Business Continuity Planning: A Step-by-Step Guide With Planning Forms on CD-ROM, 3rd Edition, by Kenneth Fulmer.

BUSINESS CONTINUITY PLANNING:
A STEP-BY-STEP GUIDE WITH PLANNING FORMS ON CD-ROM
THIRD EDITION
by Kenneth L. Fulmer, CBCP
Philip Jan Rothstein, FBCI, Editor

- - - - - - - - -

This easy-to-use, step-by-step guide Includes complete book contents PLUS
planning forms and template on CD-ROM for the beginner or experienced contingency
planner.

- - - - - - - - -

ENDORSED BY THE BUSINESS CONTINUITY INSTITUTE (BCI) AND THE
DISASTER RECOVERY INSTITUTE INTERNATIONAL (DRII)

- - - - - - - - - -

For some organizations, Business Continuity (BC) Planning is a fact of life - dedicated staff,
budget and resources devoted to continually developing, exercising, validating, maintaining
and enhancing their ongoing Business Continuity Management programs. For the typical
business whether large or small, reality usually gets in the way.

A colleague of mine used to say that Business Continuity had its own specific gravity: It
never quite sank to the bottom of the pile of priorities, but never quite rose to the top. It was
always next (or next but one) on the list of things that had to be done.

Every business owner or manager knows they need to address business continuity - some
day - after putting out day-to-day fires, paying the bills, taking care of customers, and
catching their breath. So, what are those of us who have the luck to operate in the real world,
supposed to do about business continuity?

The answer is obvious - do what you can realistically accomplish with whatever time and
resources you are able to spare. Of course, you should ensure your BC program meets any
legal, contractual or regulatory requirements - and meets your fiduciary responsibilities.

In this book and companion CD-ROM, Ken Fulmer has provided us with a clear, easy-to-use
resource for business continuity: a step-by-step tool which isn't going to overwhelm you nor
break the bank, yet which will provide you with a sound foundation for beginning on the path
to effective business continuity. While there are more complex tools and books available, this
Guide will get your BC program going surprisingly fast and with a lot less sweat and tears
than you might expect. It will also give you a structure which you can continue to build on as
your business changes and evolves, and as you are willing and able to devote more
resources to business continuity.

My advice to the reader is to do the best you can, as soon as you can, to address the
business continuity requirements of your organization - your business' survival may depend
on it!

Philip Jan Rothstein
Fellow, Business Continuity Institute (FBCI)

- - - - - - - -

CONTENTS

DISASTER RECOVERY INSTITUTE INTERNATIONAL

THE BUSINESS CONTINUITY INSTITUTE

PREFACE by Melvyn Musson, FBCI, CBCP, CISSP

PREFACE by Philip J. Rothstein, FBCI

PREFACE by Andrew Hiles, FBCI

INTRODUCTION

1 WHY SHOULD YOUR BUSINESS PREPARE FOR A DISASTER?
What Disaster Might Hit You?
It's Too Much Work! Why Shouldn't We Just Take the Risk?
Legal Reasons for Having a Plan
Statutory Example
Determining Liability

2 GETTING STARTED
Basic Considerations
An Alternate Business Location
Vital Records
Key People
A Plan
How Many Plans?
Types of Plans
The Planning Steps You Will Take with this Book
Step 1 - Writing the Purpose, Objectives, Scope and Assumptions
Purpose of the Plan - Sample Text
Plan Objectives - Guidelines
Scope of the Plan - Guidelines
Planning Assumptions- Guidelines
Step 2 - The Plan Coordinator and Development Team: Job Descriptions
The Plan Development Team
Step 3 - Assigning Action Items, Coordination of Responsibilities and Timeframes

3 ITS TIME TO ROLL UP YOUR SLEEVES AND TO ASSESS YOUR CURRENT RISK
Step 4 - Where Do You Stand Right Now?
Begin by Reviewing Internal Plans and Policies
Meet with Outside Groups
Identify Codes and Regulations
Identify Critical Products, Services and Operations
Identify Your Internal Resources and Capabilities
Identify External Resources
Conduct an Insurance Review
Assess Your Vulnerability
Begin by Listing Potential Threats
Estimate Probability
Assess the Potential Human Impact
Assess the Potential Property Impact
Assess the Potential Business Impact
Assess Internal and External Resources
Add the Columns
Hazard-Specific Information
Hazardous Materials Incidents
Floods and Flash Floods
Hurricanes
Tornadoes
Severe Winter Storms
Earthquakes
Technological Emergencies
Analyzing the Risk Assessment
Step 5 - Doing Your Business Impact Analysis
Identifying Critical Systems, Applications and Vital Records
Using Your Business Impact Analysis
What's Your Staying Power?
Timing Your Defense
What Immediate Resources Do You Need?
Develop Recovery Priorities
Identify Preventive Controls
Develop Technical Recovery Strategies
Step 6 - Selecting Your Recovery Teams
Roles and Responsibilities
Team Leaders
Team Members
Step 7 - Developing Your Recovery Strategies and Action Plans
Recovery Strategy Overview
Sample Action Plan Task List

4 PUTTING IT ALL TOGETHER
Step 8 - Documenting Your Business Continuity Plan
Background Information
Action Plan
Plan Appendices
Step 9 - Testing Your Plan
Preparation of Testing Procedures
Checklist Testing
Non-Business-Interruption Test
Parallel Testing
Business Interruption Testing
Frequency of Test
Evaluating Your Test Results
The Checklist Worksheet
The Test Evaluation Form
Step 10 - Distributing Your Plan

5 CONGRATULATIONS! - BUT DON'T LET IT COLLECT DUST
Step 11 - Maintaining Your Plan

APPENDIX A SAMPLE RISK ASSESSMENT

APPENDIX B RISK ANALYSIS CHECKLIST

APPENDIX C GUIDELINES FOR DEVELOPING YOUR DATA SHEETS

APPENDIX D BUSINESS CONTINUITY GLOSSARY

APPENDIX E SELECTED BUSINESS CONTINUITY ARTICLES
Pitching Preparedness
Why Assess? A Case Study
Slow-Motion Disaster
Managing Management: A Case Study
"Almost" Disasters

REFERENCES

ABOUT THE AUTHOR

- - - - - - - -

DISASTER RECOVERY INSTITUTE INTERNATIONAL
Belinda Wilson, CBCP, Vice Chairperson DRII

“In today's business environment, change is the norm. The path to your business goals is
seldom marked, and never direct. Success in this world demands agility and resilience, and
relies on its ability to easily adapt and be flexible in a world of uncertain times. An adaptive
infrastructure that tightens integration and synchronization between IT resources and
business processes while delivering a level of interoperability that supports the requirements
for a new infrastructure ecosystem. An adaptive infrastructure delivers virtualized resources
as services in response to business process requirements. It scales or redeploys resources
quickly and efficiently as the business requires, in a single department or across the entire
enterprise. To adapt effectively to change in the business environment, the infrastructure itself
must deliver services continuously, secure against attack and threat.

“But continuous, secure operations are more than a step toward somewhere else: they are a
destination of their own. It is time to begin the journey toward an infrastructure that can serve
as a dependable foundation for your business today, and the engine of quick, smooth
adaptation to business requirements in an unpredictable future.

“Businesses build cultures of business continuity by planning, then overcoming everyday
threats and obstacles, until continuity is no longer optional but rather is built into the
company's corporate culture. Never complete, the process cycles through analysis, building,
integration, management and evolution. With every turn, your business becomes more
secure, efficient and agile in its response to both challenge and opportunity.

“The continuity and security of your business are not isolated destinations. Even your first
steps will bring you toward a broader, more integrated operational vision. And efficiencies will
only improve as employees move together toward common objectives. As you go, the path
will get easier. Protecting and organizing information systems helps you pick up
speed-moving ahead with new sophistication and efficiency. Your systems will become not
just safer, but easier to use and manage for employees, partners and customers.

“No destination is final, but the journey toward continuous operations brings its own practical,
measurable rewards along the way. And with every step, your business grows more resilient,
more agile and better prepared to take advantage of the next business change.

“This book demonstrates the changing focus of business continuity moving it outside of IT
and into the boardroom. Decisions surrounding business continuity are no longer involving
only the technical provisioning but are business driven to help ensure companies are "always
on" and thus competitive. The book supports the processes and guidelines set forth in DRI
International's (DRII) approach to ensure a successful implementation of a business
continuity program and is a good starting point for someone new to the industry.”

- - - - - - - -

THE BUSINESS CONTINUITY INSTITUTE
Larry Kalmis, FBCI, Chairman, BCI

“Kenneth Fulmer, CBCP has produced an important and useful guide for the business
continuity planning novice. This clear, concise work will also be a valuable reference for the
advanced practitioner.
“Mr. Fulmer upholds many of the principles you will find promoted and supported by the
Business Continuity Institute and encouraged as part of Business Continuity Management
good practices.

“In more than thirty years as a business continuity practitioner, I have seen many small and
medium-size businesses pay the penalty for lack of preparedness. Often, overwhelmed by
the jargon employed by many practitioners and the mistaken concepts that business
continuity is too costly, that it is only for the "big boys," and that they do not have the
resources or knowledge base, they choose to take the risk instead. For many, it is an
unfortunate choice because much can be done with reasonable commitment to avoid
business disruptions or mitigate the impact for those that are unavoidable.

“In this excellent primer, Mr. Fulmer sets out a simple, concise, and, most of all, logical
roadmap both for developing the justification for a business continuity / disaster recovery
program as well as for developing and maintaining the resultant plan. He starts by leading you
through the assessment of potential risks and impacts establishing the business case,
which, after all should be the ultimate driver for any commitment of staff and other resources
to business continuity. Mr. Fulmer then, using straightforward, jargon-free, checklists, tables,
and worksheets, takes you step-by-step through generally accepted "good practices,"
enabling you to construct an appropriately sized recovery plan.

“This book clearly puts forth the rationale, concepts, and mechanics for business continuity
planning in an easy-to-use format for the business continuity initiate. The advanced
practitioner will also find this book a practical reference and its checklists, tables, and
worksheets a useful toolkit.

Larry Kalmis, FBCI
Project Executive, Virtual Corporation
Chairman, the Business Continuity Institute

- - - - - - - -

EXCERPT FROM THE PREFACE
Melvyn Musson, FBCI, CBCP, CISSP

“One of the first things that one needs to do when asked to write the preface to a book, is to
determine what you feel the book's niche will be. In this case, the book has a very specific
niche as a down-to-earth, practical "primer" or introduction to Business Continuity Planning,
particularly for small and medium-sized firms.

“It will also help answer the questions "what have I got myself into?" and "what is covered by
Business Continuity Planning?" These are questions which someone with little or no
Business Continuity Planning experience will ask themselves immediately after they are
informed that they are now responsible for such planning within their firm, or that they are now
charged with developing such a plan for the firm.

“Other books can provide more depth of detail that may subsequently be needed, but this
book will enable someone with little or no experience to start to put together a project plan,
determine what they need to include in the initial structure of the plan and identify those
areas that they may need to research further. Someone with more experience will find this
book a useful resource to make sure they have covered all the bases. Worksheets, forms and
action items are located throughout the book to provide that initial information base on which
to build a plan.

“This book provides the basic information to enable firms to start the development of their
plans in the "classical" business continuity planning manner. Alternatively if one wishes to
approach the plan in a different manner, possibly due to corporate culture issues, the book
still provides an information base that can assist one in developing your own project and plan
documentation.
One other advantage of starting with this book is that the reader starts from a simple
beginning and can build to more detail, as that becomes necessary. This point is a key
consideration. There is a tendency when developing a Business Continuity Plan to make it
more complicated and detailed than may be necessary, particularly in small or medium-sized
firms.

“The Rt. Hon. David Blunkett, presently the Home Secretary in the United Kingdom
Government, said recently in the Foreword to a new booklet "Expecting the Unexpected:
Business Continuity in an Uncertain World" that Business Continuity and planning is just as
important for small firms as it is for large corporations and that plans need to be simple but
effective, comprehensive but tailored to the needs of the organization.

“This book will put those, particularly in small and medium-sized firms, on the track to
develop simple but comprehensive plans tailored to the needs of their organizations. Although
written with an IT bias, one can extrapolate from the IT to determine what needs to be done
by the business units or from an overall business perspective.

“For those wanting to research Business Continuity Planning further, the Disaster Recovery
Institute International (www.drii.org) and the Business Continuity Institute (www.thebci.org)
have developed a set of Professional Practices for Business Continuity Planners. These
comprise 10 subject areas of a common body of knowledge that characterizes the
profession. Each subject area contains a description of the area, the role of the professional
and an outline of the knowledge that the professional should demonstrate within that subject
area.

Melvin Musson, Fellow, Business Continuity Institute (FBCI)
Business Continuity Planning Manager, Internal Audit
Edward Jones, St. Louis, Missouri, USA

- - - - - - - -

EXCERPT FROM THE PREFACE
Andrew Hiles, FBCI

“We had an international prospect in a financial district. He had been talking about
implementing a business continuity project for around eighteen months - but there was no
real sign of movement on it. We had one final try to persuade him to go ahead with the
project, identifying disasters that had happened in the district and to similar organizations. At
the meeting, he said "Yes, we ought to get round to it. But it will never happen to us." The
following month there was an explosion in the area, damaging his offices. I telephoned him
and asked him if he was now convinced of the case for business continuity. "Yes," he said.
"We have just authorized spending $15 million on a second site."

“We do not all have the luxury of a budget of that size. But there is always something
meaningful that we can do to reduce risk, protect our assets and plan for continuity and
recovery.

“Time is the crucial element. The first few hours following a disaster is the time when recovery
success or failure is decided. A plan is vital to put order into chaos and to make the most of
those crucial early hours - and the days that follow.

“This book provides practical advice, easy to follow formats and checklists that will help its
readers to understand, reduce and manage the risks to their organization. It gives
step-by-step guidance on how to develop, test and maintain plans to handle emergencies,
protect people and ensure business continues - come what may.”

Andrew Hiles, Fellow, Business Continuity Institute (FBCI)
President, Kingswell International Limited
Oxford, United Kingdom

- - - - - - - - -

EXCERPT FROM THE INTRODUCTION

“Devastating acts like the September 11, 2001 terrorist attacks in New York and Washington,
D.C. have left many businesses and individuals concerned about the possibility of future
threats and their potential impacts on us. Recent PricewaterhouseCoopers research from
public sources has revealed that the financial impacts from these attacks were staggering:
- An estimated 14,600 businesses inside and around the World Trade Center were
impacted by the disaster.
- 13.4 million square feet of space in six buildings in and surrounding the WTC
complex were destroyed.
- 36 miles of new cable had to be installed by the New York electric utility,
Consolidated Edison.
- 652 companies occupying 28.6 million square feet of space were temporarily or
permanently displaced by the destruction.
- 200,000 communication lines were knocked out by network failures.
- 12,000 Con Edison customers had their electric power fail.

“In addition to the direct impacts of the attacks on September 11, the indirect impact to U.S.
businesses has been estimated at $151 billion in the first year” - Fortune, February 18, 2002.

“However, there are things you can do to prepare for the unexpected that will give you a
measure of control over the effects of a disaster.

“Whether it is caused by terrorist activity, nature, technical problems or human error, any
emergency can force catastrophic consequences and enormous costs on your business. The
result: property damage, interruption of operating procedures, lost profits and even your
competitive standing.

“In emergencies, it is critical that you make the right decisions and bring the immediate
threat to your company and your employees under control quickly. Your company must
resume its most important functions in an emergency mode as quickly as possible. At the
time of a disaster, the one thing that all companies have working against them is time. Lost
time translates into dissatisfied customers, lost revenue, and more.

“Many existing Business Continuity Plans today are too complicated and have not been well
maintained. The September 11th attacks have caused us to question more than ever, how
useful our plans would really prove to be.

“Traditionally, disaster recovery planning has focused on computer systems. However,
recovering business operations includes more than just the computer system. Thought needs
to be given to such issues as long distance service, secure locations where employees can
work, and the salvage or replacement of building contents. Because mission-critical functions
usually depend on technology and telecommunications networks, rapid recovery of these is
very important, but is of little value without also recovering enterprise-wide business
operations.

“Many organizations have mainframe and minicomputer recovery plans in place. However, it is
important for us to recognize that over time, many of our applications may have migrated to
distributed decentralized environments with fewer controls and less security.
A plan for business continuity will be worth your effort and can be considered an asset, but
only if you follow through on these essential steps:
- Before a disaster strikes, identify all computer systems, applications, people,
equipment and supplies needed for recovery.
- Have a back-up procedure for critical files and systems, and a secure off-site storage
facility.
- Have one or more alternate places to go for data processing and business
operations.
- Be able to maintain effective control over the recovery effort.
- Identify outside resources that can assist you in the recovery process.
- Test your plan to evaluate its capability to provide the required level of support for
your core business process and ultimate recovery.
- Maintain the plan. Depending on a plan that is out-of-date can be worse than having
no plan at all.

“While this book and accompanying CD-ROM provide a comprehensive approach to business
continuity and recovery, it is not intended to be a substitute for professional, legal or financial
advice. It is designed to help planning coordinators focus on key points to explore while
developing Business Continuity Plans for their companies.”

- - - - - - - - -

ABOUT THE AUTHOR

KENNETH L. FULMER, CBCP, has been involved in the Business Continuity Planning field
for over 14 years. He has been a member of the Disaster Recovery Institute International
(DRII, www.drii.org) since 1991 and a Certified Business Continuity Planner since 1992. Mr.
Fulmer's career has spanned 27 years in the computer-related industry and has published,
trained and spoken on business continuity issues.

Ken began his career as a public school teacher in Silver Spring, MD, and has since been a
Bank Officer for Imperial Bancorp; now Comerica Bancorp, New York, and a National Account
Executive with Digital Equipment Corporation; now Hewlett Packard.

Ken's Third Edition of Business Continuity Planning: A Step-by-Step Guide with Planning
Forms on CD-ROM builds upon the foundation of the two previous, highly successful editions.

- - - - - - - - -
2004, 190 pages plus CD-ROM. Order #DR772.
Published by Rothstein Associates Inc.
ISBN #1-931332-21-5.
In Stock for immediate shipment.
- - - - - - - -

The Disaster Center Bookstore

MORE NEW RELEASES & SPECIAL OFFERS!

Disaster Center Bookstore-a service of Rothstein Associates