DRJ - Main Board

[cavittl]

I am the only person in the company with the BC background so asking for help is difficult.
Long story short. A vendor was brought in and conducted the BIA for the company in 2007. The vendor provided the final report in Adobe format w/security. They were fired. As I am trying to now create BC Plans for a particular business unit I am finding that I need to update this old data. I am using the BIA template from DRII. In this particular location there are 5 - 6 business functions performed across three area's. How would I document the critical applications for each specific area. Should I add an additional applications tab?

[JohnGlenn]

First, THROW AWAY THE 2007 DOCUMENT; it's worthless.
Second, identify the profit center or centers.
Third, with input from the functional units, identify ALL the risks to the profit center(s).
Internal resources such as ("but not limited to")

Accounting (A/R and A/P)
Facilities
Finance
HR & people (staff)
IT
Legal
Production
Security

External resources such as ("but not limited to")

Customers/Clients
Neighbors
Regulatory
Vendors (including lenders)

Don't forget things such as weather in all its variations.
Fourth, rate the threats according to the Probability vs. Impact matrix. Play the "What If" game with the SMEs: What If this AND this AND that happened; what would be the impact?
Fifth, identify ways to avoid or mitigate risks. Start with the threats that would cause the greatest interruption to "business as usual."
Document everything, have functional unit SME's vet it, and submit to your management sponsor.
You have now completed the BIA & Risk Analysis and presented the Second Deliverable. *
Once management tells you which recommendations it will implement and on what schedule you create Response Plans and then, alphabetically,

Awareness and Safety Program
Business Continuity related Policies & Procedures (with help from HR and Legal).
Contact lists (with help from HR)
Plan maintenance procedure (with frequency and "revisit triggers")
Resources lists (hardware & software, with license information and media locations), documents (e.g., regulations).
Vendor information

Again, the same "not limited to" caveat applies.
This is the Final Deliverable
Now start over <g>
* The First Deliverable was the SOW/Project Plan. Without these related documents you are open to the dreaded Scope Creep.

While your employere probably will not agree, I would suggest that a consultant be engaged to help you through the process, at least the first time, and then brought back briefly to help you exercise the plan and, typically after a year, provide some update guidance. Consider it OJT or an internship; you do the work and the consultant mentors you.

[ctaylor2121]

Go by the NIST. It tells you exactly how to do a BIA.