planning serves to reduce the ultimate impact experienced by a performance failure involving mitigated and nonmitigated processes that require human intervention.

Severity. A precise and easily understood rating scale is needed for assigning severity impact to the interruption of an operation or an essential element failure; for example,

• 1 = negligible impact (on the organization or supported operation),
• 2 = minor impact,
• 3 = moderate impact,
• 4 = considerable impact, and
• 5 = total impairment.

The application of severity ratings to business operations and essential elements provides the input data needed to conduct a performance failure impact analysis. In many cases, severity impact ratings may provide enough information for the management to make informed decisions regarding mitigation and contingency strategies.

The impact of a business operation or the failure of an essential element provides a clear indication of their importance to the organization. However, the likelihood of a failure actually occurring should not alter the level of their importance. Therefore, a rating model based upon severity of impact can provide a straightforward means to establish a prioritized list of business operations and supporting essential elements.

Probability. In addition, rating the probability of a performance failure helps to highlight potential failures that pose real or very likely threats to an organization. This separate and distinct rating measurement helps to focus appropriate levels of resources on mitigation and contingency planning efforts. As previously stated, some risks are low in severity but occur quite frequently, while other risks may be severe but rarely occur. Gathering failure frequency data from staff, vendors, or suppliers responsible for an essential element can usually provide failure probability estimates for most items under their scope of responsibility.

11.3.2.2 Developing a BIA Process

After the BIA process has been established, it is used to guide the development and use of an effective assessment survey tool.
A set of comprehensive and business-unit-specific questions is developed for use during a series of BIA interviews that are conducted with key staff from each functional area of the organization. These interviews help identify and quantify risks related to the potential for failure of an essential element, and also provide insight concerning dependencies that exist between mission-critical business operations and supporting essential elements, and provide information on which to base mitigation and contingency-planning activities.

Database. Ideally, a database application should be developed that would serve as the master data repository for the business continuity program, storing data from the inventory lists, risk assessment surveys, BIA surveys, and other project-related information.

Database Reports. The database should provide reporting and query capabilities to support risk assessment and BIA as well as mitigation and contingency-planning efforts. The assessment and analysis reporting requirements should specify a set of metrics for assessing, selecting, and developing mitigation and contingency plans. For example, reports might be structured in the following manner:

1. Identify business operations and assess their severity impact on the critical success factors of the organization (e.g., safety and security, service or product fulfillment, revenue generation, legal issues, communications, and so on).
2. Identify essential elements (e.g., suppliers, vendors, customers, information technology systems, documents, data, staffing, equipment, and facilities) and assess their severity impact in the event of the failure of any of these elements.

[...]
Cost and benefit guidelines and constraints must be clearly defined with stated procedures for justifying mitigation and contingency planning efforts (such as service levels, product delivery, or trust impact). If the scope of the project is too broad for the resources...

11.7.1 RESPONSE AND RESUMPTION RESOURCES

A response and resumption strategy for each service and facility supporting an essential function can be developed at this time. These resources typically fall into one of the following categories:

1 Facilities—include...

... time

11.5.1 TESTING AND ACTION PLANS

Test planning and the testing of mitigation action plans either during or after implementation are a critical part of the business continuity program. Formal acceptance testing guarantees the functional ...

... SOLUTIONS

As depicted in Table 11.10, the team should consider a wide range of possible solutions to deal with the failure of a business operation, process, or an essential element

TABLE 11.10 Possible Solutions for Dealing with a Business...

... be saved for future comparisons?
• What organization is responsible for conducting the tests?
• Who will create test documents and test scripts?
• Is there a standard database(s) for system-wide testing?
• What types of tests are required?
• What constitutes acceptable test results?
performance of each action plan. The formal test plan for each action plan is unique and specific to a mission-critical...

... interruption, and consequently fail when a disaster of a different nature occurs. In addition, the plan for each function to be recovered and the plan for the enterprise as a whole should both incorporate the costs of implementation in terms of personnel and financial...

... distribution of a training document to be used by staff, or formal classroom training presented by the organization’s training department staff

TABLE 11.9 Contingency Planning Objectives

• Ensure that threats to the safety of the organization’s employees and visitors are...

... the command and control structure of the IMT and the relationship of its members to the organizational structure. Members of the IMT are identified, and their roles and responsibilities are defined by establishing standard operating guidelines for each of the team’s assignments. This ensures that the organization has a command and control structure in place that can successfully respond to an event.

11.7.2...

... authorization for their funding and execution, provided certain conditions exist. Necessary agreements, letters of intent, and memos of understanding should be signed and put in place so as not to impede the business continuity program efforts. Developing the initial...
systems, and

• the number of operations dependent on or supported by the essential element or operation

The risk assessment and impact analysis process should be fully documented and presented to the management for their approval.

11.4 MITIGATION STRATEGIES

Now that the essential functions, mission-critical business operations, and supporting essential elements of the organization have been identified and ...

Date posted: 18/06/2014, 19:20

Table of contents

  • Table of Contents

  • Chapter 11: Emergency Planning for Continuity of Business Operations

    • 11.1 ESSENTIAL CONCEPTS AND BENEFITS

      • 11.1.1 DEVELOPING THE BUSINESS CONTINUITY PLAN

      • 11.1.2 BUSINESS RISK

      • 11.1.3 BENEFITS OF BUSINESS CONTINUITY

    • 11.2 FOCUSING ON CONTINUITY OF OPERATIONS

      • 11.2.1 GETTING STARTED

      • 11.2.2 PLANNING AND COMMUNICATING THE PROGRAM

      • 11.2.3 GATHERING INFORMATION

        • 11.2.3.1 Inventory of Essential Elements

      • 11.2.4 RISK ASSESSMENT

    • 11.3 BUSINESS IMPACT ANALYSIS

      • 11.3.1 REGULATORY, LEGAL, AND CONTRACTUAL REVIEW

        • 11.3.1.1 Legal Risk Management Strategy

        • 11.3.1.2 Potential Recommendations

      • 11.3.2 ASSESSING AND ANALYZING RISKS

        • 11.3.2.1 Severity and Probability

        • 11.3.2.2 Developing a BIA Process

    • 11.4 MITIGATION STRATEGIES

      • 11.4.1 EXECUTIVE DECISION-MAKING

      • 11.4.2 MITIGATION IMPLEMENTATION PLAN

        • 11.4.2.1 Plan Outline

        • 11.4.2.2 Mitigation Budget

      • 11.4.3 POTENTIAL FIXES

    • 11.5 IMPLEMENTING AND TESTING PREVENTIVE MEASURES

      • 11.5.1 TESTING AND ACTION PLANS

      • 11.5.2 QUALITY ASSURANCE

      • 11.5.3 TRAINING

    • 11.6 DEVELOPING CONTINGENCY PLANS

      • 11.6.1 CONTINGENCY PLANNING GOALS
