Business Continuity Guide - Alberta


Government of Alberta Business Continuity Guide

Business Continuity Guide
2017
June 2017
Page 1

Acknowledgements

The Business Continuity Guide is the primary resource document for the Government of Alberta’s departments in the development of a business continuity plan as defined by the Alberta Emergency Plan. The Alberta Emergency Management Agency has prepared this guide in order to provide a frame of reference for Business Continuity Officers to develop, maintain, and improve their departmental Business Continuity Programs. Consideration has been given to the development of three components: the legislated requirements, business continuity plan components (ability to activate and implement the plan), and business continuity management program components (ability to improve the department’s business continuity resilience) for continuous improvement.

The guide emphasizes departments’ responsibility to resume essential services for Albertans in the face of business continuity disruptions. In managing business continuity disruptions, a successful outcome is judged by both the technical response and the perceived competence of the management.

We hope you find this guide a valuable addition to your business continuity planning resources. If you have any questions, comments, or recommendations for amendments, please contact:

Plans Manager
Alberta Emergency Management Agency
14515 122 Ave NW
Edmonton, Alberta T5L 2W4
Phone: 780-422-9000
Website: http://www.aema.alberta.ca

3rd Edition
ISBN 978-0-7785-5982-5
Copyright 2014 the Crown in the Right of Alberta, as represented by the Minister of Municipal Affairs, Alberta Emergency Management Agency, Edmonton, Alberta, Canada.
All Rights reserved. Commercial use strictly prohibited. Modification or reproduction prohibited unless authorized in writing by the copyright owner.

Record of Amendments

The Business Continuity Guide may require updates and amendments based on various factors. In order to ensure that the most accurate copy of the Guide is maintained, it is recommended that a business continuity team member be assigned the responsibility of maintaining current copies of the Guide.

List of all amendments made to the Guide since:

Effective Date    Amended By (Please print)    Initials
April 2007        Shem Bundi                   SB
15 August 2014    Alan Younghusband            AY
1 June 2017       Dan Howlader                 DH

Table of Contents

Acknowledgements ... 2
Record of Amendments ... 3
Table of Contents ... 4
1 Business Continuity Management ... 7
  1.1 Executive Summary ... 7
  1.2 GOA Business Continuity Management (BCM) ... 7
  1.3 Authority and Legislation ... 7
  1.4 Guiding Principles ... 8
  1.5 Business Continuity Standards and Best Practices ... 8
  1.6 Acronyms ... 8
  1.7 Terms and Definitions ... 9
2 Business Continuity Program Creation and Management ... 11
  2.1 What is a Business Continuity Program? ... 11
  2.2 BCM Program Scope ... 11
3 Business Continuity Plan Development ... 13
  3.1 Overview and Plan Development Objectives ... 13
  3.2 Planning Steps / Development Process ... 13
    3.2.1 Initial Preparation ... 13
    3.2.2 Interim Plan ... 14
    3.2.3 Risk Assessment ... 14
    3.2.4 Business Impact Analysis ... 14
    3.2.5 Emergency Response and Contingency Procedures ... 15
    3.2.6 Disaster Recovery and Continuity Strategies ... 15
    3.2.7 Writing ... 15
    3.2.8 Awareness and Training ... 15
    3.2.9 Review, Test, Exercise, Audit, and Maintenance ... 15
  3.3 Structure and Content of the Business Continuity Plan ... 15
    3.3.1 Cover Page, Contents and Layout ... 15
    3.3.2 Business Continuity Program ... 16
    3.3.3 Plan Activation, Coordination and Communication ... 16
    3.3.4 Business Impact Analysis and Risk Assessment ... 17
    3.3.5 Business Unit(s) Continuity Procedures ... 17
    3.3.6 Review, Maintenance, Training, and Exercises ... 17
    3.3.7 Supporting Documents ... 17
  3.4 Approval and Distribution ... 17
  3.5 Summary ... 18
4 Plan Activation and Incident Management ... 19
  4.1 Overview ... 19
  4.2 Management and Control Responsibilities ... 19
    4.2.1 Executive Team ... 19
    4.2.2 Management Team ... 19
    4.2.3 Operational / Response Team ... 19
  4.3 Emergency Operations Centre Location ... 20
  4.4 Emergency Procedures ... 20
  4.5 Activation Procedures and Operations ... 20
  4.6 Communication Plan ... 20
5 Risk Assessment ... 22
  5.1 Background ... 22
  5.2 Risk Assessment Processes ... 22
    5.2.1 Risk Assessment Considerations ... 22
    5.2.2 Risk Assessment Walkthrough ... 22
    5.2.3 Setting the Context ... 23
    5.2.4 Risk Identification ... 23
    5.2.5 Risk Analysis ... 23
    5.2.6 Risk Evaluation ... 25
    5.2.7 Risk Mitigation ... 26
  5.3 Summary ... 27
6 Business Impact Analysis ... 28
  6.1 Overview ... 28
  6.2 Business Impact Analysis Importance ... 28
  6.3 Conducting a Business Impact Analysis ... 29
    6.3.1 Define the Scope ... 29
    6.3.2 Preparing the Business Impact Analysis ... 29
    6.3.3 Data Collection: Scope and Methods ... 30
    6.3.4 Post Collection Activities ... 31
    6.3.5 Processing Data ... 31
    6.3.6 Data Control ... 32
  6.4 Final BIA Report ... 32
  6.5 Summary ... 33
7 Business Continuity Strategies ... 34
  7.1 Overview ... 34
  7.2 Information Gathering for Strategy Development ... 35
  7.3 Approaches for Business Continuity Strategies ... 35
    7.3.1 Disaster Recovery Strategies ... 35
    7.3.2 Business Continuity Strategies ... 35
  7.4 Strategy Selection Process ... 36
  7.5 Summary ... 36
8 Awareness and Training ... 37
  8.1 Overview ... 37
  8.2 Creating Awareness ... 37
    8.2.1 General Staff Awareness Training ... 37
    8.2.2 Business Continuity Team Training ... 37
    8.2.3 Executive and Senior Management Training ... 37
9 Program Maintenance ... 38
  9.1 Overview ... 38
  9.2 Review Process ... 38
  9.3 Audit Process ... 39
10 Exercising and Testing ... 41
  10.1 Overview ... 41
  10.2 Exercise Types and Methods ... 41
    10.2.1 Walkthrough Business Continuity Exercise ... 41
    10.2.2 Table Top Business Continuity Exercise ... 41
    10.2.3 Simulation Business Continuity Exercise ... 42
  10.3 Lessons Learned ... 42

1 Business Continuity Management

1.1 Executive Summary

When a significant event causes disruption to the provision of essential services to Albertans, the Government of Alberta (GOA) will execute the GOA Business Continuity Plan (BCP) in order to recover the disrupted services. The GOA BCP outlines the framework by which the government manages the continuity of its essential services during business disruptions. Under the coordination of the Alberta Emergency Management Agency (AEMA), individual departments will implement their individual BCPs (as required) to ensure the continuation of critical and vital services that are essential for the health and safety of all Albertans. Under current legislation and in conjunction with industry best practices, AEMA and GOA departments maintain comprehensive Business Continuity Management programs to address the known and unknown risks that may adversely affect Albertans.

This guide will assist Business Continuity Officers (BCOs) and their teams through the process of business continuity planning and management. This guide is intended as an overview of current best practices targeted at GOA departments, and while extensive, may not cover all unique requirements for each department. Users are encouraged to seek additional information beyond this guide as needed to meet the demands of their departments. Similarly, while many of the lessons and components in this guide may transfer to municipal management, outside users should ensure fit and applicability for their specific requirements. Additional information and assistance for GOA departmental Business Continuity Teams (BCTs) is available from AEMA.

1.2 GOA Business Continuity Management (BCM)

When a disruptive incident occurs, and the initial emergency response has been resolved, departments need to begin the task of restoring and maintaining essential services to Albertans. Through a comprehensive Business Continuity Program, with a documented BCP, departments will be able to assess potential risks, understand their impacts, and know how to resume essential services efficiently and effectively, regardless of the mechanism of disruption.

A comprehensive Business Continuity program will:
- Ensure provision of essential services to all Albertans.
- Ensure and maintain confidence in government.
- Minimize potential revenue loss.
- Reduce the impact related to service disruption.

1.3 Authority and Legislation

The current legislative framework for business continuity planning in the GOA is derived from the Emergency Management Act (EMA) and the Government Emergency Management Regulation (GEMR). These documents assign roles, responsibilities and authorities for business continuity planning in the GOA.

The GEMR assigns AEMA the responsibility for developing, implementing and maintaining the Alberta Emergency Plan (AEP) and the GOA BCP. The GEMR also assigns AEMA the responsibility for requiring each department, in consultation with AEMA, to prepare, implement, and maintain a BCP. The deputy heads of departments (typically deputy ministers) retain the accountability for business continuity planning within each department.

1.4 Guiding Principles

This guide provides a frame of reference for BCOs to develop, maintain, and improve their departmental BCM program. This guide is meant to highlight current industry best practices and provide suggestions or an alternative perspective that will enhance existing BCPs. The Guide is not a prescriptive instruction manual that must be followed to meet GOA BCP requirements. While not focusing on templates, it is understood that content specific to the department is more important than standardization of the plan.

1.5 Business Continuity Standards and Best Practices

Business continuity continues to gain momentum and recognition within both the national and the global emergency management framework. Currently, the GOA recognizes that in the international business continuity community, ISO 22301:2012 provides leadership and comprehensive standards for business continuity professionals to benchmark against in developing and enhancing their BC programs. AEMA uses CSA Z1600 to create measurable goals within a national context. Both of these standards are used as benchmarks in developing this Guide and will be used on an ongoing basis to inform best practice for the GOA.

1.6 Acronyms

Acronym    Full Spelling
AEMA       Alberta Emergency Management Agency
AEP        Alberta Emergency Plan
BC         Business Continuity
BCG        Business Continuity Guide
BCM        Business Continuity Management
BCO        Business Continuity Officer
BCP        Business Continuity Plan
BCT        Business Continuity Team
BIA        Business Impact Analysis
CSA        Canadian Standards Association
DM         Deputy Minister
EMA        Emergency Management Act
EOC        Emergency Operations Centre
FERP       Facility Emergency Response Plan
GEMR       Government Emergency Management Regulation
GOA        Government of Alberta
GOA BCP    Government of Alberta Business Continuity Plan
IAP        Incident Action Plan
IT         Information Technology
MTPD       Maximum Tolerable Period of Disruption
RTO(s)     Recovery Time Objective(s)

1.7 Terms and Definitions

Business continuity management – A holistic process that identifies potential threats / risks to the organization and the impacts those threats / risks may pose to continuity of essential services. This is a framework for building organizational resilience with the capability for an effective response that safeguards the interests of key stakeholders and organizational reputation.

Business continuity plan – A plan that prioritizes essential services, employs mitigation measures, and coordinates and implements the continuity of service strategies when a business disruption occurs.

Business continuity program – Ongoing management and governance process supported by top management and appropriately resourced to implement and maintain business continuity management.

Business disruption – Any event, anticipated or not, which causes an unplanned, negative deviation from the expected delivery of essential services according to GOA objectives.

Business impact analysis – Process of analyzing government activities and determining their criticality based on set criteria.

Department – A department is a cabinet minister’s area of responsibility, or portfolio, and the people who work for the ministry. The Minister, who is head of the ministry, is a member of the Executive Council. For the purpose of this plan, a department will include Agencies, Boards, and Commissions (ABCs) with the understanding that their participation in the program is largely voluntary and at the discretion and direction of their department deputy head.

Essential (or common) function – An internal function or process that supports a department’s essential services. There are two types of common functions:
- A business procedure that can be either automated or manually operated.
- A business unit of a department that is crucial to the continued functioning of the department’s essential services.

Essential services – There are four categories of essential services: Critical, Vital, Necessary, and Desired. Essential services are a product or benefit delivered directly to external stakeholders by departments of the GOA. Essential services are delivered to either:
- Citizens of Alberta, including, but not limited to individuals, families, organizations or local governments; and
- Other departments of the GOA or other levels of government that support the citizens of Alberta.

Exercise – Process to assess, practice, and improve performance during a simulated business continuity disruption.

Maximum Tolerable Period of Disruption (MTPD) – This is the period it would take for adverse impacts, which might arise as a result of not providing a product / service or performing an activity, to become unacceptable.

Recovery Point Objective – Refers to a point to which information technology (IT) used by an activity must be restored to enable the activity to operate on resumption.

Recovery Time Objective – The period of time following an incident within which product or service must be resumed, or activity must be resumed or resources must be recovered.

Resources – All assets, people, skills, information, technology, premises, and supplies that an organization has to have available to use, when needed, in order to operate and meet its objectives.

Risk – Something that exposes the GOA to potential disruption of essential services, and is evaluated by likelihood and impact.

Risk assessment – Overall process of identifying, analyzing, and evaluating risks.

Significant Business Continuity Disruption – An event where:
1. A single department is overwhelmed and is unable to manage / respond to the incident with internal resources
2. Multiple departments are impacted for longer than 24 hours
3. Government is not able to maintain essential services within predefined timeframes (24 hours for critical services, 72 hours for vital services and two weeks for necessary services).
4. The Provincial Operations Centre is at levels 2-4 in response to a business continuity disruption (see Section 8.5 for more details).

Vital Records – Vital records are those without which a public authority could not continue to operate. They may include documents, files, or records in any form or format, containing information that is essential to operations.

2 Business Continuity Program Creation and Management

2.1 What is a Business Continuity Program?

At its core, business continuity is focused on minimizing preventable disruptions to the essential programs and services offered by a government, an industry, or a business, and when preventing service gaps is no longer an option, business continuity describes processes and practices to restore and resume business as efficiently as possible. Within the GOA, business continuity refers to both the protecting of outward services provided to Albertans as well as to the internal processes that support those services.

The central document of a business continuity program is the BCP, which prioritizes essential services, describes mitigation measures, and coordinates and implements continuity of service strategies when a business disruption occurs. The BCP should be a living document that reflects the values, objectives, and framework of its department and grows and changes in accordance with each departmental reorganization. A BCP must outline realistic and achievable strategies that help departments identify and prioritize their core services; recognize risks and how to mitigate them; and create specific, actionable solutions to continue providing service regardless of disruptive events and emergencies.

The BCM program is a cyclical program that delineates and describes all activities concerning business continuity within the department. A typical BCM Program encompasses development of a BCP with all that this entails as described in this guide; awareness and training for the department on the BCP; execution of the BCP as required; and amendments and improvements to BC matters on a regular basis.

The BCM program must be managed within an established framework and according to the principles contained in the department’s BCM policy. A BCM Program must reflect the department’s strategy, objectives and culture to ensure that the program is relevant, effective and meets current service delivery goals. The cyclical / continual improvement of the BC program involves a Plan, Do, Check and Act Model as illustrated in Figure 1 below.

Figure 1 – Cyclical / Continual Improvement of BC Program

2.2 BCM Program Scope

Clearly defining the scope of the BCM program allows the BCT to describe what is encompassed by the program, and limits redundancies caused by external partner plans or programs. The scope of a BCM program begins with identifying the departmental mission and objectives, and outlining what processes and services support those overarching principles. A clearly articulated scope also helps participants understand the limitations of a BCM program.


3 Business Continuity Plan Development

3.1 Overview and Plan Development Objectives

Business continuity plans provide guidance for sustaining essential services during a disruption, and procedures for recovering those functions that are disrupted.

Plan development objectives are to:
- Understand the purpose and role of supporting plans (i.e. Communication Plan, Crisis Management Plan, Facility Emergency Response Plan, Disaster Recovery Plan), and the development of policies and procedures.
- Identify the key people involved in implementing the BCP, and clarify their roles and responsibilities before, during, and after a disaster.
- Understand the process, design framework, structure, and contents of the BCP.

3.2 Planning Steps / Development Process

Developing a plan is an extended process that will engage multiple partners across your department. It is recommended that you work through a progressive development process that will enable you to build your BCP through collaborative and objective analysis. The successive planning steps / development process described below are intended as a suggested method that will facilitate GOA departments in producing an effective BCP. In order to develop a relevant and tailored BCP, each departmental BCO must determine the level of detail required for each step to address their specific departmental needs.

Figure 2 – Planning Steps Flowchart – Phases of BCP Development

3.2.1 Initial Preparation

As in any major policy or program development, there are initial key steps that must be satisfied before creating a BCP. Below are common considerations which will need to be addressed prior to Plan development. This is not an exhaustive list; individual departments may have unique considerations in their initial preparation.

- Engage Management
  o Identify the right level of management to sponsor the Business Continuity Program.
  o Ensure management understands what the BCP will encompass, when it would be used and what its intended outcomes are.
  o Be open about the resources necessary to complete a BCP and confirm that these resources will be available throughout the development of the plan.
- Establish BCMS requirements, considering the organization’s mission, goals, internal and external obligations, and legal and regulatory responsibilities.
- Secure team member participation and commitment.
- Define the scope of your BCP.

3.2.2 Interim Plan

BCP development takes time, and disasters can happen at any time prior to completion of a thorough plan. If a BCP is being developed for the first time (as opposed to updating or modernizing an existing plan), departments may want to consider adopting an interim plan. An interim plan offers limited protection against disruptions and should be prepared when the department doesn’t have an existing BCP or the current BCP is significantly out of date. The interim plan should be solely focused on critical services which are regarded as particularly at risk or vulnerable. In order to ensure timeliness of an interim plan, the plan should be developed independently by the BCT; the formal BCP development will engage all stakeholders.

Key things to consider when devising an interim plan are:
- Notify management about the Interim Plan Structure and Roles
- Appointment of a Business Continuity Team (BCT) to develop the Interim Plan
- Establish a procedure for convening the BCT
- Identify basic recovery requirements and practical recovery strategies
- Ensure that all members of the BCT have a copy of the Interim Plan and that they are fully briefed on its contents

3.2.3 Risk Assessment

Risk Assessment (RA) consists of identifying and assessing risks that can potentially disrupt business operations. Upon completion of a risk assessment, BCOs should know the most likely and most dangerous threats to departmental operations. The RA will then inform possible actions for risk mitigation.
