Program Administration
Purpose
The proposed business continuity plan is mainly targeted to prepare the Real Estate Development firm to cope efficiently with various types of services outages that are caused by such external factors beyond the company’s control as natural disasters and man-made incidents. The plan provides a detailed guideline on the appropriate emergency actions as well as the service restoring activities essential to for the company’s prompt recovery.
It is expected that all the Real Estate Development‘s sites will implement the proposed plan and take the proposed measures in order to minimize the risks of operational disruptions and ensure a quick recovery in case of emergencies. The plan encompasses all the development sites; it likewise points out the key vulnerabilities and puts a particular emphasis on the prevention of services outages associated with voice communications.
Scope
The scope of this plan is limited to cover the general points of security concerns. Hence, it, first and foremost, defines the scope of organizational security responsibilities. Secondly, it describes the appropriate course of actions within various emergency scenarios and provides an overview of both emergency and business recovery processes.
A special focus is put on the ICT security as it is considered to be one of the most vulnerable elements. Finally, the plan provides some recommendations upon the relevant preventative measures such as effective training and regular plan’s review and improvement. As long as the proposed plan is a business continuity plan it addresses the problem complexly without focusing on the day-to-day security procedures and activities.
Plan Objectives
The proposed plan targets a series of objectives:
- It is expected to be a useful guideline for the Real Estate Development’s recovery team.
- It targets to identify the most critical points of concern and provide a guideline on how to address them.
- It describes all the procedures and resources that are essential to perform the relevant emergency activities.
- The plan points out the stakeholders that need to be informed in case of emergency.
- It provides a guideline on how to perform an effective analysis of the service outages and work out consistent preventative strategies.
- It puts a particular emphasis on managing the company’s vital records in case of emergencies.
Key Definition
It is proposed to determine the definitions of the key notions that compose the basis of the plan’s concept:
- Business Continuity Plan (BCP). BCP is plan targeted at recovering the major business services after the outage (Long, 2008, p. 25).
- Disaster. Heng (2004) describes a disaster as “an even that disrupts mission-critical business processes and degrades their service levels” producing a negative impact on the organizational financial and operational environment (p. 65).
- Risk Management. It is a scope of methods aimed at addressing risk prevention and management within an organization (Long, 2008, p. 25).
- Information Security Management System (ISMS). It is a system that comprises the relevant security standards (for example, ISO 27001), strategies and procedures (Long, 2008, p. 26).
Business Continuity Organization
The diagram represented below illustrates the business continuity organization, defining the key roles and responsibilities of every team.
Emergency Management Standards
Data Backup Policy
First and foremost, it is essential to determine the most critical sets that contain corporate data. These data sets should be backed up on a regular basis. In addition, these sets should be regularly audited to ensure that all the files are not damaged and to identify the most valuable documents that will be particularly problematic to replace.
The backup documentation should be stored in a different location than the original data. It is likewise essential to ensure that it is properly protected from potential environmental hazards. Every department of Real Estate Development should establish its own data retention policy that would register the length of data retention and its type.
Tape Retention Policy
First of all, it is necessary to classify the data into two groups: those sets that need to be archived and those that should remain live. This classification can be performed upon such criteria as data age, its type, and the last access data. It is highly important to employ different criteria and not only the data age, as even old data might be regularly updated. Next, it is essential to determine the type of retention for each set of data.
Hence, for instance, some data sets do not need to be overviewed; others need to be addressed on a regular basis. Finally, it is critical to set the reasonable framework for the retention period. This framework mainly depends on the significance of the data – thus, the most important tapes can require regular protection. Billing tapes is a special class of data. It is proposed that those billing tapes the retention period of which is longer than three years should be destroyed every half a year. All billing tapes should be stored in a different location than the main office.
System Images Tape
It is proposed to copy all the recent image files once in two weeks. It is kindly recommended that all the backup files are stored beyond the original site. The relevant activities should be carried out by the system supervisor.
Off-Site Storage Procedures
It is important to ensure that all the backup materials are stored offsite, in secure facilities, free from environmental hazards. The storage vendor should coordinate the data rotation on a regular basis. It is likewise critical to see to the fact that the access to the offsite is limited, and its reliability is annually tested.
General Emergency Recovery Process
The Activation of Emergency Evacuation Procedures
Time: The activation of emergency evacuation procedures should begin as soon as the emergency situation is announced.
Responsible Body: The activation of emergency evacuation procedures is an immediate responsibility of the Business Continuity Manager.
Procedure: All the staff needs to be evacuated from the Real Estate Development’s site.
The Implementation of Business Continuity Plan
Time: The implementation of the BCP should begin as soon as the emergency situation is announced.
Responsible Body: The implementation of the BCP should be carried out by the Business Continuity Manager along with the Chief Review Officer if the latter is currently available.
Procedure: Business Continuity Manager should follow the prescribed plan to perform the relevant implementation.
Steps: First and foremost, it is essential to collect all the details associated with the incident through the emergency call (the time, the scope, the injuries, the contacted parties, the access to the site, etc.). Secondly, it is essential to ensure that the relevant evacuation procedures are already being implemented and request that their progress is constantly reported. Next, it is necessary to call an emergency meeting where the team will decide upon the following issues:
- How the BCP should be implemented;
- What priority tasks and key business functions should be completed;
- Where the recovery office should be located;
- Who should take up the communication contact activities;
- Which team members should remain on-site.
Next, the managers should inform the staff members about their decisions and the associated instructions, and the BC manager should see to the fact that every member is aware of the delegated authorities and has a clear vision of further actions.
The Management of the Staff-Related Concerns
Time: The management of the staff-related concerns should be carried out during the entire emergency period in order to ensure that the staff is timely informed not to come to work and is evacuated (for those employees who are at work).
Responsible Body: The management of the staff-related concerns should be carried out by the managers of the relevant departments within Real Estate Development.
Procedure: The managers of different departments should follow the prescribed plan to perform the relevant activities as soon as the evacuation is completed.
Steps: First and foremost, it is essential to determine the location of all the staff members: those who are on-site, those who have a day off or vacation, etc. Secondly, it is critical to ensure that all the staff members have been evacuated safely and are provided with telephones to contact their families. Next, it is necessary to contact the HR department to provide the staff’s transportation and private counseling, if necessary. In case the employees do not need to be present on-site in accordance with the relevant instructions, they can be sent home. Finally, it is essential to update the relevant data through calling the incidence commander to track the most critical staff-related concerns.
Informing the Employees That Are Out of Work during the Emergency
Time: Informing the employees that are out of work during the emergency should be performed right after the emergency is announced.
Responsible Body: The Emergency Response Team should contact the senior managers that, in their turn, inform the team managers and request them to communicate the incident to their team members.
Procedure: The communication process should be carried out in accordance with the organizational hierarchical structure.
Steps: First of all, it is necessary to collect all the details associated with the incident through the emergency call (the time, the scope, the injuries, the contacted parties, the access to the site, etc.). Secondly, it is critical to assign the relevant managers to inform the employees. It is important that the so-called “call tree” is designed in such a manner that the information is spread in the shortest time possible and with the minimal number of the network agents.
Emergency Procedures for Different Scenarios
Scenario 1: Natural Disaster
In the case of a natural disaster that is likely to affect the Real Estate Development facility, it is essential to complete several steps. First and foremost, in case the disaster can be foreseen in advance, it is critical to start the preparation within two days. The preparation might comprise deploying the portable fuel generators within a reasonable distance and the support personnel within the safety zone.
It might also include acquiring such basic necessities as cash, food and water, gasoline, medical supplies, etc. The relevant Emergency Medical Technician should be notified about the coming disaster in advance if it is possible. In case the disaster is foreseen one day in advance, it is important to back up the corporate data, examine the backup generator status – it is critical to ensure that all the e-mails and file servers are likewise backed up. The senior managers should be timely informed and instructed.
Scenario 2: Fire
If a fire is present in the Real Estate Development site, it is required to assess the situation, evaluate its severity, determine whether the fire should be characterized as major or minor and perform the relevant action described in this section. First of all, it is necessary to call 9-1-1. Secondly, all the personnel within the site should be informed on the emergency and evacuated in the shortest time possible.
The Emergency Medical Technician and the site security should be informed and instructed in a timely manner. The latter is expected to see to the fact that the access to the site is limited. The vendor staff should be consulted about protecting the equipment. The evacuated personnel should be located in one site in order to evaluate their condition and determine whether anybody needs special medical assistance.
Scenario 3: Network Services Provider Outage
In case of a network services provider outage that is likely to affect the Real Estate Development facility, it is essential to complete the following steps:
- All the senior managers should be informed about the service outage timely.
- In case the outage lasts more than one hour, all the calls should be routed with the help of alternative sources. In case the length of the outage is exceeding, it is recommended to deploy all the satellite phones.
- It is essential to contact the relevant network service provider to report the outage and find out whether the problem can be fixed promptly.
Scenario 4: Flood or Water Damage
In the case of a flood or water damage that are likely to affect the Real Estate Development facility, it is essential to complete several steps. First and foremost, it is necessary to evaluate the scope of the incident and determine whether any external assistance is required. In case, the situation cannot be managed within the site, it is essential to call 9-1-1.
All the employees that are on-site at the time of the incident should be informed and evacuated, if necessary. In order to manage the water-related incident, it is critical to identify its cause and eliminate it. Hence, it is recommended to check the air conditioning equipment. In case there is a lot of water flowing, it is essential to perform the relevant power-down procedures.
Business Recovery Procedures
Setting Up a Business Recovery Office
Time: Setting up a business recovery office should be started as soon as the BC Manager assumes it possible.
Responsible Body: Setting up a business recovery is an immediate responsibility of the Business Recovery Office Manager.
Procedure: The procedure implies coordinating the process of the recovery office setting up carried out by the Business Recovery Office Manager with the relevant department managers and the staff.
Steps: First of all, it is necessary to contact the partner real estate companies to agree upon the rent of a temporary office. Secondly, it is required to call an emergency meeting with the presence of the representatives of the Real Estate Development’s departments. Next, it is critical to examine the availability of the essential resources. If some resources are unavailable, it is required to make the relevant allowances.
Finally, it is essential to allocate the resources to the relevant department and assign the responsibilities to the managers. It is likewise critical that the recovery team sets up the telephone and computer communication in the shortest time possible. Each newly established workstation should provide its contact telephone number and ensure that it is available in case of emergency.
Priority Communication
Consistent communication ensures effective management of the emergency situation. Hence, it helps the emergency teams to ensure regular and detailed reporting, to keep all the stakeholders informed, and to provide the staff with timely instructions (Gibb & Buchanan, 2006).
Time: The consistent communication should be established immediately after the incident occurs.
Responsible Body: Maintaining effective communication is an immediate responsibility of the Crisis Communication Team.
Steps: First and foremost, it is essential to receive the confirmation of the location of the newly established business recovery office. Secondly, the team should go to this office immediately. Next, it is essential to report the information regarding the service’s availability or the anticipated time of recovery. In case the existing phone links are out of order, it is required to set up the new links. The major stakeholders should be promptly contacted and informed about the most relevant details.
Reinstating Office Services
Time: The office can be set up back again as soon as the incident is managed and the team has access to the office.
Responsible Body: Setting up the office is an immediate responsibility of the Recovery Team.
Steps: First and foremost, it is essential to ensure that the all the emergency-related needs are covered. Secondly, it is necessary to see to the fact that the office’s usability meets the needs of Real Estate Development. Next, it is critical to determine the equipment that cannot be recovered and needs to be purchased. Finally, it is important to ensure that the newly set-up office meets the requirements of the health and safety standards. As soon as all the actions are carried out, the Real Estate Development staff can return back to work
Business Continuity Plan for ICT
The ICT sector is considered to be particularly vulnerable to service outages, and the incident outcomes are especially critical for it (Herbane, Elliot, & Swartz, 2004). Therefore, a special BCP is proposed to manage emergencies within the ICT sector.
Phone
Scenario 1: There is no access to the site, and the phone system is out of order.
In this case, it is necessary to contact the relevant service suppliers and explain the problem. If the break is fixable, the system will eliminate it distantly. Otherwise, it will be essential to wait, until the team can access the building.
Scenario 2: There is access to the site, and the phone system is out of order.
In this case, it is necessary to contact the relevant service suppliers. In case they cannot repair the break, the team might install a support telephone system until the former is repaired or replaced.
Scenario 1: There is no access to the site, and the e-mail system is out of order.
In this case, the team has to contact the server center and employ the backup data until the service is repaired.
Scenario 2: There is access to the site, and the e-mail system is out of order.
In this case, the team should consult the corporate Technology Advisor and follow the provided instructions. While the server is being repaired, the team might use the offsite backup data. In case the problem cannot be eliminated, it is necessary to make the relevant allowances and order new software.
Networks
Scenario 1: There is no access to the site, but the e-networks system is still operating.
In this case, the corporate Technology Advisor is obliged to contact the IT suppliers. The latter can provide support remotely. In the case of the long-term outages, the team can continue its work offsite.
Scenario 2: There is no access to the site, and the e-networks system is not operating.
In this case, the corporate Technology Advisor is obliged to contact the IT suppliers. The latter can provide support remotely. Most likely, the repair process will be postponed until the team can access the site.
Scenario 3: There is access to the site, and the e-networks system is not operating.
In this case, the corporate Technology Advisor is obliged to contact the IT suppliers. The problem should be timely eliminated. Otherwise, it is necessary to purchase the new equipment.
Payroll
Scenario 1: There is no access to the site, and there is no access to the payroll system.
In this case, it is essential that the Technology Advisor arranges the installation of the relevant payroll software offsite.
Scenario 2: There is access to the site, but there is no access to the payroll system.
In this case, it is recommended that the Technology Advisor either contacts the partner bank and arranges to process the payments upon the previous pattern or arranges the installation of the payroll system offsite.
Training, Testing, and Exercising
Practice shows that one of the most effective preventative tools is consistent personnel training. Therefore, the corporate staff and the BCM department, in particular, should be properly trained to possess the skills and knowledge to cope with emergencies. One of the training elements is the responsibilities assignation. Hence, every team should have a clear vision of its role and of responsibility. Another important element is studying the safety measures. Otherwise stated, all the staff members should be aware of the safety norms and standards as well as of the importance to follow them in their day-to-day activity (Lam, 2002).
The BC competence needs to be tested regularly. In order to examine the employees’ skills and awareness, external auditors or corporate managers can be involved. Real Estate Development can likewise initiate artificial emergency alerts to ensure consistent exercising.
Program Maintenance and Improvement
In order to ensure the plan’s efficiency, it is essential that it is reviewed every quarter. The plan’s improvement might be carried out on the basis of the data analysis carried out by the BC Planning Team (Cerullo & Cerullo, 2004). Every emergency incident should be accompanied by the relevant evaluative analysis in order to determine its cause and eliminate the existing risk factors.
Reference List
Cerullo, V., & Cerullo, M.J. (2004). Business Continuity Planning: A Comprehensive Approach. Information Systems Management, 21(3), 70-78.
Gibb, F., & Buchanan, S. (2006). A framework for business continuity management. International Journal of Information Management, 26(2), 128-141.
Heng, G.M. (2004). Implementing Your Business Continuity Plan. Singapore: GMH Continuity Architects.
Herbane, B., Elliot, D., & Swartz, E. M. (2004). Business Continuity Management: time for a strategic role? Long Range Planning, 37(5), 435-457.
Lam, W. (2002). Ensuring business continuity. IT Professional, 4(3), 19-25.
Long, J.O. (2008). ITIL Version 3 at a Glance: Information Quick Reference. Research Triangle Park, North Carolina: Springer Science & Business Media.