Wednesday, December 20, 2006

Plan Initiation and Management

Business continuity planning projects, like disaster recovery projects, are initiated for many reasons, such as:

  • Auditor reporting.
  • Regulatory compliance.
  • Stakeholder demands.
  • Experience with an event or disruption.

Whatever the reason, committing funds, resources and time to activating a business continuity project, as well as understanding the ongoing cultural change that will become a long-term, integral part of day-to-day business, is critical to the success of the project.

Find out what is really important to your management and use that information to show value to the project. It may be that they are concerned about:

  • Product delivery.
  • Customer service.
  • Satisfying board members.
  • Auditors.

It is important to find out what management really cares about in running the business and which elements are, in their minds, critical to keeping the business doors open even in the face of disaster. When necessary, a cost/benefit analysis should be prepared to demonstrate the benefits of ensuring the protection and availability of those critical elements. A cost/benefit analysis should include:

  1. Business continuity plan start-up and ongoing costs associated with the resources, time and effort necessary to the plan, as well as any third party contracts that may need to be created. An ongoing annual cost should also be calculated to include plan maintenance, administration, awareness, training and testing.

  2. An estimate of the rebuild costs if a business continuity plan is not developed. Things like potential employee recruitment and new hire costs, technology replacement and potential moving costs should be included. Financial and/or operational impacts related to the critical functions of the business not being performed should also be estimated.

  3. Potential savings to the business should also be investigated and reported to management. These savings could include:
    1. Discounted insurance premiums to the business for having recovery plans in place.
    2. Opportunities to outsource technology maintenance, support and/or upgrades which might be more cost-effective than providing in-house service.
    3. Off-site vaulting vs. providing appropriate environments and structure on-site.

Phase I - Information Gathering...

Structure - Once the approval of senior management is obtained, a high level message should go out to all employees expressing the following:

  1. Management support for the planning project.
  2. Employee cooperation is expected.
  3. A brief overview of the objectives of the planning effort.
  4. A project team should be established consisting of:
    1. A project manager who coordinates the activities of the team, manages timelines and budget, and reports to senior management.
    2. Departmental representatives and a backup who understand the inner workings of each functional area and are able to answer questions contained in a Business Impact Analysis.
    3. One or two key resources from technology who would understand the underlying technical issues as recovery requirements are prioritized.
    4. A project liaison, someone who would have access to current employee organizational charts, insurance policies, third party contracts, etc.

Budget - This phase requires the most participation from the employee population but should be the closest to "true" cost as we are mainly dealing with employee time. This one-time cost could have been reported in the cost/benefit analysis.

Timelines - Timelines should be established based on employee availability but should be as aggressive as possible while everyone is still aware and supportive of the initiative. This is probably the longest and most time-consuming of the three phases.

Milestones - Milestones during Phase I can include:

  • Completion of the risk analysis/assessment and reporting the results to senior management.
  • Completion of the business impact analysis and reporting appropriate recovery alternatives to senior management.
  • Establishment of the emergency response teams, their responsibilities and informing employees of who those team members are.
  • Management decision on a recovery strategy that will best suit the established recovery requirements.

Phase II - Plan Development...

Structure - Once an appropriate recovery strategy has been chosen by management, the following additions to the project team may be necessary:

  • Legal counsel to complete any necessary third party contract negotiations.
  • Senior management with signing authority for third party contracts.
  • Technical writers for plan documentation.
  • Human resources/property management and the local emergency authorities to document emergency response procedures.
  • Communications representative with media training to develop corporate first response scripts.

Budget - Budget items could include:

  • Consultant or contract resources.
  • Media management and communications courses.
  • Plan documentation software and training.
  • Any third party contracts that are established.

Timelines - Timelines will vary depending on:

  • Whether third party contracts are evaluated and established.
  • Participation and availability of departmental planning resources.
  • Whether technical writers are used for plan documentation.
  • Software training.

Milestones - Milestones for this phase could include:

  • Completion of third party recovery provider contracts.
  • Completion of each department's or business unit's recovery plan.
  • Completion of the technical recovery solutions to reflect established Recovery Time Objectives (RTO).

Phase III - Business Continuity Process...

Structure - The two main focuses of the project manager in this phase are:

  • Developing initial awareness and recovery training for all employees.
  • Coordinating and scheduling the first recovery test for the organization.

The project team should continue to forward status reports to senior management; however, the frequency of those reports may drop down to once a month. The project team for employee training might consist of:

  • The project manager who coordinates the activities of the teams, manages timelines and budget, and reports to senior management.
  • Representation from human resources or the internal training department.
  • Representation from one or two key divisions to review and evaluate the training material.
  • Outside resources (if necessary) which specialize in employee awareness and training for business continuity.

The other set of activities that will be happening at the same time is for a team to develop a test plan, script and schedule for an initial restoration and/or recovery. To accomplish this, a project team needs to be assembled which includes:

  • A project manager.
  • Technology support representatives.
  • Human resource representatives to facilitate travel or other related issues (if necessary).
  • Representatives from the departments to be tested.
  • Representatives from the recovery site provider (if necessary).

Budget - Budget estimates will vary depending on whether training and awareness programs are developed in-house or purchased from an outside vendor. In addition, creating a testing budget will depend on whether the testing will be done in-house or at an off-site or third party facility. Charges for using these facilities should be determined during the negotiation process in order to facilitate the testing budget process.

Timelines - Timelines for this phase are never ending as testing and education should be ongoing. Testing and education schedules should be developed for each new year and far enough in advance to ensure appropriate participation.

Milestones - Milestones for this phase could include the announcement that all employees had completed initial awareness/training classes as well as the completion of the first recovery testing.

