Disaster Center Bookstore-a service of Rothstein Associates

PRINCIPLES AND PRACTICE OF BUSINESS CONTINUITY:
TOOLS AND TECHNIQUES
By Jim Burtles, KLJ, MMLJ, FBCI
(New – July 1, 2007)

Endorsed by Survive, The Business Continuity Group
Endorsed by The Business Continuity Institute.

--------------------------------------------------------------------------------------------------------

INCLUDES CD-ROM WITH TOOL, TEMPLATES AND BONUS RESOURCES!

--------------------------------------------------------------------------------------------------------

"An invaluable, comprehensive and practical guide to assist companies of all sizes with their
Business Continuity Planning – written by a BC practitioner with years of experience to help
others learn and avoid pitfalls." - Survive - The Business Continuity Group

--------------------------------------------------------------------------------------------------------

This new book explores the subject of Business Continuity Management: from basic
principles to best practices. On completing this book, the reader should be in a position to
engage in all of the activities associated with the development, delivery, exercise and
maintenance of an effective business continuity program. The included CD-ROM provides
extensive tools, templates and other valuable resources.

--------------------------------------------------------------------------------------------------------

CONTENTS

PREFACE
INTRODUCTION

1. A POTTED HISTORY

2. FUNDAMENTALS OF RECOVERY
The Backlog Trap
The Decision Point and Business Tolerance
Micro Sufficiency
Micro Sufficiency v. Macro Efficiency
Organic Resilience
The Basic Functional Relationships
Protective Strategies
The Tiers of Governance

3. GETTING STARTED
Business Continuity project champion
A viable game plan
Deliverables and other Outcomes
Board level Motivators
Scaling to Fit
Standards and their Interpretation
Hidden Benefits
The Auditor's Role

4. UNDERSTANDING THE RISKS
Risk Assessment Methods
Grid Impact Analysis
Risk Acceptance
The Cost of Loss
Loss of Profit
Invisible Costs
Investment Wisdom
Basic Effects
QwikRisk
Risk Reporting

5. IMPACTS AND CONSEQUENCES
Facilitated Business Impact Analysis
Business Impact Analysis
Fire Exposure Analysis
Some Thoughts on Improved Fire Drills
Fire Drills and Exposures
The importance of timing
Functional Analysis
Compliance Issues

6. CONTINUITY STRATEGIES
The Range of Choices
Business Continuity Strategies
Strategy Selection Process
Backup and Restore Procedures

7. EMERGENCY RESPONSE
Command and Control
Emergency Evacuation
Communications
Emergency Requirements
Battle Boxes
Contact Lists

8. SALVAGE AND RESTORATION
Site and Structures
Equipment and Technology
Documents and Records
Electronic Equipment
Process Equipment

9. DISASTER RECOVERY
Technology And Support Services
Systems Recovery
Disaster Recovery Sites
Work Area Recovery
In-House or Third-Party
Back Up Regimes

10. BUSINESS CONTINUITY PLANS
Business Continuity Plans
Emergency Response Plans
Crisis Management Plans
Function Restoration Plans
Disaster Recovery Plans
The Use of Planning Tools

11. LONG TERM CONTINUITY
Relocation or Expansion
Back to Normal; Reverse Recovery or Revacuation
Resources and Facilities

12. REVIEW AND AUDIT
Review Process
Auditing

13. EXERCISING AND TESTING
Capability and Confidence
Testing Plans and Procedures
Exercise Development and Delivery
Cabaret Testing

14. CRISIS MANAGEMENT
Internal Affairs
External Affairs and the Media

15. PERSONNEL CONSIDERATIONS
Health, Safety and Welfare
Emergency Working
Fatigue and Isolation
Rotas and Rotation
Rewards and Acknowledgment
Counselling
Relative Response Team

16. LIAISING WITH OTHERS
Local Authorities
Regulators
Emergency Services
The Community
Insurers
Competitors
Neighbours
Fire and Rescue
Classes of Fire
Fire doors
Portable Fire Extinguishers
Air (Hints and Tips)
Fire Protection Systems
Fire fighting in history

17. QUOTES, QUIPS AND COMMENTS

18. GLOSSARY OF TERMS

19. BUSINESS CONTINUITY TOOL KIT

20 CONCLUSION

--------------------------------------------------------------------------------------------------------

CD-ROM CONTENTS

1. RISK ASSESSMENT TOOL
This tool has been in more or less continuous use for about 25 years. During that time it has
evolved into a useful general purpose tool for the business continuity practitioner. The majority
of the questions are derived from actual incidents which have interrupted business operations,
or put them under threat, at some point in time. While there is a strong emphasis on
computer- based operations, the investigation process does cover most of the common
physical risks which should be considered by the business continuity planner. However, risk
investigation is largely a matter of common sense combined with an enquiring mind. Keep
asking questions until you are satisfied that you understand what is happening, what might
happen and what could cause it.

2. IMPACT ANALYSIS TOOL
This was specifically designed to be used in conjunction with the functional analysis
approach as described in Chapter 5. However, it can also be used as a support tool during
the investigative phase of a normal business impact analysis. It covers the type of questions
you need to ask those managers who are responsible for the core business units, functions
or processes.

3. KEY FUNCTION SELECTION LIST
This tool was also developed for use in connection with functional analysis. It acts as a
prompt when trying to plot the main functions of an organization. As it is a rather generalized
tool you may want to add other items to the list before use in any particular industry which
has unique characteristics or ways of achieving things.

4. RECOVERY NEEDS ANALYSIS TOOL
This tool is another example of the type of worksheets which are used during the data-
gathering phase data.

5. CRITICAL DATA CHECKLIST
This checklist is designed to help the user identify the various types of data which may be
classified as critical and require to be included within the back up regime.

6. DUMMY BUSINESS CONTINUITY PLAN
This example is derived from a plan we prepared for a firm of consulting engineers with a
number of regional offices. The basic template behind this plan has evolved over the past 20
years and has also served as a teaching aid on various training courses for business
continuity personnel.

7. BUSINESS CONTINUITY PLAN CHECKLIST
This is a tool for use when reviewing or auditing a business continuity plan. It provides an
objective view of what are deemed to be the essential ingredients. A subjective view of
whether those ingredients are practical and meaningful is also required if the review or audit is
to be really effective in highlighting any shortfalls, redundancies or confusions within the text.

8. SAMPLE EVACUATION PLAN
The original for this plan was developed as a direct result of the lessons learned from a series
of terrorist attacks, culminating in the 9/11 event. It is based on certain assumptions which
are stated within the plan. Clearly, in a disastrous event where there is no prior warning there
is no requirement for an evacuation plan. The plan has been based on the assumption that
there would be We have made the assumption, therefore, that we can expect twenty minutes
warning and the plan is based on this assumption. Parts of the evacuation procedures can
also be used to get people to safety under various other circumstances, such as a fire or any
other threat to the health and safety of the building's occupants.

9. EMERGENCY EVACUATION CHECKLIST
This checklist should be used to investigate and evaluate the various options for getting
people to a place of safety in an emergency. The output of the investigation, using this tool,
provides the input to an emergency evacuation plan.

10. SAMPLE EMERGENCY RESPONSE PLAN
This was derived from the same basic template as the business continuity plan. It would
normally form a module within the overall plan but here it is shown as a separate stand-alone
item. This also has been used extensively as a teaching aid, especially on emergency
management training courses.

11. EMERGENCY MANAGER'S NOTES
These notes are designed to help the emergency manager keep track of his, or her, activities
and responsibilities during the first few minutes, or hours, of an incident. They are intended to
supplement rather than replace a full emergency response plan.

12. EMERGENCY RESPONSE CHECKLIST
The emergency response checklist provides a cryptic overview of the key activities during an
emergency. It can be used by the administration section to keep track of events and perhaps
act as a prompt in case anything should be overlooked.

13. SYSTEMS RECOVERY CHECKLIST
This checklist is intended to be used by the technical team who are responsible for carrying
out systems recovery testing as a part of the disaster recovery program. The original version
was developed about ten years ago but the principles of trying to ensure compatibility and
suitability of the recovery resources should still apply. The other important issue is the quality
and reliability of the back up and the regime which produces it.

14. SAMPLE CRISIS MANAGEMENT PLAN
The sample crisis management plan was originally developed for a newspaper chain and was
printed as a double sided, tri-fold document which could be slipped into a director's pocket, or
diary; to be carried at all times. Indeed, these were so easy to produce that they kept a small
supply at each one of their regional offices.

15. FIRE EXPOSURE ANALYSIS TOOL
This is a data collection tool for use in conjunction with the fire exposure analysis concept as
described in Chapter 5 where you will find full instructions on how to proceed with this
technique. The resulting fire exposure analysis report should prove useful in establishing the
need for some form of contingency planning or, at the very least, some form of document
protection policy.

16. SERVICE IMPACT ANALYSIS TOOL
The original version of this tool was developed by Liz Taylor of Public Risk Management as a
means of identifying the critical services delivered by a local authority. However, the principle
of scoring key aspects and multiplying them to gain a distinctive score can be applied to any
business environment.

17. RESOURCE REQUIREMENTS ANALYSIS TOOL
The original version of this tool was also developed by Liz Taylor of Public Risk Management
as a means of identifying the critical resource requirements for a local authority. It is a
companion to the service impact analysis tool and is intended to be used in conjunction with
it.

18. PLOT DEVELOPMENT TOOL
This tool is designed to assist the user in the selection of suitable plot lines as the basis of
their exercise scenarios. It provides a number of basic ideas together with a rating system to
help the scriptwriter select the most appropriate ones for different occasions and
circumstances.

19. EMERGENCY MOVE CHECKLIST
This checklist is designed to support the review and analysis process whenever the operation
is moved to a recovery center. While it is designed as a post-event tool, it might be equally
useful when reviewing a test, or a training exercise, which entails moving to a recovery site.

20. EXERCISE SCRIPT
This document represents a typical script for an exercise designed to explore the manner in
which a telecommunications company responded to a serious incident. It may provide the
reader with some ideas about the layout and contents of a working script.

21. EXERCISE FACILITATOR'S CHECKLIST
This checklist is for an exercise facilitator to make sure everything has been accounted for
when preparing to deliver an exercise.

22. EXERCISE LOG
This log is designed to keep track of what happens during an exercise so nothing gets
overlooked during the subsequent debriefing, reporting and reviewing.

23. SAMPLE EXERCISE REPORT
This is a 'sanitized' version of an actual exercise report. It is included here as an example of
the style and contents of such a report.

24. OUTLINE HOLDING STATEMENT
This is a suggested layout for an initial holding statement, suitable for use in the immediate
aftermath of any incident which might be serious enough to attract the attention of others. It
should be prepared as soon as possible after an 'incident' occurs, although one should avoid
using that word in the description of the event.

* * * PLUS * * * BONUS MATERIALS including:
· 16+ Helpful Articles
· Integrity Indexing Methodology Tools and Resources
· Operational Governance Tools and Resources
· Student Assignments
· Case Studies and Exercises
· Reader Self-Assessment
· Web URL References

--------------------------------------------------------------------------------------------------------

EXCERPT FROM THE FOREWORD BY THE BUSINESS CONTINUITY INSTITUTE

“As Technical Services Director of The Business Continuity Institute I am delighted to provide
this foreword for what I believe will be a very important addition to the currently available
literature on Business Continuity Management.

“In fact, the author Jim Burtles is one of the few practitioners that have both the depth of
knowledge and length of experience to write what might arguably be the most comprehensive
review of the subject ever produced. I have known Jim Burtles since around 1986 and
although we have never directly worked together commercially, our paths have crossed many
times over the past two decades. When we both started in Business Continuity it was a little
known subject largely restricted to IT recovery specialists. Jim and I shared both a hope and
a belief that it could and would become something much greater. I believe it has exceeded
our expectations and continues to do so on an almost daily basis.

“Part of this success story has been due to an organisation that both Jim and I are very
committed to – The Business Continuity Institute. The BCI was formed in 1994 and has gone
from strength to strength. Jim and I share the distinction of being founder members of The
Institute together with a handful of other UK-based practitioners. From such small beginnings
it is now a major name in the world of Business Continuity. With nearly 4000 members in
over 80 countries and a growing list of international Chapters and Forums, The BCI is
increasingly being seen as the definitive voice in world Business Continuity Management.

“Jim’s contribution to this has been enormous --- his unfailing intellectual rigour about his
subject, his passion for persuading others of its importance and his determination to turn
BCM into a mainstream management discipline has never wavered. When others might have
thought of retiring Jim has just started on another challenge, the latest being this formidable
“tour de force” through the complexities of Business Continuity.

“Business Continuity certainly has its technical elements but it really fits the category of a
mainstream business issue. It has its own standards such as BS25999 in the United
Kingdom, NFPA1600 in North America and other national standards in Australia, Singapore
and beyond. It has its own institutions such as the BCI and the Disaster Recovery Institute
International (DRII), and is increasingly influencing government policy and regulatory regimes.
It has a global reach and a resonance that is understood from Europe to America, from Asia
to Africa. Its principles work for multi-national corporations and small businesses, for public
as well as private sector organisations. Most significantly, it has its “gurus” and thought
leaders – 0one of the best of these in my view is Jim Burtles.

“I believe there is a growing awareness across the world of what business continuity really is
and why it is so important to corporate survival. We have seen a real increase in high-profile
events that have been broadcast on our televisions and in our newspapers, all of which have
highlighted the benefits of good planning and response capabilities. We have an increased
perception of threats, some of which we understand well, some that come as a complete
surprise and others that, although known, shock us by the severity of their consequences
when they occur.

“In today’s world there is a more global nature to these threats. Businesses have far more
economic interdependency between regions than ever before. We invariably rely on longer
supply chains for physical production of the goods we consume, and we increasingly rely on
offshore outsourced operations for much of our service delivery and back office administration.

“Probably the most global industry of all is the Financial Sector, and it is in this field that
regulation, legislation and standards have really started to take hold. Compliance with a
myriad of different requirement in different countries is making the role of the compliance
professional both extremely challenging and increasingly risky. In this sector at least, BCM is
now often being seen as a compliance issue rather than a risk, security or emergency
planning issue.

“There is clear evidence that there is a coming together of BCM thinking amongst the various
financial regulators, which is likely to be a strong driver for more consistency. The Basel
Committee on Banking Supervision, Joint Forum has issued seven high-level principles for
business continuity (http://www.bis.org/publ/joint17.htm) that individual country regulators will
look to enforce. The countries represented were: USA, UK, Canada, France, Netherlands,
Hong Kong, and Japan, so although not universal it does represents most of the major
players in the financial markets.

“With so much current debate about the exact nature and boundaries of Business Continuity
Management, this book puts it all into perspective and gives us an authoritative view from
someone who has really seen and done it all during a long and outstanding BCM career.

- Lyndon Bird, Technical Services Director, The Business Continuity Institute.

--------------------------------------------------------------------------------------------------------

EXCERPT FROM THE INTRODUCTION

In this book, we will explore the subject of Business Continuity Management; I intend to
explain the basic principles and describe what I regard as good practice. On completing this
book, the reader should be in a position to engage in all of the activities associated with the
development, delivery or maintenance of a business continuity program.

We start by looking at how and why the subject came into existence, which leads naturally
into some thoughts about the science behind the basic principles. The practical aspect
opens up with ideas about launching a program and getting to grips with the operational risks
and threats. Risk management is a well-established discipline and much of our work is often
predicated upon the work done by others in this area.

Where business continuity is particularly unique is in the next stage of developing a practical
understanding of the impacts and consequences of risk. This enables us to design an
appropriate continuity strategy to meet the precise needs of the organization. Business
impact analysis is an especially valuable contribution to the development of continuity and
resilience in any enterprise.

We then move on to look at the basic continuity strategies and how to select the most
appropriate one to meet the needs and the budget. This leads us on to considering the
emergency response aspect which is about arranging and preparing to deal with a business
interruption. Understanding the management and control of the effects and consequence of
such an event leads us naturally towards the need to know something about restoration and
recovery of facilities resources and equipment. Here again the business continuity manger
needs to have basic understanding of a complex and well-established discipline.

We then move on to look at disaster recovery techniques which are the various ways in which
the technical people can prepare to rebuild or recover the support services and functions. This
is another area where the business continuity manager will need to rely upon the specialist
skills of other people. So the requirement is to have a broad understanding in order to be able
to call on their services and interpret what they are saying into meaningful terms.

Armed with a rounded knowledge of the prerequisites we then look at the development and
construction of the actual business continuity plans. We examine the various types and
levels of plans which are required to cover the various aspects of a disruptive event. In our
model we envision five distinct types of plans, but there is no fixed rule about this. The plans
and their format have to fit the needs, and structure, of the enterprise concerned.

Having covered the build-up towards, and the actual development and delivery of, the
business continuity plans we next consider the longer term which is about raising awareness,
applying the skills, looking after the resources and keeping the plans up to date. A review or
audit program is then discussed as a means of ensuring the ongoing suitability of the
program as well as its strategy, plans and resources.

With an established business continuity program behind us, in theory at least, it we next
introduce the need for, and the know-how of, exercising the plans and testing their
components. This chapter covered the most important stage of preparing to deal with a major
disruption. Without testing we have no means of knowing whether our plans will work.
Without exercising we have no way of knowing whether our people can cope.

Adding another layer of sophistication we then look at how to arrange for crisis management
which is all about protecting the brand and image. Although crisis management requires the
services of senior stakeholders for the actual delivery, it is the duty of the business continuity
manager to ensure the arrangements are in place to enable it to happen.

We cover the need to deal sympathetically with personnel in the wake of a disaster before
looking at the need to liaise with others. This liaison work can, and should, be started
proactively in order to ensure there are no surprises. Obviously it will continue throughout an
emergency and possibly for some while afterwards.

Anyone who has read and understood this body of work should, theoretically, be ready to
tackle any aspect of business continuity with some degree of confidence. There is some
subsidiary material which may bolster this confidence. These extra materials include a bunch
of quotes you may use to garnish your own presentations and a glossary to make sure you
are expressing yourself correctly. Finally there is a toolkit on CD-ROM which contains
samples of all the materials you will need in the role of a business continuity professional, as
well as a selection of supplementary reading material.

--------------------------------------------------------------------------------------------------------

ABOUT THE AUTHOR

JIM BURTLES KLJ, MMLJ, FBCI is a well known international figure in the business
continuity profession with 30 years of experience spread across 22 countries. He is a
founding fellow of the Business Continuity Institute where he has served as a director for over
ten years. As the original Standards Officer, he was heavily involved in the evolution of its
professional standards and ethics.

He received the freedom of the City of London in 1992 and was presented with a Lifetime
Achievement Award by his peers in 2001. During 2004 he worked with the Cabinet Office in
the United Kingdom, helping to develop their guidance material to support the Civil
Contingencies Act (2004). He also represents the business community on the London
Regional Resilience Team which is the central coordinating body for London's response to an
emergency.

Over the years, Jim Burtles has been involved with charitable works and was promoted in
2005 to the rank of KLJ, Knight of Grace within the Military and Hospitaller Order of St.
Lazarus of Jerusalem, He has also been granted Membership of the Companionate of Merit in
recognition of his work on behalf of the Order, MMLJ. The Order of St Lazarus of Jerusalem
was founded in 1098, at the Infirmary of St. Lazarus during the First Crusade.

Originally a research engineer involved in the development of early transistor technology in the
late 1950s, he joined IBM as a service engineer in 1969. During his eighteen years with IBM,
he was at the forefront of the emerging business continuity profession. His first involvement
with Disaster Recovery (or DR) was in 1976 as the field engineer responsible for repairing and
recovering a critical banking system that had been struck by lightning. Later he became a
systems engineer, advising customers on such matters as system performance and
reliability. He went on to become IBM's disaster recovery country specialist before joining
Safetynet as their principal consultant in 1987. (Safetynet was a leading small systems
disaster recovery service which was subsequently acquired by Sungard).

In 1995 he was appointed as a director of Corporate Integrity where he was head of training
until they were acquired by Adam Associates in 2000. Two years later he set out on his own
as the principal of Total Continuity Management, where he now focuses on executive-level
training and support for Business Continuity Management and the development of specialist
emergency response skills.

During the early years he played a leading role in the development and expansion of disaster
recovery principles and practices. Since then he has been instrumental in maturing those
early pioneering methods into the professional skill set of the modern business continuity
manager. When he first became involved in the subject there was no body of knowledge to
refer to, nothing had been published. Indeed, very few people had even though about business
continuity; so he set about inventing and developing ideas and theories to explain what the
problems might be and how we could solve them. For example, the backlog trap, now
accepted by almost everyone as a fact of life, was an early development of his which paved
the way for a more constructive approach to business resilience.

His practical experience includes hands-on recovery work with victims of events such as
bombings, earthquakes, storms and fires. This includes technical assistance and support in
90+ disasters, as well as advice and guidance for clients in over 200 emergency situations.
Through his activities as a trainer and consultant he has helped to introduce business
continuity and its related disciplines into both the public and private sectors.

A regular speaker on the international scene, Jim Burtles has introduced over 2,500 people
into the profession through formal training programs, and provided partial or top-up training for
another 800+ through workshops covering specific subject or skill areas. He has also helped
a number of consultancies and service providers to develop their methodologies, tools and
professional services. This includes the design of specialist risk management tools, training
courses and bespoke services for niche industries as well as the training of staff and clients.

Jim Burtles has carried out business continuity assignments (a mixture of auditing, training,
consulting and research work) in Australia, Belgium, Cayman Islands, Denmark, Eire,
France, Germany, Gibraltar, Holland, Isle of Man, Italy, Jersey, Nigeria, Norway, Saudi
Arabia, South Africa, Spain, Switzerland, Turkey, United States of America and throughout
the United Kingdom.

--------------------------------------------------------------------------------------------------------

Order #DR800. ISBN 1-931332-39-8.
2007, Book plus CD-ROM.
Rothstein Associates Inc., Publisher.

Planned availability: July 1, 2007.

--------------------------------------------------------------------------------------------------------

Rothstein Associates Inc.

4 Arapaho Rd.

Brookfield, CT 06804-3104

1-888-ROTHSTEin

Telephone: 203.740.7444; 888.768.4783

Fax: 203.740.7401

E-Mail: info@rothstein.com