A standard format for the procedures should be developed to facilitate consistency, conformity and maintenance. Standardization is especially important if several people write the procedures.
Two basic formats are used to write the plan: background information and instructional information.
Background information should be written using indicative sentences while the imperative style should be used for writing instructions. Indicative sentences have a direct subject-verb predicate structure, while imperative sentences start with a verb (the pronoun “you” is assumed) and issue directions to be followed.
Recommended background information includes:
• Purpose of the procedure
• Scope of the procedure (e.g., location, equipment, personnel, and time associated with what the procedure encompasses)
• Reference materials (i.e., other manuals, information, or materials that should be consulted)
• Documentation describing the applicable forms that must be used when performing the procedures
• Authorizations listing the specific approvals required
• Particular policies applicable to the procedures
Instructions should be developed using a pre-designed format. A suggested format for instructional information is to separate headings common to each page from details of the procedures. The format is illustrated on this page. This format can be especially useful in that the columns for “Responsible Party(s)” and “Date/Time” can be used to record a chronological journal of the actual recovery time and events.
A clearly written plan is much easier to maintain, implement and use. Helpful tips in writing and maintaining the detailed procedures include:
• Be specific. Write the plan with the assumption it may be implemented by personnel unfamiliar with the function and operation.
• Use short, direct sentences, and keep it simple. Long sentences can overwhelm or confuse the reader.
• Use topic headings to start each paragraph.
• Use short paragraphs. Long paragraphs can be detrimental to reader comprehension.
• Present one idea at a time. Two thoughts normally require two sentences.
• Use active voice verbs in present tense. Passive voice sentences can be lengthy and may be misinterpreted.
• Use imperative style versus indicative sentences. The imperative style starts with a verb. The indicative sentence has a subject, verb and predicate structure, which is longer.
• Prepare an outline. It helps to organize the procedures, identifies major steps, and identifies potential redundancy.
• Use a standard format.
• Use descriptive verbs. Non-descriptive verbs such as “make” and “take” can cause procedures to be wordy.
• Avoid jargon.
• Use position titles (rather than personal names of individuals) to reduce maintenance and revision requirements.
• Use front and backsides of pages.
• Avoid gender nouns and pronouns that may cause unnecessary revision requirements.
• Develop uniformity in procedures to simplify the training process and minimize exceptions to conditions and actions.
• Identify events that can occur in parallel, and events that must occur sequentially.
Supporting Documentation And Inventories
In addition to static procedures, the business continuity plan should include supporting documentation (i.e., user manuals, technical documents, job descriptions, floor plans, etc.) and inventories (i.e., hardware, applications, vendor contacts, emergency contacts, personnel lists, etc.). These documents and inventories may have been created for other purposes: employee payroll lists, vendor billing files, fixed asset lists, downtime procedures, etc., and are therefore, updated on a regular basis. Refer to them in your plan procedures, and include them in a hard copy or electronic format. As long as the information is accessible, it is not necessary to “recreate” it in the plan. Designing the plan to interface with existing documents will significantly reduce maintenance efforts.
Plan Maintenance Activities
It is important that the plan be continually maintained and updated. Business continuity plans should include specific maintenance responsibilities and procedures. The major considerations in this process include:
• Maintenance frequency
• Change factors
• Maintenance responsibilities
• Distribution considerations
The recovery procedures for each team should be updated at minimum on a yearly basis and should also be updated following major organizational changes. Telephone lists and other inventories should be updated at least quarterly. The plan should also be reviewed and updated when there are major changes in technology. A plan maintenance form (as illustrated above) can be used to record and control all maintenance changes, additions or modifications to the plan.
It is important to recognize factors that may change the business continuity plan:
• Procedural changes
• Organizational structure changes
• Personnel changes/turnover
• Physical changes (e.g., facilities)
• Technology changes
• Recovery requirements changes
• Testing issues
Maintenance responsibilities should be clearly defined in both the plan and in the individual position descriptions for those with maintenance responsibilities. Examples of maintenance responsibilities may include:
• Business continuity planner directs and controls plan maintenance.
• Team members are responsible for maintaining their respective team sections.
• Department heads are responsible for the detail relating to their department.
• Board of directors and senior management are responsible for review and approval of the plan.
• Internal audit is responsible for examining the plan to determine if it satisfies the recovery objectives of the organization and is accurate and up-to-date.
Update methods include:
• Page replacement
• Section replacement
• Plan replacement
• Old materials should be returned and destroyed
It is also possible to use paperless business continuity plans. Such plans are often developed in a specialized software package for business continuity planning, and are available electronically over the Internet or Intranet. Electronic plans are easier to maintain and distribute.
To facilitate maintenance, it is important to monitor and track each copy of the plan. A distribution log (as illustrated above) can be used to record and control all copies of the business continuity plan issued to various personnel.
A business continuity plan usually contains information that is confidential to the organization.
Accordingly, the business continuity plan should be a restricted document and classified as confidential given the nature of the contents. Each individual with a copy of the plan is responsible for security and control of the document in accordance with policies for the protection of proprietary information.
The business continuity planner is responsible for the authorized distribution of the business continuity plan and should maintain a master distribution list. Each authorized copy of the plan should contain a version identification number and the recipient should be recorded on the distribution list.
Full copies of the plan are usually provided to all team managers. Partial copies of the business continuity plan may be distributed to other members and reflect plan details associated with the responsibilities of their assigned team(s). Additionally, the business continuity planner should maintain master copies on-site, and copies at the off-site storage location both printed and electronic versions.
An out-dated business continuity plan can negatively impact the recovery capabilities and timelines of an organization. Accordingly, it is critically important to implement adequate maintenance policies and procedures.
Geoffrey H. Wold, CPA, CMA, CMC, CDP, CSP, CISA, CFSA, CIRM, is a partner and the managing director for LBL Technology Partners. He specializes in providing a wide range of technology planning services for a variety of industries, and has written 20 books on several technology topics including eight books on business continuity and security planning.
Tina L. Vick, CBCP, CFSA, is the CEO and managing director of Innovative Advisors, Inc. She is a Certified Business Continuity Professional specializing in risk and security analysis, plan development, project management, and software design and development.