2013 Sme Bcpbrochure

Asia-Pacific
Economic Cooperation
Guidebook on SME
Business Continuity Planning
APEC Small and Medium Enterprise Working Group (SMEWG)

August 2013
02 BCP Guidebook 2013
Guidebook on SME Business

Continuity Planning
0. How to Use This Guidebook.................................................03
1. Introduction...........................................................................03
2. Warm Up................................................................................03
3. BCP Framework....................................................................05
Step 1 Determine BCP Purpose, Scope, and Team........................05
4. Your Lifeline Businesses and the Threatening Risks...........06

Step 2 Prioritized Activities (PA) and Recovery Time Objective
(RTO)........................................................................................07
Step 3 What Do You Need to Resume Key Activities?....................09
Step 4 Risk Assessment – Know Your Disaster Scenarios..................10
5. Your Survival Strategies........................................................14

Step 5 Do Not Forget Pre-Disaster Protection and Mitigation........15
Step 6 Emergency Response to Disaster..........................................17
Step 7 BC Strategies to Early Resumption.........................................24
Step 8 Be Financially Prepared..........................................................28
Step 9 Exercise Makes Your Plan Functional....................................31
6. PDCA: Continuous Improvement........................................32

Step 10 Ongoing Review and Improvement...................................32
Appendix..................................................................................35
1. Blank Forms......................................................................................36
2. BCP Checklist...................................................................................57
0. How to Use This Guidebook

This Guidebook is intended to help small and medium-sized enterprises (SME)
introduce business continuity plan (BCP). It presents 10 easy steps that SME
readers can follow to develop their own BCP. In each step, forms have been
prepared to assist readers. You should fill in those forms to suit the needs of
your company. When you finish all the forms, you will have a complete business
continuity plan for your company.
There is one important point you should remember: introducing BCP is not a
simple matter of drafting a business continuity plan on paper. Adopting BCP is
a decision making by a business owner to protect their company from various
disasters and accidents and to enhance their company’s ability to survive by
carrying out planned continuity strategies. Let’s proceed with this in mind.
1. Introduction
Every business owner wants to expand their business, protect their employees,
and contribute to society by supplying their products or services. You, as a
business owner, have to protect your business not only on a fine day but also
on a rainy day and even on a stormy day. You have to successfully compete
in a tough market under ordinary circumstances, but also need resilience if you
are to successfully survive a crisis such as a natural disaster or a fire. You do not
want to see your business destroyed by a disaster, accident, terrorist attack, or
other incident. Is your company prepared for disasters?
“Failing to prepare is preparing to fail” said Benjamin Franklin. If you have not
prepared for such incidents, you are (unconsciously) preparing for failure when
a disaster or accident strikes. Business continuity plan (BCP) is the solution for
protecting your business during a crisis.
2. Warm Up
Consider the simple example of a traffic accident. Even if you always try to
drive safely, there is no 100% guarantee that you will be able to avoid a traffic
accident. What is the disaster (or worst-case) scenario for a traffic accident?
One in which you, the driver, are killed or sustain a severe injury that causes
permanent disability and keeps you from returning to life as you knew it before.
What is the disaster scenario for your company in a disaster? Your company
would be fatally wounded if critical resources sustain devastating damage that
would force you to give up on recovery (death scenario). Or your company
might sustain severe damage that would cause an extensive disruption in
your business. As a result, you might lose important customers and be forced
to scale down your operations (permanent disability scenario). These are the
worst-case scenarios that your company should avoid at all costs.
But if you are lucky and only sustain minor injuries in a traffic accident, you will
be able to recover in a short period of time and return to normal life. Likewise,
the better scenario for your company is to keep damage contained to a low
level such that it would be able to resume operations at a normal or higher

level of functionality in a short period of time. This is your survival scenario. BCP
is all about your company’s ability to achieve its survival scenario.
Here are some warm-up questions to get you started!
Q1: What is your company's disaster scenario that might lead to bankruptcy?
Q2: How soon does your company have to recover to survive from a disaster-
related disruption?
Q3: What are the critical resources whose availability determines the life or
death of your company?
Q4: Within 5 to 10 years, what kinds of disasters and accidents are most likely to
impact you, potentially triggering a worst-case scenario?
Were you able to answer the above questions easily? If not, don't worry, this
Guidebook is here to help you. But if you were, you already have a mindset
prepared for BCP. This Guidebook will guide you through 10 easy steps to build
your company’s Business Continuity Plan (BCP) program. These 10 steps are
based on the International Standard ISO22301, for Business Continuity Plan.
10 Steps for BCP
Step 1 Determine BCP Purpose, Scope, and Team
Step 2 Prioritized Activities (PA) and Recovery Time Objective (RTO)
Step 3 What Do You Need to Resume Key Activities?
Step 4 Risk Assessment – Know Your Disaster Scenarios
Step 5 Do Not Forget Pre-Disaster Protection and Mitigation
Step 6 Emergency Response to Disaster
Step 7 BC Strategies to Early Resumption
Step 8 Be Financially Prepared
Step 9 Exercise Makes Your Plan Functional
Step 10 Ongoing Review and Improvement

3. BCP Framework
When you start BCP planning, you need to create a solid foundation (or
framework) for your company’s BCP program by addressing these three
elements:
1) Purpose: Why is your company introducing BCP?
2) Scope: Which parts of your company will introduce BCP?
3) Leader: Who will serve as leader of your BCP activities?
It is very important that not only top management show visible strong
leadership, but also that all employees are fully aware of the BCP framework
(purpose, scope, and leader).
Step 1 Determine BCP Purpose, Scope, and Team

(1) Purpose
You should make the purpose clear as to why your company is going to
introduce BCP. BCP is to protect your business operation from disasters and
accidents. Your clear purpose will be a very important criterion in determining
priorities of your key products or services and selections of your business
continuity strategies. What is your BCP purpose? The first priority is to protect
people, your employees and visitors to your premises. The second is to protect
your business, fulfilling your contractual obligations to your customers and
users, meeting social responsibility and contributing to the local society and
economy. It will secure employment and protect employees’ livelihoods.
(2) Scope
The question is which section(s) of your company would you want to introduce
BCP? You can limit the scope to key sections (or departments) which introduce
BCP. For example, you can select the main factory which manufactures the
company’s top brand product or NO.1 shop which sells most. You can decide
the scope of the BCP based on your business needs and own circumstances.
You have to include the core sections which are very critical to your company's
survival.
(3) BCP Leader

You need to appoint a BCP leader who takes the initiative in company-wide
BCP activities. BCP leaders should be given authority and responsibility, which
are necessary to carry out his or her role. BCP is the company-wide activities
that require active participation and cooperation from the relevant sections.
It is desirable to nominate a person who is widely trusted in the company. If
the company size requires it, a support team should be selected to work under
the direction of the BCP leader. Management need to ensure the necessary
resources, including a budget which is available for the BCP leader and
team to carry out their duties. The SME owner (senior management) should
demonstrate a visible commitment to BCP activities and should know that only
verbal instructions are not enough to achieve successful results.
Fill in Form 1 regarding your company’s BCP framework.
Form 1 BCP Framework

BCP Purpose
Protect People
Protect Business Activities
Recover with Local Community
BCP Scope
Departments to introduce BCP
BCP Leader and Team
BCP Leader
BCP Team Members
4. Your Lifeline Businesses and the Threatening Risks

The purpose of BCP is to protect your company and business operations even
when a disaster or accident occurs and disrupts operations. First, you will focus
only on your company’s operations. Of your various business activities, which
are your company’s lifeline (or critical) businesses? Which business activities
should be given top priority for recovery if disrupted by a disaster? What
resources are necessary to keep those lifeline businesses operating? Without
those resources, the company’s top priority activities will not be able to be
resumed. Second, consider the risks to your company. What kinds of risks,
such as natural disasters or accidents, are most likely to seriously damage the
company’s assets, businesses, and supporting resources? In this chapter, you
will gain a renewed understanding of your company’s operations by looking
at these two elements: lifeline (critical) business activities and the risks that
threaten them.
Step 2 Prioritized Activities (PA) and Recovery Time Objective

(RTO)
In Step 2, you will consider what is your company’s lifeline product or service?
Which product or service should be recovered (be delivered) as the first priority
when a natural disaster (or an accident) disrupts the company’s operations?
Which business activity makes a top selling product? Which shop sells most
in your company? Those critically important business activities are called
Prioritized Activities (PAs). You have to identify the Prioritized Activities of your
company. As the second step, you should know the impact (timeline) of total
disruption to the main activities listed. How soon would the total disruption
of these activities become unacceptable to your company? (This period is
called Maximum Tolerable Period of Disruption / MTPD). What must be done to
get your business operational again in the shortest possible timeframe, before
heading towards exiting the business or filing for bankruptcy? The importance
of this simple analysis is to focus only on the impacts of disruption, setting
aside risk factors. By disregarding risk factors, such as occurrence probability
and severity of damage, during the process of analyzing your business and
identifying Prioritized Activities, you will gain a clearer understanding of how
soon your company has to resume operations to avoid bankruptcy.
Start by assessing the impacts of your company’s main business activities when
those are disrupted by a natural disaster or accident. Enter your company’s
business activities (product/service lines) in the left column of Form 2-1. You
will compare the importance of the activities listed. The level of importance
of each business activity (product/service line) should be rated using two
criteria: external and internal impacts. First rate the external impacts, those
which might affect customers, users, and society at large. How seriously might
your customers, users, the environment, or society at large be impacted if your
product or service were to stop being delivered? How long will your customers
willingly wait for you to resume operations? How soon might your key customers
switch to another provider? If you deliver certain types of products, such as
medical supplies, the disruption of such deliveries could threaten the lives of
end users. Rate the degree of the external impact as large (L), medium (M) or
small (S), using your subjective judgment to determine the relative differences
between those three levels.
Internal impacts should be reviewed based on various criteria such as financial

status (e.g. cash flow), operational problems, and the reputation of the
company. When the production line of product A is shut down, how serious of
an impact will it have, over time, on the company’s revenue? If your top brand
service is suspended, what level of impact might it have on the company's
cash flow? Rate the degree of the internal impact as large (L), medium (M) or
small (S).
Next, you should know the timeline of the impact of a total disruption. How
soon would a total disruption in those activities become unacceptable to your
company? This period is called the Maximum Tolerable Period of Disruption, or
MTPD. This is the very latest time at which your company would have to resume
the listed activities before reaching a worst-case scenario that would end in
bankruptcy.
Enter the listed activities in Form 2-2 (left column). Consider the MTPD for each
activity listed and select one of the five columns showing periods of time (3
days, 1 week, 2 weeks, 1 month, 2 months or more). Determine the period by
which each listed activity has to be resumed. For example, if the first activity’s
MTPD is one month, place a checkmark ( ) in the "1 month" column. If you
have to restore delivery to a key customer within 2 weeks, write "2 weeks" in the
rightmost column entitled Recovery Time Objective (RTO). Repeat this process
for all listed activities.
Now that you have analyzed and evaluated the internal and external impacts
and identified the Recovery Time Objective of the main activities of your
company, you will select and identify your company’s Prioritized Activities and
set Recovery Time Objective (RTO) from a company-wide perspective in Form
2-3. Your company may select one or more PA(s) depending on your business
operations.
Form 2-1 Impact Level Comparison Chart

Impact Levels
Departments Handling Each Product/Service
External Impact Internal Impact
Product / Service A L:M:S L:M:S
Product / Service B L:M:S L:M:S
Product / Service C L:M:S L:M:S
Product / Service D L:M:S L:M:S
Product / Service E L:M:S L:M:S
Form 2-2 Maximum Tolerable Period of Disruption

Departments Handling Recovery Time
Time When Impact Becomes Unacceptable MTPD
Each Product/Service Objective (RTO)
Product / Service A ~3 ds ~1 wk ~2 wks ~1 mo ~2 mos.
Product / Service B ~3 ds ~1 wk ~2 wks ~1 mo ~2 mos.
Product / Service C ~3 ds ~1 wk ~2 wks ~1 mo ~2 mos.
~3 ds ~1 wk ~2 wks ~1 mo ~2 mos.
~3 ds ~1 wk ~2 wks ~1 mo ~2 mos.
Form 2-3 Prioritized Activities and RTOs
Prioritized Activity(ies)
Recovery Time Objective(s)(RTO)

Step 3 What Do You Need to Resume Key Activities?

Prioritized Activities (PAs) are supported by various internal and external
resources. When disrupted, PAs are going to be resumed and those supporting
resources should be available and ready. In Step 3, you need to identify and
list the necessary resources in Form 3-1. In the subsequent steps, you will review
risks to the listed resources, and their vulnerabilities. You will consider what
measures are necessary to protect, secure availability, or prepare alternative
options. Therefore, this list is very important and basic information in your BCP
planning.
List the necessary resources in Form 3-1, dividing them into three categories
(1) internal resources, (2) essential services, and (3) business partners. The
first category is internal resources, which are usually under your company’s
control. These include buildings, equipment, machinery, tools, stock, materials,
IT systems, documents, and drawings, etc. It is also important that human
resources be reviewed from the perspective of employees’ special skills and
expertise.
The second group is, Essential Utilities such as electricity, gas, fuel, water, and
sewage etc. Communication network (phone and Internet) and transportation
network (roads, railroads, and ports) are included. These resources are
provided by public entities. They are not usually under your control. Typically,
ordinary companies cannot afford to arrange alternative sources for essential
services due to the prohibitively high costs, and their availability. Therefore,
these would become a basic condition for resumption of your PAs.
The third group is, your company’s Business Partners and your upstream and
downstream business chains. This group (direct and indirect partners) is not
only your suppliers, but also your customers. In the two catastrophic natural
disasters, the East Japan Earthquake and Thailand’s Floods which occurred in
2011, many companies were seriously affected by disruptions to their supply
chains. Many companies, which were not directly damaged by the natural
disasters, were also seriously affected.
Form 3-1 Necessary Resources for Prioritized Activities

Necessary Resources for Prioritized Activities
Type of Resources Contents
Building
Equipment / Machinery
Inventory
Internal Resources People
IT System
Fund
Other:
Electricity
Gas
Water
Essential Social Services
Phone / Communication
Traffic / Roads
Other:
Direct supplier
2nd, 3rd Supplier
Supplies
Customer
Other:
(Note: The processes of identifying Prioritized Activities, setting Recovery Time

Objectives, and listing necessary resources constitute a Business Impact Analysis
(BIA). This term is commonly used in BCP.)
Step 4 Risk Assessment – Know Your Disaster Scenarios

In Step 4, you need to clearly identify risks which may seriously threaten your
company (or may lead to a catastrophic scenario). You list the kinds of risks
your company is exposed to. You analyze and evaluate those risks, and select
risks which your company needs to take measures with ‘high priority’. You also
need to analyze and estimate to what extent your critical resources may be
damaged by such risks, and how long it will take to restore such damaged
resources. You compare the estimated restoration period with your company’s
Recovery Time Objective (RTO), set in Step 2, and determine which resources
are critical to avoid catastrophic scenarios.
The resources which need attention include those where the restoration period
exceeds the RTO and those that do not exceed it. If essential services such
as electricity, water, phone etc, take a longer period for the service to be
restored than your RTO, you may need to reconsider your RTO and wait until
such resources and services become available.
Form 4-1 assists in the process of identifying, evaluating, and prioritizing risks.
First, enter the risks your company is exposed to in the leftmost column. These
are risks which could potentially cause a disruption in your business operations
or could lead to a worst-case scenario (bankruptcy). For example, risks to your
company might include natural disasters such as earthquakes, floods, and
typhoons, or industrial disasters such as fire, explosion, blackout, leakage of
chemical substances or intentional acts such as terrorist attacks, sabotage. The
past history of such natural disasters, hazard maps, and risk information for your
local area may be published by local governments and public organizations. If
available, these can be very useful resources in conducting the risk assessment
in this step.
Next, evaluate the “Impact” and “Likelihood” of each risk, marking each as
either H (high), M (medium), or L (low) in the columns indicated. The criteria for
rating these items are shown in Table 4-1.
Table 4-1 Risk - Likelihood/Impact Scoring Scale

Rank Likelihood Impact
Disastrous, Severe damage

High Likely Threatening the company
Death, multiple injuries
Medium level damage

Middle Moderate likely Affecting operations,
Multiple injuries
Insignificant damage
Low Unlikely
Minor injuries
After you have entered L ,M or S in both the “Impact” and “Likelihood” columns
of Form 4-1, assign them an order of priority in which measures need to be
taken. Indicate the priority number in the rightmost “Priority” column.
Form 4-1 Risk Impact and Likelihood Comparison Chart (sample)

Risk Impact Likelihood Priority
Earthquake HML HML 1
Flood HML HML 2
HML HML
HML HML
Next, select a top priority risk (e.g. earthquake) and estimate the level of
damage and length of time needed for the restoration of resources should
they be damaged as the result of an incident or a disaster. The estimated
restoration period should be compared against your company’s Recovery Time
Objective (RTO), which was established in Form 2-3. Determine the resources
for which measures need to be taken.
Proceed through the following eight steps and enter the appropriate data
in the columns indicated (by arrows) in Form 4-2. Separate forms should be
completed for each selected risk because the expected damage could vary
widely by risk.
1) Enter the critical resources that were identified in Step 3
2) Enter the prioritized risk
3) Enter an outline of estimated damages to your facilities

4) Enter estimated levels of damage
5) Enter estimated periods for repair, restoration, or recovery
6) Mark the graph bars to correspond to the length indicated in item (5) above
7) Draw your RTO line (see your Form2-3)
8) Determine whether measures need to be taken for each listed resource to

achieve RTO and place a mark in the column indicated
The resources for which measures may need to be taken may include both
those whose restoration period exceeds your RTO and those that do not. If
essential services such as electricity, water, and phone service take longer
to get back online than your RTO, you may need to reconsider your RTO in
consideration of the wait-time needed for the restoration of those resources.
Form 4-2 Resource Damage Estimate Sheet (sample)
13
Risk Earthquake Assumed recovery period

Measures
Assumed damage ○○○ Day (shown by graph)
Day needed
Necessary resources Damage 3 days 1 wk 2 wks 1 mo 2 mos 3 mos
Building ○○○ 7 ds ○
Equipment /
○○○ 30 ds ○
Machinery
BCP Guidebook 2013
Inventory ○○○ 3 ds
Internal Resources
People ○○○ 3 ds
IT System ○○○ 10 ds ○
Fund ○○○
Other:
Electricity ○○○ 3 ds
Gas ○○○ 30 ds ○
Water ○○○ 15 ds ○
Essential Social
Services Phone /
○○○ 10 ds
Communication
Traffic / Roads ○○○ 8 ds
Other:
Direct supplier ○○○ 30 ds ○
2nd, 3rd Supplier ○○○ 20 ds ○

Supplies
Customer ○○○ 10 ds ○
other
The details regarding measures to be taken will be reviewed in Steps 5 to 7

below.
Examples of such measures are as follows:
1) Protection (Prevention) and Mitigation- see Step 5
- Anti-earthquake reinforcements to buildings
- Installation of equipment restraints
2) Emergency Response (Incident Response)- see Step 6
- Evacuation plan formulation
- Development of safety confirmation procedures
3) Strategies for the Early Resumption of Prioritized Activities- see Step 7
- Alternate site recovery
- IT system back ups
The required measures differ depending on the type of disaster experienced

since damage estimates can vary widely. This Guidebook guides you through a
process in which you select one risk and then proceed to estimate the damage
that would be sustained as a result. For SME owners, it might be difficult at first
to prepare for multiple risks. We suggest starting with your top priority risk first,
and then repeat the process for other risks if your company can afford to do
so.
5. Your Survival Strategies

In this section, you are going to work on the core items of your company’s
BCP. You will plan and implement your company’s Business Continuity (BC)
Strategies to achieve the Recovery Time Objective (RTO) you set in Step 2 (Form
2-3). There are three phases to a BC Strategy, all of which are important and
necessary for achieving your RTOs. You will identify the necessary measures for
your company in consideration of these three phases
(1) Protection and mitigation (Step 5)

This phase involves the protection (prevention) or mitigation of the damage
caused by an incident so that Prioritized Activities can be resumed quickly
in accordance with their RTOs. Protection and mitigation measures primarily
consist of pre-incident measures, but can also include important post-incident
measures intended to contain and minimize damage.
(2) Emergency response (Step 6)

When a disruption affects your company, you have to stabilize the situation
by eliminating danger and protecting your people, assets, and business
operations. This should be done immediately to prevent an emergency
situation from becoming an uncontrollable crisis. The first priority of emergency

response is to protect and rescue people. Subsequent priorities are to eliminate
threats and secure safety, protect assets, and prevent further damage and
secondary disasters.
(3) Continuity and recovery strategies (Step 7)

This phase involves planning and implementing strategies for continuing (or
resuming) Prioritized Activities and then restoring normal operations. Continuity
strategies focus on restarting Prioritized Activities immediately using alternative
or temporary measures. Recovery strategies focus on restoring operations to
pre-incident levels.
Protection & Incident Continuity/ Recovery

Mitigation Response Options
(for an earthquake) ‧Evacuation

‧Seismic reinforcement of ‧Confirmation of employee safety
structures ‧EOC mobolization
‧Installation of equipment ‧Relocation to alternate site
restraints
‧Recovery at affected site
‧Data back-up
‧Workaround options
‧Outsourcing
‧return to normal operation
Figure 5-1 Three phases of a Business Continuity Strategy
Step 5 Do Not Forget Pre-Disaster Protection and Mitigation

To successfully resume operations as planned, the damage to the supporting
resources should be contained, to the extent that early repair and restoration
would be possible. If such important resources sustain very severe damaged,
your company may fall into a disaster scenario, and be forced to give up the
recovery effort, or shut down for a long period of time. This would be the end
of the business and therefore, the story! This is why pre-incident strategies of
protection and mitigation are very important.
In Step 4 (Form 4-2) you identified which resources require that measures
be taken to achieve your company’s Recovery Time Objective (RTO). Those
identified resources are vulnerable and might hinder the achievement of your
RTO. In this step, you will select resources that require protection and mitigation
measures and determine the details of those measures in order to avoid a level
of damage that would make it impossible to recover your Prioritized Activities
by the established RTOs.
In Form 5-1, enter (1) resources that require measures be taken, (2) objectives
of those measures, (3) what measures to take, (4) specific plans for taking those
measures, (5) implementation deadlines, and (6) the department in charge of
implementation.
Form 5-1 Protection and Mitigation Measures for Key Resources (sample)
16
Implementation Deadlines Department in

Resources Objectives What To Do Your Plan
Immediately Within1 year Mid to Long Term Charge
Make an evacuation
Provide instructions plan and disseminate it to General affairs
Personnel Keep personnel safe ○
on evacuation safety employees dept.
Conduct evacuation drills
BCP Guidebook 2013
Check earthquake-
Check earthquake-
resistance of the building General affairs
resistance of ○
in which the headquarters dept.
buildings
is located
Protect/mitigate
Buildings
damage to buildings
Make the headquarters

Make buildings General affairs
building earthquake- ○
earthquake-resistant dept.
resistant
Install restraints to
Protect/mitigate Fix machine tools to the Manufacturing
Facilities prevent equipment ○
damage to facilities factory floor dept.
from falling over
Install restraints to Put servers at

Protect/mitigate Information
Systems prevent computers headquarters in a server ○
damage to buildings systems dept.
from falling over rack
Step 6 Emergency Response to Disaster

In Step 6, you consider immediate necessary responses to take, when the
incidents occurs, to prevent the emergency situation from becoming an
uncontrollable crisis. It is called emergency response or incident response.
The first priority of emergency response is to protect and rescue people.
Stabilization, to remove harm and secure premises, ensure safety and security
of yourself, staff and customers protection of assets, and prevention of further
damage. The potential for secondary disasters should also be considered.
First, you should understand the general picture of emergency response. As

shown in Figure 6-1, there are a series of necessary activities in an emergency
response. These activities have to be carried out, following necessary timelines
and without delay. “(1) Evacuation and rescue” should start immediately by
individual people when an incident occurs. Emergency Operation Center (EOC)
should be called, if necessary, to take coordinated measures under unified
command in your company. The activities of (3) to (8) are performed by the
Emergency Operation Center, if it is set up.
The main necessary activities are (1) Evacuation and rescue, (2) Setting up
Emergency Operation Center, (3) Safety confirmation of employees, (4)
Stabilizing the situation and prevention of secondary damage, (5) Survey
of damage, (6) Assets protection, (7) Safety confirmation of employees’
commuting, and (8) Gathering and sharing information of incident/damage.
These eight activities are described in further detail below.
Evacuation
Emergency response to disaster
and rescue
Safety Confirmation Emergency Operation Center

of employees
Safety Confirmation of
employee’ s commuting
Stabilizing the situation and

prevention of secondary damage
Survey of damage
Assets protection
Gathering and sharing information of incident/ damage
strarting up continuity/ recovery strategy
Figure 6-1 Emergency response to disaster

(1) Evacuation and Rescue

First, your company should have a general evacuation plan, which includes
evacuation procedures, evacuation sites, evacuee guidance procedures,
and names of evacuation activity leaders. You will use Form 6-1 to create
your company’s evacuation plan. You need to make sure all employees
understand the evacuation plan and are able to safely evacuate as planned.
Many companies give all employees a small emergency card containing such
key information as what actions to take, where to evacuate, and emergency
contacts. Employees are asked to carry the card with them at all times so that
they can refer to it whenever necessary. Such an emergency card is highly
recommended.
Form 6-1 Evacuation and Rescue Plan (sample)

Office/Factory Head office
Evacuation site
Parking lot in front of the head office building
(meeting place)
Person in charge: Manager of the general affairs department

Leader
Assistant: Deputy manager of general affairs department
Person in charge of rescue and Person in charge: Manager of general affairs department
medical care Assistant: Deputy manager of the general affairs department
(name, address, telephone number)

Name: ○○hospital
Hospital
Address: ○○○
Tel: **-****-****
In case of a natural disaster such as an earthquake or flood, the infrastructure

(such as the traffic network) may be damaged. Your employees may not be
able to get home and may have to stay on the company’s premises or at an
emergency shelter. Your company needs to prepare food, water, and other
supplies (e.g., blankets, radios) for employees, and it is recommended to store
enough necessary supplies (e.g., food and water) to shelter them for 3 days (see
Form 6-5).
(2) Setting up an Emergency Operation Center

When an incident occurs that could affect your business, the company has to
respond immediately to protect its people and operations. It is critical not to
succumb to panic or chaos, but to behave calmly and make the best decisions
possible while taking the necessary measures under the circumstances. In order
for the company to carry out those activities in a unified and coordinated
manner, you should establish an Emergency Operation Center (EOC) that can
serve as a central command center.
The EOC’s framework, members, duties, and procedures must be decided on

in advance and put down on paper. Form 6-2 will assist you in creating an EOC
framework for your company.
a) EOC Leader
The leader is in charge of the overall activities of the EOC. The deputies must
also be identified who will take over for the leader when he/she is absent.
The order of succession for the authority and responsibilities of the leader
should also be decided.
b) EOC members and roles

The members of the EOC should be appointed and a list of their names
created and periodically updated. EOC members are required to convene
at the EOC whenever the EOC is mobilized. EOC members must be selected
from among those employees who would be able to convene on short
notice. Form 6-2 lists the four functions shown below. If the size of the
company requires, a team can be formed to carry out each function. You
should decide on your company’s EOC framework and the functions that
best suit your company's needs.
1.Analysis and planning
2.Information gathering
3.Site operations
- Stabilization
- Rescue and medical care
- Confirmation of employee safety
- Sanitation
- Logistics
4.Public relations
This function is for keeping internal and external stakeholders informed about
the status of the company.
c) EOC mobilization criteria

When should an EOC be mobilized? You must decide the thresholds that
must be met for the EOC to be mobilized and its members called to duty.
You can establish these criteria by incident type and magnitude, such as “an
earthquake measuring 6 on the Richter scale” or "a flood warning is issued.”
d) EOC locations
The location where EOC members are to convene must be decided in
advance. You should prepare for a situation in which your first choice
location (e.g., the head office building) is unusable by selecting alternate
EOC locations as well. EOC centers (including alternate sites) should
be prepared for mobilization at any time, and thus equipped with
communication equipment, IT and office equipment, and other supporting
resources.
Form 6-2 Emergency Operation Center (sample)

Roles department/ name Tel
CEO/ ○○○○ **-****-****
Leaders
Director/ ○○○○ **-****-****
(including deputies)
Director/ ○○○○ **-****-****
Analysis and planning ○○dept./ ○○○○ **-****-****
Information function ○○dept./ ○○○○ **-****-****
Members
○○dept./○○○○ **-****-****
Site operation function
○○dept./ ○○○○ **-****-****
(stabilization, rescue and medical
○○dept./ ○○○○ **-****-****
care, confirmation of employee
○○dept./ ○○○○ **-****-****
safety, sanitation, logistics)
○○dept./ ○○○○ **-****-****
Public relations ○○dept./ ○○○○ **-****-****
Mobilization - Earthquake measuring 6 on the Richter scale
thresholds - Flood warning is issued
Order of
Meeting place Workplace Address Tel
priority
(including
1 Head office ○○○○ **-****-****
alternate
2 A office ○○○○ **-****-****
locations)
3 B factory ○○○○ **-****-****
(3) Confirmation of employee safety

You must establish procedures for confirming the safety of your employees in
advance. You will have to make sure that all employees promptly follow the
established procedures in the event of a disaster. Your company should test
its procedures by conducting drills, as these show how well employees follow
the established instructions and how long it takes to complete a confirmation
of the safety of all employees. Your safety confirmation procedures should
include a way for employees to contact the company. Multiple means of
communication should be identified (e.g. phone calls, e-mail, and Internet
bulletin board) so that redundancies are built in. Remember the lesson learned
from the catastrophic Great East Japan Earthquake of March 2011 (M9.0),
after which the mobile phone network was non-operational across a wide area
due to extensive damage and congestion. Since such risks are inherent when
relying on a single mode of communication that utilizes the mobile phone
network, backup methods must be identified.
Form 6-3 is an employee contact list with columns for each employee's
department, name, telephone number, and e-mail address. This form can also
be used as a checklist when confirming employee safety.
Form 6-3 Emergency Contact list (sample)

Telephone Safety status
Department Name E-mail address
number (to be entered in an emergency)
○○dept. ○○○○ **-****-**** ****@***.***.***
○○dept. ○○○○ **-****-**** ****@***.***.***
○○dept. ○○○○ **-****-**** ****@***.***.***
(4) Confirmation of safe commuting conditions

When a disaster affects a widespread area across an entire region, the social
infrastructure may be damaged. Your company has to decide whether it is safe
to let employees go home or whether they will need to stay on the premises.
You can do this by monitoring disaster and traffic information.
(5) Stabilization of the situation and prevention of secondary damage

When an incident occurs and creates a dangerous situation, you must work
on stabilizing the situation to ensure employee safety and prevent secondary
damage. This may include efforts to fight fires or prevent the spread of harmful
substances.
(6) Survey of damage

Once the situation has been stabilized and safety has been secured, the
damage to your company should be immediately surveyed. Your company will
have to decide on any necessary repair and recovery plans, and must start on
its recovery process as soon as possible. A sample survey form is shown in Form
6-6.
(7) Asset protection

Based on the damage survey results, you must protect and preserve your
facilities and equipment. For example, you will want to take measures to
prevent the damage from spreading and to secure your assets against theft.
(8) Compilation and sharing of information

When a disaster hits your region, it is critical that you gather the following
information using various media, including television, radio, and the Internet:
-Disaster details
-Damage to the region (including the status of essential services and traffic
conditions)
-Alerts and warnings from central/local government authorities
Your company should maintain communication with stakeholders such as

suppliers, customers, public agencies, and financial institutions by gathering
and sharing relevant disaster information. It is important to give your business
partners status updates and information on your recovery plans so as to
maintain your business relationships while you are engaged in recovery efforts.
Form 6-4 is a sample External Contact List.
Form 6-4 External Contact List (sample)

Status
External Partners Name Tel. E-mail address
(complete when an incident occurs)
○○○○ **-****-**** ****@***.***.***
Materials & Parts

○○○○ **-****-**** ****@***.***.***
Suppliers
○○○○ **-****-**** ****@***.***.***
○○○○ **-****-**** ****@***.***.***
Logistics Service
○○○○ **-****-**** ****@***.***.***
Providers
○○○○ **-****-**** ****@***.***.***
○○○○ **-****-**** ****@***.***.***
Equipment
○○○○ **-****-**** ****@***.***.***
Maintenance Co.
○○○○ **-****-**** ****@***.***.***
○○○○ **-****-**** ****@***.***.***
Customers ○○○○ **-****-**** ****@***.***.***
○○○○ **-****-**** ****@***.***.***
○○○○ **-****-**** ****@***.***.***
Financial
○○○○ **-****-**** ****@***.***.***
Institutions
○○○○ **-****-**** ****@***.***.***
○○○○ **-****-**** ****@***.***.***

Public
Agencies, Local
○○○○ **-****-**** ****@***.***.***
Government
Offices
○○○○ **-****-**** ****@***.***.***
○○○○ **-****-**** ****@***.***.***
Essential Service
○○○○ **-****-**** ****@***.***.***
Providers
○○○○ **-****-**** ****@***.***.***

Form 6-5 Storage List for Disasters

Categories Items Numbers of items to prepare
Food / Water Drinking water 3 liters/person for 3 days
Emergency food 3 day supply/person
Sanitation supplies (tissues, wet

Living supplies 3 days
tissues, toilet paper, etc.)
Utensils Necessary numbers for people
Portable toilets 3 days
Plastic bags, tape Equal to the number of people
Blankets, sleeping bags Equal to the number of people
Portable gas and stoves 3 days
Pots and kettles 3 each
Pocket warmers 3 day supply/person
Oil heaters, oil Fuel for 3 days
Medical supplies First aid kits Equal to the number of people
Folding stretcher 3
Tools (crow bar, pliers, hammer,

Tools 3 each
shovel, cloth tape, stepladder)
Helmet and gloves Equal to the number of people
Plastic sheets, tarps 3 sheets (10m×10m)
Garbage cans, buckets 3 each
Support for getting people

Rainwear Equal to the number of people
home
Maps Equal to the number of people
Information gathering,
Radios, dry batteries 3 each
communication
Cell phone chargers 3 units per each model
Loudspeakers 3 units
Other Generators, generator fuel 2 units of fuel for 3 days

Form 6-6 Damage Survey Form

Surveyed location
Employee injuries Injured employees Names:
Appearance Large/ Medium/ Small/ None
Damage to buildings Inside Large/ Medium/ Small/ None
Safe entry Yes/ No
Equipment (Damaged equipment / number of items)
Communication equipment (Damaged equipment / number of items)
Damage to assets IT apparatus (Damaged equipment / number of items)
Fixtures and fittings (Damaged items / number of items)
Vehicles (Damaged vehicles / number of items)
Electricity Available/ Not Available
Gas Available/ Not Available
Damage to essential Water Available/ Not Available

services Landline phone service Available/ Not Available
Mobile phone service Available/ Not Available
Internet Available/ Not Available
Fire Available/ Not Available

Neighboring situations
Other
Business continuity Disrupted/ Not Disrupted
Visitors (Injured people)
Others
Step 7 BC Strategies to Early Resumption

In Step 7, you develop your company’s Business Continuity Strategies (BC
Strategies) for resumption of Prioritized Activities (PAs) within Recovery Time
Objectives (RTOs). You need to identify and prepare the internal and external
supporting resources that are necessary to resume those activities.
There are key concepts for planning your BC Strategies that you need to
consider to resume Prioritized Activities (PAs). In considering the concepts of BC
Strategies, you are going to make plans for your own BC Strategies to achieve
RTO of PAs.
Strategy 1: Resume PA at the damaged/affected site.
Strategy 2: Resume PA at an alternative site (either in-house or external facility)
Strategy 3: Resume PA by alternative methods (or workaround methods)

Your BC Strategies might be a combination of the above three strategies.
In the very early stage of your recovery planning, you have to decide where
your company will restart critical operations (or PAs). One strategy is to resume
at the damaged or affected site, another is to resume at an alternative site.
Both strategies are necessary. Your company should be prepared for a scenario
when the main facilities, such as, headquarter building or main factory are not
usable. For SMEs that have limited resources, it might be very hard to prepare
an alternate site. SMEs may only have one option to prepare a BC Strategy- to
restore damage and recover at the affected site. You should remember that
your company will be defenseless if your key facility is damaged to the extent
that it becomes unusable. In the mid to long term, you should consider how to
deal with this challenge. This process is not simply a paper exercise. The owner
and/or senior management has to make business decisions as to how and
where to recover prioritized activities from the disruption.
Form 7-1 summarizes the BC Strategies for your company, and should be
completed based on the concepts listed above. Enter your selected BC
Strategy into the appropriate column of the form. Let’s start with BC Strategy to
resume at the damaged/affected site.
Strategy 1: You have to restore the damaged resources. The buildings

and equipment/machinery may be damaged, and assistance by external
construction company and machinery experts may be necessary. Essential
services such as electricity, gas, and water are necessary to resume disrupted
operations. Recovery of such essential services to your company may become
the key to your company resuming operations. Therefore, you should estimate
how soon those public companies are able to resume services. You may need
to review your BC Strategy based on essential service restoration periods. The
next strategy is to resume at an alternative site.
Strategy 2: You need to consider the location of the alternative site, and see
if it is sufficiently distant from the current site and therefore is less likely to have
been impacted/damaged by the same disaster. You should make sure that
the essential services your company needs, are not be affected and will be
available. This strategy requires that all necessary resources, for example,
buildings, equipment, and machinery are available at this site. You also need to
consider how to transfer the workforce, and that supplies of materials and parts
are transported to this site. It will be important that you have built relationships
with your suppliers, as you will need to find other sources of assistance and seek
also corporation from external partners. This strategy is to resume PA by the
alternative method.
Strategy 3: This strategy can be used in strategy 1: damaged site recovery and
strategy 2: alternative site recovery. For example, old reserve equipment is used
to replace the damaged, newer equipment. Manual work by human hand
replaces disrupted IT systems. Your company selects what alternate methods
that fit your company’s operations. You also need to identify what kind of
assistance is necessary from external partners.
External business partners can have significant impact on your business

operations and BC Strategies. You cannot control your business partners.
Therefore, what can you do with external partners in your BC Strategies? This
will depend on your business relationship, but here some measures you can
take to help mitigate the risk. First of all, you can check their preparedness
levels in disaster management and BCP. Are they supportive of these matters
or not interested at all? If they are interested, it is recommended to exchange
what you and your partners have been doing in disaster management and
BCP. It would be more desirable that you and your partners have periodical
meetings and plan joint meetings or exercises.
Form 7-1 Continuity Strategy Summary

Continuity Strategy Summary
Key
Necessary
Activities to Resources
Priority Strategy Outline External
Resume (bottleneck
Partners
resources)
Strategy 1: Resume at the damaged/affected site
(ex.)
Restore damaged buildings and
equipment and resume PA
Strategy 2: Resume at an alternate site
(ex.)
Start up an alternate factory/
office / shop
(ex)
Activate back-up IT center
Strategy 3: Resume using alternate methods
(ex)
Start up using older methods,
using spare (old) equipment
Strategy: Other
Now that you have decided on your company’s BC Strategy using Form
7-1, you need to identify the resources necessary for executing this strategy.
Complete Form 7-2 to identify the necessary resources for each BC Strategy
listed in Form 7-1. You will prepare Form 7-2 for each BC Strategy. At the top
of Form 7-2, enter the Prioritized Activity and strategy outline you are going to
consider. There are columns of resources categorized into three groups: internal
resources, essential social services, and external partners (same as Form 3-1).
Form 7-2 BC Strategy Planning sheet

Prioritized Activity Strategy Outline
What’s to To be done by when

Details of Department
Categories Resources be done /
Measures Short Mid- Long in charge
needed
Term Term
Building
Equipment /
Machinery
Internal Stock
Resources People
IT System
(others )
Electricity/Gas/
Water
Essential Phone/
Social Communication
Services Traffic / Roads
(others )
Suppliers
External Customer
Partners
(others )
Next, enter the necessary measures in the relevant column for each resource.
In this process, you should check your review results in Form 4-2, the Resource
Damage Estimate Sheet (see column 8 where you identified which resources
are needed for achieving the RTO). For the resources identified, decide
what measures should be taken from the perspective of preventing and/or
minimizing damage and expediting restoration.
The resources that are critical in determining the restoration period required (or
bottleneck resources) should be carefully reviewed. Particular attention should
be paid to finding out how soon those resources that are not under your control
will be become available to you. You may need to flexibly revise your RTO and
BC Strategy based on that review. Enter the deadline for implementing each
measure, indicating whether it must be implemented in the short term (within 1
year) or the mid to long term (2 to 3 years or more). Also enter the departments
in charge of those measures. Once Form 7-2 has been completed with the
designated departments and deadlines, you can use the form for managing
progress on the implementation of measures. As stated above, this process
takes more than mere paperwork; it requires management decisions to be

made by the business owner (or top management) in cooperation with their
BCP Team. It is very important that top management exercise its leadership in
implementing BC Strategies.
Your outside business partners have a significant impact on your business

operations and BC Strategies. Since you cannot control your business
partners, what role do they play in your BC Strategies? It depends on your
business relationship you have with them, but you can start by checking into
their preparedness levels by asking about their disaster management and
BCP programs. Are they aware of such matters or uninterested? If they are
interested, both parties would be well served by sharing what they are doing
in terms of their disaster management and BCP activities. Ideally, you and your
partners would hold regular meetings on this topic and plan joint meetings or
exercises.
Step 8 Be Financially Prepared

Can you survive financially
if your operation is disrupted
for one or two months?
Disaster
The objective of Step 8 is
Revenue
to recognize the financial
conditions of your company Expenditure
in case of an emergency,
and to prepare appropriate
Deficit
measures in advance, to Need to prepare
measure to fulfill
av oid bankruptcy even if the shortage
income is suspended. If your

company’s operation is
suspended, your company Resumption
will lose revenue but still be Figure 8-1 Deficit Occurs After Disaster
required to pay ordinary
expenditure such as, payroll
and rent. And if your facilities are damaged, you will need cost recovery of
your damaged facilities. What you need to do in Step 8, is to estimate how
much money will needed if your company sustains damage by a disaster ; and
consider measures that could be taken to fulfill any shortage. Key factors to
consider in your financial analysis include.
- Understand how much revenue will decrease due to business disruption

(Section 1)
- Estimate how much the recovery costs will be to resume your business
operations (Section 2)
- Recognize how much ordinary expenditure will be incurred during disruption

(Section 3)
- Calculate the level of funds needed to fulfill the shortage. (Section 4)Note: It is
recommended that a company should reserve cash and deposits equivalent
to its one month revenue.
You can assess your financial status by completing Form 8-1.
(1) Check your available funds

You should check the amount of funds that you have on hand in reserves or
that would otherwise be available if needed during a business disruption. First,
fill in the total amount of available funds in Form 8-1. Examples of available
funds include cash, deposits, and short-term securities. Additionally, your
company might be able to get private funding from an owner of the company.
Next you should check your company’s insurance policies. Find out what types
of insurance policies your company has and whether such insurance policies
cover the disaster or accident in question. Also find out how much coverage
you have. You should be aware that in most cases, it takes some time for
insurance payouts to be made due the time required for investigations and
settlement negotiations.
The bottom line of Form 8-1 shows the total amount of available funds (A).
Form 8-1 Available Funds (sample)

Type Amount Other
Cash and Deposits 100,000
Insurance 50,000 Fire / Flood /Earthquake
Available Funds (A) 150,000
(2) Estimate recovery costs

Next you will assess the expenditures your company would incur as the result
of a disaster and during the disruption period. You have already estimated
damages and restoration periods for your important resources (Steps 4, 5, 6,
and 7). Now you have to do some guesswork regarding how much it would
cost to repair and restore the damaged resources that are essential to the
resumption of your Prioritized Activities. Estimate the recovery cost for each
main category of resources, as shown in Form 8-2. Buildings, equipment and
machinery, fixtures and fittings, and inventory are listed as examples. Enter the
expected total recovery cost for each category. The bottom line of Form 8-2
shows the total amount of estimated recovery costs (B).
Form 8-2 Recovery Costs

Recovery Cost Amount Other
Building 10,000
Equipment and machinery 5,000
Fixtures and fittings 5,000
Inventory 5,000
Total Recovery Costs (B) 25,000
(3) Summarize ordinary expenditures

There are ordinary expenditures that your company has to pay even during a
disruption. These expenses include fixed costs such as payroll and rents on real
estate and warehouses, as well as variable costs such as debt payments. You
need to know the total monthly amount of your ordinary expenditures during a
disruption period. Use Form 8-3 to enter the expense items and total amounts.
The bottom line shows the total ordinary expenditures (C).
Form 8-3 Ordinary Expenditures

Ordinary Expenditure Amount Other
Payroll
Purchased supplies
Rent
Others
Total Ordinary Expenditures (C)
(4) Assess cash flow status

By completing processes (1), (2) and (3) above, you will have obtained the
total amounts of your available funds (A), recovery costs (B), and ordinary
expenditures (C). Enter those amounts in Form 8-4 and calculate the balance
(=A-B-C). If the balance is negative, your company will have a shortfall in
necessary funds. If it is positive, your company is likely to have sufficient funds
for weathering a disruption.
Form 8-4 Financial Status Sheet

Available Funds (A)
Recovery Costs (B)
Ordinary Expenditures (C)
Balance (=A-B-C)
(5) Financial measures

If the balance shown in Form 8-4 is negative (indicating a fund shortage), your
company needs to take financial measures to make up for that shortfall. You
may need to increase available funds by taking out a loan from your bank or
by cutting down on redundant costs to decrease expenditures. In many cases,
the national and local governments provide low interest disaster loans for SMEs
that have been affected financially by a disaster. It is therefore important to
research what kinds of financial support programs might be available to your
company.
Form 8-5 Financial Measures (sample)

Financial Measures Amount Detail
Check the amount every
(example) Borrow from bank 100,000
December
(example) Disaster loan 150,000 Apply when hit by a typhoon
Step 9 Exercise Makes Your Plan Functional

In Steps 5, 6, and 7, your company has made various plans of BC Strategies.
Below are questions related to some of those plans. How confident can you
answer "Yes" to the following questions?
- Can all employees (and customers) evacuate promptly and safely, following
your evacuation plan?
- Can all employees call your emergency phone number to report safety
confirmation?
- Can EOC members gather properly and immediately at the meeting place
and undertake their designated role?
Planning and executing plans are different tasks. Your company’s Business
Continuity Plans should effectively work in the case of an emergency as
planned. The purpose of exercise is to ensure that your company’s plans
work effectively and achieve its objectives. Exercise is intended to not only
test its performance, but also to empower employees and provide them with
education and training to enhance their knowledge and expertise.
Some examples of the main exercises are listed below.
- Evacuation Drill: test and practice safe and prompt evacuation to the
designated location.
- Safety Confirmation Exercise: test and practice employees’ emergency calls

and safety confirmation.
- Launching EOC Exercise: test and practice starting up EOC launch and
conducting designated roles by EOC members.
- Backup Data Recovery Exercise: test and practice recovery by backing up

data.
- Re-starting Operation Exercise: test and practice resuming operations after

disruption.
- Launching Alternative Site Exercise: test and practice starting up operations

at an alternate site.
There are many types of exercises that can be conducted. It is recommended

that you conduct any exercises that your company thinks necessary and
feasible. You can increase the level of complexity of your exercises and adopt
different types of exercises to improve your company’s business continuity
capabilities.
Use Form 9-1 to create an exercise plan for your company. The post-exercise
review is important for identifying any deficiencies or problems, so that your
company can make any necessary improvements.
Form 9-1 Exercise Plan

Type of Exercise Aim Target Group Date of Exercise Post Review
6. PDCA: Continuous Improvement

Business Continuity Plan refers to your company-wide efforts to develop your
capabilities for resuming critical operations (Prioritized Activities) after a
disruption caused by a disaster. It is not easy to establish such capabilities in
a short period of time, but it is essential to continuously improve and enhance
them over time. We strongly recommend that you utilize the PDCA Cycle (Plan,
Do, Check, Act) for your company’s continuous BCP improvement.
Step 10 Ongoing Review and Improvement

You have already gone through the first Business Continuity
two phases (Plan and Do) of four phases. Planning System
In Step 10, you finish the remaining
Check (monitor and review) and Act
(maintain and improve) phases. Act Plan
Maintain and Establish
improve
(1)Review and Check Your BCP
To make your company’s BCP most
BCM
Business Continuity
effective, you should monitor and review Management
your company’s BCP activities. Your
entire BCP activities – before, during and Check Do
after an incident - should be reviewed. Monitor and Implement
review and operate
Use Form 10-1 to assist in this process,
proceeding through each of the 10 steps
PDCA cycle
outlined in this Guidebook.
You should ask the following questions for the review of each step.
- Are BC activities (which have been decided and planned) effectively done?
- Are there any tasks and problems for improvement?
- Are there any changes to internal and external circumstances which are
needed to be considered?
- Are there any areas or items which were not included in your BCP, but should
be included?
Form 10-1: BCP Review Form

Changes
Related Currently Issues to
Step Items to Review and Check in Business
Forms Effective Review
Environment
BCP Framework 1-1,

1 Purpose, scope, BCP leaders 1-2, Y/ N
and team members 1-3
Prioritized activities, recovery

2
time objectives
Supporting resources
3
Bottleneck resources
Surrounding risks Expected

4
damages
Protection and mitigation

5
measures
Emergency response, EOC,

6 safety confirmation, risk
communication
Continuity and recovery

7
measures
8 Exercises, training
Cash flow for emergencies

9
Financial measures
Monitor, review, and

10
improvement
This review and check process should be conducted periodically, at least

once per year. If there is any business environmental change in your company,
such as, change of partner companies (suppliers or vendors), core business
operations (products or services), IT system or M&A, location changes etc.,
you should pay attention to possible effects of these changes. These factors
may have not been considered or may have been omitted in your reviews,
and therefore, you may need to reconsider and make the necessary changes
to your BCP activities. It is important to periodically review and not miss the
opportunity to update your BCP. These internal reviews are usually done by BCP
teams, lead departments and internal audit departments.
(2) Management Review

In addition to the above Review and Check processes, senior management
have to proactively initiate a review of the company’s BCP at least annually,
and ensure that your company’s BCP has been managed effectively and
the PDCA cycle is working. Form 10-2 is for management review. It should be
understood that management review works as strong drive to cycle PDCA
cycle.
Form 10-2 Management Review Sheet
Check & Review Items Person in Charge Due Date Top Management
Appendix
1. Blank Forms
Form 1 BCP Framework
Form 2-1 Impact Level Comparison Chart
Form 2-2 Maximum Tolerable Period of Disruption
Form 2-3 Prioritized Activities and RTOs
Form 3-1 Necessary Resources for Prioritized Activities
Form 4-1 Risk Impact and Likelihood Comparison Chart
Form 4-2 Resource Damage Estimate Sheet
Form 5-1 Protection and Mitigation Measures for Key Resources
Form 6-1 Evacuation and Rescue Plan
Form 6-2 Emergency Operation Center
Form 6-3 Emergency Contact List
Form 6-4 External Contact List
Form 6-5 Storage List for Disasters
Form 6-6 Damage Survey Form
Form 7-1 Continuity Strategy Summary
Form 7-2 BC Strategy Planning Sheet
Form 8-1 Available Funds
Form 8-2 Recovery Costs
Form 8-3 Ordinary Expenditures
Form 8-4 Financial Status Sheet
Form 8-5 Financial Measures
Form 9-1 Exercise Plan
Form 10-1 BCP Review Form
Form 10-2 Management Review Sheet
2. BCP Checklist
1.Blank Forms
Form 1
BCP Framework
BCP Purpose
Protect People
Protect Business
Activities
Recover with Local Community
BCP Scope
Departments to introduce BCP
BCP Leader and Team
BCP Leader
BCP Team Members

Form 2-1
Impact Level Comparison Chart
Department Handling Each Impact Levels

Product/ Service External Impact Internal Impact
L:M:S L:M:S
L:M:S L:M:S
L:M:S L:M:S
L:M:S L:M:S
L:M:S L:M:S
L:M:S L:M:S
L:M:S L:M:S
L:M:S L:M:S
Form 2-2
Maximum Tolerable Period of Disruption
Departments Handling Time When Impact Becomes Unacceptable Recovery Time

Each Product/Service MTPD Objective (RTO)
Product / Service A ~ 3 ds ~1 wk ~ 2 wks ~ 1 mo ~ 2 mos.
Product / Service B ~ 3 ds ~ 1 wk ~ 2 wks ~ 1 mo ~ 2 mos.
Product / Service C ~ 3 ds ~ 1 wk ~ 2 wks ~ 1 mo ~ 2 mos.
~ 3 ds ~ 1 wk ~ 2 wks ~ 1 mo ~ 2 mos.
~ 3 ds ~ 1 wk ~ 2 wks ~ 1 mo ~ 2 mos.
Form 2-3
Prioritized Activities and RTOs
Prioritized Activity(ies)
Recovery Time
Objective(s)(RTO)
Form 3-1
Necessary Resources for Prioritized Activities
Type of Resources Contents
Building
Equipment / Machinery
Inventory
Internal
People
Resources
IT System
Fund
Other:
Electricity
Gas
Essential Water
Social
Services Phone / Communication
Traffic / Roads
Other:
Direct supplier
2nd, 3rd Supplier

Supplies
Customer
Other:
Form 4-1
Risk Impact and Likelihood Comparison Chart
Risk Impact Likelihood Priority
H M L H M L
H M L H M L
H M L H M L
H M L H M L
H M L H M L
H M L H M L
H M L H M L
H M L H M L
H M L H M L
H M L H M L
H M L H M L
H M L H M L
41
Form 4-2
Resource Damage Estimate Sheet
Risk Assumed recovery period

Need
Assumed damage Day (shown by graph)
Day measures
Necessary resources Damage 3ds 1wk 2wks 1mo 2mos 3mos
BCP Guidebook 2013
Building
Equipment /
Machinery
Inventory
Internal
Resources People
IT System
Fund
Other:
Electricity
Gas
Water
Essential Social
Services Phone /
Communication
Traffic / Roads
Other:
Direct supplier
2nd, 3rd Supplier

Supply
Customer
Other:
Form 5-1
42
Protection and Mitigation Measures for Key Resources
Implementation Deadlines
Department in
Resources Objectives What To Do Your Plan Mid to Long
Immediately Within 1 year Charge
Term
BCP Guidebook 2013
Form 6-1
Evacuation and Rescue Plan
Office/Factory
Evacuation Site
(meeting place)
Leader Person in charge;

Assistant;
Person in charge of Person in charge;

rescue and medical Assistant;
care
Hospital (name, address, telephone number)

Form 6-2
Emergency Operation Center
Roles Department/ name Tel
Leaders
(including deputies)
Analysis and planning
Members
Information function
Site operation function

(stabilization, rescue and medical
care, confirmation of employee
safety, sanitation, logistics)
Public relations
Mobilization
thresholds
Order of priority Workplace Address Tel
Meeting place
(including
alternate 2
locations)
3
Form 6-3
Emergency Contact List
Safety status to
Department Name Tel E-mail address be entered in an
emergency
Form 6-4
External Contact List
Status
(complete when
External Partners Name Tel. E-mail address
an incident
occurs)
Form 6-5
Storage List for Disasters
Categories Items Numbers of items to prepare
Drinking water 3 liters/person for 3 days

Food / Water
Emergency food 3 day supply/person
Sanitation supplies (tissues, wet tissues,

3 days
toilet paper, etc.)
Utensils Necessary numbers for people
Portable toilets 3 days
Plastic bags, tape Equal to the number of people
Living supplies
Blankets, sleeping bags Equal to the number of people
Portable gas and stoves 3 days
Pots and kettles 3 each
Pocket warmers 3 day supply/person
Oil heaters, oil Fuel for 3 days
First aid kits Equal to the number of people

Medical supplies
Folding stretcher 3
Tools (crow bar, pliers, hammer, shovel,

3 each
cloth tape, stepladder)
Helmet and gloves Equal to the number of people

Tools
Plastic sheets, tarps 3 sheets (10m×10m)
Garbage cans, buckets 3 each
Rainwear Equal to the number of people

Support for getting
people home
Maps Equal to the number of people
Radios, dry batteries 3 each
Information gathering,
Cell phone chargers 3 units per each model
communication
Loudspeakers 3 units
Other Generators, generator fuel 2 units of fuel for 3 days

Form 6-6
Damage survey form
Surveyed location
Employee injuries Injured employees Names:
Appearance Large / Medium / Small / None
Damage to buildings Inside Large / Medium / Small / None
Safe entry Yes / No
Equipment (Damaged equipment / number of items)
Communication
(Damaged equipment / number of items)
equipment
Damage to assets
IT apparatus (Damaged equipment / number of items)
Fixtures and fittings (Damaged items / number of items)
Vehicles (Damaged vehicles / number of items)
Electricity Available/ Not Available
Gas Available/ Not Available
Water Available/ Not Available

Damage to essential
services
Landline phone service Available/ Not Available
Mobile phone service Available/ Not Available
Internet Available/ Not Available
Fire Available/ Not Available

Neighboring situations
Other
Business continuity Disrupted/ Not Disrupted
Visitors (Injured people)
Others
Form 7-1
Continuity Strategy Summary
Key Resources
Necessary External
Priority Strategy Outline Activities to Resume (bottleneck
Partners
resources)
Strategy 1: Resume at the damaged/affected site
Strategy 2: Resume at an alternate site
Strategy 3: Resume using alternate methods
Strategy: Other
Form 7-2
BC Strategy Planning Sheet
Prioritized Activity Strategy Outline
To be done by when
What’s to
Details of Department
Categories Resources be done /
Measures Mid- Long in charge
needed Short term
Term
Building
Equipment /
Machinery
Internal Stock
Resources
People
IT System
Other:
Electricity/Gas/
Water
Essential Phone/
Social Communication
Services
Traffic / Roads
Other:
Suppliers
External
Customer
Partners
Other:
Form 8-1
Available Funds
Type Amount Other
Available Funds ( A )
Form 8-2
Recovery Costs
Recovery Cost Amount Other
Total Recovery Costs( B )

Form 8-3
Ordinary Expenditures
Ordinary Expenditure Amount Other
Total Ordinary Expenditures (C)
Form 8-4
Financial Status Sheet
Available Funds (A)
Recovery Costs (B)
Ordinary Expenditures (C)
Balance ( =A-B-C )
Form 8-5
Financial Measures
Financial Measures Amount Detail

Form 9-1
Exercise Plan
Type of Exercise Aim Target Group Date of Exercise Post Review

Form 10-1
BCP Review Form
Items to Review and Related Currently Changes in Business Issues to

Step
Check Forms Effective Environment Review
BCP Framework
Purpose, scope,
1 1-1 Y/ N
BCP leaders and
team members
Prioritized activities, 2-1 Y/ N

2 recovery time 2-2 Y/ N
objectives 2-3 Y/ N
Supporting
resources
3 3-1 Y/ N
Bottleneck
resources
Surrounding risks 4-1 Y/ N

4
Expected damages 4-2 Y/ N
Protection and
5 5-1 Y/ N
mitigation measures
Emergency
6-1 Y/ N
response,
6-2 Y/ N
6 EOC, safety
6-3 Y/ N
confirmation, risk
6-4 Y/ N
communication
Continuity and 7-1 Y/ N

7
recovery measures 7-2 Y/ N
8-1 Y/ N
8-2 Y/ N
8 Exercises, training 8-3 Y/ N
8-4 Y/ N
8-5 Y/ N
Cash flow for

9 emergencies 9-1 Y/ N
Financial measures
Monitor, review, 10-1 Y/ N

10
and improvement 10-2 Y/ N
Form 10-2
Management Review Sheet
Check & Review Items Persons in Charge Due Date Top Management
2.BCP Checklist
Answer
No. Question Steps Yes- Yes
No
Partially Done
Has a BCP Manager been appointed and has a budget for

1 1 0 2 4
BCP activities been allocated?
Are the BCP purpose, scope and leader well-known

2 1 0 2 4
throughout your company?
Does upper management take a visible leadership role

3 in BCP activities and show its commitment to BCP to 1 0 2 4
employees?
Does your company understand what the impacts would

4 be if the company's operations were to be disrupted for 2 0 2 4
one week? One month?
Does your company understand how soon it would have

5 to resume operations after a disruption to avoid severe 2 0 2 4
impacts that would threaten the company's survival?
Has your company identified which businesses should

6 be given top priority for the recovery and resumption of 2 0 2 4
operations?
Has your company identified important internal resources

7 or outside essential services that might create a bottleneck 3 0 2 4
for business resumption efforts?
Has your company already identified necessary materials

8 3 0 2 4
or parts which are supplied by a single supplier?
Has your company researched the disaster history or

9 risk information (such as hazard maps) that have been 4 0 2 4
published by your local government or other organization?
Is your company able to withstand the type of natural

10 disaster (with extensive impacts) that has a higher 4 0 2 4
probability of occurring than other disasters?
Has your company identified which necessary resources

might sustain severe damage as a result of the natural
11 4 0 2 4
disaster identified above (question 10), thus becoming an
obstacle for early business resumption?
Has your company planned and implemented pre-disaster

protection (prevention) and mitigation measures to protect
12 5 0 2 4
the safety and welfare of your employees from expected
disasters?
Has your company planned and implemented pre-disaster

protection (prevention) and mitigation measures to protect
13 5 0 2 4
your company's assets from disasters (earthquake, floods,
typhoons) and accidents?
Has your company prepared an emergency contact list of

14 6 0 2 4
employees?
Has your company decided on the framework for an

Emergency Operation Center, such as where to gather,
15 6 0 2 4
what members are to be called, and the criteria for
mobilization?
Has your company made a contact list of customers,

16 6 0 2 4
business partners, and authorities?
17 Does your company periodically backup its data? 7 0 2 4
Does your company have an alternate site in place in case

18 7 0 2 4
its headquarters or main business location is shut down?
Does your company have alternative or temporary

19 measures in place to replace main equipment (or other 7 0 2 4
resources) in case primary equipment becomes unusable?
Does your company know the disaster management and

20 business continuity status of suppliers that supply its essential 7 0 2 4
materials and parts?
Do you know how much funding you would be short of if

21 your company's operations were to be totally disrupted for 8 0 2 4
one month?
Have you checked what kinds of disaster support programs

22 are available through your local government or other 8 0 2 4
public organizations?
Have you set aside a cash reserve equal to one month of

23 8 0 2 4
revenue for disasters?
24 Does your company conduct periodic evacuation drills? 9 0 2 4
Does your company conduct exercises to test that data

25 9 0 2 4
can be safely recovered from backup systems?
Does your company conduct exercises to practice

26 9 0 2 4
mobilizing the Emergency Operation Center?
Does your company periodically review its disaster

27 management and business continuity plans and implement 10 0 2 4
improvement measures if necessary?
Does upper management proactively engage in the

28 10 0 2 4
periodic review of BCP activities?
Total Score
Your Tota
Your BCP Status Level
Score
Your company is defenseless against disasters and accidents. If a disaster

strikes, your company is very likely to sustain severe damage which may cause
long-term disruption. Your company needs to know the risks that threaten it 0 - 36
and to start considering what can be done to minimize the potential damage
that might be caused by such risks.
Your company is aware of the risks to which it is exposed and has taken some
necessary preparatory measures. However, the expected results of those
measures may be limited. Your company is still exposed to severe damage 37 -74
because of the weakness of your BCP activities. Be sure to prioritize BCP
activities to make your BCP more effective.
Your company has almost established BCP and has implemented measures
that would probably be effective if the risks are within your estimates.
Continue following the PDCA cycle in your BCP activities to enhance your 75 - 112
business continuity preparedness and ensure that you will be able to respond
effectively to an unexpected incident or disaster.
APEC Project: M SCE 02 11A
Produced by
APEC SME Crisis Management Center
3F, No. 16-8, Dehuei St., Jhongshan District, Taipei 10461, Taiwan
Tel: (886)-2-2586-5000 # 364 Fax: (886)-2-2598-1122
Email: [email protected] Website: www.apecscmc.org
Small and Medium Enterprise Administration, Ministry of Economic Affairs, Chinese Taipei
3F, No. 95, Sec 2, Roosevelt Rd., Taipei 100, Taiwan
Tel: (886)-2-2368-6858 Fax: (886)-2-2367-3914
In Collaboration with
Asian Disaster Reduction Center
Shin-Yurakucho Bldg, 12-1 Yurakucho 1-Chome, Chiyoda-Ku, Tokyo 100-0006 Japan
Tel: (81)-3-6269-3792 Fax: (81)-3-6269-3799
Email: [email protected] / [email protected]
For
Asia Pacific Economic Cooperation Secretariat
35 Heng Mui Keng Terrance Singapore, 119616
Tel: (65) 68919 600 Fax: (65) 68919 690
Email: [email protected] Website: www.apec.org
©2013 APEC Secretariat APEC#213-SM-03.1

2013 Sme Bcpbrochure

Uploaded by

Copyright:

Available Formats

2013 Sme Bcpbrochure

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

2013 Sme Bcpbrochure

Uploaded by

Copyright:

Available Formats

Asia-Pacific

APEC Small and Medium Enterprise Working Group (SMEWG)

Guidebook on SME Business

4. Your Lifeline Businesses and the Threatening Risks...........06

5. Your Survival Strategies........................................................14

6. PDCA: Continuous Improvement........................................32

0. How to Use This Guidebook

level such that it would be able to resume operations at a normal or higher

Here are some warm-up questions to get you started!

10 Steps for BCP

Step 1 Determine BCP Purpose, Scope, and Team

Step 2 Prioritized Activities (PA) and Recovery Time Objective (RTO)

Step 3 What Do You Need to Resume Key Activities?

Step 4 Risk Assessment – Know Your Disaster Scenarios

Step 5 Do Not Forget Pre-Disaster Protection and Mitigation

Step 6 Emergency Response to Disaster

Step 7 BC Strategies to Early Resumption

Step 8 Be Financially Prepared

Step 9 Exercise Makes Your Plan Functional

Step 10 Ongoing Review and Improvement

1) Purpose: Why is your company introducing BCP?

2) Scope: Which parts of your company will introduce BCP?

3) Leader: Who will serve as leader of your BCP activities?

Step 1 Determine BCP Purpose, Scope, and Team

(3) BCP Leader

Fill in Form 1 regarding your company’s BCP framework.

Form 1 BCP Framework

Protect Business Activities

Recover with Local Community

Departments to introduce BCP

BCP Leader and Team

BCP Team Members

4. Your Lifeline Businesses and the Threatening Risks

Step 2 Prioritized Activities (PA) and Recovery Time Objective

Internal impacts should be reviewed based on various criteria such as financial

Form 2-1 Impact Level Comparison Chart

Form 2-2 Maximum Tolerable Period of Disruption

Form 2-3 Prioritized Activities and RTOs

Recovery Time Objective(s)(RTO)

Step 3 What Do You Need to Resume Key Activities?

Form 3-1 Necessary Resources for Prioritized Activities

(Note: The processes of identifying Prioritized Activities, setting Recovery Time

Step 4 Risk Assessment – Know Your Disaster Scenarios

Table 4-1 Risk - Likelihood/Impact Scoring Scale

Disastrous, Severe damage

Medium level damage

Form 4-1 Risk Impact and Likelihood Comparison Chart (sample)

Earthquake HML HML 1

Flood HML HML 2

1) Enter the critical resources that were identified in Step 3

2) Enter the prioritized risk

3) Enter an outline of estimated damages to your facilities

4) Enter estimated levels of damage

5) Enter estimated periods for repair, restoration, or recovery

7) Draw your RTO line (see your Form2-3)

8) Determine whether measures need to be taken for each listed resource to

Risk Earthquake Assumed recovery period

Traffic / Roads ○○○ 8 ds

Direct supplier ○○○ 30 ds ○

○○○○ -- @..*

○○○○ -- @..*

○○○○ -- @..*

○○○○ -- @..*

○○○○ -- @..*

○○○○ -- @..*

○○○○ -- @..*

Customers ○○○○ -- @..*

○○○○ -- @..*

○○○○ -- @..*

○○○○ -- @..*

○○○○ -- @..*

○○○○ -- @..*