Business Impact Analysis
This phase is used to obtain formal agreement with senior management for each time-critical business resource. This phase has the following sub-phases:
Deciding maximum tolerable downtime, also known as MAO (Maximum Allowable Outage)
Quantifying loss due to business outage (financial, extra cost of recovery, embarrassment), without estimating the probability of kinds of incidents, it only quantifies the consequences
Choosing information gathering methods (surveys, interviews, software tools)
Selecting interviewees
Customizing questionnaire
Analyzing information
Identifying time-critical business functions
Assigning MTDs
Ranking critical business functions by MTDs
Reporting recovery options
Obtaining management approval
Recovery Phase
This phase involves creating recovery strategies are based on MTDs, predefined and management-approved. These strategies should address recovery of:
Business operations
Facilities & supplies
Users (workers and end-users)
Network Data center (technical)
Data (off-site backups of data and applications)
BCP Development Phase
This phase involves creating detailed recovery plan that includes:
Business & service recovery plans
Maintenance plan
Awareness & training plan
Testing plan
The Sample Plan is divided into the following phases:
Initial disaster response
Resume critical business ops
Resume non-critical business ops
Restoration (return to primary site)
Interacting with external groups (customers, media, emergency responders)
Final Phase
The final phase is a continuously evolving process containing testing, maintenance, and training.
The testing process generally follows procedures like structured walk-through, creating checklist, simulation, parallel and full interruptions.
Maintenance involves:
Fixing problems found in testing
Implementing change management
Auditing and addressing audit findings
Annual review of plan
Training is an ongoing process and it should be made a part of the corporate standards and the corporate culture.