WIXLIB

1/5WHAT’S IN A BUSINESS CONTINUITY DISASTER RECOVERY PLAN TEMPLATE?The building blocks for asuccessful recovery programAlthough business continuity (BC)/disaster recovery(DR) plans vary from company to company, industryto industry, and even from department to department,most BC/DR plans will conform to a logical template.Some plans are hundreds of pages long, while othersare only tens of pages; however, they contain the samebasic building blocks that you can use as a frameworkfor your own BC/DR plan.So if you’ve been tasked with creatinga BC/DR plan for your team, function,business unit, or company, you canlikely get yourself 80% of the way thereby taking an existing disaster recoveryplan template and customizing it to yourspecific situation. The goal of this whitepaper, therefore, is to share insightsinto effective disaster recovery plantemplates that we at Sungard AS havegained over the last 30 years, as wellas to provide a sample template thatyou can follow when writing your ownBC/DR plan.Plan section:IntroductionThe plan introduction usually consistsof general information about a plan,such as the information about the entitycreating the plan (i.e., the particularcompany, business unit, or functionalarea), maintenance history of the plan(i.e., when the plan was last revisedand tested), the purpose of the plan,the scenarios being targeted, and anyassumptions underlying the plan.The purpose forBC/DR Plan isthe same for everyorganization,to document thespecific proceduresto be performedbefore, during andafter a disasterdeclaration.Some sections that we commonlysee included in the introductorysection include: Plan purpose: for example, to allowcompany personnel to quickly andeffectively restore critical businessoperations after a disruption. Plan objective: for example, toidentify the processes or stepsinvolved in resuming normalbusiness operations. Plan scope: for example, the worklocations or departments addressed. Plan scenarios addressed:for example, loss of a primarywork area, loss of IT servicesfor a prolonged period of time,loss of workforce, etc. Plan assumptions: for example,you may want to call out the numberof work locations impacted at anygiven time, that key personnel areavailable for any recovery efforts,or any assumptions you may havemade about vendor or utility serviceavailability.WHITE PAPERThought Leadership

2/5WHAT’S IN A BUSINESS CONTINUITY DISASTER RECOVERY PLAN TEMPLATE?Plan section:Recovery Strategies and ActivitiesAfter the initial introductory section,there are usually a number of modulesabout the strategies outlined in theplan, as well as the specific personnelundertaking the recovery and therecovery activities.Examples of sections that you maywant to consider for your ownBC/DR plan include: Recovery Strategy Summary:In this section, a plan will typicallyoutline the broad strategies to befollowed in each of the scenariosidentified in the plan Introductionsection. As an example, if “loss ofwork area” is identified as a possiblefailure scenario, a potential recoverystrategy could be to relocate to apreviously agreed-upon orcontracted alternate work location,such as a Sungard AS work arearecovery center. Recovery Tasks: This section ofthe plan will usually provide a list ofthe specific recovery activities andsub-activities that will be requiredto support each of the strategiesoutlined in the previous section.For example, if the strategy is torelocate to an alternate worklocation, the tasks necessary tosungardas.comsupport that relocation effort couldinclude identifying any equipmentneeds, providing replacementequipment, re-issuing VPN tokens,declaration of disaster, and so on. Recovery Personnel: Typically,a BC/DR plan will also identifythe specific people involved inthe business continuity efforts,for example, naming a team leadand an alternate team lead, as wellas the team members associatedwith any recovery efforts. Thissection of the plan will also includetheir contact information, includingwork phone, cellphone, and emailaddresses. Obviously, because ofany potential changes in personnel,the plan will need to be a “living”document that is updated aspersonnel/workforce changesare made. Plan Timeline: Many plans alsoinclude a section in the main bodythat lays out the steps for activatinga plan (usually in the form of a flowchart). For example, a typical plantimeline might start from the incidentdetection, then flow into theactivation of the response team,the establishment of an incidentcommand center, the notificationof the recovery team, followed bya decision point around whetheror not to declare a disaster. A plantimeline may also assign therecovery durations or recovery timeobjectives required by the businessfor each activity in the timeline.Figure 1 provides an exampletimeline for an IT disaster recoveryorganization is given below forcritical Tier 1 systems and theresumption of business operations. Critical Vendors and their RTOs:In this section, a plan may also listthe vendors critical to day-to-dayoperations and recovery strategies,as well as any required recoverytime objectives that the vendorsmust meet in order for the planto be successful. Critical Equipment/ResourceRequirements: A plan may alsodetail the quantity requirementsfor resources that must be in placewithin specified timeframes afterplan activation. Examples ofresources listed might includeworkstations, laptops (bothwith and without VPN access),phones, conference rooms, etc.

3/5WHAT’S IN A BUSINESS CONTINUITY DISASTER RECOVERY PLAN TEMPLATE?Figure 1OFFSETRECOVERY DURATIONIncident detectionHOUR 01 HOURActivate initialresponse teamHOUR 11 HOUREstablish incidentcommand centerHOUR 21 HOURNotify recoveryteam and makerecommendationsHOUR 31 HOUR4 hours past incidentDeclarea disaster?NOTerminateHOUR 4—HOUR 44 HOURSYESRequest/Obtainoffsite tapesMobilize/Preparerecovery team8 hours past incidentRestore network/telecomRestore SANHOUR 8Restore VMs16 HOURSRestore AS40024 hours past incidentValidate dataintegrityHOUR 2410 HOURSValidate userconnectivityHOUR 341 HOUR35 hours past incidentResume normaloperationssungardas.comHOUR 35

4/5WHAT’S IN A BUSINESS CONTINUITY DISASTER RECOVERY PLAN TEMPLATE?Plan section:AppendicesEvery plan contains appendices uniqueto the entity for which the plan wascreated, so there is not a great dealof standardization in the appendices.In general, a plan’s appendix is anexcellent place to include the detailsspecific to the successful recoveryof the specific entity for which theplan is being created. Below wehave provided examples of thetypes of information included in planappendices, which you can customizeaccording to the needs and functionsof your specific group, department,business unit, or company.Figure 2:Example recovery status report formRecovery Status Report FormAfter the Plan has been activated, you are required to submit periodic Recovery Status Reports.NAME: Business Continuity SiteInformation: If your plan callsfor “failing over” to an alternatework location, it may be a goodidea to include information aboutthat alternate work site in the plan’sappendix. The details of the sitemight include: Commencement date (includinglast contract renewal date) Location of the facility Details about the officeenvironment, such as number ofworkstations, servers, telephony,printers, internet access, andother equipment provided Site contact details How the site is invoked and thepersonnel authorized to invoke it Maps of meeting points: For thoseplans specifying a meeting locationfor employees, maps of the routesand alternate routes to thoselocations are useful.DEPT:DATE:TIME:COMMENTS:CONCLUSIONS:Include details thatare specific to yourorganization’s recoverysuccess in the appendixof your BC/DR Plan.sungardas.com Vendor Contact Information:Many plans include the detailsof how to reach the vendors listedas critical to normal operationsor recovery operations. Forms: If there are forms requiredby the plan, such as an incidentreport form, injury summary form,disaster-related expense trackingforms, consolidated status reportforms, manual purchase orderforms, etc., the plan appendixis a useful place to locate them.Figure 2 provides an example ofa Recovery Status Report Form. Communication Plans: Successfulplans will include the individualsresponsible for communicationsduring the time in which the planis invoked, as well as the groupsor constituents with which theyare responsible for communicating.For example, it would be desirableto specify both internal and externalcommunicators. For internalcommunicators, you will need toidentify the person communicatingwith the command team andwith employees, as an example.For external communicators, bestpractices include identifying theindividual in charge of communicationswith the media, with customers,with partners, and with vendors, etc. Disaster Declaration Procedures:If there are business continuityor disaster recovery vendorscontracted, the plan appendix maybe a good place to include anyrelevant disaster recoveryprocedures, such as Sungard ASRecovery Services. Employee Contact Information:Instead of inserting the contact detailsof the employees in the RecoveryStrategies and Activities section ofthe plan (which can often take upmany pages and become unwieldy),you can also leverage the plan’sAppendices as an alternate locationfor this information, as well as anyphone tree procedures or call lists. Process Flows: During planactivation, employees must oftenfollow alternative processes orprocedures (because primaryprocesses are down or unavailable).Therefore, the plan appendices is agood place to list any out-of-processflows or procedures. For example,how to create manual purchaseorders, how to take use corporatecredit cards, how to access fuel/cash access cards. Checklists: Checklists that provideuseful reminders of “what to do”are often found in plan appendices.During an unexpected outage,human beings are often operatingunder higher levels of stress andanxiety, so offering them an easy-toaccess checklist of to-dos cansmooth and even automate therecovery process towards asuccessful result. Examples ofchecklists might be the stepsinvolved in accessing an applicationvia the Internet, or how to redirectcall volumes in a call center.