Business Continuity Management Assessment - 2015
Assessment columns: Control # | Management Practice Questions | Management Response | Recommendation
1. ORGANIZATION & STRUCTURE
SENIOR MANAGEMENT COMMITMENT
Does the Board of
Directors/Trustees/Audit
Committee annually review
and approve the Business
Continuity Plan?
Does the review include:
Scope of the BCP Program?
Frequency of testing?
Test results?
NO
The Board is responsible to the shareholders and stakeholders for the
ongoing performance of the company and should approve key elements
of the business continuity program. The approval process should include
the scope of the program, the frequency of testing and the test results.
Has senior management
published a policy statement
indicating their commitment to
BCP?
NO
Senior management should approve a policy statement to provide
guidance on how to implement business continuity mandates. Create a
corporate policy that addresses how the company’s business units are
required to address business continuity issues.
Is management evaluated
based on compliance to the
BCP policy statement?
NO
Management should incorporate into its performance metrics a measure of
adherence to the business continuity policies and procedures. Develop a
program under which senior and middle management are evaluated on BCP
policy compliance.
Are the company’s
suppliers/vendors required to
comply with the BCP policy
statement?
NO
Today’s business models incorporate key vendors whose interruption
could cause financial, operational and business impacts in cases where
they represent single points of failure to the business unit or enterprise.
Vendors should be required to comply with the company’s business
continuity policy.
Does senior management
annually approve key elements
of the BCP Program?
the incident management
model;
corporate recovery priorities;
corporate support plan;
business units/processes to be
included; and
business impact analysis
results
NO
Senior management is responsible for the company’s ability to recover
from a business interruption. Management should annually approve the
major components of the BCP. Some components warranting annual
approval include: 1) the incident management model; 2) corporate
recovery priorities; 3) the corporate support plan; 4) business
units/processes to be included in the program; and 5) the results of the
business impact analysis.
Approval can be in written form, or appear in meeting minutes.
Have senior management’s roles
and responsibilities been
identified and documented, and
have the appropriate members
been trained on their particular
role in the incident
management model?
NO
It is important that senior managers and their direct reports know their
roles and responsibilities in a situation that could require the
implementation of the BCP. The impact of business interruptions is
compounded when leadership does not act according to their defined
scope of responsibility. Management should train senior managers
annually on their roles and responsibilities for incident management.
Has senior management
appointed a management
group/person to oversee the
development and
implementation of the business
continuity program?
NO
There is a significant risk that effective plans cannot be developed
without the active support of senior management. Senior management,
preferably the Executive Committee, should designate a
multidisciplinary team responsible for development and implementation
of the business continuity program.
Management should also consider assigning a senior manager, empowered
with corporate responsibility for the business continuity program, to
maintain focus and apply appropriate resources.
Is the senior management
sponsor involved in the BCP
program on at least a periodic
basis?
NO
A senior manager who does not actively participate in the business
continuity program will not be able to provide adequate support for key
recovery related initiatives. Develop an appropriate schedule for
involvement, including specific triggers that mandate senior input
and/or review.
Does management mandate an
annual risk assessment?
NO
The risk assessment will help management identify scenario
exposures/risks (i.e., events that could impact the location of the
business or processing centers). In many areas where exposures exist,
controls may be implemented to mitigate the impact of the threats.
Management may decide to accept certain exposures given the
likelihood and weight of impact of the threat on the business and/or the
cost of implementing additional controls. Management should also
consider new threats and scenarios as the environment changes, so that
appropriate response mechanisms can be put in place.
BCP OBJECTIVES
Are the BCP program
objectives documented?
NO
The Business continuity program objectives help to document and
implement senior management’s mission statement on BCP. BCP
objectives are not the same as recovery priorities. They are the
operational targets, updated periodically, to help make the overall
program successful. Develop significant, measurable, and attainable
program objectives that address the organization’s industry and
current/future regulatory environment.
Are the BCP program
objectives measurable?
NO
Without measurable (metrics, timeframes, etc…) objectives, it is
difficult to determine whether the target environment has been met.
Management should define the business continuity program objectives
and communicate them throughout the organization.
Are the BCP program
objectives integrated with the
company’s strategic business
plan?
NO
Business continuity plans are designed to protect the long-term
enterprise value. Develop a system to incorporate key strategic
objectives into the business continuity program.
Are the BCP program
objectives realistic and
achievable?
NO
Setting objectives for the BCP program requires the balance of realistic
and achievable objectives. Management should determine the resources
required for reaching the BCP objectives and the resources readily
available. Management should identify any potential resource gaps and
report those deficiencies to senior management for either increased
support or a redesign of the BCP objectives.
Are the BCP program
objectives based on the
company’s industry sector?
NO
The business continuity program should address the unique industry
requirements and processes of the organization. Management should
develop BCP objectives that address those industry specifics.
Are the BCP program
objectives based on current
and anticipated regulatory
requirements?
NO
Management should be addressing the regulatory environment of the
organization in its BCP program. When new regulation is proposed or
released, management should review and adjust its BCP program to
meet those changes. Management should develop its business continuity
program objectives to meet or exceed the current regulatory
requirements.
BCP PROGRAM RESOURCES
Is there a BCP program
coordinator?
NO
Document the recovery organization and the associated names with the
various team leader roles and responsibilities. The organization must
identify who is the point person for all BCP issues. Designate a BCP
coordinator who understands the organization and will be supported by
its various stakeholders.
Is the BCP Program
coordinator held accountable
for results of the program?
NO
A business continuity program should be treated like any other major
company initiative. This includes creating objectives and holding the
BCP coordinator accountable to them. Develop a system for evaluating
the program coordinator against the program objectives.
Is the role and responsibility of
the BCP Program Coordinator
documented and understood?
NO
Business continuity interacts with every area of the organization, and it
is possible for the duties of a BCP coordinator to be misaligned or
miscommunicated. Develop a documented role and list of
responsibilities for the BCP coordinator, including how the BCP
coordinator will interface with department/business unit representatives.
The BCP Coordinator’s responsibility is to manage and coordinate the
response to, and recovery from, a crisis. This role will continue through
the restoration until the situation returns to normal. The Coordinator’s
key roles and responsibilities are:
• Select/Activate Emergency Operations Center;
• Direct information gathering;
• Project manage the recovery;
• Ensure delegated tasks are completed; and
• Communicate and coordinate with Business Recovery Teams.
The Coordinator is a project manager and a decision-maker, overseeing
and directing recovery efforts and tasks, focusing on the coordination
and management role. This function involves gathering relevant
information and options from the various teams to enable accurate
decision-making, and to delegate and follow up tasks to ensure things
actually happen.
Is the BCP Program
Coordinator empowered to
make significant decisions
about the BCP program?
NO
The BCP Program coordinator is senior management’s agent for
implementing the business continuity program. Establish clear authority
thresholds that permit appropriate flexibility in BCP program
management.
Is there a designated BCP
representative within each
business unit?
NO
Each business unit should have input into the contents of the BCP in
order to make the plan comprehensive and dynamic. Management
should designate a BCP representative for each business unit to liaison
with the BCP Program coordinator.
Is a process in place to
determine resources (internal,
external, and budget) required
for ongoing BCP program
success?
NO
A BCP program requires a budget and dedicated staffing to ensure that
the objectives can be met within the assigned timeframes. Management
should also consider situations where external resources (vendors,
business partners and consultants) may be needed to meet shortfalls
during peak periods of key program activities.
Additionally, management should identify where additional
organizational headcount could be engaged to make up for staffing
shortfalls during periods of increased manual workarounds (e.g., systems
downtime).
Management should identify the required resources and allocate funding
and staffing as needed to the BCP program.
RECOVERY ORGANIZATION / TEAMS
Is there a formal BCP
organization consisting of
designated personnel and
recovery teams?
NO
Detailed roles and responsibilities for the recovery organization help to
provide a framework for successful plan development and
implementation. In developing and maintaining an effective and
efficient business resumption capability, leadership roles should be
defined. This group has responsibility for overall strategic guidance
during the recovery efforts, including allocating resources.
Management should create a formal BCP organization that includes a
Steering Committee, Damage Assessment Team, Corporate Support Team,
Business Recovery Teams and Technical Recovery Teams. This will
ensure that overall responsibility for evaluating and making
decisions on the deployment of recovery resources rests with senior
corporate managers representing IT, business operations, finance and
such other business functions as the organization may feel are
advisable. Additionally, this would facilitate the establishment of an
Emergency Operations Center (EOC) and identify who is
authorized to declare and rescind a disaster.
Is there a distinct technology
recovery team?
NO
Management should create a Technology Recovery Team.
This team is responsible for providing technical recovery of systems,
platforms, data, networks and applications. This team is responsible for
verifying that applications are functioning properly, ensuring user
connectivity and providing recovery services as defined in their
documented scope, objectives and roles and responsibilities. At a high
level the team will:
(1) Oversee the technical damage assessment;
(2) Determine the system recovery priorities based on the damage
assessment; and
(3) Locate, acquire and restore hardware and software as needed.
Is there a distinct business
process recovery team?
NO
Management should create Business Recovery Teams.
The Business Recovery Teams are responsible for maintaining business
operations while minimizing adverse publicity, client service and
financial impacts. These teams are responsible for communicating with
the BCP Coordinator and initiating recovery tasks as indicated in their
documented plans.
These teams consist of members of each of the business units who will
be responsible for the recovery of the key business processes and, if and
when an incident occurs which requires evacuation of the facility and
relocation to a recovery facility, the invocation of their call trees. Each
team has a primary and alternate (in cases where the primary person is
unavailable) team leader to lead recovery efforts for that specific team.
Is there a distinct corporate
support team?
NO
Management should create a corporate support team to provide
administrative, financial and other such services as may be required by
the recovery (business and/or technical) teams. This team could
include:
Logistics, Facilities & Maintenance, Public Relations, Real Estate, Vital
Records, Crisis Management Desk, Finance, Human Resources,
Insurance, IT and Legal.
Is there a distinct damage
assessment team?
NO
Management should designate a Damage Assessment Team. This could
include representatives from Finance, Insurance and Human Resources,
Logistics and Facilities, Legal, Public Relations, the Information
Technology Support team, and the affected business units. The team
will arrange for the salvage or repair of resources where possible. If
significant damage occurs, this team will decide whether to repair the
existing facility or prepare a new one.
Are the roles and
responsibilities of the various
recovery teams clearly
defined?
NO
The roles and responsibilities for the various recovery teams should be
clearly defined and documented. The individual teams need to focus on
their specific role and responsibilities to ensure that an efficient
recovery is implemented.
Are the relationships between
the various recovery teams and
their joint accountabilities
clearly defined?
NO
The relationships and effective communication between the various
recovery teams are integral to a successful recovery effort. It is
important for each team to understand the overall recovery strategy and
appreciate what other teams are doing. The BCP Coordinator is
responsible for acting as the hub for this communication,
communicating information on a regular basis to prevent a silo approach
to the recovery.
DOCUMENTATION PROTOCOL
Is there a central repository for
BCP related documentation?
NO
A central repository allows for document control, security and
maintenance. Management should create a secured database, directory
tree, intranet site or software repository for BCP documentation.
Have all BCP plan components
been identified and integrated
to ensure a successful
implementation?
NO
BCP plans include many components (evacuation plans, business
relocation plans, technology plans, manual workarounds, data
restoration plans, etc…) that need to be leveraged to create an effective
enterprise wide plan. Management should ensure that all plan
components have been identified and leveraged to ensure a non-siloed
and complete recovery effort.
Are plan component
documents consistent when
referencing common
procedures?
NO
A consistent approach to referencing procedures or defining
nomenclature ensures a level ground for developing and implementing
recovery plans. Management should develop a consistent nomenclature
and reference procedure.
ESCALATION & EXECUTION
Are there clearly defined
thresholds to guide the
escalation sequence and trigger
recovery activities?
NO
Disaster declaration, evacuation, damage assessment, emergency
response, and off-site storage and retrieval procedures must be
documented in the plan; all procedures must provide sufficient detail to
be carried out and tested. Business units must identify specific
prioritized activities for the recovery of all critical business functions.
Are formal documented
procedures in place to guide
the escalation and
implementation of the
organization’s recovery
strategies?
NO
When a crisis situation arises, the designated point person for that type
of situation (e.g., for systems issues, the IT Manager) must be
informed immediately. That person then takes steps to evaluate the
situation, with the assistance of other team members where necessary.
Based on the disaster criteria, the steering committee or crisis
management team either declares a disaster or arranges for the
correction of the problem and resumption of normal processing. It is
essential that proper call chain procedures are documented and
followed. Effective communications play a vital role in the recovery
effort.
When a disaster affects a facility, all personnel at the
facility should be evacuated and directed to the
predetermined assembly location. One or more people (e.g., fire
wardens) should be made responsible for taking a head count to ensure
all staff have been evacuated. Plans should note any personnel with
specific emergency skills such as CPR, fire fighting and medical
emergency skills. These people should also have specific
responsibilities in an evacuation so their skills can be used to the best
advantage. Other people may be assigned responsibilities to complete
backups of work in process in a non-life-threatening situation or in a
case where advance warning of an impending disaster is received.
Document all assembly and evacuation procedures and assembly
locations in the plan. All business units should be familiar with
emergency response procedures at their site.
Are the recovery strategies
coordinated and integrated
across all departments,
business units, divisions, etc.?
NO
A business continuity plan recovers business processes. The
identification of cross business unit processes, intra and inter office
dependencies (the supply chain) is essential to a successful recovery.
Management should ensure that all recovery strategies leverage the
business process recovery strategies to ensure that the recovery plan
objectives are met.
Do the response programs
include physical and logical
security requirements?
NO
Awareness of the physical and logical security threats to the organization,
and tying them to the BCP program, is critical to the incident
management model. Management should ensure that the physical security
and information security areas of the organization are tied into the BCP
process.
Are administrative personnel
and associated resources
identified and documented in
the plan to ensure that the
recovery strategies are
properly supported?
NO
Administrative resources are required to facilitate recovery needs for
such activities as supplies fulfillment and documentation of actions
taken (minutes). Management should document the roles and
responsibilities of administrative support for the recovery efforts.
BCP PROGRAM AWARENESS
Is there a formally documented
training and awareness
schedule and format for all
applicable employees?
NO
Procedures must be established for informing and keeping staff current
on business continuation planning and individual responsibilities. Plan
content and implementation must be fully understood by all staff.
Procedures should be developed for training all personnel in emergency
response and notification procedures. Training in evacuation and the use
of disaster prevention measures should be conducted. This should
include notifying the proper emergency services and the Business
Continuation Officer or alternate contacts and moving to the assembly
location. Recovery team members should also be trained in the timing
and technical aspects of their recovery tasks where necessary.
Information should be presented to the recovery team leaders and
alternates explaining the interaction of team activities and their
relationship to the recovery of all critical business functions. The
interdependence of teams should be emphasized to create unity between
the teams and to ensure a smooth recovery.
For their own safety, all employees should be aware of the appropriate
response in a life threatening emergency situation. Personnel need to
understand the interaction between recovery teams and how their
specific responsibilities and tasks fit into the overall BCP. For members
of recovery teams, the majority of their training will be provided during
plan testing. The members of critical department teams should be
prepared to complete their normal duties in other surroundings and with
minimum required resources.
Is BCP addressed when
conducting training for related
disciplines (disaster recovery,
risk management, security,
etc.)?
NO
All employees should be trained in how their particular discipline is
interrelated with BCP. Where feasible, management should incorporate
BCP into existing training programs (e.g., information security training
programs should include how escalation of a security related event
might lead to a BCP invocation).
Do company publications
include information and
updates on the BCP program?
NO
Management should consider creating an internal publication, website,
or other periodic publication to foster BCP awareness in the
organization.
Do all employees understand
the BCP program and how
they can contribute or get
involved?
NO
Documented procedures must be established for informing and keeping
staff current on business continuation planning and their individual
responsibilities. Plan content and implementation must be fully
understood by all staff. All staff should be able to know how to get in
contact with their local business unit BCP representative, and the BCP
coordinator.
Does the company share
information concerning their
BCP with outside interests
(customers, suppliers,
regulatory agencies, insurance
companies, etc.)?
NO
Management should have all requests for information on their state of
readiness directed to one central liaison. Management should have
created and approved a single policy statement regarding the
organization’s state of readiness, and where appropriate, test with key
external organizations as needed.
2. BUSINESS IMPACT ANALYSIS
PROCESS MAPPING
Is there a formal procedure to
identify time critical business
and operational processes
(process mapping) within the
company?
NO
Management should document how the organization will identify and
document critical business processes and supporting resources. The
process should include the roll-out of a Business Impact Analysis to
identify each business unit’s recovery time objectives (RTOs), critical
resource requirements and processing interdependencies.
The identified resources, and the time that these resources must be made
available, define the parameters for the Business Continuity Plan (BCP),
and ultimately drive the recovery priorities and the strategy for each
business unit.
Does the process mapping
exercise involve all appropriate
stakeholders (internal and
external)?
NO
Business units must address workflow interdependencies between their
own function’s processes and other business units and/or external
sources.
Internal and external business process interdependencies should be
defined and documented for all critical business processes to ensure the
entire process is both identified and can be recovered.
Business units relying on third party vendors for critical products or
services should verify that the vendor has business continuation plans in
place that meet the unit’s service expectations and requirements. The
third party should have a documented and tested plan addressing the
recovery and resumption of operations in the event of a business
disruption. The plan should be available for review by the business unit
and Internal Audit, and these units should be allowed to participate in
testing if they so request.
Is the process mapping
exercise and any
corresponding assessment
applied consistently across all
departments, business units,
divisions, etc.?
NO
For each critical business function that a business unit has identified, the
business unit should identify critical inputs associated with that
function’s processes. Inputs to a critical business process are sources of
information or services received from internal business units as well as
external Company Name business partners/stakeholders, which are
necessary to perform key tasks (Inputs come in a variety of formats and
include but are not limited to: paper, magnetic media, microfiche,
electronic, reports, telephone calls, transmission feeds, mail, and faxes).
Business units must identify not only the apparent applications and
processes that are necessary for the successful performance of unit
functions, but also the upstream/downstream processes that affect their
process. Planners may find it necessary to speak with process owners or
other operational support staff/vendors for assistance in identifying
these downstream applications.
Outputs of a process should also be identified. Although a process’s
outputs may not be critical for the business unit producing them, these
outputs may be critical inputs to another process or function and should,
therefore, be identified.
BUSINESS IMPACT ANALYSIS PROCESS
Has a Business Impact
Analysis been completed?
NO
The purpose of a BIA is to identify the Recovery Time Objectives
(“RTO”) (the maximum tolerable time to recover critical business
functions and the existing resources supporting each function). The BIA
also includes the resource requirements to meet the RTO so that recovery
needs can be readily identified and fulfilled. These may include: staff;
desktops and stand-alone PCs; telephones and fax machines; office
equipment and supplies; stationery and forms; applications and
hardware platforms; internal networks; external connectivity; vital
records; and dependencies (internal business functions and external
business partners).
Management should gather, through interviews and documentation,
estimates of the tangible and intangible costs associated with a
business disruption (quantitative or qualitative assessments based on
knowledge of the business), including: loss of customer goodwill; loss
of market share; loss of information used to make strategic and
operational decisions; missed business opportunities; reduced cash
flow control; and other operational impacts. Management should also
identify the IT recovery timeframe for each of the critical
applications/software packages identified by the business function.
The work area and IT recovery strategy will be driven by the
requirements gathered in the BIA and by the gap between those
requirements and the time and resources available from IT and Facilities.
Use the BIA information to drive RFPs to vendors for recovery
contracts.
Is a BIA completed annually?
NO
The BIA is used to facilitate the identification of various impacts and
exposures that would result from a significant business disruption. The
process of considering financial, customer service, legal and regulatory,
and operational impacts will enable the organization to assign a more
accurate recovery time objective that is based on the importance of its
business functions to the organization and to justify potential
contingency related expenditures.
Impacts should be documented consistent with the approach that a
disruption occurred at the worst possible time (worst-case scenario).
The unit should consider peak operating times, workflow fluctuations,
and frequency of key reports (end of week, month, quarter). Any
methodologies used to arrive at quantitative impacts must be included to
support those amounts (For example, if a business unit claims that a one
day disruption would result in a financial impact of $50,000, the
business unit must provide the detail used to arrive at those amounts,
i.e., the number and type of transactions multiplied by the dollar amount
per transaction).
Management should ensure that all business units perform a business
impact analysis (BIA) to evaluate the financial and non-financial
impacts of a worst-case disaster scenario on each particular function.
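The process-mapping and BIA sections above describe two checks that are easy to get wrong on paper: an upstream process (or vendor) must be recoverable before every process that consumes its output, and quantitative impacts must be stated as driver times rate at the worst possible time, then translated into a Low/Medium/High tier that the unit can justify. The following is an added worked example, not part of the assessment document or of any company's BIA; the process names, RTOs, hourly loss rates, peak multiplier and tier thresholds are all constructed for a hypothetical company.

```python
# Added illustration for the process-mapping and BIA sections; not part of the
# assessment document. All process names, RTOs, loss rates, the peak multiplier
# and the tier thresholds are constructed for a hypothetical company.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Process:
    name: str
    unit: str                  # owning business unit, or "Vendor" for an external input
    rto_hours: int             # RTO stated by the unit in its BIA
    loss_per_hour: float       # quantitative driver, e.g. transactions/hour x $ per transaction
    inputs: List[str] = field(default_factory=list)  # upstream processes whose output this one consumes
    driver: str = ""           # what loss_per_hour measures, recorded for justification


def sample_processes() -> List[Process]:
    """Constructed sample inventory (assumption: five processes, one vendor dependency)."""
    return [
        Process("order-entry", "Sales", 4, 2500.0, ["crm-db", "payment-gateway"],
                "500 orders/hour x $5 margin"),
        Process("crm-db", "IT", 24, 0.0, [], "no direct revenue; supports order-entry"),
        Process("payment-gateway", "Vendor", 8, 0.0, [], "external card processor"),
        Process("month-end-close", "Finance", 72, 200.0, ["crm-db", "general-ledger"],
                "staff idle time"),
        Process("general-ledger", "IT", 48, 0.0, [], "supports month-end-close"),
    ]


def unmapped_inputs(processes: List[Process]) -> List[Tuple[str, str]]:
    """Inputs a process relies on that nobody has mapped; each one is a BIA gap."""
    known = {p.name for p in processes}
    return [(p.name, i) for p in processes for i in p.inputs if i not in known]


def effective_rtos(processes: List[Process]) -> Dict[str, int]:
    """Propagate RTOs upstream: a supplier must be back before every consumer of its output.

    effective RTO(p) = min(stated RTO(p), effective RTO of each downstream consumer).
    Iterates to a fixpoint; it terminates because values only ever decrease within a
    finite set, so cycles in the dependency map are handled without special casing.
    """
    missing = unmapped_inputs(processes)
    if missing:
        raise ValueError(f"unmapped inputs: {missing}")
    eff = {p.name: p.rto_hours for p in processes}
    changed = True
    while changed:
        changed = False
        for p in processes:
            for upstream in p.inputs:
                if eff[upstream] > eff[p.name]:
                    eff[upstream] = eff[p.name]
                    changed = True
    return eff


def rto_gaps(processes: List[Process]) -> Dict[str, Tuple[int, int]]:
    """Processes whose stated RTO is looser than what their consumers need: (stated, required)."""
    eff = effective_rtos(processes)
    return {p.name: (p.rto_hours, eff[p.name]) for p in processes if eff[p.name] < p.rto_hours}


def worst_case_loss(p: Process, outage_hours: float, peak_multiplier: float = 1.0) -> float:
    """Quantified impact of an outage assumed to land at the worst possible time.

    peak_multiplier scales the normal hourly driver up to peak load (e.g. month end);
    it is an assumption the unit must justify from its own performance drivers.
    """
    return p.loss_per_hour * peak_multiplier * outage_hours


def impact_tier(loss: float, thresholds: Tuple[float, float] = (10_000.0, 100_000.0)) -> str:
    """Translate a dollar loss into Low/Medium/High. Thresholds are constructed for this example."""
    low_max, medium_max = thresholds
    if loss < low_max:
        return "Low"
    if loss < medium_max:
        return "Medium"
    return "High"


def recovery_priorities(processes: List[Process], outage_hours: float = 24.0,
                        peak_multiplier: float = 1.0) -> List[Tuple[str, int, float, str]]:
    """Rank processes by effective RTO (tightest first), then by worst-case loss (largest first)."""
    eff = effective_rtos(processes)
    rows = []
    for p in processes:
        loss = worst_case_loss(p, outage_hours, peak_multiplier)
        rows.append((p.name, eff[p.name], loss, impact_tier(loss)))
    return sorted(rows, key=lambda r: (r[1], -r[2]))


if __name__ == "__main__":
    procs = sample_processes()
    for name, (stated, required) in rto_gaps(procs).items():
        print(f"RTO gap: {name} states {stated}h but its consumers need {required}h")
    for name, rto, loss, tier in recovery_priorities(procs, peak_multiplier=1.5):
        print(f"{rto:>3}h  {name:<16} ${loss:>9,.0f}  {tier}")
```

Run on the constructed data, the propagation flags that the CRM database (stated 24h) and the vendor payment gateway (stated 8h) both inherit the 4h RTO of order entry, which is exactly the class of finding the vendor-compliance and interdependency questions above are meant to surface; the priority list then orders recovery by the inherited RTO rather than by each unit's own view of itself.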
Did the BIA document more
than IT applications?
NO
An effective BIA will identify not only the RTOs, but additionally all
the resources required by the business unit to perform its critical
activities. Those resources should include but are not limited to:
• Personnel, including the functions that each employee completes;
• Computer hardware and peripherals;
• Software, both application and systems;
• Networks and communications;
• Voice communications;
• Office space;
• Office and other equipment, including supplies related to that
equipment;
• Supplies, business forms, and manuals; and
• Vital records necessary to continue critical business operations after
a disaster.
Are the impact metrics
associated with the BIA
determined by senior
management?
NO
Management should review and approve all recovery plans. The
Business Continuity Officer and the appropriate Business Unit
Management, Operations & Systems Management and Risk
Officers should also validate the critical business functions and their
related recovery time objectives. The review process should consider
all documented impact metrics used to define the necessity to resume
business in a timely manner in the event of a disaster.
Did the BIA consider multiple
business impact metrics other
than financial metrics
(intangible costs associated
with business disruption
(qualitative assessments) based
on the knowledge of the
business)?
NO
Management should consider business impacts such as:
Financial Impacts include the loss of revenue resulting from termination
or delays in processing products or providing services, delays in
collecting or investing cash receipts that result in a loss of income or
increases in borrowings, loss of market share resulting from termination
or delays in producing products or providing services, and increases in
expenditures to recover Critical Business Functions.
Customer Service Impacts include termination or reduction of meeting
the requirements or expectations of our customers (including the effect
on Company Name’s public and industry image), for information about
or support of products and services provided by the organizational unit.
The level of impact (Low, Medium, High) may be associated with drivers
Business Continuity Management Assessment - 2015
19
Control #
Management Practice
Questions
Management
Response
Recommendation
that are specific to business unit operations; in the case of a call center, a
low impact may relate to the inability to service 100 calls per hour
versus a high impact of 1,000 calls per hour. The business unit’s degree
of impact must be justified using business unit performance drivers. In
other words, after specifying the qualitative impact (i.e., “inability to
service customer calls”), define the quantitative impact in terms of
specific drivers (i.e., customer calls/hour) that can be translated into a
low, medium, or high impact to the organization. Business units must
also consider the consequences of not meeting the objectives outlined in
any existing service level agreements.
Legal & Regulatory Compliance Impacts include the potential for
breaches of contract or failure to meet regulatory requirements
(including the inability to maintain records in conformity with generally
accepted accounting principles, and tax requirements or the inability to
comply with court orders or applicable settlement or litigation
agreements). It also means to (1) Explain the expected timing and
exposure to increased legal liabilities; (2) Explain the range of potential
damages, fines, and/or penalties; and (3) Identify and paraphrase the
specific regulation being violated, how it applies, and the potential
sanctions if compliance requirements are not met.
Operational Impacts include the inability to meet customer, business
unit, and work group performance expectations, the cost of write-offs
caused by processing delays, the cost of backlogs created and resource
requirements needed to address those backlogs, and the potential cost
associated with recovering records damaged or destroyed as well as
other operational costs to restore operating performance to minimum
acceptable standards.
Question: Are roles and responsibilities associated with the BIA process clearly documented and understood?
Response: NO
Recommendation: A uniform approach to the rollout of a BIA tool for information gathering ensures a level playing field for evaluating recovery priorities across an organization. Management should develop a consistent methodology and approach for the BIA process. Develop policies and procedures for the BIA process. Designated staff should be responsible for implementing and summarizing the results of the BIA.

Question: Is the BIA process consistently applied across all departments, business units, divisions, etc.?
Response: NO
Recommendation: A uniform approach to the rollout of a BIA tool for information gathering ensures a level playing field for evaluating recovery priorities across an organization. Management should develop a consistent methodology and approach for the BIA process. Designated staff should be responsible for implementing and summarizing the results of the BIA.

Question: Does the BIA process provide the basis for the company’s business interruption insurance program?
Response: NO
Recommendation: Impacts associated with the BIA process provide a basis for providing adequate insurance. The organization should quantify the loss due to an outage where feasible in order to justify loss potential and coverage requirements.
RECOVERY TIME OBJECTIVES

Question: Has senior management established corporate RTOs?
Response: NO
Recommendation: Management should set corporate objectives for recovery based on regulatory and market drivers that dictate recovery times. Recovery time objectives (RTOs) should be assigned to critical business processes, and should be validated by senior management to ensure accuracy and uniformity.

Question: Are the corporate RTOs aligned with the BCP objectives?
Response: NO
Recommendation: Business units need to be able to map their objectives for recovery to the organizational objectives. Management should define the overall corporate objectives for recovery, and the individual business processes should map their RTOs to the corporate objectives, where applicable, to ensure that there is a common ground/goal for allocating recovery resources and setting priorities.

Question: Have all organizational process stakeholders established RTOs for their individual processes?
Response: NO
Recommendation: Without priorities based on critical impact, recovery plans may not adequately address recovery needs and appropriate priorities, and ultimately may fail to limit financial loss. All business units should identify their RTOs based on criticality and resource requirements.

Question: Are the individual business/operational process RTOs aligned with the corporate RTOs?
Response: NO
Recommendation: Business units need to be able to map their objectives for recovery to the organizational objectives. Management should define the overall corporate objectives for recovery. The individual business processes should map their RTOs to the corporate objectives, where applicable, to ensure that there is a common ground/goal for allocating recovery resources.

Question: Are all RTOs achievable based on internal and external conditions?
Response: NO
Recommendation: Management should create a gap analysis to compare the RTOs of the business units to the actual recovery abilities of the organization. Management should ensure that where the business process RTO exceeds the actual recovery time, manual workarounds exist to fill the gap, or consider allocating resources to developing a shorter recovery time capability. Where the RTO is less than the actual recovery ability of the organization, consider strategically re-allocating recovery resources.
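The RTO alignment and gap analysis recommended in this section can be scripted from the BIA inventory. The following Python script is an added example, not part of the assessment document; the corporate tiers, process names, RTOs, tested recovery times and the threshold for "over-provisioned" are all constructed assumptions. It flags a business-unit RTO that is longer than the corporate tier objective (misalignment), a tested recovery time that is longer than the RTO (a shortfall, which the script treats as the gap a manual workaround or added investment must cover), an untested process, and a capability so much faster than its RTO that recovery resources could be re-allocated.

```python
"""RTO gap analysis: an added example, not part of the assessment document.

It compares each business process's own RTO with (a) the corporate RTO tier
management assigned to it and (b) the recovery time actually demonstrated in
testing. All tiers, processes and hours below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed corporate recovery tiers: tier name -> maximum hours to recover.
CORPORATE_RTO_HOURS = {"tier1": 4, "tier2": 24, "tier3": 72}

# A recovery capability this many times faster than the RTO is treated as a
# candidate for re-allocating recovery resources (assumed threshold).
SLACK_FACTOR = 3.0


@dataclass
class ProcessRecord:
    name: str
    corporate_tier: str                     # tier assigned by senior management
    process_rto_hours: float                # RTO set by the business unit
    tested_recovery_hours: Optional[float]  # demonstrated in a test; None if untested
    manual_workaround: bool                 # documented interim/manual procedure exists


def analyze(rec: ProcessRecord, corporate=CORPORATE_RTO_HOURS,
            slack_factor: float = SLACK_FACTOR) -> list:
    """Return the list of findings for one process (empty when aligned)."""
    findings = []
    corp_rto = corporate[rec.corporate_tier]

    # Alignment of the business-unit RTO with the corporate objective.
    if rec.process_rto_hours > corp_rto:
        findings.append(
            f"misaligned: process RTO {rec.process_rto_hours:g}h exceeds the "
            f"corporate {rec.corporate_tier} objective of {corp_rto}h")

    # Without a test result the RTO cannot be judged achievable.
    if rec.tested_recovery_hours is None:
        findings.append("untested: no demonstrated recovery time; schedule a test")
        return findings

    shortfall = rec.tested_recovery_hours - rec.process_rto_hours
    if shortfall > 0:
        if rec.manual_workaround:
            findings.append(
                f"gap: {shortfall:g}h shortfall covered by a manual workaround; "
                f"confirm the workaround spans the whole gap")
        else:
            findings.append(
                f"gap: {shortfall:g}h shortfall with no manual workaround; "
                f"document one or fund a shorter recovery capability")
    elif rec.tested_recovery_hours * slack_factor < rec.process_rto_hours:
        findings.append(
            f"reallocate: recovery takes {rec.tested_recovery_hours:g}h against a "
            f"{rec.process_rto_hours:g}h RTO; consider re-allocating resources")
    return findings


def status(findings: list) -> str:
    """Collapse a process's findings into one status, most urgent first."""
    for prefix in ("gap", "untested", "misaligned", "reallocate"):
        if any(f.startswith(prefix) for f in findings):
            return prefix
    return "aligned"


def report(records) -> dict:
    """Map each process name to its status; use analyze() for the detail."""
    return {rec.name: status(analyze(rec)) for rec in records}


# Constructed sample inventory (not real processes or measurements).
SAMPLE = [
    ProcessRecord("payments", "tier1", 4, 2, False),
    ProcessRecord("payroll", "tier2", 48, 60, True),
    ProcessRecord("reporting", "tier3", 72, 8, False),
    ProcessRecord("claims", "tier1", 4, 10, False),
    ProcessRecord("hr_portal", "tier2", 24, None, False),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(f"{rec.name:10} {status(analyze(rec)):10} {analyze(rec)}")
```

The status order (gap, untested, misaligned, reallocate) is a design choice: a process that cannot meet its own RTO is reported before one whose RTO merely disagrees with the corporate tier, so the report can be read top-down as a priority list for allocating recovery resources.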
RESOURCE REQUIREMENTS

Question: Did the BIA include an assessment of minimum resources required to recover operations within the specified recovery time objective (RTO)?
Response: NO
Recommendation: Minimum recovery resources such as critical personnel, IT resources, platforms, hardware, software, workspace requirements, telecommunications, and supplies must be identified by critical business process and within required recovery time frames.

Question: Have minimum personnel been documented for each phase of recovery?
Response: NO
Recommendation: In a phased recovery approach, staff are scheduled to arrive at different times based on RTO. Not all staff for every function are needed immediately. Business units should consider their staffing requirements based on the time that their facility may be inaccessible and they are working from an alternate site.

Question: Have minimum office/administrative equipment (e.g. photocopier, fax, etc.) requirements been documented for each phase of recovery?
Response: NO
Recommendation: An effective BIA will identify not only the RTOs, but additionally all the resources required by the business unit to perform its critical activities. Those resources should include but are not limited to:
• Personnel, including the functions that each employee completes;
• Computer hardware and peripherals;
• Software, both application and systems;
• Networks and communications;
• Voice communications;
• Office space;
• Office and other equipment, including supplies related to that equipment;
• Supplies, business forms, and manuals; and
• Vital records necessary to run critical business operations.
Identifying the respective resource requirements will not automatically result in those resources being made available in a contingency situation, even if those resources have been communicated to the appropriate infrastructure providers. Management must do that.

Question: Have minimum information technology resources been determined for each phase of recovery?
Response: NO
Recommendation: The resource needs of a business unit change over time and should be considered when planning for a recovery. The BIA should identify:
• Application name;
• Description;
• Application version/release;
• Date of last update;
• Hardware and peripheral device requirements;
• Communications requirements;
• Systems software requirements;
• Databases required;
• Libraries required; and
• Any special forms and supplies used.
This should be done for a phased recovery, where immediate, intermediate and long-term needs are identified.
Question: Does an accurate inventory of IT applications and their requisite hardware/network exist?
Response: NO
Recommendation: Recovery needs and requisite back-up procedures cannot be fully understood and implemented without having a complete picture of the IT environment. Management should identify all the resources required and maintained by the business unit to perform its critical processing activities. Those resources should include but are not limited to: applications, platforms, data, hardware, and shared drives.

Question: Have minimum facility/floor space requirements been determined for each phase of recovery?
Response: NO
Recommendation: The business continuation plan must identify all computing, workspace and other resources required to support the unit’s critical business functions based on a phased recovery over time. A business unit’s resources change based on the length of the outage and its RTO, so appropriate resources need to be staged for delivery.

Question: Has minimum specialty equipment been determined for each phase of recovery for each business unit?
Response: NO
Recommendation: Management should identify and document, by critical business function, office, workspace, and special equipment requirements for operations under recovery conditions. Record:
• Number of standard workspaces required;
• Number and type of telephone lines (e.g., dedicated lines);
• Collating equipment;
• Copiers and paper;
• Phone recording devices;
• Date stamps;
• Mailroom equipment (scales, tape guns, meters, etc.);
• Security requirements, including security over files, plans, financial records and other records (i.e., vaults, locking file cabinets, etc.);
• Special storage requirements, including cabinet requirements for filing reference books, storage or other needs;
• Stationery;
• Forms, noting any specific requirements (e.g., pre-numbering); and
• Suppliers, including contact names and emergency telephone numbers.
This should be done for a phased recovery, where immediate, intermediate and long-term needs are identified.
Question: Have required vital records been documented for each phase of recovery for each business unit?
Response: NO
Recommendation: Vital records must be identified, protected from destruction, and copies stored off-site where appropriate. Procedures should be developed to ensure that the off-site records remain current. The location of off-site storage should be such that it is unlikely that a single event would destroy both the original and stored records. This standard does not replace or alter other record management policies for other vital and important records.

In the context of business continuation, vital records are those records necessary to continue business operations after a disaster. Although certain records may be required as a matter of policy or to comply with federal or state laws or regulations, these records may not be essential to the recovery of critical business functions and will, therefore, not be considered vital for BC purposes. A vital record may be in the form of paper, microfilm, electronic file, microfiche, videotape, optical disk, or other unique forms. They may include things such as customer data, loan documents, debtor information, creditor information, contracts, and payroll records. Vital records should be identified by business function to help ensure that no vital records are omitted. A brief description of the vital record, the location of originals and backups, and the media type on which the vital record is held must be provided. For each type of vital record, determine any other requirements including security, environmental requirements, software required to manipulate data, and any other requirements.

Management should identify and document, by critical business function, vital records required for operations under recovery conditions. Record:
• Brief description;
• Media on which the vital record is held;
• Equipment required to make use of the vital record, e.g., microfiche reader;
• Usual location of the vital record;
• Off-site storage location for copies of vital records (include contact information);
• Frequency of backups;
• Whether backups are incremental or full;
• Whether the vital record is to be held by statutory regulation; and
• Any other requirements.
Question: Is there a process in place to address and/or satisfy quality control or certification issues associated with the required resources?
Response: NO
Recommendation: Management should identify where recovery resources may not comply with quality control standards (e.g., ISO 9000, ISO 17799) and develop procedures to ensure quality control measures meet organizational guidelines, and where this cannot be accomplished, seek alternate recovery resources.

Question: Where applicable, are multiple sources for recovery resources documented and certified?
Response: NO
Recommendation: Management should identify where recovery resources may not comply with quality control standards (e.g., ISO 9000, ISO 17799) and develop procedures to ensure quality control measures meet organizational guidelines, and where this cannot be accomplished, seek alternate recovery resources.

Question: Do the company’s resource requirements at time of disaster serve as the foundation for the extra expense insurance program?
Response: NO
Recommendation: A business impact analysis should be used as the foundation for an estimate of recovery resources (fulfillment). Management should leverage this information in its loss estimates for insurance coverage.
3. STRATEGY SELECTION

BUSINESS PROCESS RECOVERY

Question: Is a business recovery strategy selected for each business process?
Response: NO
Recommendation: Management should identify and document alternate facilities for the recovery of critical business systems (e.g., hardware, applications, and telecommunications).

Question: Is the strategy based on a recent (within 12 months) business impact analysis?
Response: NO
Recommendation: Management should re-perform a BIA to ensure that the recovery strategy meets current recovery needs.

Question: Have at least two strategies been evaluated for cost and benefit for each business process?
Response: NO
Recommendation: Every organizational unit must be prepared to relocate critical business functions to an alternate site and resume operations. Efforts should be focused on selecting an internal, cost-effective recovery solution. In the event that external vendor solutions need to be considered, the business unit must prepare and submit a cost-benefit analysis to their business unit management and senior management. Alternate site agreements, whether internal or external, must be included in the plan document.

Question: Did the selection process include consideration of internal recovery strategies?
Response: NO
Recommendation: Where feasible, an internal solution for recovery should be examined. The ability to leverage existing real estate greatly reduces the cost of recovery in some situations. Management should review their ability to recover internally. It may be possible to distribute the workload of one site across other sites in the event of a disaster. Work with the appropriate infrastructure providers to identify if the organization has any such sites and whether these sites are suitable based on the following considerations:
1. System compatibility (voice, data, access, etc.);
2. Sufficient capacity to handle the additional processing;
3. Availability of staff to handle the increased processing load or whether staff can be temporarily transferred to the alternate site; and
4. The ability for critical business functions to be distributed among multiple sites or whether they must be performed at a single site.

Question: Does the strategy include minimum personnel as has been determined for each phase of recovery?
Response: NO
Recommendation: Redundant headcount, the ability to relocate in the time required, and the ability to obtain local resources may inhibit recovery needs. Management should ensure that the strategy chosen can meet the minimum resources required.

Question: Does the strategy include minimum information technology resources as has been determined for each phase of recovery?
Response: NO
Recommendation: Information technology cannot always be made available at an alternate site due to timing, expense, and feasibility. Management should ensure that the strategy chosen has the requisite recovery resources.

Question: Does the strategy include minimum facility/floor space requirements as has been determined for each phase of recovery?
Response: NO
Recommendation: The BIA will drive the work space requirements of the organization. Management should ensure that the strategy chosen has the requisite recovery resources.

Question: Does the strategy include minimum specialty equipment as has been determined for each phase of recovery?
Response: NO
Recommendation: Specialty equipment cannot always be made available at an alternate site due to timing, expense, and feasibility. Management should ensure that the strategy chosen has the requisite recovery resources.

Question: Did the strategy selection process include issues involving existing suppliers?
Response: NO
Recommendation: Management should identify where the supply chain could affect the recovery efforts.
4. PLAN DOCUMENTATION

PLAN FORMAT

Question: Is the BCP in a logical format that allows all necessary users to access and utilize the plan?
Response: NO
Recommendation: The organization should identify the plan scope and objectives during the project initiation phase. The scope of the plan should be explicit; specify the function(s), department(s), unit, business group, and locations that the plan is directed at protecting.

At a minimum, the objectives of a business continuation plan should be:
• To establish guidelines and standards to protect associates;
• To increase awareness and expose associates to emergency operations responsibilities;
• To ensure the continuation of business operations;
• To provide Company Name organizational units and subsidiaries with a tested vehicle which, when executed, will permit an efficient, timely resumption of the interrupted business operations;
• To establish alternative means of business operation (including interim and manual processing strategies) to minimize the impacts of a disruption to the Enterprise;
• To provide for the timely and orderly restoration of business functions;
• To protect corporate assets through reasonable and cost effective measures (data, information, fixed assets, cash flow, etc.);
• To fulfill all critical legal and regulatory obligations and commitments;
• To mitigate deterioration in client and investor services and relations;
• To protect long-term market share; and
• To minimize the impact to Company Name’s public and industry image.
In addition, plans must disclose any limitations of the plan, including limitations due to scope or assumptions.

Question: Is the BCP format consistent with the organization’s documentation procedures?
Response: NO
Recommendation: Business continuation plans should be completed utilizing enterprise approved and licensed software tools; it is strongly recommended that business units use Enterprise BC planning tools where applicable. In addition, Business Continuation Plans should incorporate the following formatting conventions:
• Detailed table of contents
• Version control representing “last update”
• Plan version number
• Page numbers
• Section tabs

Question: Are the definitions and terms utilized in the BCP consistent across all departments, business units, divisions, etc.?
Response: NO
Recommendation: The nomenclature that is utilized in the plan should be universal across the organization to avoid confusion. Management should develop a common glossary or list of acronyms that can be used to facilitate this process.
PLAN ACCESS

Question: Is the most recent copy of the BCP located off-site?
Response: NO
Recommendation: Management should ensure that a copy of the BCP is stored off-site, and can be accessed for reference purposes. Where feasible, the copy should be stored at the alternate recovery site.

Question: Is the off-site storage location for the BCP exposed to the same perils as the plan site (e.g. flood, earthquake, tornado, etc.)?
Response: NO
Recommendation: Management should ensure that a copy of the BCP is stored off-site, and can be accessed for reference purposes. The copy should be stored in a facility that is not exposed to the same risk that the original is exposed to. A complete copy of the plan (hard copy and electronic) should be located off-site (i.e., at home or at a storage facility) to guarantee its availability for use during an emergency.

Question: Is the BCP accessible electronically?
Response: NO
Recommendation: Management should consider burning a copy of the plan on a CD or other form of media that can allow for back-up without risk of deletion (CDR: no re-write allowed). A complete copy of the plan (hard copy and electronic) should be located off-site (i.e., at home or at a storage facility) to guarantee its availability for use during an emergency.

Question: Is the BCP accessible by all necessary recovery stakeholders?
Response: NO
Recommendation: The BCP contains sensitive organizational information. Management should identify the appropriate stakeholders and control access to the BCP.

Question: Is the appropriate level of information available and accessible to the various recovery stakeholders?
Response: NO
Recommendation: Management should identify the appropriate stakeholders and control access to the BCP. The information in a business continuity plan is highly sensitive and should only be distributed to those who need to be involved in the recovery. The BCP Coordinator should maintain a list of all employees who have copies of the plan and ensure that all recipients have a current version.
PLAN CONTENT

Question: Has the organization developed a business continuity plan for its critical business processes?
Response: NO
Recommendation: Management should develop a BCP across its organization. The BCP should encompass all its critical business processes. The first step in determining what processes are critical is to perform a Business Impact Analysis.

Question: Does the plan include alternates for each team position?
Response: NO
Recommendation: Business units must determine the staffing (primary and alternates) and specific responsibilities and tasks of all teams and team members involved in all phases (emergency response, recovery, and restoration) of resumption from a business disruption.

Question: Does the plan include key supplier representatives and contacts (and alternate suppliers)?
Response: NO
Recommendation: Business units relying on third party vendors for critical products or services should verify that the vendor has business continuation plans in place that meet the unit’s service expectations and requirements. The third party should have a documented and tested plan addressing the recovery and resumption of operations in the event of a business disruption. The plan should be available for review by the business unit and Internal Audit, and these Company Name units should be allowed to participate in testing if they so request.

Question: Does the plan include up-to-date contact numbers and addresses for team members (and alternates), vendors, suppliers, and emergency support personnel?
Response: NO
Recommendation: Contact numbers (internal call trees, external vendors) are often out of date or maintained by individuals throughout an organization. This leads to either an incomplete listing, or a lack of a backed-up copy of the list. Where feasible, management should compile a list of key contact numbers, and store them off-site. Organization charts should include personnel names and titles. As with all documents that are subject to frequent revision, organization charts should note when the document was last updated.

Question: Does the organization have documented team notification procedures?
Response: NO
Recommendation: Disaster declaration, evacuation, damage assessment, emergency response, and off-site storage and retrieval procedures must be documented in the plan; all procedures must provide sufficient detail. Business units must identify specific prioritized activities for the recovery of all critical business functions. Communications play a vital role in the recovery effort. The sequence of notification should be organized in a call chain structure.

Question: Does the organization have documented vendor notification procedures?
Response: NO
Recommendation: Management should ensure that there are clear policies and procedures for notifying key supply chain partners of key information in crisis situations.
Question: Has the organization documented individual responsibilities and procedures for all time sensitive business processes?
Response: NO
Recommendation: Documented policies and procedures ensure that in the event that primary recovery personnel are not available to carry out recovery efforts, others can do so in their place. Additionally, documented policies and procedures allow for training and awareness to be increased in the organization. Management should document individual responsibilities in the BCP.

Question: Does the BCP include the BCP Organization & Structure?
Response: NO
Recommendation: A documented command and control structure allows for clear and concise implementation of recovery efforts. Management should document at a minimum:
• The BCP Coordinator
• The Crisis Management Team
• The Damage Assessment Team
• Business Unit Recovery Team Members
• The Technology Recovery Team

Question: Is the methodology for the BCP development, including the BIA process, documented within the plan (Standards, Guidelines, Policies and Procedures)?
Response: NO
Recommendation: Without governing standards or formal policies and procedures guiding the plan development, the organization may be exposed to an increased risk of not having complete plans developed across all its businesses. Management should consider enhancing its policies and procedures to include these key components: Business Impact Analysis, Plan Development, Documentation, Incident Management, Strategy Selection, Maintenance, Awareness and Training, and Testing.

Question: Is the escalation sequence (i.e. incident management process) adequately documented and explained within the BCP?
Response: NO
Recommendation: Management should document the process that the organization will utilize to rapidly recognize and escalate incidents affecting the systems and/or the facility. The objective of this process is to ensure that a problem is quickly recognized and managed using a set of procedures to ensure command and control during a disruption to its operation, so that the impact of an incident does not spread to other parts of the organization.

It is important to note that not all incidents are considered disasters. Problems that can be detected and repaired within the Recovery Time Objectives (RTOs) established by the business units are not considered disasters. A disaster is any potential situation that causes a cessation of normal business functions for an unacceptable period of time; i.e., one that exceeds the RTOs and requires the implementation of special procedures by the Business Recovery Teams.
Question: Are primary and alternate assembly and Emergency Operations Center (EOC) locations identified and documented in the plan?
Response: NO
Recommendation: Identify and document appropriate locations for assembly of personnel at the time of a disaster and an Emergency Operations Center (EOC) from which the EMT will operate.

All personnel should be aware of the immediate steps to be taken in the event of a disaster. The first task is to ensure that all personnel are accounted for and that everyone is aware of the actions to be taken in initiating the recovery process at a common location. An assembly location should be established where all staff could meet if a disaster occurs. When selecting an assembly location, business units should consider the following:
• An assembly location should be within walking distance of the original facility but far enough away to ensure employees are not in further danger. It should be large enough to shelter all employees;
• Receiving permission for assembly locations that are not on Company Name leased or owned properties (i.e., a hotel lobby or adjacent third party parking lot);
• Outdoor assembly locations should always have an alternate location, as bad weather can make an outdoor assembly site unusable or unsafe; and
• An assembly location should have access to telephones.

Question: Are the RTOs documented and explained for all critical processes?
Response: NO
Recommendation: Based on the information provided as part of the BIA (and as a basis for subsequent contingency resource planning requirements), each organizational unit must assign a criticality rating. The criticality rating, known as the recovery time objective (RTO), identifies the time frame by which critical business functions must be recovered (e.g., the amount of time a business unit can survive without performing the critical business function). If the recovery time objective is dependent upon the time of the month or year (peak processing periods), base your interval on the most vulnerable time a business interruption may occur.
Are manual workarounds
documented in the BCP?
NO
Plans must include interim and manual processing strategies where
those procedures currently exist or where they may prove useful or
necessary to ensure the continuation of critical business operations.
Did the business process
owners document their own
manual workarounds/alternate
processes?
NO
Business units, in developing solutions to meet their recovery time
objectives, may be able to implement interim and/or manual processing
strategies. Those solutions, if available, must be documented in the plan
Interim processing strategies relate to temporary solutions that a
business unit may be able to implement from the time of disruption to
the time that a critical function’s applications can be recovered. For
example, a call center may be able to reroute calls from the affected site
to a call center with excess capacity for a period of three days. In some
cases, interim business unit procedures may include using a desktop
application (e.g., Microsoft Excel®) to input transaction data that can be
transferred or uploaded to the original application when that application
Business Continuity Management Assessment - 2015
37
Control #
Management Practice
Questions
Management
Response
Recommendation
becomes available. Business units must be creative in developing
interim processing solutions for application failures. Plans should
document the interim solution, duration, and all required procedures for
implementing the solution.
Manual processing strategies relate to recovery procedures that do not
rely on the computerized application(s) associated with a critical
function. Using manual workarounds, critical functions or portions of a
critical function can continue to be processed. For example, a life
insurance sales agent could revert to using manual forms to capture
client information; the information collected could then be input into
a desktop application (the interim processing strategy) and later be
uploaded to the recovered application. Manual procedures should be
developed and/or documented in business unit plans.
Is the primary/alternate
recovery site documented in
the BCP?
NO
Every organizational unit must be prepared to relocate critical business
functions to an alternate site and resume operations. This site should be
documented in the plan with appropriate relocation directions.
Are directions to the recovery
sites documented in the BCP?
NO
Every organizational unit must be prepared to relocate critical business
functions to an alternate site and resume operations. This site should be
documented in the plan with appropriate relocation directions.
Are clear reporting instructions
documented in the BCP?
NO
Management should ensure that the crisis management model provides the
response mechanism, a set of procedures for command and control during a
disruption to operations, that lets management deal efficiently with
disaster incidents. The model should allow for rapid recognition of severe
problems and an ability to escalate them in a controlled and appropriate
manner.
Are data restoration procedures
documented in the BCP?
NO
In a disaster, data may be lost because of the interval between data
back-ups and systems downtime. Management should ensure that all business
units have documented in their plans how they will re-enter
transactions/entries/orders that may have been lost (not backed up) into
the systems without adverse effects to the organization.
Did the business process
owners document their own
data restore procedures? NO
Each business process is unique, and therefore to ensure that a data
restoration process is complete, it is important that the user community
that is responsible for implementing the data restoration process be
involved in the creation of the procedures.
Are the testing/exercising
objectives/criteria documented
within the BCP?
NO
Management should document the objectives of the plan testing. Some
objectives could be to:
1. Determine the state of readiness of the AIGFP recovery organization
to respond to and recover from a disruption to business, operations and
systems at the facility;
2. Determine whether the required resources (identified through the
business impact analysis in chapter 4) for recovery are available at
recovery locations;
3. Determine whether the Business Continuity Plan (BCP) has been
properly maintained to reflect changes in the business and technology;
4. Manage the expectations of the business units as to what they can
expect in the event of an actual incident;
5. Instill a sense of calm and confidence by showing that there is a
demonstrable state-of-readiness for a potential disruption of services;
and
6. Demonstrate compliance with applicable regulatory requirements.
Is the testing/exercising
schedule documented and
explained?
NO
Business Continuity Plan test frequencies should be derived from the
business unit’s critical business function recovery time objectives.
Business units must perform a full integrated test (simulated recovery of
all critical business functions within a particular unit) every twelve (12)
months. It is the business unit’s responsibility to schedule testing with
the necessary internal and external service providers and to carry it out.
Are pre-test checklists and
associated procedures
documented in the BCP?
NO
Advance preparation for testing is a key component of a successful test
program. A Test Preparation Checklist and Worksheet should be used
to detail the proper steps that should be taken for advance planning of
plan testing.
The worksheet should identify the scope, objectives, assumptions,
scenario, test date and post mortem date.
Are post-test checklists and
associated procedures
documented in the BCP?
NO
Execution and review of test results are key components of a successful
test program. After completion of the tests, all test participants should
complete a Post Test Evaluation Questionnaire.
Are plan maintenance
schedules documented in the
BCP?
NO
Plan information that is subject to change must be reviewed and updated
on a semi-annual basis and whenever there is a material change to a
business unit’s critical functions; the following actions should be
performed as part of the update process:
1. Update critical functions and associated recovery time objectives
where appropriate;
2. Confirm that assembly locations, alternate sites, and emergency
operations centers are current and available;
3. Review and update contact lists (employees, vendors, clients, etc.)
and emergency phone numbers;
4. Maintain team rosters and information;
5. Update AIGFP business unit organization charts;
6. Review vital record and other off-site storage arrangements; and
7. Review all recovery procedures and update as necessary.
PLAN REFERENCES & INTEGRATION
Are appropriate references to
all related plans included in the
BCP?
NO
BCP plans include evacuation, relocation, manual workarounds, data
restoration, IT, etc… Management should ensure that all plan
components are included and leveraged for a successful recovery.
Does the BCP properly
document and integrate all the
company plans, procedures
and related disciplines?
NO
BCP plans include evacuation, relocation, manual workarounds, data
restoration, IT, etc… Management should ensure that all plan
components are documented and appropriately referenced and leveraged
for a successful recovery.
Is the process for coordinating
with outside agencies (e.g. fire
department, local government
agencies, etc.) documented and
explained?
NO
Management should ensure that their plan documents all the potential
local agencies, fire, police, and emergency response organizations in the
area to ensure that crisis management roles and responsibilities are
coordinated in cases of emergency.
Are all necessary third parties
(vendors, suppliers, customers,
etc.) involved in the recovery
strategies identified and
documented with appropriate
contact information provided?
NO
Management should make advance preparations with recovery resource
providers and vendors to ensure recovery resource needs can be
obtained in an efficient manner. Where possible, management should
test with these parties to ensure abilities meet needs.
5. AWARENESS & TESTING
AWARENESS PROGRAMS
Do you have a documented
BCP awareness and training
program?
NO
Procedures must be established for informing and keeping staff current
on BCP and individual responsibilities. Plan content and
implementation must be fully understood by all staff.
Do the business unit managers
provide employee awareness
on their roles in the BCP?
NO
Business Recovery Teams should be responsible for training staff and
promoting and maintaining BCP awareness within their organizations;
procedures must be developed to meet unit BCP training objectives.
Employees need to understand their roles as members of the BCP
community.
Business Recovery Teams can increase staff awareness by conducting
informative sessions presenting the objectives, importance and outline
of the BCP. Memos, bulletins, staff meetings, testing, and formal
training programs may all be used as means for reinforcing BCP
information. Business units may also choose to distribute wallet cards
and/or tri-folds containing key information as a tool for increasing staff
awareness.
Procedures should be developed for training all personnel in emergency
response and notification procedures. Training in evacuation and the use
of disaster prevention measures should be conducted. This should
include notifying the proper emergency services and the BCP
Coordinator or alternate contacts and moving to the assembly location.
TEST CRITERIA & OBJECTIVES
Are there formal BCP test
criteria for all departments,
business units, divisions, etc.? NO
Business continuation plan test exercises must be conducted to
demonstrate the ability of the business unit to recover its critical
business functions within specified recovery time objectives. All
business units must develop a reasonable test strategy and schedule.
Do the test formats satisfy
industry standards and best
practices?
NO
Business units should develop an appropriate test strategy and provide
detailed test schedules that identify test levels, test types (for component
testing), test objectives, and scheduled test dates. Use the EBCO
approved planning tool to document these requirements.
Three distinct test levels have been identified to help validate a plan’s
accuracy and effectiveness: the structured walk-through, component
testing and integrated simulations (full operations tests). The testing
frequency for each test level is determined by the critical business
function’s recovery time objective.
Following are short descriptions for each of the three basic test levels:
1. Structured Walk-Through
Also referred to as a “table-top” exercise, the structured walk-through is
a paper evaluation of a business continuation plan designed to expose
errors or omissions without incurring the level of planning and expenses
associated with performing a full operations test. The structured walk-
through is, in effect, a role-play of a “disaster” scenario that takes place
within the confines and safety of a conference room.
2. Component Testing
Component tests are actual physical exercises designed to assess the
readiness and effectiveness of discrete plan elements and recovery
activities. The isolation of key recovery activities allows team members
to focus their efforts while limiting testing expense and resources. This
methodology is effective for identifying and resolving issues that may
adversely affect the successful completion of a full operations test.
Component tests include:
• Evacuation tests
• Emergency notification test (call tree tests)
• Application recovery test
• Remote or Dial-in access test
• Critical business function recovery test
3. Integrated Simulation/Full Operations Test
The full operations test requires extensive planning and preparation and
should not be performed until most, if not all, of the plan components
have been tested. This test requires the simulated recovery of critical
business functions across a business unit - it is the closest exercise to an
actual disaster. Although a full operations test requires weeks of
planning and considerable coordination of personnel and resources, the
exercise provides a business unit with a level of confidence about their
ability to recover in an actual event.
Is the scope of the test defined
and documented (i.e. what
portions of the plan will be
included in the test) in advance
of testing?
NO
Advance preparation for testing is a key component of a successful test
program. A Test Preparation Checklist and Worksheet should be used
to detail the proper steps that should be taken for advance planning of
plan testing.
The worksheet should identify the scope, objectives, assumptions,
scenario, test date and post mortem date.
Are test objectives clearly
defined and documented prior
to each test?
NO
Advance preparation for testing is a key component of a successful test
program. A Test Preparation Checklist and Worksheet should be used
to detail the proper steps that should be taken for advance planning of
plan testing.
The worksheet should identify the scope, objectives, assumptions,
scenario, test date and post mortem date.
Are all test assumptions
adequately defined and aligned
with the test objectives?
NO
Advance preparation for testing is a key component of a successful test
program. A Test Preparation Checklist and Worksheet should be used
to detail the proper steps that should be taken for advance planning of
plan testing.
The worksheet should identify the scope, objectives, assumptions,
scenario, test date and post mortem date.
Have you tested all plan
components in the last 12
months?
NO
Organizations that do not test all aspects of their plans have proven to be
drastically hampered in their ability to recover from a disaster.
Management should ensure that all aspects of their plans are tested
regularly. User involvement in the testing process would greatly
enhance the effectiveness of testing.
Are users involved in testing?
NO
Organizations that do not involve users in testing have shown that the
testing performed is too technically centered, with little benefit to the
actual end user. User involvement in the testing process would greatly
enhance the effectiveness of testing.
Has your testing included key
supply chain vendors?
NO
Organizations have many supply chain dependencies. Key vendors and
service providers may present a single point of failure in your delivery
mechanism. Include vendor dependencies in your testing.
Does an independent observer
monitor the tests?
NO
An independent observer (not involved in the test preparation) should
have the responsibility of monitoring the testing to ensure quality
control standards are met, and additionally provide for an objective
viewpoint on how to improve testing going forward.
TEST SCRIPTS
Do you utilize test scripts for
your tests?
NO
Test scripts provide an auditable and repeatable method of testing.
Additionally the test script can be used as a method to train employees
on the BCP. Test scripts should be used on all tests.
Do the test scripts require
proof of test success/failure?
NO
Proof of test success or failure is critical to ensuring that your plan can
withstand an audit. Logs, screen prints, output files, etc… can all be used
as proof of testing. Management should require that all testing have
documented proof of testing and results.
Do the test scripts compare
actual to expected results?
NO
Gaps in the recovery plan are best identified through extensive testing.
Comparison of actual to expected test results often leads to plan
enhancements and an end-to-end solution that meets recovery needs.
Management should ensure that all testing compares actual to expected
test results.
Is there a consistent team of
internal and third party
personnel responsible for
developing test scripts?
NO
A dedicated testing group can provide for a more efficient testing
process, and help in the identification of testing interdependencies. A
testing team should be identified, and their associated roles and
responsibilities documented.
Is there a process to facilitate
review and critique of all test
scripts by a qualified BCP
practitioner prior to conducting
the test?
NO
After completion of the tests, all test participants should complete a post
test evaluation questionnaire including questions such as:
Was the test objective and scenario clear?
What could have made the test run more smoothly?
Were any procedures/documents missing during the test (i.e., not stored
off-site or not completely documented)? If so, what was missing?
Did you notice any single points of failure in the recovery process that
were not previously identified? If so, what were they?
Were there any prevention or mitigation measures that would lessen the
effort needed to recover? If so, what were they?
Did you make any assumptions that were not clearly made prior to the
test? What were they? Did they change the outcome of the test?
Were the appropriate people included in the Recovery Team? If not,
who should/should not be part of the Recovery Team?
Did you learn any lessons during this test? What were they?
TEST EXECUTION & FOLLOW-UP
Have plan component tests
been conducted for all
appropriate business units
and/or departments?
NO
Component Testing is an off-hours exercise to test a particular segment
of the recovery plan. It serves to verify the correctness of operating
procedures, hardware components and the ability to restore a business
unit’s critical functions. An example of this test is a limited systems
restoration and a connectivity test at the recovery site.
It may include exercising the effectiveness of the call tree by placing
actual phone calls to ensure that awareness exists among recovery teams
and that the call trees reflect current staffing and their respective contact
information. It may also involve testing evacuation and relocation
procedures by personnel evacuating the facility and reporting to the
Emergency Operations Center, personnel relocating to their respective
recovery locations. It is important to note that while personnel might
relocate to the recovery site, this type of testing will not include
processing transactions or key activities.
Is there a procedure/tool to log
problems/issues during the
test?
NO
Problems identify weaknesses in plan components. Problem tracking
and resolution can lead to altering test objectives going forward and
ultimately refining the BCP. A problem tracking process should be
established.
Is there a designated team
responsible for analyzing and
interpreting the test results?
NO
Test results must be evaluated and documented subsequent to test
completion. The business unit should assess the results against
predefined test objectives and communicate the evaluation to the
business unit executives; unsuccessful tests must be rescheduled. The
Business Continuation Plan must be revised in view of the test results.
Does the follow-up team have
a formal process to evaluate
the test results?
NO
To determine a test’s success, test results should be compared with
predefined test objectives. Failure to meet test objectives will require a
reschedule of the test. Test results that should be measured include
elapsed time to perform specific activities, accuracy of documentation
for each activity, and amount of work completed. It is worthwhile to
distribute evaluation forms to test participants and observers,
immediately following a test, to solicit feedback on their impression of
the recovery procedures. Evaluations are also effective for promoting a
sense of ownership among those involved.
Is there an evaluation form to
facilitate the analysis of the
test?
NO
After completion of the tests, all test participants should complete a post
test evaluation questionnaire including questions such as:
Was the test objective and scenario clear?
What could have made the test run more smoothly?
Were any procedures/documents missing during the test (i.e., not stored
off-site or not completely documented)? If so, what was missing?
Did you notice any single points of failure in the recovery process that
were not previously identified? If so, what were they?
Were there any prevention or mitigation measures that would lessen the
effort needed to recover? If so, what were they?
Did you make any assumptions that were not clearly made prior to the
test? What were they? Did they change the outcome of the test?
Were the appropriate people included in the Recovery Team? If not,
who should/should not be part of the Recovery Team?
Did you learn any lessons during this test? What were they?
Is a formal report summarizing
the results of the test prepared?
NO
A post mortem session should be conducted after all tests. Involve test
participants in a group discussion session to provide feedback on the
efficiency of plan procedures. The group discussion and related
documentation of test results should occur in a timely manner (i.e.,
usually within one week following test exercises). The BCP
Coordinator, in conjunction with necessary business unit management,
will review test results, identify specific action items, assign resolution
assignments and related target dates for completion, coordinate
appropriate changes to the plan, and reschedule tests, if necessary. BCP
test documentation and results should be communicated to business unit
management in order to keep management apprised of the unit’s state of
preparedness. Copies of test results should be part of the plan
document.
6. MAINTENANCE
PLAN MAINTENANCE
Are the maintenance roles and
responsibilities clearly defined
and documented?
NO
The Business Continuity Plan (BCP) has been designed to be a living
document. To ensure that it remains current, it must be reviewed on a
routine basis and revised to reflect changes within the organizational
environment. Certain unscheduled business and/or non-business-related
events that occur can affect the BCP. For example, system
developments or a change in a critical application from one platform to
another would require a review of and revision of the recovery and
testing strategies, and possibly the IT Vendor Contact lists. Formally
documented maintenance policies and procedures that identify triggers
for plan maintenance should be put in place.
Is there a method to ensure all
BCP maintenance is approved?
NO
Management should ensure that the BCP is integrated into the
organization’s change management process. Additionally, management
should ensure that all trigger events are documented to allow for regular
maintenance activities.
A list of event triggers includes but is not limited to:
• Regulatory requirements;
• New products;
• Business acquisitions;
• New hardware, platforms, applications, or other technology change;
• Vendor bankruptcy;
• Facility move;
• Personnel changes or relocations;
• Transfer of functions;
• Consolidation or outsourcing of work functions;
• Change in critical third party vendor/suppliers;
• Changes in telecommunications (voice or data);
• Structure/equipment; and
• Results of BCP testing.
Are there automatic triggers to
ensure that the core plan
elements remain current? NO
The business continuation plan must be reviewed quarterly to ensure
that all required updates have been performed. Document control
procedures should be implemented in order to protect the integrity of the
plan.
Plan information that is subject to change must be reviewed and updated
on a quarterly basis and whenever there is a material change to a
business unit’s critical functions; the following actions should be
performed as part of the update process:
• Update critical functions and associated recovery time objectives
where appropriate;
• Confirm that assembly locations, alternate sites, and emergency
operations centers are current and available;
• Review and update contact lists (employees, vendors, clients, etc.)
and emergency phone numbers;
• Maintain team rosters and information;
• Update business unit organization charts;
• Review vital record and other off-site storage arrangements; and
• Review all recovery procedures and update as necessary.
A list of event triggers includes but is not limited to:
• Regulatory requirements;
• New products;
• Business acquisitions;
• New hardware, platforms, applications, or other technology change;
• Vendor bankruptcy;
• Facility move;
• Personnel changes or relocations;
• Transfer of functions between existing sites (London, Paris, Tokyo);
• Consolidation or outsourcing of work functions;
• Change in critical third party vendor/suppliers;
• Changes in telecommunications (voice or data);
• Structure/equipment; and
• Results of BCP testing.
DOCUMENT CONTROL
Documentation produced during a BCP project that forms part of a final
deliverable must be maintained throughout the life of the plan. To
ensure that all plan recipients are provided with complete, accurate, and
current copies of the business continuation plan, plans should adhere to
the following document control procedures:
• Version Numbering
• Revision History
• Page Numbering
• Document Distribution
Document Distribution
The information in a business continuation plan is highly sensitive and
should only be distributed to those who need to be involved in the
recovery. The BC Planner should maintain a list of all employees who
have copies of the plan and ensure that all recipients have a current
version. In addition, Planners are responsible for retrieving plan copies
for employees who leave the business unit.
The distribution list should be incorporated as part of the document.
When new versions are issued, old versions should be destroyed. A
distribution list should include the employee’s name, plan version
number, date issued, and date returned (when applicable).
Is there a formally documented
plan maintenance schedule?
NO
The business continuation plan must be reviewed periodically to ensure
that all required updates have been performed. Document control
procedures should be implemented in order to protect the integrity of the
plan.
Plan information that is subject to change must be reviewed and updated
on a quarterly basis and whenever there is a material change to a
business unit’s critical functions; the following actions should be
performed as part of the update process:
• Update critical functions and associated recovery time objectives
where appropriate;
• Confirm that assembly locations, alternate sites, and emergency
operations centers are current and available;
• Review and update contact lists (employees, vendors, clients, etc.)
and emergency phone numbers;
• Maintain team rosters and information;
• Update business unit organization charts;
• Review vital record and other off-site storage arrangements; and
• Review all recovery procedures and update as necessary.
A list of event triggers includes but is not limited to:
• Regulatory requirements;
• New products;
• Business acquisitions;
• New hardware, platforms, applications, or other technology change;
• Vendor bankruptcy;
• Facility move;
• Personnel changes or relocations;
• Transfer of duties;
• Consolidation or outsourcing of work functions;
• Change in critical third party vendor/suppliers;
• Changes in telecommunications (voice or data);
• Structure/equipment; and
• Results of BCP testing.
Is the responsibility for plan
maintenance clearly defined at
all levels of the organization?
NO
The organization should define in its policies and procedures the event
triggers for maintenance to ensure that all changes affecting the
operation of critical business processes are communicated and/or
adequate notice is given to the appropriate individual(s) responsible for
BCP maintenance.
Is there an independent audit
process to help ensure all plan
elements are updated
according to the established
maintenance schedule?
NO
An independent review process ensures that the plans meet the
corporate objectives. Shifts in corporate priorities may not be present in
current recovery efforts. Periodic reviews by an independent internal or
external organization (not involved in the planning process) ensure the
plans meet all external (Regulatory) and internal (Corporate, business,
etc…) requirements.
Is there an accountability
process for third-party vendors
and related BCP stakeholders
outside the company?
NO
Business units should verify that critical third party vendors meet
specific business continuation planning requirements. Business
continuation considerations should be addressed during contract
negotiations. Alternate vendors should be identified whenever possible.
Business units relying on third party vendors for critical products or
services should verify that the vendor has business continuation plans in
place that meet the unit’s service expectations and requirements. The
third party should have a documented and tested plan addressing the
recovery and resumption of operations in the event of a business
disruption. The plan should be available for review by the business unit
and Internal Audit, and these Company Name units should be allowed
to participate in testing if they so request. Business units should clearly
communicate their recovery time objectives for all functions that require
support from a third party vendor. In addition, the business unit should
provide third party vendors with an overview of their recovery strategy
including alternate site location, contact names and numbers, and any
additional special services that may be required during recovery. The
vendors should be included in the testing of business unit plans.
SENIOR MANAGEMENT REVIEW
Is there a formal review
process involving senior
management?
NO
Senior management commitment is essential to the success of the BCP
program. The lack of senior management involvement may increase the
risk that:
• Plans will not sufficiently limit financial loss;
• Plans may not be developed and implemented appropriately.
Management should consider representation on the BCP steering
committee. Additionally, management should receive periodic reports
from the BCP steering committee on the state of readiness.
Are the BCP program
objectives reviewed and
revised on a regularly
scheduled basis? NO
An inadequate review process can result in plans not meeting corporate
objectives. Shifts in corporate priorities may not be present in current
recovery efforts. Periodic reviews by an independent internal or
external organization (not involved in the planning process) ensure the
plans meet all external (Regulatory) and internal (Corporate, business,
etc…) requirements.
Does senior management
provide feedback to the
recovery stakeholders
following the regularly
scheduled review?
NO
Management should consider including BCP as an agenda item on a
senior level committee (e.g., the Audit Committee) that reports to the Board
on BCP readiness for the purpose of review and discourse.


2015-01- BCP Assessment QA.pdf

  • 1. Business Continuity Management Assessment - 2015 1 Control # Management Practice Questions Management Response Recommendation 1. ORGANIZATION & STRUCTURE SENIOR MANAGEMENT COMMITMENT Does the Board of Directors/Trustees/Audit Committee annually review and approve the Business Continuity Plan? Does the review include: Scope of the BCP Program? Frequency of testing? Test results? NO The Board is responsible to the shareholders and stakeholders for the ongoing performance of the company and should approve key elements of the business continuity program. The approval process should include the scope of the program, the frequency of testing and the test results. Has senior management published a policy statement indicating their commitment to BCP? NO Senior management should approve a policy statement to provide guidance on how to implement business continuity mandates. Create a corporate policy that addresses how the company’s business units are required to address business continuity issues. Is management evaluated based on compliance to the BCP policy statement? NO Management should have incorporated in their performance metrics a measure for adherence to the business continuity policies and procedures. . Develop a program where senior and middle management can be evaluated based on BCP policy compliance. Are the company’s suppliers/vendors required to comply with the BCP policy statement? NO Today’s business models incorporate key vendors whose interruption could cause financial, operational and business impacts in cases where they represent single points of failure to the business unit or enterprise. Vendors should be required to comply with the company’s business continuity policy.
  • 2. Business Continuity Management Assessment - 2015 2 Control # Management Practice Questions Management Response Recommendation Does senior management annually approve key elements of the BCP Program? the incident management model; corporate recovery priorities; corporate support plan; business units/processes to be included; and business impact analysis results NO Senior management is responsible for the company’s ability to recover from a business interruption. Management should annually approve the major components of the BCP. Some components warranting annual approval include: 1) the incident management model; 2) corporate recovery priorities; 3) the corporate support plan; 4) business units/processes to be included in the program; and 5) the results of the business impact analysis. Approval can be in written form, or appear in meeting minutes. Has senior management’s roles and responsibilities been identified, documented and the appropriate members been trained accordingly on their particular role in the incident management model? NO It is important that senior managers and their direct reports know their roles and responsibilities in a situation that could require the implementation of the BCP. The impact of business interruptions is compounded when leadership does not act according to their defined scope of responsibility. Management should train senior managers annually on their roles and responsibilities for incident management. Has senior management appointed a management group/person to oversee the development and implementation of the business continuity program? NO There is a significant risk that effective plans cannot be developed without the active support of senior management. Senior management, preferably the Executive Committee, should designate a multidisciplinary team responsible for development and implementation of the business continuity program. 
Management should also consider assigning a senior manager, empowered with the corporate responsibility for the business continuity
  • 3. Business Continuity Management Assessment - 2015 3 Control # Management Practice Questions Management Response Recommendation program to maintain focus and apply appropriate resources. Is the senior management sponsor involved in the BCP program on a periodic (minimum) basis? NO A senior manager who does not actively participate in the business continuity program will not be able to provide adequate support for key recovery related initiatives. Develop an appropriate schedule for involvement, including specific triggers that mandate senior input and/or review. Does management mandate an annual risk assessment? NO The Risk Assessment will help management identify scenario exposures/risks (i.e. events that could impact the location of the business or processing centers). In many areas where exposures exist, controls may be implemented to mitigate the impact of the threats. Management may decide to accept certain exposures given the likelihood and weight of impact of the threat on the business and/or the cost of implementing additional controls. Management should also consider new threats and scenarios as the environment changes to accommodate for appropriate response mechanisms BCP OBJECTIVES Are the BCP program objectives documented? NO The Business continuity program objectives help to document and implement senior management’s mission statement on BCP. BCP objectives are not the same as recovery priorities. They are the operational targets, updated periodically, to help make the overall program successful. Develop significant, measurable, and attainable program objectives that address the organization’s industry and current/future regulatory environment. Are the BCP program objectives measurable? NO Without measurable (metrics, timeframes, etc…) objectives, it is difficult to determine whether the target environment has been met.
  • 4. Business Continuity Management Assessment - 2015 4 Control # Management Practice Questions Management Response Recommendation Management should define the business continuity program objectives and communicate them throughout the organization. Are the BCP program objectives integrated with the company’s strategic business plan? NO Business continuity plans are designed to protect the long-term enterprise value. Develop a system to incorporate key strategic objectives into the business continuity program. Are the BCP program objectives realistic and achievable? NO Setting objectives for the BCP program requires the balance of realistic and achievable objectives. Management should determine the resources required for reaching the BCP objectives and the resources readily available. Management should identify any potential resource gaps and report those deficiencies to senior management for either increased support or a redesign of the BCP objectives. Are the BCP program objectives based on the company’s industry sector? NO The business continuity program should address the unique industry requirements and processes of the organization. Management should develop BCP objectives that address those industry specifics. Are the BCP program objectives based on current and anticipated regulatory requirements? NO Management should be addressing the regulatory environment of the organization in its BCP program. When new regulation is proposed or released, management should review and adjust its BCP program to meet those changes. Management should develop its business continuity program objectives to meet or exceed the current regulatory requirements. BCP PROGRAM RESOURCES Is there a BCP program coordinator? NO Document the recovery organization and the associated names with the various team leader roles and responsibilities. The organization must
  • 5. Business Continuity Management Assessment - 2015 5 Control # Management Practice Questions Management Response Recommendation identify who is the point person for all BCP issues. Designate a BCP coordinator who understands the organization and will be supported by its various stakeholders. Is the BCP Program coordinator held accountable for results of the program? NO A business continuity program should be treated like any other major company initiative. This includes creating objectives and holding the BCP coordinator accountable to them. Develop a system for evaluating the program coordinator against the program objectives. Is the role and responsibility of the BCP Program Coordinator documented and understood? NO Business continuity interacts with every area of the organization, and it is possible for the duties of a BCP coordinator to be misaligned or miscommunicated. Develop a documented role and list of responsibilities for the BCP coordinator, including how the BCP coordinator will interface with department/business unit representatives. The BCP Coordinator’s responsibility is to manage and coordinate the response to, and recovery from, a crisis. This role will continue through the restoration until the situation returns to normal. The Coordinator’s key roles and responsibilities are: • Select/Activate Emergency Operations Center; • Direct information gathering; • Project manage the recovery; • Ensure delegated tasks are completed; and • Communicate and coordinate with Business Recovery Teams.
  • 6. Business Continuity Management Assessment - 2015 6 Control # Management Practice Questions Management Response Recommendation The Coordinator is a project manager and a decision-maker, overseeing and directing recovery efforts and tasks, focusing on the coordination and management role. This function involves gathering relevant information and options from the various teams to enable accurate decision-making, and to delegate and follow up tasks to ensure things actually happen. Is the BCP Program Coordinator empowered to make significant decisions about the BCP program? NO The BCP Program coordinator is senior management’s agent for implementing the business continuity program. Establish clear authority thresholds that permit appropriate flexibility in BCP program management. Is there a designated BCP representative within each business unit? NO Each business unit should have input into the contents of the BCP in order to make the plan comprehensive and dynamic. Management should designate a BCP representative for each business unit to liaison with the BCP Program coordinator. Is a process in place to determine resources (internal, external, and budget) required for ongoing BCP program success? NO A BCP program requires a budget and dedicated staffing to ensure that the objectives can be met within the assigned timeframes. Management should also consider situations where external (vendors, business partners, and consultants) may be needed to meet shortfalls due to “peek” periods of key program activities. Additionally, management should identify where additional organizational headcount could be engaged to make up for staffing shortfalls during periods of increased manual workarounds (i.e.: systems downtime). Management should identify the required resources and allocate funding
  • 7. Business Continuity Management Assessment - 2015 7 Control # Management Practice Questions Management Response Recommendation and staffing as need to the BCP program RECOVERY ORGANIZATION / TEAMS Is there a formal BCP organization consisting of designated personnel and recovery teams? NO Detailed roles and responsibilities for the recovery organization help to provide a framework for a successful plan development and implementation. In developing and maintaining an effective and efficient business resumption capability, leadership roles should be defined. This group has the responsibility for overall strategic guidance during the recovery efforts, allocating resources Management should create a formal BCP organization that includes a Steering Committee, Damage Assessment, Corporate Support Team, Business Recovery Teams, and Technical Recovery Teams. This will ensure that the overall responsibility for evaluating and making decisions as to the deployment of recovery resources consists of senior corporate managers representing IT, business operations, finance, and such other business functions, as the organization may feel are advisable. Additionally this would facilitate the establishment of a EOC (Emergency Operations Center), identify who is Authorized to Declare and Rescind a Disaster.
  • 8. Business Continuity Management Assessment - 2015 8 Control # Management Practice Questions Management Response Recommendation Is there a distinct technology recovery team? NO Management should create a Technology Recovery Team This team is responsible for providing technical recovery of systems, platforms, data, networks and applications. This team is responsible for verifying that applications are functioning properly, ensuring user connectivity and providing recovery services as defined in their documented scope, objectives and roles and responsibilities. At a high- level the team will: (1) Oversee the technical damage assessment; (2) (2) Determine the system recovery priorities based on damage assessment; and (3) (3) Locate, acquire and restore hardware and software as needed. Is there a distinct business process recovery team? NO Management should create Business Recovery Teams The Business Recovery Teams are responsible for maintaining business operations while minimizing any adverse publicity, client service and financial impact. These teams are responsible for communicating with the BCP Coordinator and initiating recovery tasks as indicated in their documented plans. These teams consist of members of each of the business units who will be responsible for the recovery of the key business processes and, if and when an incident occurs which requires evacuation of the facility and relocation to a recovery facility, the invocation of their call trees. Each team has a primary and alternate (in cases where the primary person is unavailable) team leader to lead recovery efforts for that specific team. Is there a distinct corporate support team? NO Management should create a corporate support team to provide administrative, financial, and other such services, as may be required by
  • 9. Business Continuity Management Assessment - 2015 9 Control # Management Practice Questions Management Response Recommendation the recovery (business and / or technical) teams. This team could include: Logistics, Facilities & Maintenance, Public Relations, Real Estate, Vital Records Crisis Management Desk, Finance, Human Resources, Insurance, IT, Legal. Is there a distinct damage assessment team? NO Management should designate a Damage Assessment team. This could include representatives from Finance, Insurance and Human Resources, Logistics and Facilities, Legal, Public Relations, Information Technology Support team, and the affected business units. The team will arrange for the salvage or repair of resources where possible. This team will make a decision on whether to repair the existing facility or prepare a new facility must be made if significant damage occurs. Are the roles and responsibilities of the various recovery teams clearly defined? NO The roles and responsibilities for the various recovery teams should be clearly defined and documented. The individual teams need to focus on their specific role and responsibilities to ensure that an efficient recovery is implemented. Are the relationships between the various recovery teams and their joint accountabilities clearly defined? NO The relationships and effective communication between the various recovery teams are integral to a successful recovery effort. It is important for each team to understand the overall recovery strategy and appreciate what other teams are doing. The BCP Coordinator is responsible for acting as the hub for this communication, communicating information on a regular basis to prevent a silo approach to the recovery. DOCUMENTATION PROTOCOL Is there a central repository for NO A central repository allows for document control, security and
  • 10. Business Continuity Management Assessment - 2015 10 Control # Management Practice Questions Management Response Recommendation BCP related documentation? maintenance. Management should create a secured database, directory tree, and intranet site or software repository for BCP documentation. Have all BCP plan components been identified and integrated to ensure a successful implementation? NO BCP plans include many components (evacuation plans, business relocation plans, technology plans, manual workarounds, data restoration plans, etc…) that need to be leveraged to create an effective enterprise wide plan. Management should ensure that all plan components have been identified and leveraged to ensure a non-siloed and complete recovery effort. Are plan component documents consistent when referencing common procedures? NO A consistent approach to referencing procedures or defining nomenclature ensures a level ground for developing and implementing recovery plans. Management should develop a consistent nomenclature and reference procedure. ESCALATION & EXECUTION Are there clearly defined thresholds to guide the escalation sequence and trigger recovery activities? NO Disaster declaration, evacuation, damage assessment, emergency response, and off-site storage and retrieval procedures must be documented in the plan; all procedures must provide sufficient detail to be carried out and tested. Business units must identify specific prioritized activities for the recovery of all critical business functions. Are formal documented procedures in place to guide the escalation and implementation of the organization’s recovery strategies? NO When a crisis situation arises, the designated point person (i.e.: systems issues- contact the IT Manager), based on the situation, must be informed immediately. That person then takes steps to evaluate the situation, with the assistance of other team members where necessary. 
Based on the disaster criteria, the steering committee or crisis mgmt team either declares a disaster or arranges for the correction of the
  • 11. Business Continuity Management Assessment - 2015 11 Control # Management Practice Questions Management Response Recommendation problem and resumption of normal processing. It is essential that proper call chain procedures are documented and followed. Effective Communications play a vital role in the recovery effort. In a facilities situation when a disaster occurs, all personnel at the facility should be evacuated; all staff should be directed to the predetermined assembly location. One or a number of people (e.g., fire wardens) should be made responsible for taking a head count to ensure all staff have been evacuated. Plans should note any personnel with specific emergency skills such as CPR, fire fighting and medical emergency skills. These people should also have specific responsibilities in an evacuation so their skills can be used to the best advantage. Other people may be assigned responsibilities to complete backups of work in process in a non-life-threatening situation or in a case where advance warning of an impending disaster is received. Document all assembly and evacuation procedures and assembly locations in the plan. All business units should be familiar with emergency response procedures at their site. Are the recovery strategies coordinated and integrated across all departments, business units, divisions, etc.? NO A business continuity plan recovers business processes. The identification of cross business unit processes, intra and inter office dependencies (the supply chain) is essential to a successful recovery. Management should ensure that all recovery strategies leverage the business process recovery strategies to ensure that the recovery plan objectives are met. Do the response programs include physical and logical security requirements? NO Awareness of physical and logical security threats to your organization, and having them tied to your BCP program is critical to your incident management model. 
Management should ensure that the security and information security areas of the organization are tied into the BCP
  • 12. Business Continuity Management Assessment - 2015 12 Control # Management Practice Questions Management Response Recommendation process. Are administrative personnel and associated resources identified and documented in the plan to ensure that the recovery strategies are properly supported? NO Administrative resources are required to facilitate recovery needs for such activities as supplies fulfillment and documentation of actions taken (minutes). Management should document the roles and responsibilities of administrative support for the recovery efforts. BCP PROGRAM AWARENESS Is there a formally documented training and awareness schedule and format for all applicable employees? NO Procedures must be established for informing and keeping staff current on business continuation planning and individual responsibilities. Plan content and implementation must be fully understood by all staff. Procedures should be developed for training all personnel in emergency response and notification procedures. Training in evacuation and the use of disaster prevention measures should be conducted. This should include notifying the proper emergency services and the Business Continuation Officer or alternate contacts and moving to the assembly location. Recovery team members should also be trained in the timing and technical aspects of their recovery tasks where necessary. Information should be presented to the recovery team leaders and alternates explaining the interaction of team activities and their relationship to the recovery of all critical business functions. The interdependence of teams should be emphasized to create unity between the teams and to ensure a smooth recovery. For their own safety, all employees should be aware of the appropriate response in a life threatening emergency situation. Personnel need to understand the interaction between recovery teams and how their
  • 13. Business Continuity Management Assessment - 2015 13 Control # Management Practice Questions Management Response Recommendation specific responsibilities and tasks fit into the overall BCP. For members of recovery teams, the majority of their training will be provided during plan testing. The members of critical department teams should be prepared to complete their normal duties in other surroundings and with minimum required resources. Is BCP addressed when conducting training for related disciplines (disaster recovery, risk management, security, etc.)? NO All employees should be trained in how their particular discipline is interrelated with BCP. Where feasible, management should incorporate BCP into existing training programs (i.e.: information security training programs should include how escalation of a security related event might lead to a BCP implementation). Do company publications include information and updates on the BCP program? NO Management should consider creating an internal publication, website, or other periodic publication to foster BCP awareness in the organization. Do all employees understand the BCP program and how they can contribute or get involved? NO Documented procedures must be established for informing and keeping staff current on business continuation planning and their individual responsibilities. Plan content and implementation must be fully understood by all staff. All staff should be able to know how to get in contact with their local business unit BCP representative, and the BCP coordinator.
  • 14. Business Continuity Management Assessment - 2015 14 Control # Management Practice Questions Management Response Recommendation Does the company share information concerning their BCP with outside interests (customers, suppliers, regulatory agencies, insurance companies, etc.)? NO Management should have all requests for information on their state of readiness directed to one central liaison. Management should have created and approved a single policy statement regarding the organization’s state of readiness, and where appropriate, test with key external organizations as needed. 2. BUSINESS IMPACT ANALYSIS PROCESS MAPPING Is there a formal procedure to identify time critical business and operational processes (process mapping) within the company? NO Management should document how the organization will identify and document critical business processes and supporting resources. The process should include the roll-out of a Business Impact Analysis to identify each business unit’s Recovery Time Objectives (RTOs), Critical resource requirements; and Processing interdependencies. The identified resources, and the time that these resources must be made available, define the parameters for the Business Continuity Plan (BCP), and ultimately drive the recovery priorities and the strategy for each business unit. Does the process mapping exercise involve all appropriate stakeholders (internal and external)? NO Business units must address workflow interdependencies between their own function’s processes and other business units and/or external sources. Internal and external business process interdependencies should be defined and documented for all critical business processes to ensure the
  • 15. Business Continuity Management Assessment - 2015 15 Control # Management Practice Questions Management Response Recommendation entire process is both identified and can be recovered. Business units relying on third party vendors for critical products or services should verify that the vendor has business continuation plans in place that meet the unit’s service expectations and requirements. The third party should have a documented and tested plan addressing the recovery and resumption of operations in the event of a business disruption. The plan should be available for review by the business unit and Internal Audit, and these units should be allowed to participate in testing if they so request. Is the process mapping exercise and any corresponding assessment applied consistently across all departments, business units, divisions, etc.? NO For each critical business function that a business unit has identified, the business unit should identify critical inputs associated with that function’s processes. Inputs to a critical business process are sources of information or services received from internal business units as well as external Company Name business partners/stakeholders, which are necessary to perform key tasks (Inputs come in a variety of formats and include but are not limited to: paper, magnetic media, microfiche, electronic, reports, telephone calls, transmission feeds, mail, and faxes). Business units must identify not only the apparent applications and processes that are necessary for the successful performance of unit functions, but also the upstream/downstream processes that affect their process. Planners may find it necessary to speak with process owners or other operational support staff/vendors for assistance in identifying these downstream applications. 
Outputs of a process should also be identified. Although a process’s outputs may not be critical for the business unit producing them, these outputs may be critical inputs to another process or function and should, therefore, be identified.

BUSINESS IMPACT ANALYSIS PROCESS

Question: Has a Business Impact Analysis been completed?
Management Response: NO
Recommendation: The purpose of a BIA is to identify the Recovery Time Objectives (“RTO”), the maximum tolerable time to recover critical business functions and the existing resources supporting each function. The BIA also includes the resource requirements to meet the RTO, so that recovery needs can be readily identified and fulfilled. These may include: staff; desktops and stand-alone PCs; telephones and fax machines; office equipment and supplies; stationery and forms; applications and hardware platforms; internal networks; external connectivity; vital records; and dependencies (internal business functions and external business partners). Management should gather, through interviews, and document estimates of the tangible or intangible costs associated with business disruption (quantitative or qualitative assessments) based on knowledge of the business, including:
- loss of customer goodwill;
- loss of market share;
- loss of information used to make strategic and operational decisions;
- missed business opportunities;
- reduced cash flow control; and
- other operational impacts.
Management should identify the IT recovery timeframe for each of the critical applications / software packages identified by the business function. The Work Area and IT Recovery Strategy will be driven by the requirements gathered in the BIA and by the gap between those requirements and the time and resources available from IT and Facilities. Use the BIA information to drive RFPs to vendors for recovery contracts.
Question: Is a BIA completed annually?
Management Response: NO
Recommendation: The BIA is used to facilitate the identification of the various impacts and exposures that would result from a significant business disruption. The process of considering financial, customer service, legal and regulatory, and operational impacts will enable the organization to assign a more accurate recovery time objective that is based on the importance of its business functions to the organization, and to justify potential contingency-related expenditures. Impacts should be documented consistent with the assumption that the disruption occurred at the worst possible time (worst-case scenario). The unit should consider peak operating times, workflow fluctuations, and the frequency of key reports (end of week, month, quarter). Any methodologies used to arrive at quantitative impacts must be included to support those amounts (for example, if a business unit claims that a one day disruption would result in a financial impact of $50,000, the business unit must provide the detail used to arrive at that amount, i.e., the number and type of transactions multiplied by the dollar amount per transaction). Management should ensure that all business units perform a business impact analysis (BIA) to evaluate the financial and non-financial impacts of a worst-case disaster scenario on each particular function.

Question: Did the BIA document more than IT applications?
Management Response: NO
Recommendation: An effective BIA will identify not only the RTOs, but additionally all the resources required by the business unit to perform its critical activities. Those resources should include but are not limited to:
• Personnel, including the functions that each employee completes;
• Computer hardware and peripherals;
• Software, both application and systems;
• Networks and communications;
• Voice communications;
• Office space;
• Office and other equipment, including supplies related to that equipment;
• Supplies, business forms, and manuals; and
• Vital records necessary to continue critical business operations after a disaster.

Question: Are the impact metrics associated with the BIA determined by senior management?
Management Response: NO
Recommendation: Management should review and approve all recovery plans. The Business Continuity Officer and the appropriate Business Unit Management, Operations & Systems Management, and Risk Officers should also validate the critical business functions and their related recovery time objectives. The review process should consider all documented impact metrics used to define the necessity to resume business in a timely manner in the event of a disaster.

Question: Did the BIA consider multiple business impact metrics other than financial metrics (intangible costs associated with business disruption (qualitative assessments) based on the knowledge of the business)?
Management Response: NO
Recommendation: Management should consider business impacts such as the following.
Financial Impacts include the loss of revenue resulting from termination or delays in processing products or providing services, delays in collecting or investing cash receipts that result in a loss of income or increases in borrowings, loss of market share resulting from termination or delays in producing products or providing services, and increases in expenditures to recover Critical Business Functions.
Customer Service Impacts include the termination or reduction of meeting the requirements or expectations of our customers (including the effect on Company Name’s public and industry image) for information about or support of products and services provided by the organizational unit. The level of impact (Low, Medium, High) may be associated with drivers that are specific to business unit operations; in the case of a call center, a low impact may relate to the inability to service 100 calls per hour versus a high impact of 1,000 calls per hour. The business unit’s degree of impact must be justified using business unit performance drivers. In other words, after specifying the qualitative impact (i.e., “inability to service customer calls”), define the quantitative impact in terms of specific drivers (i.e., customer calls/hour) that can be translated into a low, medium, or high impact to the organization. Business units must also consider the consequences of not meeting the objectives outlined in any existing service level agreements.
Legal & Regulatory Compliance Impacts include the potential for breaches of contract or failure to meet regulatory requirements (including the inability to maintain records in conformity with generally accepted accounting principles and tax requirements, or the inability to comply with court orders or applicable settlement or litigation agreements). It also means to (1) explain the expected timing and exposure to increased legal liabilities; (2) explain the range of potential damages, fines, and/or penalties; and (3) identify and paraphrase the specific regulation being violated, how it applies, and the potential sanctions if compliance requirements are not met.
Operational Impacts include the inability to meet customer, business unit, and work group performance expectations, the cost of write-offs caused by processing delays, the cost of backlogs created and the resource requirements needed to address those backlogs, and the potential cost associated with recovering records damaged or destroyed, as well as other operational costs to restore operating performance to minimum acceptable standards.
Question: Are roles and responsibilities associated with the BIA process clearly documented and understood?
Management Response: NO
Recommendation: A uniform approach to the rollout of a BIA tool for information gathering ensures a level playing field for evaluating recovery priorities across an organization. Management should develop a consistent methodology and approach for the BIA process. Develop policies and procedures for the BIA process. Designated staff should be responsible for implementing and summarizing the results of the BIA.

Question: Is the BIA process consistently applied across all departments, business units, divisions, etc.?
Management Response: NO
Recommendation: A uniform approach to the rollout of a BIA tool for information gathering ensures a level playing field for evaluating recovery priorities across an organization. Management should develop a consistent methodology and approach for the BIA process. Designated staff should be responsible for implementing and summarizing the results of the BIA.

Question: Does the BIA process provide the basis for the company’s business interruption insurance program?
Management Response: NO
Recommendation: Impacts identified by the BIA process provide a basis for obtaining adequate insurance. The organization should quantify the loss due to an outage where feasible in order to justify loss potential and coverage requirements.

RECOVERY TIME OBJECTIVES

Question: Has senior management established corporate RTOs?
Management Response: NO
Recommendation: Management should set corporate objectives for recovery based on the regulatory and market drivers that dictate recovery times. Recovery time objectives (RTOs) should be assigned to critical business processes, and should be validated by senior management to ensure accuracy and uniformity.

Question: Are the corporate RTOs aligned with the BCP objectives?
Management Response: NO
Recommendation: Business units need to be able to map their objectives for recovery to the organizational objectives. Management should define the overall corporate objectives for recovery, and the individual business processes should map their RTOs to the corporate objectives, where applicable, to ensure that there is a common ground/goal for allocating recovery resources and setting priorities.

Question: Have all organizational process stakeholders established RTOs for their individual processes?
Management Response: NO
Recommendation: Without priorities based on critical impact, recovery plans may not adequately address recovery needs and appropriate priorities, and ultimately may not limit financial loss. All business units should identify their RTOs based on criticality and resource requirements.

Question: Are the individual business/operational process RTOs aligned with the corporate RTOs?
Management Response: NO
Recommendation: Business units need to be able to map their objectives for recovery to the organizational objectives. Management should define the overall corporate objectives for recovery. The individual business processes should map their RTOs to the corporate objectives, where applicable, to ensure that there is a common ground/goal for allocating recovery resources.

Question: Are all RTOs achievable based on internal and external conditions?
Management Response: NO
Recommendation: Management should create a gap analysis to compare the RTOs of the business units to the actual recovery abilities of the organization. Management should ensure that where the business process RTO exceeds the actual recovery time, manual workarounds exist to fill the gap, or consider allocating resources to developing a shorter recovery time capability. Where the RTO is less than the actual recovery ability of the organization, consider strategically re-allocating recovery resources.
RESOURCE REQUIREMENTS

Question: Did the BIA include an assessment of the minimum resources required to recover operations within the specified recovery time objective (RTO)?
Management Response: NO
Recommendation: Minimum recovery resources such as critical personnel, IT resources, platforms, hardware, software, workspace requirements, telecommunications, and supplies must be identified by critical business process and within the required recovery time frames.

Question: Have minimum personnel been documented for each phase of recovery?
Management Response: NO
Recommendation: In a phased recovery approach, staff are scheduled to arrive at different times based on RTO. Not all staff for every function are needed immediately. Business units should consider their staffing requirements based on the time that their facility may be inaccessible and they are working from an alternate site.

Question: Have minimum office/administrative equipment (e.g. photocopier, fax, etc.) requirements been documented for each phase of recovery?
Management Response: NO
Recommendation: An effective BIA will identify not only the RTOs, but additionally all the resources required by the business unit to perform its critical activities. Those resources should include but are not limited to:
• Personnel, including the functions that each employee completes;
• Computer hardware and peripherals;
• Software, both application and systems;
• Networks and communications;
• Voice communications;
• Office space;
• Office and other equipment, including supplies related to that equipment;
• Supplies, business forms, and manuals; and
• Vital records necessary to run critical business operations.
Identifying the respective resource requirements will not automatically result in those resources being made available in a contingency situation, even if those resources have been communicated to the appropriate infrastructure providers. Management must ensure that they are.

Question: Have minimum information technology resources been determined for each phase of recovery?
Management Response: NO
Recommendation: The resource needs of a business unit change over time and should be considered when planning for a recovery. The BIA should identify:
• Application name;
• Description;
• Application version/release;
• Date of last update;
• Hardware and peripheral device requirements;
• Communications requirements;
• Systems software requirements;
• Databases required;
• Libraries required; and
• Any special forms and supplies used.
These should be documented for a phased recovery, in which immediate, intermediate and long-term needs are identified.

Question: Does an accurate inventory of IT applications and their requisite hardware/network exist?
Management Response: NO
Recommendation: Recovery needs and the requisite back-up procedures cannot be fully understood and implemented without having a complete picture of the IT environment. Management should identify all the resources required and maintained by the business unit to perform its critical processing activities. Those resources should include but are not limited to: applications, platforms, data, hardware, and shared drives.

Question: Have minimum facility/floor space requirements been determined for each phase of recovery?
Management Response: NO
Recommendation: The business continuation plan must identify all computing, workspace and other resources required to support the unit’s critical business functions based on a phased recovery over time. A business unit’s resources change based on the length of the outage and its RTO, so appropriate resources need to be staged for delivery.

Question: Has minimum specialty equipment been determined for each phase of recovery for each business unit?
Management Response: NO
Recommendation: Management should identify and document, by critical business function, the office, workspace, and special equipment requirements for operations under recovery conditions. Record:
• Number of standard workspaces required;
• Number and type of telephone lines (e.g., dedicated lines);
• Collating equipment;
• Copiers and paper;
• Phone recording devices;
• Date stamps;
• Mailroom equipment (scales, tape guns, meters, etc.);
• Security requirements, including security over files, plans, financial records and other records (i.e., vaults, locking file cabinets, etc.);
• Special storage requirements;
• Cabinet requirements for filing reference books, storage or other needs;
• Stationery;
• Forms, noting any specific requirements (e.g., pre-numbering); and
• Suppliers, including contact names and emergency telephone numbers.
These should be documented for a phased recovery, in which immediate, intermediate and long-term needs are identified.

Question: Have required vital records been documented for each phase of recovery for each business unit?
Management Response: NO
Recommendation: Vital records must be identified, protected from destruction, and copies stored off-site where appropriate. Procedures should be developed to ensure that the off-site records remain current. The location of off-site storage should be such that it is unlikely that a single event would destroy both the original and the stored records. This standard does not replace or alter other record management policies for other vital and important records. In the context of business continuation, vital records are those records necessary to continue business operations after a disaster. Although certain records may be required as a matter of policy or to comply with federal or state laws or regulations, these records may not be essential to the recovery of critical business functions and will, therefore, not be considered vital for BC purposes. A vital record may be in the form of paper, microfilm, electronic file, microfiche, videotape, optical disk, or other unique forms. They may include things such as customer data, loan documents, debtor information, creditor information, contracts, and payroll records. Vital records should be identified by business function to help ensure that no vital records are omitted. A brief description of the vital record, the location of originals and backups, and the media type on which the vital record is held must be provided. For each type of vital record, determine any other requirements, including security, environmental requirements, software required to manipulate the data, and any other requirements. Management should identify and document, by critical business function, the vital records required for operations under recovery conditions. Record:
• Brief description;
• Media on which the vital record is held;
• Equipment required to make use of the vital record, e.g., microfiche reader;
• Usual location of the vital record;
• Off-site storage location for copies of vital records (include contact information);
• Frequency of backups;
• Whether backups are incremental or full;
• Whether the vital record is to be held by statutory regulation; and
• Any other requirements.

Question: Is there a process in place to address and/or satisfy quality control or certification issues associated with the required resources?
Management Response: NO
Recommendation: Management should identify where recovery resources may not comply with quality control standards (e.g., ISO 9000, ISO 17799) and develop procedures to ensure quality control measures meet organizational guidelines, and where this cannot be accomplished, seek alternate recovery resources.

Question: Where applicable, are multiple sources for recovery resources documented and certified?
Management Response: NO
Recommendation: Management should identify where recovery resources may not comply with quality control standards (e.g., ISO 9000, ISO 17799) and develop procedures to ensure quality control measures meet organizational guidelines, and where this cannot be accomplished, seek alternate recovery resources.

Question: Do the company’s resource requirements at time of disaster serve as the foundation for the extra expense insurance program?
Management Response: NO
Recommendation: A business impact analysis should be used as the foundation for an estimate of recovery resources (fulfillment). Management should leverage this information in its loss estimates for insurance coverage.

3. STRATEGY SELECTION

BUSINESS PROCESS RECOVERY

Question: Is a business recovery strategy selected for each business process?
Management Response: NO
Recommendation: Management should identify and document alternate facilities for the recovery of critical business systems (e.g., hardware, applications, and telecommunications).

Question: Is the strategy based on a recent (within 12 months) business impact analysis?
Management Response: NO
Recommendation: Management should re-perform a BIA to ensure that the recovery strategy meets current recovery needs.
Question: Have at least two strategies been evaluated for cost and benefit for each business process?
Management Response: NO
Recommendation: Every organizational unit must be prepared to relocate critical business functions to an alternate site and resume operations. Efforts should be focused on selecting an internal, cost-effective recovery solution. In the event that external vendor solutions need to be considered, the business unit must prepare and submit a cost-benefit analysis to their business unit management and senior management. Alternate site agreements, whether internal or external, must be included in the plan document.

Question: Did the selection process include consideration of internal recovery strategies?
Management Response: NO
Recommendation: Where feasible, an internal solution for recovery should be examined. The ability to leverage existing real estate greatly reduces the cost of recovery in some situations. Management should review their ability to recover internally. It may be possible to distribute the workload of one site across other sites in the event of a disaster. Work with the appropriate infrastructure providers to identify whether the organization has any such sites and whether these sites are suitable based on the following considerations:
1. System compatibility (voice, data, access, etc.);
2. Sufficient capacity to handle the additional processing;
3. Availability of staff to handle the increased processing load, or whether staff can be temporarily transferred to the alternate site; and
4. The ability for critical business functions to be distributed among multiple sites, or whether they must be performed at a single site.

Question: Does the strategy include minimum personnel as has been determined for each phase of recovery?
Management Response: NO
Recommendation: Redundant headcount, the ability to relocate in the time required, and the ability to obtain local resources may limit the ability to meet recovery needs. Management should ensure that the strategy chosen can meet the minimum resources required.

Question: Does the strategy include minimum information technology resources as has been determined for each phase of recovery?
Management Response: NO
Recommendation: Information technology cannot always be made available at an alternate site due to timing, expense, and feasibility. Management should ensure that the strategy chosen has the requisite recovery resources.

Question: Does the strategy include minimum facility/floor space requirements as has been determined for each phase of recovery?
Management Response: NO
Recommendation: The BIA will drive the work space requirements of the organization. Management should ensure that the strategy chosen has the requisite recovery resources.

Question: Does the strategy include minimum specialty equipment as has been determined for each phase of recovery?
Management Response: NO
Recommendation: Specialty equipment cannot always be made available at an alternate site due to timing, expense, and feasibility. Management should ensure that the strategy chosen has the requisite recovery resources.

Question: Did the strategy selection process include issues involving existing suppliers?
Management Response: NO
Recommendation: Management should identify where the supply chain could affect the recovery efforts.

4. PLAN DOCUMENTATION

PLAN FORMAT

Question: Is the BCP in a logical format that allows all necessary users to access and utilize the plan?
Management Response: NO
Recommendation: The organization should identify the plan scope and objectives during the project initiation phase. The scope of the plan should be explicit; specify the function(s), department(s), unit, business group, and locations that the plan is directed at protecting.
At a minimum, the objectives of a business continuation plan should be:
• To establish guidelines and standards to protect associates;
• To increase awareness and expose associates to emergency operations responsibilities;
• To ensure the continuation of business operations;
• To provide Company Name organizational units and subsidiaries with a tested vehicle which, when executed, will permit an efficient, timely resumption of the interrupted business operations;
• To establish alternative means of business operation (including interim and manual processing strategies) to minimize the impacts of a disruption to the Enterprise;
• To provide for the timely and orderly restoration of business functions;
• To protect corporate assets through reasonable and cost effective measures (data, information, fixed assets, cash flow, etc.);
• To fulfill all critical legal and regulatory obligations and commitments;
• To mitigate deterioration in client and investor services and relations;
• To protect long-term market share; and
• To minimize the impact to Company Name’s public and industry image.
In addition, plans must disclose any limitations of the plan, including limitations due to scope or assumptions.

Question: Is the BCP format consistent with the organization’s documentation procedures?
Management Response: NO
Recommendation: Business continuation plans should be completed utilizing enterprise approved and licensed software tools; it is strongly recommended that business units use Enterprise BC planning tools where applicable. In addition, Business Continuation Plans should incorporate the following formatting conventions:
• Detailed table of contents;
• Version control representing “last update”;
• Plan version number;
• Page numbers; and
• Section tabs.

Question: Are the definitions and terms utilized in the BCP consistent across all departments, business units, divisions, etc.?
Management Response: NO
Recommendation: The nomenclature that is utilized in the plan should be universal across the organization to avoid confusion. Management should develop a common glossary or list of acronyms that can be used to facilitate this process.

PLAN ACCESS

Question: Is the most recent copy of the BCP located off-site?
Management Response: NO
Recommendation: Management should ensure that a copy of the BCP is stored off-site and can be accessed for reference purposes. Where feasible, the copy should be stored at the alternate recovery site.

Question: Is the off-site storage location for the BCP exposed to the same perils as the plan site (e.g. flood, earthquake, tornado, etc.)?
Management Response: NO
Recommendation: Management should ensure that a copy of the BCP is stored off-site and can be accessed for reference purposes. The copy should be stored in a facility that is not exposed to the same risks that the original is exposed to. A complete copy of the plan (hard copy and electronic) should be located off-site (i.e., at home or at a storage facility) to guarantee its availability for use during an emergency.

Question: Is the BCP accessible electronically?
Management Response: NO
Recommendation: Management should consider burning a copy of the plan to a CD or other form of media that allows for back-up without risk of deletion (CD-R: no re-write allowed). A complete copy of the plan (hard copy and electronic) should be located off-site (i.e., at home or at a storage facility) to guarantee its availability for use during an emergency.

Question: Is the BCP accessible by all necessary recovery stakeholders?
Management Response: NO
Recommendation: The BCP contains sensitive organizational information. Management should identify the appropriate stakeholders and control access to the BCP.

Question: Is the appropriate level of information available and accessible to the various recovery stakeholders?
Management Response: NO
Recommendation: Management should identify the appropriate stakeholders and control access to the BCP. The information in a business continuity plan is highly sensitive and should only be distributed to those who need to be involved in the recovery. The BCP Coordinator should maintain a list of all employees who have copies of the plan and ensure that all recipients have a current version.

PLAN CONTENT

Question: Has the organization developed a business continuity plan for its critical business processes?
Management Response: NO
Recommendation: Management should develop a BCP across its organization. The BCP should encompass all its critical business processes. The first step in determining what processes are critical is to perform a Business Impact Analysis.

Question: Does the plan include alternates for each team position?
Management Response: NO
Recommendation: Business units must determine the staffing (primary and alternates) and the specific responsibilities and tasks of all teams and team members involved in all phases (emergency response, recovery, and restoration) of resumption from a business disruption.

Question: Does the plan include key supplier representatives and contacts (and alternate suppliers)?
Management Response: NO
Recommendation: Business units relying on third party vendors for critical products or services should verify that the vendor has business continuation plans in place that meet the unit’s service expectations and requirements. The third party should have a documented and tested plan addressing the recovery and resumption of operations in the event of a business disruption. The plan should be available for review by the business unit and Internal Audit, and these Company Name units should be allowed to participate in testing if they so request.

Question: Does the plan include up-to-date contact numbers and addresses for team members (and alternates), vendors, suppliers, and emergency support personnel?
Management Response: NO
Recommendation: Contact numbers (internal call trees, external vendors) are often out of date or maintained by individuals throughout an organization. This leads to either an incomplete listing or a lack of a backed-up copy of the list. Where feasible, management should compile a list of key contact numbers and store them off-site. Organization charts should include personnel names and titles. As with all documents that are subject to frequent revision, organization charts should note when the document was last updated.

Question: Does the organization have documented team notification procedures?
Management Response: NO
Recommendation: Disaster declaration, evacuation, damage assessment, emergency response, and off-site storage and retrieval procedures must be documented in the plan; all procedures must provide sufficient detail. Business units must identify specific prioritized activities for the recovery of all critical business functions. Communications play a vital role in the recovery effort. The sequence of notification should be organized in a call chain structure.

Question: Does the organization have documented vendor notification procedures?
Management Response: NO
Recommendation: Management should ensure that there are clear policies and procedures for notifying key supply chain partners of key information in crisis situations.
Question: Has the organization documented individual responsibilities and procedures for all time-sensitive business processes?
Management Response: NO
Recommendation: Documented policies and procedures ensure that, in the event that primary recovery personnel are not available to carry out recovery efforts, others can do so in their place. Additionally, documented policies and procedures allow training and awareness to be increased in the organization. Management should document individual responsibilities in the BCP.

Question: Does the BCP include the BCP Organization & Structure?
Management Response: NO
Recommendation: A documented command and control structure allows for clear and concise implementation of recovery efforts. Management should document at a minimum:
• The BCP Coordinator
• The Crisis Management Team
• The Damage Assessment Team
• Business Unit Recovery Team Members
• The Technology Recovery Team

Question: Is the methodology for BCP development, including the BIA process, documented within the plan (Standards, Guidelines, Policies and Procedures)?
Management Response: NO
Recommendation: Without governing standards or formal policies and procedures guiding plan development, the organization may be exposed to an increased risk of not having complete plans developed across all its businesses. Management should consider enhancing its policies and procedures to include these key components: Business Impact Analysis, Plan Development, Documentation, Incident Management, Strategy Selection, Maintenance, Awareness and Training, and Testing.

Question: Is the escalation sequence (i.e. incident management process) adequately documented and explained within the BCP?
Management Response: NO
Recommendation: Management should document the process that the organization will utilize to rapidly recognize and escalate incidents affecting the systems and/or the facility. The objective of this process is to ensure that a problem is quickly recognized and managed using a set of procedures that ensures command and control during a disruption to its operation, so that the impact of an incident does not spread to other parts of the organization. It is important to note that not all incidents are considered disasters. Problems that can be detected and repaired within the Recovery Time Objectives (RTOs) established by the business units are not considered disasters. A disaster is any potential situation that causes a cessation of normal business functions for an unacceptable period of time, i.e., one that exceeds the RTOs and requires the implementation of special procedures by the Business Recovery Teams.

Question: Are primary and alternate assembly and Emergency Operations Center (EOC) locations identified and documented in the plan?
Management Response: NO
Recommendation: Identify and document appropriate locations for assembly of personnel at the time of a disaster and an Emergency Operations Center (EOC) from which the EMT will operate. All personnel should be aware of the immediate steps to be taken in the event of a disaster. The first task is to ensure that all personnel are accounted for and that everyone is aware of the actions to be taken in initiating the recovery process at a common location. An assembly location should be established where all staff could meet if a disaster occurs. When selecting an assembly location, business units should consider the following:
• An assembly location should be within walking distance of the original facility but far enough away to ensure employees are not in further danger. It should be large enough to shelter all employees;
• Receiving permission for assembly locations that are not on Company Name leased or owned properties (i.e., a hotel lobby or adjacent third-party parking lot);
• Outdoor assembly locations should always have an alternate location, as bad weather can make an outdoor assembly site unusable or unsafe; and
• An assembly location should have access to telephones.
Question: Are the RTOs documented and explained for all critical processes?
Management Response: NO
Recommendation: Based on the information provided as part of the BIA (and as a basis for subsequent contingency resource planning requirements), each organizational unit must assign a criticality rating. The criticality rating, known as the recovery time objective (RTO), identifies the time frame by which critical business functions must be recovered (i.e., the amount of time a business unit can survive without performing the critical business function). If the recovery time objective is dependent upon the time of the month or year (peak processing periods), base your interval on the most vulnerable time at which a business interruption may occur.

Question: Are manual workarounds documented in the BCP?
Management Response: NO
Recommendation: Plans must include interim and manual processing strategies where those procedures currently exist or where they may prove useful or necessary to ensure the continuation of critical business operations.

Question: Did the business process owners document their own manual workarounds/alternate processes?
Management Response: NO
Recommendation: Business units, in developing solutions to meet their recovery time objectives, may be able to implement interim and/or manual processing strategies. Those solutions, if available, must be documented in the plan. Interim processing strategies relate to temporary solutions that a business unit may be able to implement from the time of disruption to the time that a critical function’s applications can be recovered. For example, a call center may be able to reroute calls from the affected site to a call center with excess capacity for a period of three days. In some cases, interim business unit procedures may include using a desktop application (e.g., Microsoft Excel®) to input transaction data that can be transferred or uploaded to the original application when that application becomes available. Business units must be creative in developing interim processing solutions for application failures. Plans should document the interim solution, its duration, and all required procedures for implementing the solution. Manual processing strategies relate to recovery procedures that do not rely on the computerized application(s) associated with a critical function. Using manual workarounds, critical functions or portions of a critical function can continue to be processed. For example, a life insurance sales agent could revert to using manual forms to capture client information; the information collected could then be entered (input) into a desktop application (the interim processing strategy) and later be uploaded to the recovered application. Manual procedures should be developed and/or documented in business unit plans.

Question: Is the primary/alternate recovery site documented in the BCP?
Management Response: NO
Recommendation: Every organizational unit must be prepared to relocate critical business functions to an alternate site and resume operations. This site should be documented in the plan with appropriate relocation directions.

Question: Are directions to the recovery sites documented in the BCP?
Management Response: NO
Recommendation: Every organizational unit must be prepared to relocate critical business functions to an alternate site and resume operations. This site should be documented in the plan with appropriate relocation directions.

Question: Are clear reporting instructions documented in the BCP?
Management Response: NO
Recommendation: Management should ensure that the crisis management model represents the response mechanism that will ensure that management is efficient in dealing with disaster incidents, through a set of procedures that provides for command and control during a disruption to its operation. The model should allow for rapid recognition of severe problems and an ability to escalate them in a controlled and appropriate manner.
Question: Are data restoration procedures documented in the BCP?
Management Response: NO
Recommendation: In a disaster, data may be lost due to data back-up procedures and systems downtime. Management should ensure that all business units have documented in their plans how they will re-enter transactions/entries/orders that may have been lost (not backed up) into the systems without adverse effects to the organization.

Question: Did the business process owners document their own data restore procedures?
Management Response: NO
Recommendation: Each business process is unique, and therefore, to ensure that a data restoration process is complete, it is important that the user community responsible for implementing the data restoration process be involved in the creation of the procedures.

Question: Are the testing/exercising objectives/criteria documented within the BCP?
Management Response: NO
Recommendation: Management should document the objectives of the plan testing. Some objectives could be to:
1. Determine the state of readiness of the AIGFP recovery organization to respond to and recover from a disruption to business, operations and systems at the facility;
2. Determine whether the required resources (identified through the business impact analysis in chapter 4) for recovery are available at recovery locations;
3. Determine whether the Business Continuity Plan (BCP) has been properly maintained to reflect changes in the business and technology;
4. Manage the expectations of the business units as to what they can expect in the event of an actual incident;
5. Instill a sense of calm and confidence by showing that there is a demonstrable state of readiness for a potential disruption of services; and
6. Demonstrate compliance with applicable regulatory requirements.

Question: Is the testing/exercising schedule documented and explained?
Management Response: NO
Recommendation: Business Continuity Plan test frequencies should be derived from the business unit’s critical business function recovery time objectives. Business units must perform a full integrated test (simulated recovery of all critical business functions within a particular unit) every twelve (12) months. It is the business unit’s responsibility to schedule with the necessary internal and external service providers and implement testing.

Question: Are pre-test checklists and associated procedures documented in the BCP?
Management Response: NO
Recommendation: Advance preparation for testing is a key component of a successful test program. A Test Preparation Checklist and Worksheet should be used to detail the proper steps that should be taken for advance planning of plan testing. The worksheet should identify the scope, objectives, assumptions, scenario, test date and post mortem date.

Question: Are post-test checklists and associated procedures documented in the BCP?
Management Response: NO
Recommendation: Execution and review of test results are key components of a successful test program. After completion of the tests, all test participants should complete a Post Test Evaluation Questionnaire.

Question: Are plan maintenance schedules documented in the BCP?
Management Response: NO
Recommendation: Plan information that is subject to change must be reviewed and updated on a semi-annual basis and whenever there is a material change to a business unit’s critical functions; the following actions should be performed as part of the update process:
1. Update critical functions and associated recovery time objectives where appropriate;
2. Confirm that assembly locations, alternate sites, and emergency operations centers are current and available;
3. Review and update contact lists (employees, vendors, clients, etc.) and emergency phone numbers;
4. Maintain team rosters and information;
5. Update AIGFP business unit organization charts;
6. Review vital record and other off-site storage arrangements; and
7. Review all recovery procedures and update as necessary.

PLAN REFERENCES & INTEGRATION

Question: Are appropriate references to all related plans included in the BCP?
Management Response: NO
Recommendation: BCP plans include evacuation, relocation, manual workarounds, data restoration, IT, etc. Management should ensure that all plan components are included and leveraged for a successful recovery.

Question: Does the BCP properly document and integrate all the company plans, procedures and related disciplines?
Management Response: NO
Recommendation: BCP plans include evacuation, relocation, manual workarounds, data restoration, IT, etc. Management should ensure that all plan components are documented and appropriately referenced and leveraged for a successful recovery.

Question: Is the process for coordinating with outside agencies (e.g. fire department, local government agencies, etc.) documented and explained?
Management Response: NO
Recommendation: Management should ensure that their plan documents all the potential local agencies, fire, police, and emergency response organizations in the area, so that crisis management roles and responsibilities are coordinated in cases of emergency.

Question: Are all necessary third parties (vendors, suppliers, customers, etc.) involved in the recovery strategies identified and documented, with appropriate contact information provided?
Management Response: NO
Recommendation: Management should make advance preparations with recovery resource providers and vendors to ensure recovery resource needs can be obtained in an efficient manner. Where possible, management should test with these parties to ensure that abilities meet needs.

5. AWARENESS & TESTING

AWARENESS PROGRAMS

Question: Do you have a documented BCP awareness and training program?
Management Response: NO
Recommendation: Procedures must be established for informing and keeping staff current on the BCP and their individual responsibilities. Plan content and implementation must be fully understood by all staff.

Question: Do the business unit managers provide employee awareness of their roles in the BCP?
Management Response: NO
Recommendation: Business Recovery Teams should be responsible for training staff and promoting and maintaining BCP awareness within their organizations; procedures must be developed to meet unit BCP training objectives. Employees need to understand their roles as members of the BCP community. Business Recovery Teams can increase staff awareness by conducting informative sessions presenting the objectives, importance and outline of the BCP. Memos, bulletins, staff meetings, testing, and formal training programs may all be used as means for reinforcing BCP information. Business units may also choose to distribute wallet cards and/or tri-folds containing key information as a tool for increasing staff awareness. Procedures should be developed for training all personnel in emergency response and notification procedures. Training in evacuation and the use of disaster prevention measures should be conducted. This should include notifying the proper emergency services and the BCP Coordinator or alternate contacts and moving to the assembly location.

TEST CRITERIA & OBJECTIVES

Question: Are there formal BCP test criteria for all departments, business units, divisions, etc.?
Management Response: NO
Recommendation: Business continuation plan test exercises must be conducted to demonstrate the ability of the business unit to recover its critical business functions within specified recovery time objectives. All business units must develop a reasonable test strategy and schedule.

Question: Do the test formats satisfy industry standards and best practices?
Management Response: NO
Recommendation: Business units should develop an appropriate test strategy and provide detailed test schedules that identify test levels, test types (for component testing), test objectives, and scheduled test dates. Use the EBCO approved planning tool to document these requirements. Three distinct test levels have been identified to help validate a plan’s accuracy and effectiveness: the structured walk-through, component testing and integrated simulations (full operations tests). The testing frequency for each test level is determined by the critical business function’s recovery time objective. Following are short descriptions of each of the three basic test levels:
1. Structured Walk-Through: Also referred to as a “table-top” exercise, the structured walk-through is a paper evaluation of a business continuation plan designed to expose errors or omissions without incurring the level of planning and expense associated with performing a full operations test. The structured walk-through is, in effect, a role-play of a “disaster” scenario that takes place within the confines and safety of a conference room.
2. Component Testing: Component tests are actual physical exercises designed to assess the readiness and effectiveness of discrete plan elements and recovery activities. The isolation of key recovery activities allows team members to focus their efforts while limiting testing expense and resources. This methodology is effective for identifying and resolving issues that may adversely affect the successful completion of a full operations test. Component tests include:
• Evacuation tests
• Emergency notification test (call tree tests)
• Application recovery test
• Remote or dial-in access test
• Critical business function recovery test
3. Integrated Simulation/Full Operations Test: The full operations test requires extensive planning and preparation and should not be performed until most, if not all, of the plan components have been tested. This test requires the simulated recovery of critical business functions across a business unit; it is the closest exercise to an actual disaster. Although a full operations test requires weeks of planning and considerable coordination of personnel and resources, the exercise provides a business unit with a level of confidence about its ability to recover in an actual event.

Question: Is the scope of the test defined and documented (i.e. what portions of the plan will be included in the test) in advance of testing?
Management Response: NO
Recommendation: Advance preparation for testing is a key component of a successful test program. A Test Preparation Checklist and Worksheet should be used to detail the proper steps that should be taken for advance planning of plan testing. The worksheet should identify the scope, objectives, assumptions, scenario, test date and post mortem date.

Question: Are test objectives clearly defined and documented prior to each test?
Management Response: NO
Recommendation: Advance preparation for testing is a key component of a successful test program. A Test Preparation Checklist and Worksheet should be used to detail the proper steps that should be taken for advance planning of plan testing. The worksheet should identify the scope, objectives, assumptions, scenario, test date and post mortem date.

Question: Are all test assumptions adequately defined and aligned with the test objectives?
Management Response: NO
Recommendation: Advance preparation for testing is a key component of a successful test program. A Test Preparation Checklist and Worksheet should be used to detail the proper steps that should be taken for advance planning of plan testing. The worksheet should identify the scope, objectives, assumptions, scenario, test date and post mortem date.

Question: Have you tested all plan components in the last 12 months?
Management Response: NO
Recommendation: Organizations that do not test all aspects of their plans have been shown to be drastically hampered in their ability to recover from a disaster. Management should ensure that all aspects of their plans are tested regularly. User involvement in the testing process would greatly enhance the effectiveness of testing.

Question: Are users involved in testing?
Management Response: NO
Recommendation: Organizations that do not involve users in testing have found that the testing performed is too technically centered, with little benefit to the actual end user. User involvement in the testing process would greatly enhance the effectiveness of testing.

Question: Has your testing included key supply chain vendors?
Management Response: NO
Recommendation: Organizations have many supply chain dependencies. Key vendors and service providers may present a single point of failure in your delivery mechanism. Include vendor dependencies in your testing.

Question: Does an independent observer monitor the tests?
Management Response: NO
Recommendation: An independent observer (not involved in the test preparation) should have the responsibility of monitoring the testing to ensure quality control standards are met, and additionally provide an objective viewpoint on how to improve testing going forward.
TEST SCRIPTS

Question: Do you utilize test scripts for your tests?
Management Response: NO
Recommendation: Test scripts provide an auditable and repeatable method of testing. Additionally, the test script can be used as a method to train employees on the BCP. Test scripts should be used on all tests.

Question: Do the test scripts require proof of test success/failure?
Management Response: NO
Recommendation: Proof of test success or failure is critical to ensuring that your plan can withstand an audit. Logs, screen prints, output files, etc. can all be used as proof of testing. Management should require that all testing have documented proof of testing and results.

Question: Do the test scripts compare actual to expected results?
Management Response: NO
Recommendation: Gaps in the recovery plan are best identified through extensive testing. Comparison of actual to expected test results often leads to plan enhancements and an end-to-end solution that meets recovery needs. Management should ensure that all testing compares actual to expected test results.

Question: Is there a consistent team of internal and third-party personnel responsible for developing test scripts?
Management Response: NO
Recommendation: A dedicated testing group can provide a more efficient testing process and help in the identification of testing interdependencies. A testing team should be identified, and their associated roles and responsibilities documented.

Question: Is there a process to facilitate review and critique of all test scripts by a qualified BCP practitioner prior to conducting the test?
Management Response: NO
Recommendation: After completion of the tests, all test participants should complete a post test evaluation questionnaire including questions such as: Was the test objective and scenario clear? What could have made the test run more smoothly? Were any procedures/documents missing during the test (i.e. not stored off-site or not completely documented)? If so, what was missing? Did you notice any single points of failure in the recovery process that were not previously identified? If so, what were they? Were there any prevention or mitigation measures that would lessen the effort needed to recover? If so, what were they? Did you make any assumptions that were not clearly made prior to the test? What were they? Did they change the outcome of the test? Were the appropriate people included in the Recovery Team? If not, who should/should not be part of the Recovery Team? Did you learn any lessons during this test? What were they?

TEST EXECUTION & FOLLOW-UP

Question: Have plan component tests been conducted for all appropriate business units and/or departments?
Management Response: NO
Recommendation: Component Testing is an off-hours exercise to test a particular segment of the recovery plan. It serves to verify the correctness of operating procedures, hardware components and the ability to restore a business unit’s critical functions. An example of this test is a limited systems restoration and a connectivity test at the recovery site. It may include exercising the effectiveness of the call tree by placing actual phone calls to ensure that awareness exists among recovery teams and that the call trees reflect current staffing and their respective contact information. It may also involve testing evacuation and relocation procedures by personnel evacuating the facility and reporting to the Emergency Operations Center, and personnel relocating to their respective recovery locations. It is important to note that while personnel might relocate to the recovery site, this type of testing will not include processing transactions or key activities.

Question: Is there a procedure/tool to log problems/issues during the test?
Management Response: NO
Recommendation: Problems identify weaknesses in plan components. Problem tracking and resolution can lead to altering test objectives going forward and ultimately refining the BCP. A problem tracking process should be established.
Question: Is there a designated team responsible for analyzing and interpreting the test results?
Management Response: NO
Recommendation: Test results must be evaluated and documented subsequent to test completion. The business unit should assess the results against predefined test objectives and communicate the evaluation to the business unit executives; unsuccessful tests must be rescheduled. The Business Continuation Plan must be revised in view of the test results.

Question: Does the follow-up team have a formal process to evaluate the test results?
Management Response: NO
Recommendation: To determine a test’s success, test results should be compared with predefined test objectives. Failure to meet test objectives will require a reschedule of the test. Test results that should be measured include elapsed time to perform specific activities, accuracy of documentation for each activity, and amount of work completed. It is worthwhile to distribute evaluation forms to test participants and observers, immediately following a test, to solicit feedback on their impression of the recovery procedures. Evaluations are also effective for promoting a sense of ownership among those involved.

Question: Is there an evaluation form to facilitate the analysis of the test?
Management Response: NO
Recommendation: After completion of the tests, all test participants should complete a post test evaluation questionnaire including questions such as: Was the test objective and scenario clear? What could have made the test run more smoothly? Were any procedures/documents missing during the test (i.e. not stored off-site or not completely documented)? If so, what was missing? Did you notice any single points of failure in the recovery process that were not previously identified? If so, what were they? Were there any prevention or mitigation measures that would lessen the effort needed to recover? If so, what were they? Did you make any assumptions that were not clearly made prior to the test? What were they? Did they change the outcome of the test? Were the appropriate people included in the Recovery Team? If not, who should/should not be part of the Recovery Team? Did you learn any lessons during this test? What were they?

Question: Is a formal report summarizing the results of the test prepared?
Management Response: NO
Recommendation: A post mortem session should be conducted after all tests. Involve test participants in a group discussion session to provide feedback on the efficiency of plan procedures. The group discussion and related documentation of test results should occur in a timely manner (i.e., usually within one week following test exercises). The BCP Coordinator, in conjunction with necessary business unit management, will review test results, identify specific action items, assign resolution assignments and related target dates for completion, coordinate appropriate changes to the plan, and reschedule tests if necessary. BCP test documentation and results should be communicated to business unit management in order to keep management apprised of the unit’s state of preparedness. Copies of test results should be part of the plan document.

6. MAINTENANCE

PLAN MAINTENANCE

Question: Are the maintenance roles and responsibilities clearly defined and documented?
Management Response: NO
Recommendation: The Business Continuity Plan (BCP) has been designed to be a living document. To ensure that it remains current, it must be reviewed on a routine basis and revised to reflect changes within the organizational environment. Certain unscheduled business and/or non-business-related events can affect the BCP. For example, system developments or a change in a critical application from one platform to another would require a review and revision of the recovery and testing strategies, and possibly the IT Vendor Contact lists. Formally documented maintenance policies and procedures that identify triggers for plan maintenance should be put in place.
Question: Is there a method to ensure all BCP maintenance is approved?
Management Response: NO
Recommendation: Management should ensure that the BCP is integrated into the organization’s change management process. Additionally, management should ensure that all trigger events are documented to allow for regular maintenance activities. A list of event triggers includes but is not limited to:
• Regulatory requirements;
• New products;
• Business acquisitions;
• New hardware, platforms, applications, or other technology change;
• Vendor bankruptcy;
• Facility move;
• Personnel changes or relocations;
• Transfer of functions;
• Consolidation or outsourcing of work functions;
• Change in critical third-party vendors/suppliers;
• Changes in telecommunications (voice or data);
• Structure/equipment; and
• Results of BCP testing.

Question: Are there automatic triggers to ensure that the core plan elements remain current?
Management Response: NO
Recommendation: The business continuation plan must be reviewed quarterly to ensure that all required updates have been performed. Document control procedures should be implemented in order to protect the integrity of the plan. Plan information that is subject to change must be reviewed and updated on a quarterly basis and whenever there is a material change to a business unit’s critical functions; the following actions should be performed as part of the update process:
• Update critical functions and associated recovery time objectives where appropriate;
• Confirm that assembly locations, alternate sites, and emergency operations centers are current and available;
• Review and update contact lists (employees, vendors, clients, etc.) and emergency phone numbers;
• Maintain team rosters and information;
• Update business unit organization charts;
• Review vital record and other off-site storage arrangements; and
• Review all recovery procedures and update as necessary.
A list of event triggers includes but is not limited to:
• Regulatory requirements;
• New products;
• Business acquisitions;
• New hardware, platforms, applications, or other technology change;
• Vendor bankruptcy;
• Facility move;
• Personnel changes or relocations;
• Transfer of functions between existing sites (London, Paris, Tokyo);
• Consolidation or outsourcing of work functions;
• Change in critical third-party vendors/suppliers;
• Changes in telecommunications (voice or data);
• Structure/equipment; and
• Results of BCP testing.

DOCUMENT CONTROL

Documentation produced during a BCP project that forms part of a final deliverable must be maintained throughout the life of the plan. To ensure that all plan recipients are provided with complete, accurate, and current copies of the business continuation plan, plans should adhere to the following document control procedures:
• Version Numbering
• Revision History
• Page Numbering
• Document Distribution

Document Distribution
The information in a business continuation plan is highly sensitive and should only be distributed to those who need to be involved in the recovery. The BC Planner should maintain a list of all employees who have copies of the plan and ensure that all recipients have a current version. In addition, Planners are responsible for retrieving plan copies from employees who leave the business unit. The distribution list should be incorporated as part of the document. When new versions are issued, old versions should be destroyed. A distribution list should include the employee’s name, plan version number, date issued, and date returned (when applicable).

Question: Is there a formally documented plan maintenance schedule?
Management Response: NO
Recommendation: The business continuation plan must be reviewed periodically to ensure that all required updates have been performed. Document control procedures should be implemented in order to protect the integrity of the plan. Plan information that is subject to change must be reviewed and updated on a quarterly basis and whenever there is a material change to a business unit’s critical functions; the following actions should be performed as part of the update process:
• Update critical functions and associated recovery time objectives where appropriate;
• Confirm that assembly locations, alternate sites, and emergency operations centers are current and available;
• Review and update contact lists (employees, vendors, clients, etc.) and emergency phone numbers;
• Maintain team rosters and information;
• Update business unit organization charts;
• Review vital record and other off-site storage arrangements; and
• Review all recovery procedures and update as necessary.
A list of event triggers includes but is not limited to:
• Regulatory requirements;
• New products;
• Business acquisitions;
• New hardware, platforms, applications, or other technology change;
• Vendor bankruptcy;
• Facility move;
• Personnel changes or relocations;
• Transfer of duties;
• Consolidation or outsourcing of work functions;
• Change in critical third-party vendors/suppliers;
• Changes in telecommunications (voice or data);
• Structure/equipment; and
• Results of BCP testing.

Question: Is the responsibility for plan maintenance clearly defined at all levels of the organization?
Management Response: NO
Recommendation: The organization should define in its policies and procedures the event triggers for maintenance, to ensure that all changes affecting the operation of critical business processes are communicated and/or adequate notice is given to the appropriate individual(s) responsible for BCP maintenance.

Question: Is there an independent audit process to help ensure all plan elements are updated according to the established maintenance schedule?
Management Response: NO
Recommendation: An independent review process ensures that the plans meet the corporate objectives. Shifts in corporate priorities may not be reflected in current recovery efforts. Periodic reviews by an independent internal or external organization (not involved in the planning process) ensure that the plans meet all external (regulatory) and internal (corporate, business, etc.) requirements.
Is there an accountability process for third-party vendors and related BCP stakeholders outside the company?
Management Response: NO
Recommendation: Business units should verify that critical third party vendors meet specific business continuation planning requirements. Business continuation considerations should be addressed during contract negotiations. Alternate vendors should be identified whenever possible. Business units relying on third party vendors for critical products or services should verify that the vendor has business continuation plans in place that meet the unit’s service expectations and requirements. The third party should have a documented and tested plan addressing the recovery and resumption of operations in the event of a business disruption. The plan should be available for review by the business unit and Internal Audit, and these Company Name units should be allowed to participate in testing if they so request. Business units should clearly communicate their recovery time objectives for all functions that require support from a third party vendor. In addition, the business unit should provide third party vendors with an overview of their recovery strategy, including alternate site location, contact names and numbers, and any additional special services that may be required during recovery. The vendors should be included in the testing of business unit plans.

SENIOR MANAGEMENT REVIEW

Is there a formal review process involving senior management?
Management Response: NO
Recommendation: Senior management commitment is essential to the success of the BCP program. The lack of senior management involvement may increase the risk that:
• plans will not sufficiently limit financial loss; and
• plans may not be developed and implemented appropriately.
Management should consider representation on the BCP steering committee. Additionally, management should receive periodic reports from the BCP steering committee on the state of readiness.
Are the BCP program objectives reviewed and revised on a regularly scheduled basis?
Management Response: NO
Recommendation: An inadequate review process can result in plans not meeting corporate objectives. Shifts in corporate priorities may not be reflected in current recovery efforts. Periodic reviews by an independent internal or external organization (not involved in the planning process) ensure the plans meet all external (regulatory) and internal (corporate, business, etc.) requirements.

Does senior management provide feedback to the recovery stakeholders following the regularly scheduled review?
Management Response: NO
Recommendation: Management should consider including BCP as an agenda item on a senior level committee (e.g., the Audit Committee) that reports to the Board on BCP readiness, for the purpose of review and discussion.