INEVOLVE SB Website

Monday, March 24, 2014

Tackling the Business Impact Analysis

A new business continuity analyst will need to create and/or update the organization's Business Impact Analysis (BIA). If this task is new to the organization, the analyst will need to scope the document and set out the definitions that will be used. Ideally the entire organization will be represented in one or more BIAs. The analyst should present to the sponsoring executive the plan for accomplishing the BIAs. The analyst will need to:

a) describe the objectives of the BIA,

b) show that the focus will be on the business processes,

c) introduce the concepts and terminology, such as the Recovery Time Objective (RTO), and

d) identify the planned sources of information and validation.

It is important to focus on processes rather than procedures. There should be relatively few processes; however, each process can have many procedures. To use an example common to many organizations, the Human Resources Department may have four processes: hiring/termination, benefits, periodic reviews, and payroll. The procedures for each of these processes may change repeatedly due to new software, regulations or vendor requirements. Therefore the analyst should not try to capture details of the procedures but should reference their location within the department. Depending on the organization, BIAs may be reviewed and updated on a periodic basis. In addition to periodic updates, any significant change to a business process should prompt a BIA review.

Given resource or budget constraints, if BIAs cannot be done for the entire organization, then the analyst needs to work with the sponsoring executive to determine which departments and processes are considered core to the organization’s mission.

For each process the BIA will identify the needed resources. These include people (do not forget any on-premises long-term consultants), facilities, equipment, and supporting information technology. The analyst will need to note any unique features of the facility that the process uses (e.g. loading dock, clean rooms, vaults). A roster of staff and roles is important to understanding the scale of the process and the relative impact should members of the staff become unable to work. Regarding the IT resources needed, be sure to include the reference databases that the applications require. Also query the business for any specialized communications gear or production equipment such as check printers. Remember any handheld devices that are needed to generate sales or manage logistics. While business moves relentlessly to electronic formats, the required paper-based documents and supplies still need to be inventoried.

Once the who, what, and where have been established, the next step is determining the impact to the organization if the process cannot be performed. Various metrics and units of measure can be used; the analyst needs to assimilate what has been learned so far and determine the outage time frames to be used in the discussion and analysis.

What are the time frames of a business or transaction cycle? Are tasks and deliverables accomplished in weeks, days, hours, minutes, or seconds? Depending on what the business time frames are, construct an appropriate scale for determining impacts over time. Impacts can have various dimensions: financial, reputational, legal, regulatory, plus any other dimension that may be important to the organization. Again, the analyst needs to determine the scale for each dimension used. The disaster may also involve the loss of data. The analyst must determine with management how much data can be lost and the associated time frame(s).

The result will be a series of Recovery Time Objective (RTO) values, each of which needs to be coupled with a Recovery Point Objective (RPO) value.

As an analyst, you will now have a wealth of data. It is up to you to turn this data into information that can be used in the subsequent steps towards the goal of a robust business continuity program. You will need to clearly identify the processes that are necessary for the business to carry out its mission and provide management with an understanding of the impact should a given process stop. This will provide the inputs to the risk assessment and the basis for the business continuity plans to follow.

Tom Ryan has worked as the global business continuity manager for RBS Sempra Commodities, starting their program from scratch to cover six trading locations with two recovery sites with data centers. He has done business impact analysis and emergency management consulting work with Datalink, Inc. Previous to his roles in business continuity, Tom managed a software QA testing department and was an auditor for major investment banks.
______________________________________________________

Monday, March 10, 2014

BS ISO 22301 in 17 Easy Steps

I normally shy away from long blog posts, but this one is critical if you are considering getting your business continuity program certified. BS ISO 22301 seems very hard to implement at first, but if you understand the requirements of the standard, it becomes very clear, almost too easy to implement across the organization.

There are only a handful of organizations worldwide that have been certified in BS ISO 22301. Right now is a great time to get on the certification calendar and be one of those organizations who set the gold standard in Business Continuity.

Below are the 17 steps you will need to take to reach program certification.

Step 1: Management support

Business Continuity will not work if the leadership of the organization or business does not support the effort.  Therefore, it’s critical that leadership understand and support the program continuously.  Your job as a practitioner is to show them why Continuity planning is necessary, not through scary stories and photos, but through showing the value the program brings to the organization.  Getting their support and commitment is the first critical step in any Business Continuity effort, but especially in the certification process.

Step 2: Identification of requirements

This is an easy one. Identify the requirements of the Business Continuity Program. It’s similar to identifying the business requirements for a large-scale project. In fact, it’s exactly like that.

But in all honesty, there is really only one requirement for Business Continuity. If you own, run or manage a business, you have a requirement. Business Continuity IS the requirement.

If you need a more detailed requirement, you can use BS ISO 22301 as the requirement and make certification a goal of the program. This will cover everything.

Step 3: Business continuity policy & objectives

Developing a clear Business Continuity Policy is critical to getting the support and resources you will need. In fact, here is the one I use every time.

“[Organization name] will develop, implement and maintain an actionable Business Continuity Program based on the BS ISO 22301 standard with support for internal divisions and departments.”

Simple, to the point and it covers everything that Business Continuity is and needs to be.  This will need to be signed off on by the leadership of the business or organization and disseminated throughout.

Create goals and objectives that are in line with the BS ISO 22301 standard.  Make BS ISO 22301 certification a primary goal.

Step 4: Support documents for management system

This is a heavy lift.  You will need to get to writing documents that support the program.  These support documents include incident response plans, lifecycle management plans, measurement and continuous improvement plans, concept of operations, and other documents that support the overall management of the program.

Step 5: Risk assessment & treatment

Despite my wanting to leave risk management to the risk management folks, you will have to conduct an annual risk assessment to meet the ISO 22301 standard. This is not hard to do, but getting everyone to agree on the risks and mitigations is another story. Everyone has their own perspective on what risk is and how it should be handled.

However, it has to be done and the best way to do it is to use the ISO 27001 Risk Assessment and Treatment standard.  It can be applied to both IT systems and BCP Critical Services.

I have a very simple, but useful template you can use.  If you are interested in getting a free copy, let me know.

Step 6: Business impact analysis

The Business Impact Analysis is a very useful tool if you don’t use it the way you are supposed to. Trying to assess impact before it has occurred is prediction, and I leave predictions to fortune tellers, weather people and economists. But, again, it’s part of the ISO standard, so it has to be done on an annual basis at the very least.

But I have modified it a bit to serve the Business Continuity Program better. What I need to know through the BIA are four critical elements for each division or department in the organization.

By division or department:
  1. What Critical Services does it provide to the organization?
  2. What are the Essential Functions that support those Critical Services?
  3. Who are the Critical Staff, or what are the Critical Staff Roles (internal and/or external), that support those Essential Functions?
  4. What is required to support the Critical Staff (IT Systems, Alternate Facilities, Communications, etc.)?

Armed with this information, you can continue to the next step.

I have a very simple, but useful template you can use for this too.  If you are interested in getting a free copy, let me know.

Step 7: Business continuity strategy

This is the section where you determine the Continuity Strategy you are going to use. I will share the one I have had the most success with.

1)    Have the leadership assign (done during Step 1) from within the organization a Business Continuity Lead (BCL) and an IT Disaster Recovery Lead (IT DRL). These two roles are the program leads.

2)    Have the leadership assign (done during Step 1) someone from each division and/or department to the Department Recovery Coordinator (DRC) role to work with you during the program development process. The DRCs are responsible for developing plans and recovery strategies for their division or department. The people in these roles need to have a clear and good understanding of the products and services their division or department provides.

3)    Have the IT leadership assign IT DR Recovery Teams to support the recovery of critical IT systems.

4)    The BCL and the DRCs are the Incident Response Team for divisions and departments, and the DRL and DR Recovery Teams are the Incident Response Team for Critical IT Systems.

5)    The Organizational Leadership, the BCL and the DRL make up the Crisis Management Team.

6)    If you have a communications department in the organization, they become the Crisis Communications Team. If not, then the Crisis Management Team is also the Crisis Communications Team.

The key is to: UTILIZE INTERNAL RESOURCES

Section 8.4.2 of BS ISO 22301 requires establishing an Incident Response structure and framework. I create one for Business Continuity and one for IT Disaster Recovery. This is the process of responding to incidents, tracking and managing them, and it ties into post-incident reviews.

I have templates for incident response.  If you are interested in receiving free copies, let me know.

Step 8: Business continuity plan

This is another heavy lift; however, it doesn’t have to be time consuming. Once you have the information from Step 6, you can begin populating plans. Each division and/or department needs to have a unit plan, or Continuity of Operations Plan. The combination of these plans, along with the Crisis Management Plan, the Crisis Communications Plan, and all of the support documentation created in Step 4, makes up the Business Continuity Plan. There are several templates that you can use to make things easier. I prefer a modified version of the Continuity of Operations template developed and provided free of charge by the Federal Emergency Management Agency (FEMA).

If you are interested in getting a free copy of the modified version of the template, let me know.

Step 9: Training & awareness

Training and awareness are a key requirement for all of this to function properly. FEMA offers free awareness training. IS-546.A: Continuity of Operations Awareness Course: http://training.fema.gov/EMIWeb/IS/courseOverview.aspx?code=is-546.a

FEMA also offers Independent study courses here: http://training.fema.gov/IS/crslist.aspx

This will get the organization part of the way.  The remaining training must be tailored to the organization.  Here is a list of training courses you will need.

  • Crisis Management Training
  • Crisis Communications Training
  • Incident Response Training

Step 10: Documentation maintenance

The best way to meet this requirement is to follow the document control section of the ISO 9001:2008 standard. There is going to be quite a bit of documentation generated by the program, and the 9001:2008 standard will help control it. I also use document management systems like Microsoft SharePoint to manage documents and version control.

Step 11: Exercising and testing

Exercising and testing is the cornerstone of Business Continuity. A plan not tested and exercised is not a plan. The Homeland Security Exercise and Evaluation Program (HSEEP) is, by far, the most comprehensive program out there. And it’s free. But first, it would be wise to take the free exercise training and development courses provided by FEMA.

IS-130: Exercise Evaluation and Improvement Planning: http://training.fema.gov/EMIWeb/IS/courseOverview.aspx?code=IS-130

FEMA HSEEP website: https://www.llis.dhs.gov/hseep

Step 12: Post-incident reviews

Post-incident reviews are necessary to review the response to an incident and identify gaps.  An After Action/Corrective Action report needs to be developed, corrective action tasks assigned and suspense dates for corrective actions defined.  You can modify the HSEEP AAR/IP template to meet this requirement.

Step 13: Communication with interested parties

This deals with communication as a whole: communicating the program, statuses, incident reporting, and communications with external resources and 3rd-party vendors. Constantly communicate what you are doing, how you are doing it and why it has to be done. You can do this in the form of status reports, newsletters, leadership reviews, awareness training, video information and other forms of communicating during the Business Continuity Lifecycle (Plan, Do, Check, Act model). Communicate up and down the organizational structure often and clearly.

Step 14: Measurement and evaluation

You will have to establish a Lifecycle Management program that includes performance metrics and evaluation criteria. This is much simpler than it seems. Some people think you can only measure Business Continuity when the plan is activated, but that is only a very small portion of what can be measured. Instead of going into the details of what can be measured (there are hundreds of metrics), I can provide you two free templates that cover the most important things in Business Continuity Measurement and Evaluation. Let me know if you would like the templates.

The Lifecycle Management Plan is part of the Continuous Improvement Process.

Step 15: Internal audit

Internal auditing is necessary to ensure the program is accurate and continues to meet the requirements of the BS ISO 22301 standard. Please note that this is an “Internal” audit team. This team and their review criteria are established in the Business Continuity Lifecycle Management Plan. I have a template for this. If you are interested in a free copy, let me know.

Step 16: Corrective actions

Corrective actions are part of the Plan, Do, Check, Act model; however, they need to be integrated into every step in the BS ISO standard. The Lifecycle Management Plan takes on the role of evaluating and developing corrective actions across the entire program, from development to implementation, activation and incident response to review and internal audit. I also have a template for this. If you are interested in a free copy, leave a comment. This is also part of the Continuous Improvement Process.

Step 17: Management review

This relates back to the very first step. Management must have insight and continuous review ability. Invite them to exercises and plan review sessions. Invite them to review all of the Business Continuity documentation and strategies. Invite them to be a part of the working groups. And as always, schedule management review meetings regularly so they can gain better insight, ask questions and offer suggestions before the documents and strategies become active. A monthly In Process Review is the best way to review the entire program with Management and Leadership. And as always, generate an After Action Report of the corrective actions that need to be taken, and present the status of open action items and the results of closed action items at the next In Process Review. This is also part of the Continuous Improvement Process.

Another idea is to have management be members of the Document Review Team for Lifecycle Management. This way they will have detailed insight into the documents themselves. I use this method for every review team I have ever established, and it is very effective.

Note: State and federal regulated industries and governments have additional requirements that you will have to consider in addition to the 17 steps above.  The federal government alone has many additional rules and requirements related to Business Continuity in Federal Government and federal agencies, so be sure to include those in your certification process.

Additional Information

1)    Purchase a copy of BS ISO 22301 from the BSI store: http://shop.bsigroup.com/ProductDetail/?pid=000000000030207716.

2)    If at all possible, purchase copies of the ISO 27001 and the ISO 9001:2008 standards from the same store.

3)    If you intend to submit the Business Continuity Program for certification (highly recommended), be sure to visit the FEMA PS-Prep website http://www.fema.gov/voluntary-private-sector-preparedness-program-ps-preptm-small-business-preparedness for information, details and certification requirements.

I also have a BS ISO 22301 auditing template if your Business Continuity Program is already established and you want to evaluate it against the standard.  If you would like a free copy, let me know.

Template requests should be sent to Mike Minzes at info@inevolve.com

Mike Minzes is the Founder and CEO of INEVOLVE SB, a Business Continuity and Disaster Recovery Planning and Implementation company located in Kennesaw, Georgia. Mike has over 20 years of experience in the Business Continuity and Disaster Recovery Industry. For more information on INEVOLVE SB, please visit them at GOBCP.NET.
______________________________________________________

Monday, March 3, 2014

7 other Uses For The Tabletop Exercise

A few weeks ago I wrote a post on 4 other uses for the tabletop exercise. You can read it here.

Several people have added their suggestions and I wanted to gather their ideas in one post.

There are certainly several other uses for the tabletop exercise.  What do you use them for?

Below is a video that offers some suggestions.

______________________________________________________