Year 2000 Business Continuity and Contingency Planning
1.0 Initiation
Executive management needs to be fully aware of the potentially devastating
financial, organizational, and political consequences of the failure of
one or more mission-critical information systems. It is the responsibility
of the executives responsible for the agency’s core business processes
to work with the Chief Information Officer, the Chief Financial Officer,
and the Year 2000 program manager to reduce the risk of Year 2000-induced
business failures. Agency managers must dedicate sufficient resources and
staff for the business continuity planning tasks, and ensure that senior
managers support this effort.
Key Processes
1.1 Establish a business continuity project work group
1.2 Develop and document a high-level business continuity planning
strategy
1.3 Identify core business processes
1.4 Define roles and assign responsibilities
1.5 Develop a master schedule and milestones
1.6 Implement a risk management process and establish reporting
systems
1.7 Assess existing business continuity, contingency, and disaster
recovery plans and capabilities
1.8 Implement quality assurance reviews
1.1 Establish a business continuity project work group
Establish, within the agency’s Year 2000 program office, a business continuity
work group. The group should include representatives from the agency’s
major business units, domain experts in relevant functional areas, business
continuity and disaster recovery specialists, operational analysts, and
contract specialists. Access to legal advice is also a necessity. This
group should work closely with the Year 2000 program manager and staff
to ensure access to information on the status of the agency’s Year 2000
renovation, validation, and implementation efforts.
1.2 Develop and document a high-level business continuity planning strategy
A high-level business continuity planning strategy provides the agency’s
executive management with a high-level overview of the Year 2000 business
risks and solutions. The strategy should address the project structure,
its relationship with the Year 2000 program, metrics and reporting requirements,
and the initial cost and schedule estimates. The risk of business failure
is not limited to the organization’s internal information systems. Many
federal agencies also depend on information and data provided by their
business partners—including other federal agencies, hundreds of state and
local agencies, international organizations, and private sector entities.
Finally, every organization also depends on services provided by the public
infrastructure--including power, water, transportation, and voice and data
telecommunications.
1.3 Identify core business processes
Analyze agency business plans and work with business process owners and
Year 2000 program staff to identify core business processes and supporting
mission-critical systems for each business area. Ensure that all key business
dependencies are clearly identified, including infrastructure and external
sources of critical supplies and information. Identify executives responsible
for the operation and continuity of each core business process. Use ownership
of core business processes to promote executive ownership of the planning
effort.
1.4 Define roles and assign responsibilities
Define roles and assign responsibilities for leading the planning effort
and for performing analyses and designing business alternatives, including
contingent operations for sustained and prolonged disruption. Appoint individuals
to lead the development of contingency plans for each of the core business
processes. Define responsibilities for documenting the business continuity
plan and defining the essential operational activities comprising it. Ensure
that individuals responsible for the various business continuity and contingency
planning activities are held accountable for the successful completion
of individual tasks, and that the core business process owners are responsible
and accountable for meeting the milestones for the development and testing
of contingency plans for their core business processes.
1.5 Develop a master schedule and milestones
Develop a schedule for the planning effort and the delivery of interim
and final products. Link the schedule to critical stages in the Year 2000
program effort. Update as required.
1.6 Implement a risk management process and establish reporting system
Manage the business continuity planning tasks and activities as a sub-project
within the Year 2000 program office. Rank business risks and focus the
planning effort on the greatest risk to critical core business processes.
Identify project risks and develop metrics. Establish a reporting system,
reporting requirements, and formats. Track estimates and, after each step
is completed, update estimates as needed, especially when new information
significantly alters the estimates. Estimate and assign risk to each mission-critical
system undergoing renovation or replacement. Track and compare actual costs
against estimates.
1.7 Assess existing business continuity, contingency, and disaster recovery
plans and capabilities
Assess existing business continuity, contingency, and disaster recovery
plans for their applicability. Identify weaknesses and strengths of
existing plans.
1.8 Implement quality assurance reviews
Task the agency’s quality assurance staff to review the business continuity
planning processes. For example, use the quality assurance office staff
to ensure that the business continuity team reviews existing contingency
plans and that the existing contingency and disaster recovery plans are
updated and incorporated into the business continuity plan. The quality
assurance reviews should examine the worst case scenarios to ensure that
a feasible backup strategy--including private sector solutions--can be
successfully implemented in a national emergency.
Formatted from text provided by: The United States General
Accounting Office, Accounting and Information Management Division. HTML format
copyrighted by The Disaster Center, 1998.