Business continuity procedures template
A business impact analysis will help you identify your business's core needs and determine the potential impact resulting from the disruption of business. Examples of impacts to consider include:. Identify your business processes and determine which would cause the most damage to the company if they were to fail. Classify each of these functions or processes as either:. Find out which business objectives they support, how often they occur, which departments they affect, and what other aspects of the business are dependent on these to function.
Your BIA report should document the potential impact resulting from business disruptions and provide information that can be used in your recovery strategies. This should be the most comprehensive section of your business continuity plan. You can break down operations activities into prevention strategies, response strategies, and recovery strategies. In this section, you should detail any preventative measures that should be taken before a disruption occurs. This may include creating remote work solutions for your employees, having backup utility providers, alternative network resources, data backups, and server backups.
Response strategies are needed when there is an emergency or sudden disruption of business. This section should detail what each member of your business continuity team should do in the event of an emergency. This includes evacuation procedures, safety protocols, and staff communications. Recovery strategies ensure that critical business processes are restored after an emergency event or major disruption in business.
Your plan should have a detailed description of the actions necessary to keep your business functional until all personnel, systems, and facilities are operational again. Familiarize staff with recovery processes. Verify that personnel are adequately trained and knowledgeable of recovery plans and procedures. Identify any gaps between business continuity procedures and objectives.
Determine whether management established exercise and test plans, commensurate with the nature, scale, and complexity of the recovery objectives that address the objectives and expectations of the exercise or test and outline the scenario and any assumptions or constraints that may exist. Verify whether exercise and test plans include the following: Identification of roles and responsibilities for participants, support personnel, and observers.
Metrics to assess whether objectives are met. A consolidated exercise and test schedule that encompasses all objectives. Specific descriptions of objectives and methods. Roles and responsibilities for all test participants, including support personnel.
Identification of decision makers and succession plans. Exercise and test locations to be utilized. Escalation procedures and the ability to adjust for simulated scenarios. Contact information. Determine whether management developed reasonably foreseeable threat scenarios that simulate disruptions in business functions and the ability to meet both business requirements and customer expectations.
Management should: Identify and document assumptions used in developing each scenario. Develop scenarios that include threats that could affect third-party service providers, including communication processes with applicable stakeholders. Develop exercises that demonstrate not only the ability to failover to an alternate site but also validate recovery objectives.
Create scenarios that include only the data and systems that would be available for recovery. Verify that exercise and test scripts document the procedures for executing the exercise or test, which may include: Applications, business processes, systems, or facilities reviewed.
Sequential steps for employees or external parties to perform. Procedures to guide manual work-around processes. A detailed schedule for completion. Methods for participants to record results, quantifiable metrics, and any issues.
Assess whether exercise and test methods are commensurate with the size and complexity of the entity and the criticality of the function to the entity. Verify that exercises and tests are designed to do the following: Validate personnel knowledge and skills, including backup responsibilities. Operate and perform duties e. Process transactions and assess system functionality. Test the viability of both full and incremental backups. Test network connectivity and interdependencies, including those with critical third-party service providers.
If management performs full-scale exercises, verify whether the exercise includes the following, where appropriate: Engaging personnel from all business units to participate and interact with internal and external management response teams. Verifying personnel knowledge and skills. Validating management response and decision-making capability. Demonstrating coordination among participants and decision makers. Validating communication protocols.
Conducting activities at alternate locations or facilities. Processing data using backup media or alternative methods. Completing actual transactional volumes or an illustrative subset. Performing recovery exercises over a sufficient length of time to allow issues to unfold as they would in a crisis. If management performs limited-scale exercises, verify whether the exercise includes the following, where appropriate: Implementing a plan appropriate to the scenario.
Executing on-the-scene coordination and decision-making roles. Verifying whether participants can connect to alternate system(s). Testing communication and remote access capability e. If management performs tabletop exercises, determine whether targeted plans and procedures are reasonable, personnel understand their responsibilities, and different departmental or business unit plans are compatible with each other.
By themselves, tabletop exercises are likely insufficient to validate recovery capabilities because they are limited to a discussion-based analysis of policies and procedures.
Tabletop exercises may include the following: Engaging operational and support personnel who are responsible for implementing the BCP. Practicing and validating specific functional response capabilities. Demonstrating knowledge and skills, as well as team interaction and decision-making capabilities. Role playing with simulated responses, evaluating critical steps, recognizing difficulties, and resolving problems. Clarifying critical plan elements, as well as problems noted during exercises.
Creating action plans to correct issues. Demonstrating recoverability at peak volumes. Confirming that systems can support critical business processes e. Integrating technologies that support critical business activities, including data replication, recovery, and off-site storage. Testing backup data to assess integrity and availability. Certifying facility controls e. Verifying workspace restoration e. Ensuring that personnel are familiar with and are able to execute their responsibilities.
Assess the following: The process to rank third-party service providers based on criticality, risk, and testing scope. Coordinated exercises and tests that reasonably validate the abilities of both the entity and the third-party service provider to recover, restore, resume, and maintain operations after disruptions consistent with business and contractual requirements.
Evidence that exercises and tests of critical service providers include reasonably foreseeable significant disruptive events.
Documentation of the scope, execution, and results of exercises and tests in which the entity is unable to directly participate. Assess the execution of the exercises and tests and whether they included the following: End-to-end and, when appropriate, full-scale exercises.
Transaction processing and functional testing. Network connectivity and interdependencies to include those with critical fourth parties. Supply chain considerations. Determine whether testing scenarios with critical third-party service providers consider the following: An outage or disruption of the service provider.
An outage or disruption at the entity. Incident response plans. Crisis management plans. Communication processes with third-party service providers and other stakeholders.
Cyber events. Returning to normal operations. Backup sites are fully independent of the critical infrastructure components that support the primary sites. Trained employees are located at the backup sites at the time of disruption. Backup site employees are independent of the staff located at the primary site at the time of disruption. Backup site employees are able to recover clearing and settlement of open transactions within the time frames addressed in the BCM processes and applicable industry standards.
Determine whether the exercise and test assumptions are appropriate for core and significant firms and consider the following: Primary data centers and operations facilities that are completely inoperable without notice.
Whether personnel at primary sites, who are located at both data centers and operations facilities, are unavailable for an extended period. Whether other organizations are also affected, causing effects that have the potential to cascade from one organization across to the entire financial services sector. Infrastructure e. Whether data recovery or reconstruction to restart payment and settlement functions can be completed within the time frames defined by the BCM process and applicable industry standards.
Whether continuity arrangements continue to operate until all pending transactions are closed. Whether the significant firm participates in industry e. Tests should incorporate verifying the connectivity from alternate sites and include transaction, settlement, and payment processes, to the extent practical. Determine whether management accomplishes the following: Coordinate the execution of its exercise and test program to fully exercise its business continuity planning process.
Analyze and compare results against stated objectives. Raise issues with appropriate personnel and assign responsibility for resolution. Escalate issues that cannot be resolved in a timely manner to the appropriate level of management. Prioritize and track issues through final resolution. Analyze results and issues to determine whether problems can be traced to a common source. Document recommendations for future exercise and tests. Verify that test results are used to update the business continuity processes, enhance future testing, and evaluate whether risk mitigation strategies should be adjusted.
Objective: Determine whether management continuously measures the progress and assesses the effectiveness of BCM and uses the information to improve the BCM process. Triggers that prompt maintenance and improvement of the BCM may include the following: Changes in enterprise strategies. New or reconfigured products, services, or infrastructure.
Changes in products and services offered by third-party service providers. Deficiencies identified in third-party service provider BCM processes. New legislation, regulatory requirements, or resilience practices.
Results of operational metric analysis e. Early warning indicators that may identify potential continuity events, crises, or incidents e. Variances between budgeted and actual BCM expenses.
Results from exercises and tests and lessons learned. Changes in the threat landscape e. Recommendations e. Determine whether management has documented, analyzed, and reviewed lessons learned from adverse events. Documented procedures for incorporating lessons learned may include: Identifying the failure(s).
Determining the cause(s). Evaluating potential solutions. Implementing corrective actions as appropriate. Recording and reviewing corrective actions taken. Verify that management documents, tracks, and resolves any changes when updating the BCP and the exercise and testing program(s). Furthermore, verify that management maintains appropriate version control of key BCM documents. Determine whether management maintains backup copies of relevant BCM documentation in the event that the primary repository becomes inaccessible.
Objective: Determine whether the board has established expectations for BCM reporting. Determine whether management provides the board with regular strategy updates based on changes in personnel, roles and responsibilities, and business operations. Verify that management documents the reasons e. Assess whether the board provides a credible challenge to management, when appropriate. Objective: Discuss corrective action and communicate findings.
Review preliminary conclusions with the examiner-in-charge regarding the following: Apparent violations of laws and regulations. Significant issues warranting inclusion in the report of examination. Discuss findings with management and obtain proposed corrective action for significant deficiencies.
Document conclusions in a memorandum to the examiner-in-charge that provides report-ready comments for all relevant sections of the report of examination and clarifying guidance to future examiners. Organize work papers to show clear support for significant findings by examination objective.
This template, designed with schools, colleges, and universities in mind, allows you to prioritize operations and responses, identify important phases of recovery, design a restoration plan, and more. Record your business recovery priorities, identify alternate site locations to conduct business, create recovery teams, and assign recovery responsibilities to specific team members with this continuity plan for small businesses.
Ensure that you are able to maintain critical processes and minimize downtime so your business can keep moving forward.
Use this business continuity plan template to keep your SaaS business productive and efficient, despite any unforeseen events or disruptions. Identify risk strategies for specific areas of business, like clinical, finance and operations, and IT, designate specific recovery strategies, and prioritize the most important, mission-critical operations for your medical practice with this complete business continuity plan template. Some businesses, like healthcare organizations, rely on critical processes and procedures to maintain productivity and keep both patients and staff safe.
To ensure these processes are followed — even during a business disruption — use this business continuity plan template to identify all potential risks, create mitigation plans, and assign tasks to key team members. Certain steps can help you prepare to write a business continuity plan. See our article on how to write a business continuity plan to learn more. Every business continuity plan should include certain common elements.
Business continuity experts have gathered time-tested tips for business continuity planning.