5.0 Guidelines Designation
This guideline is designated as ASIS GDL BC 01 2005.
The Business Continuity (BC) Guideline has applicability in both the private and public sector environments. The BC Guideline is a series of interrelated processes and activities that will assist in creating, testing, and maintaining an organization-wide plan for use in the event of a crisis that threatens the viability and continuity of the organization.
The BC Guideline is a tool to allow organizations to consider the factors and steps necessary to prepare for a crisis (disaster or emergency) so that it can manage and survive the crisis and take all appropriate actions to help ensure its continued viability. The advisory portion of the guideline is divided into two parts: (1) the planning process and (2) successful implementation and maintenance. Part One provides step-by-step Business Continuity Plan preparation and activation guidance, including readiness, prevention, response, and resumption/recovery. Part Two details those tasks required for the Business Continuity Plan to be maintained as a living document, changing and growing with the organization and remaining relevant and executable. Appendix A offers the ASIS Business Continuity Guideline Checklist.
Recent world events have challenged us to prepare to manage previously unthinkable situations that may threaten an organization’s future. This new challenge goes beyond the mere emergency response plan or disaster management activities that we previously employed. Organizations now must engage in a comprehensive process best described generically as Business Continuity. It is no longer enough to draft a response plan that anticipates naturally, accidentally, or intentionally caused disaster or emergency scenarios. Today’s threats require the creation of an on-going, interactive process that serves to assure the continuation of an organization’s core activities before, during, and most importantly, after a major crisis event.
In the simplest of terms, it is good business for a company to secure its assets. CEOs and shareholders must be prepared to budget for and secure the necessary resources to make this happen. It is necessary that an appropriate administrative structure be put in place to effectively deal with crisis management. This will ensure that all concerned understand who makes decisions, how the decisions are implemented, and what the roles and responsibilities of participants are. Personnel used for crisis management should be assigned to perform these roles as part of their normal duties and not be expected to perform them on a voluntary basis. Regardless of the organization -- for profit, not for profit, faith-based, non-governmental -- its leadership has a duty to stakeholders to plan for its survival. The vast majority of the national critical infrastructure is owned and operated by private sector organizations, and it is largely for these organizations that this guideline is intended. ASIS, the world’s largest organization of security professionals, recognizes these facts and believes the BC Guideline offers the reader a user-friendly method to enhance infrastructure protection.
9.0 Key Words
Business Continuity Plan, Business Impact Analysis, Crisis Management Team, Critical Functions, Damage Assessment, Disaster, Evaluation and Maintenance, Mitigation Strategies, Mutual Aid Agreement, Prevention, Readiness, Recovery/Resumption, Resource Management, Response, Risk Assessment, Testing and Training.
Alternate Worksite: A work location, other than the primary location, to be used when the primary location is not accessible.
Business Continuity: A comprehensive managed effort to prioritize key business processes, identify significant threats to normal operation, and plan mitigation strategies to ensure effective and efficient organizational response to the challenges that surface during and after a crisis.
Business Continuity Plan: An ongoing process supported by senior management and funded to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and plans, and ensure the continuity of operations through personnel training, plan testing, and maintenance.
Business Impact Analysis: A management level financial analysis that identifies the impacts of losing an organization’s resources. The analysis measures the effect of resource loss and escalating losses over time in order to provide reliable data upon which to base decisions on mitigation, recovery, and business continuity strategies.
Contact List: A list of team members and key players in a crisis. The list should include home phone numbers, pager numbers, cell phone numbers, etc.
Crisis: Any global, regional, or local natural or human-caused event or business interruption that runs the risk of (1) escalating in intensity, (2) adversely impacting shareholder value or the organization’s financial position, (3) causing harm to people or damage to property or the environment, (4) falling under close media or government scrutiny, (5) interfering with normal operations and wasting significant management time and/or financial resources, (6) adversely affecting employee morale, or (7) jeopardizing the organization’s reputation, products, or officers, and therefore negatively impacting its future.
Crisis Management: Intervention and coordination by individuals or teams before, during, and after an event to resolve the crisis, minimize loss, and otherwise protect the organization.
Crisis Management Center: A specific room or facility staffed by personnel charged with commanding, controlling, and coordinating the use of resources and personnel in response to a crisis.
Crisis Management Planning: A properly funded ongoing process supported by senior management to ensure that the necessary steps are taken to identify and analyze the adverse impact of crisis events, maintain viable recovery strategies, and provide overall coordination of the organization’s timely and effective response to a crisis.
Crisis Management Team: A group directed by senior management or its representatives to lead incident/event response comprised of personnel from such functions as human resources, information technology facilities, security, legal, communications/media relations, manufacturing, warehousing, and other business critical support functions.
Critical Function: Business activity or process that cannot be interrupted or unavailable for several business days without having a significant negative impact on the organization.
Critical Records: Records or documents that, if damaged, destroyed, or lost, would cause considerable inconvenience to the organization and/or would require replacement or re-creation at a considerable expense to the organization.
Damage Assessment: The process used to appraise or determine the number of injuries and human loss, damage to public and private property, and the status of key facilities and services resulting from a natural or human-caused disaster or emergency.
Disaster: An unanticipated occurrence or event, including natural catastrophes, technological accidents, or human-caused events, causing widespread destruction, loss, or distress to an organization that may result in significant property damage, multiple injuries, or deaths.
Disaster Recovery: Immediate intervention taken by an organization to minimize further losses brought on by a disaster and to begin the process of recovery, including activities and programs designed to restore critical business functions and return the organization to an acceptable condition.
Emergency: An unforeseen occurrence or situation that happens unexpectedly and demands immediate action and intervention to minimize potential losses to people, property, or profitability.
Evacuation: Organized, phased, and supervised dispersal of people from dangerous or potentially dangerous areas.
Evaluation and Maintenance: Process by which a business continuity plan is reviewed in accordance with a predetermined schedule and modified in light of such factors as new legal or regulatory requirements, changes to external environments, technological changes, test/exercise results, personnel changes, etc.
Exercise: An activity performed for the purpose of training and conditioning team members and personnel in appropriate crisis responses with the goal of achieving maximum performance.
Maintenance: See Evaluation and Maintenance.
Mitigation Strategies: Implementation of measures to lessen or eliminate the occurrence or impact of a crisis.
Mutual Aid Agreement: A pre-arranged agreement developed between two or more entities to render assistance to the parties of the agreement.
Prevention: Plans and processes that will allow an organization to avoid, preclude, or limit the impact of a crisis occurring. The tasks included in prevention should include compliance with corporate policy, mitigation strategies, and behavior and programs to support avoidance and deterrence and detection.
Readiness: The first step of a business continuity plan that addresses assigning accountability for the plan, conducting a risk assessment and a business impact analysis, agreeing on strategies to meet the needs identified in the risk assessment and business impact analysis, and forming Crisis Management and any other appropriate response teams.
Recovery/Resumption: Plans and processes to bring an organization out of a crisis that resulted in an interruption. Recovery/resumption steps should include damage and impact assessments, prioritization of critical processes to be resumed, and the return to normal operations or to reconstitute operations to a new condition.
Response: Executing the plan and resources identified to perform those duties and services to preserve and protect life and property as well as provide services to the surviving population. Response steps should include potential crisis recognition, notification, situation assessment, and crisis declaration, plan execution, communications, and resource management.
Risk Assessment: Process of identifying internal and external threats and vulnerabilities, identifying the likelihood of an event arising from such threats or vulnerabilities, defining the critical functions necessary to continue an organization’s operations, defining the controls in place or necessary to reduce exposure, and evaluating the cost for such controls.
Shelter-in-Place: The process of securing and protecting people and assets in the general area in which a crisis occurs.
Simulation Exercise: A test in which participants perform some or all of the actions they would take in the event of plan activation. Simulation exercises are performed under conditions as close as practicable to “real world” conditions.
Tabletop Exercise: A test method that presents a limited simulation of an emergency or crisis scenario in a narrative format in which participants review and discuss, not perform, the policy, methods, procedures, coordination, and resource assignments associated with plan activation.
Testing: Activities performed to evaluate the effectiveness or capabilities of a plan relative to specified objectives or measurement criteria. Testing usually involves exercises designed to keep teams and employees effective in their duties and to reveal weaknesses in the Business Continuity Plan.
Training: An educational process by which teams and employees are made qualified and proficient about their roles and responsibilities in implementing a Business Continuity Plan.
Vital Records: Records or documents, for legal, regulatory, or operational purposes, that if irretrievably damaged, destroyed, or lost, would materially impair the organization's ability to continue business operations.