First, THROW AWAY THE 2007 DOCUMENT; it's worthless.
Second, identify the profit center or centers.
Third, with input from the functional units, identify ALL the risks to the profit center(s).
Internal resources such as ("but not limited to")
    Accounting (A/R and A/P)
    HR & people (staff)
External resources such as ("but not limited to")
    Vendors (including lenders)
Don't forget things such as weather in all its variations.
Fourth, rate the threats according to the Probability vs. Impact matrix. Play the "What If" game with the SMEs: What If this AND this AND that happened; what would be the impact?
Fifth, identify ways to avoid or mitigate risks. Start with the threats that would cause the greatest interruption to "business as usual."
Document everything, have functional unit SMEs vet it, and submit to your management sponsor.
You have now completed the BIA & Risk Analysis and presented the Second Deliverable. *
Once management tells you which recommendations it will implement and on what schedule, you create Response Plans and then, alphabetically,
    Awareness and Safety Program
    Business Continuity related Policies & Procedures (with help from HR and Legal)
    Contact lists (with help from HR)
    Plan maintenance procedure (with frequency and "revisit triggers")
    Resources lists (hardware & software, with license information and media locations), documents (e.g., regulations)
Again, the same "not limited to" caveat applies.
This is the Final Deliverable.
Now start over <g>
* The First Deliverable was the SOW/Project Plan. Without these related documents you are open to the dreaded Scope Creep.
While your employer probably will not agree, I would suggest that a consultant be engaged to help you through the process, at least the first time, and then brought back briefly to help you exercise the plan and, typically after a year, provide some update guidance. Consider it OJT or an internship; you do the work and the consultant mentors you.