BCP - Final2


Business Continuity Planning

Workshop

State of Arizona
Department of Administration
TABLE OF CONTENTS

INTRODUCTION

BACKGROUND

SCOPE

BUSINESS IMPACT ANALYSIS

STRATEGY AND PLAN DEVELOPMENT

PROGRAM IMPLEMENTATION

APPENDIX A - BUSINESS CONTINUITY PLAN TEMPLATE

1 - AGENCY IDENTIFICATION
2 - SUMMARY AREAS OF RESPONSIBILITY
3 - SUMMARY OF BUSINESS PROCESSES
4 - BUSINESS PROCESS INFORMATION
5 - BUSINESS INFORMATION AND DOCUMENTS
6 - PROCESS TASKS
7 - PROCESS CALL TREE
8 - INTERNAL AGENCY DEPENDENCIES
9 - EXTERNAL DEPENDENCIES
10 - EXTERNAL CONTACTS
11 - CUSTOMER CONTACT
12 - RESPONSE/RECOVERY TEAM PERSONNEL
13 - BUSINESS EQUIPMENT AND SUPPLIES
14 - INFORMATION TECHNOLOGY APPLICATIONS
15 - INFORMATION TECHNOLOGY SERVER/HARDWARE
16 - INFORMATION TECHNOLOGY TELECOMMUNICATIONS
17 - ALTERNATE SITES

APPENDIX B - FIELD TEMPLATE DEFINITIONS

1 - Agency Identification
2 - Summary Areas of Responsibility
3 - Summary of Business Processes
4 - Business Process Information
5 - Business Information and Documents
6 - Process Tasks
7 - Process Call Tree
8 - Internal Agency Dependencies
9 - External Dependencies
10 - External Contacts
11 - Customer Contact
12 - Team Personnel
13 - Business Equipment and Supplies
14 - Information Technology Applications
15 - Information Technology Server/Hardware
16 - Information Technology Telecommunications
17 - Alternate Sites

APPENDIX C - GLOSSARY

Introduction
This document describes a methodology to assist state agencies in developing a comprehensive
Business Continuity Plan that will ensure the continuation of core processes when unforeseen
circumstances occur.

Prior to developing a Business Continuity Plan (BCP), an agency must first identify the "subject
knowledge experts" available within the organization. Instruct them to read through this entire
document to gain a better understanding of the key components necessary in developing a plan. It is
recommended that these employees be empowered by management to make high-level decisions on
behalf of the agency. These individuals are usually managers that are at a level from which they
oversee one or more of the agency's core processes, also known as business services. The level and
title of these managers will vary from division to division.

This document is organized as follows:

• A Background on the standards and policies that describe the urgency of continuity planning.

• The Scope.

• Business Impact Analysis (BIA) - the process for determining the acceptable level of impact to
your agency by core business process and function. This methodology is heavily weighted on
the impact to customers resulting from the loss of your agency core processes and functions.

• Strategy and Plan Development - the process for identifying detailed resource requirements
and developing alternatives for each business process.

• Program Implementation - the process for training, testing/implementing and updating the
Business Continuity Plan and identifying strategies for completing a comprehensive Business
Continuity Program within an agency.

• Business Continuity Plan Template - a series of forms for use in collection and documentation
of the core processes identified by your agency. Additionally, if a business continuity plan
already exists, these forms will be helpful in identifying any gaps that need addressing.

• Glossary - A collection of common terminology and definitions.

Considerations
The kickoff meeting should include the agency leadership members; it may also be useful to include
those who have first-hand knowledge of core processes in this meeting. Describe the project’s goals
and its importance to the ongoing continuity of your agency. Answer any questions and clearly define
the roles and responsibilities of each participant.

Background
For most agencies, services to their customers and/or the public would effectively cease if the core
processes supported by key support systems were inaccessible for an unacceptable period of time. In
some cases, the failure or inaccessibility of a critical core business process may immediately
jeopardize public health and safety. Each agency should establish risk management and disaster
recovery planning processes for identifying, assessing, and responding to the risks associated with loss
of ability to execute its core processes. To adequately address the agency’s requirements for recovery,
plans for such recovery should be developed as a part of an agency-wide Business Continuity Program.

Scope
This document is intended to provide guidance and assistance for all agencies in the development,
implementation and maintenance of a business continuity program.

Business Impact Analysis

Definition
The Business Impact Analysis (BIA) identifies the operational (qualitative) and financial (quantitative)
impact of an inoperable or inaccessible core process on an agency's ability to conduct its critical
business processes. The BIA provides the basis for formulating your agency’s strategies into the
Business Continuity Plan (BCP) Template. This assessment guides the selection of recovery strategies
that may be employed to restore operations within the required time frames. An agency-wide
operational impact assessment is required to develop and implement an appropriate business continuity
program and determine the effects on the public caused by a loss of ability to continue core business
processes.

Information regarding the effect of having to recover from an emergency situation is collected through
interviews with the managers of core processes. This information is analyzed and a business analysis,
operational impact analysis, and financial impact analysis (where appropriate) are developed for each
core business process.

• The Business Analysis identifies and describes critical, essential and administrative core
processes, and the high-level resources that support these functions. It also describes the public
and customers served by these functions. This analysis enables us to confirm the managers’
description of their operations and highlight functional inter-dependencies and single points of
failure.

Core Business Processes (also known as Business Services)
Identify the core processes performed by the agency, and understand the flow of information,
materials, and services through these core processes.

Considerations for the operational and financial impacts to recover from situations that have disrupted
core business processes of an agency must be identified. This includes a detailed description of the
effects on all customers served by each core process.

For each core process, define the Maximum Acceptable Outage (MAO): the point at which resource
and functional support should be restored. Describe the financial impact for an outage of the duration
suggested by each function’s assigned MAO, and decide whether that level of financial impact is
acceptable or whether the MAO should be adjusted to reflect a different recovery timeframe than the
one originally assigned to the function.

An agency must then categorize each of the core business processes into one of three different
functions:

• Critical Functions: functions which have a direct and immediate effect on the general public
in terms of the loss of life, personal injury, loss of property, and/or the ability of government to
maintain direction and control. The loss of a critical function may either result in such losses
or inhibit government’s ability to preclude or minimize such losses. Most State agencies will
not have “critical functions.”

• Essential Functions: functions which provide necessary government services to the public
and which are not deemed “critical functions.”

• Administrative Functions: functions which relate to the internal control, management and
administration of a government agency supporting its ability to perform business functions,
e.g., training, payroll, personnel services, facility maintenance, etc.

Business Analysis Activity

Components
Identify core processes within each division.

Understand and describe the high-level flow of information, goods, and services through these core
processes.

Understand and document the customers served by each core process.

Gain confirmation of a “shared understanding” of the division to ensure that the remaining analyses
are appropriately focused.

Approach
The high-level approach to the Business Analysis consists of gathering information about core
processes, documenting business flows, identifying customers, and gaining confirmation of the
information.

Most agencies are structured along functional boundaries (e.g., Accounting, Information Technology,
etc.) and the core processes within those units (e.g., Payroll, Accounting, etc.). In reality, however, an
agency’s business is conducted through one or more business processes. A business process describes
a set of recurring activities - a flow of information and/or materials - that produce something of value
for a customer. A process may cut across multiple divisions, and usually contains several functions.
These processes are not always readily apparent. It is more straightforward to analyze the agency in
terms of the core processes performed. Each agency may perform one or more core processes; it is
critical to understand the relationships between those core processes and the end customer in order to
analyze the impact of an interruption of a given function. The specific approach to understanding
these core processes and business flows is:

• Review relevant documentation (e.g., critical success factors, strategic plans, budgets, performance
measurements, IT Plans, Y2K documentation, division goals, organizational charts, etc.) to build
an understanding of organizational purpose and structure.

• Conduct interviews with the agency leadership members to collect information on their “first-
hand” perspectives on how your agency operates. It is important to note that these interviews will
serve as data-gathering opportunities for all three steps of the BIA. In other words, a manager
should be interviewed only once; in this interview, all information should be gathered for the
Business Analysis.

• Compile the results of your interviews in the form of business flows. These flows should describe
each core process and the flow of information, services, or goods into and out of the process to
include the customer.

• Develop descriptions of support functions. Some functions within your agency may perform
important roles, which contribute indirectly to your agency’s ability to implement its assigned
programs. These can be classified as support functions. For example, every division should have a
facility in which to operate, but it would be difficult to describe the specific ways.

• Develop a matrix (or another document) which describes the relationship of the core processes
identified to the organizational structure of the agency.

• Confirm understanding of the agency, its core processes, and its business flows with appropriate
management through review of the descriptions of the core processes performed. Much of this
confirmation may be accomplished as the materials are developed.

Data Collection
The following information sources should be considered in the business analysis:

Information regarding core processes performed, inputs and outputs of those core processes, and the
customers of these outputs gathered through interviews with process managers.

Documentation regarding the agency’s objectives (programs implemented), core processes performed,
organizational structure, and the flow of information, goods, and services through your agency to the
end customer.

Resources
To conduct the Business Analysis, you will rely primarily on the availability of process managers for
participation in interviews and validation meetings. These managers should be at a level from which
they oversee one or more core processes - not simply activities or tasks. The level and title of these
managers will vary from division to division.

Decision Points
As the documentation of the core processes performed by each division is completed, it should be
reviewed and confirmed with appropriate management. Any necessary corrections should be made to
ensure that the final deliverables represent a shared understanding of how the division accomplishes its
goals and delivers its services/products to the customer.

Deliverables
A matrix or other document needs to be developed that relates the core processes, identifies the
function of each process, and aligns them to the organizational structure of the agency.

The business flows for all non-support core processes need to be depicted. These depictions may be
pictorial or descriptive, and should highlight:

• The impact on the public

• Relationships between core processes, support functions, and business units

• Single points of reliance

• Support service reliances

• Interdependency/interactivity of core processes

Strategy and Plan Development

Definition
Continuity strategy development is the process of determining the high-level approach that the
agency, board or commission will use to address its Business Continuity Planning needs. The
objectives are to identify alternatives for specific continuity requirements, evaluate those alternatives,
and recommend a business continuity strategy for management’s approval.

The Strategy Development builds upon the MAOs identified for each core process in the BIA by
defining the specific resources necessary for the performance of that process, and setting a
recommended strategy for the recovery of those resources in an outage. Then these strategies are
thoroughly documented, recorded (e.g., in the Business Continuity Plan (BCP) Template) and compiled into a
comprehensive plan for the agency. This is a critical decision-making step in the development of a
Business Continuity Program, because this analysis provides the specific guidelines by which the
program will be implemented.

The Plan Development builds upon the strategies selected for each of the agency's core business
processes. The Plan Development is required for each of the following four phases:

• Response: the reaction(s) to an incident or emergency in order to assess the level of
containment and control required activities.

• Resumption: the process of planning for and/or implementing the recovery of critical business
operations immediately following an interruption or disaster.

• Recovery: the process of planning for and/or implementing recovery of less time-sensitive
business operations and processes after critical business process functions have resumed.

• Restoration: the process of planning for and/or implementing full-scale business operations,
which allow the organization to return to a normal service level.

Getting Started

First, identify the individual(s) who will be responsible for the development and implementation of the
agency's Business Continuity Plan. It is recommended that these employees be empowered by
management to make high-level decisions on behalf of the agency. It is preferable to designate one or
more of the agency’s top-level managers for this responsibility.

Next, identify team members to work with this individual. All team members must have the training
and the ability to perform these duties, and each member should have an alternate who is equally
qualified. Team members should include the individual or individuals that will be responsible for
overseeing the activation of the continuity plans in response to an event.

Each subset of the Business Continuity Plan should be assigned an appropriately sized team, with a
clearly identified, responsible leader and alternate leader. If your agency is relatively small, these
teams may only include a few individuals; if your agency operates in many large facilities, the teams
may need to include many personnel, organized into sub-teams by building and floor.

Representatives of each team should develop the procedures for each subset. As the procedures are
developed, they should be organized into a logical order, and grouped, if necessary, by any specific
scenarios to which they may pertain. For example, some emergency response procedures may apply in
a major natural disaster, but not in a “routine” power outage.

To develop a Business Continuity Plan, it is first imperative to understand the scope of these plans.
The scope will be determined based on the agency’s priorities and size, and based on the level of detail
addressed by the procedures developed for business and infrastructure continuity. These plans should
be written at a level of detail that will permit the designated continuity team to accurately
implement them with little additional guidance in an emergency situation. Contingency management
plans may include:
• Business continuity policy
• Emergency response (Response Phase)
• Emergency evacuation
• Damage impact assessment
• Disaster declaration and escalation
• Command center activation
• Personnel notification procedures
• Resumption of normal operations
• Physical and security assessments
• Administration
• Media management
• Employee crisis management
• Vendor communications management
• Client communications management
• Salvage operations
• Travel coordination
• Recovery expense control and reporting

• Plan exercise project management
• Plan maintenance management

The following information sources should be considered in the development of your Business
Continuity Plan:

• Agency and program missions, descriptions and core business processes.

• Position descriptions, activity instructions, or other existing internal documentation, which may
describe similar procedures to those being developed.

• Sample procedures from Federal & State documents, as well as from industry publications such
as:

✔ SP 800-34 Contingency Planning Guide for Information Technology Systems, June 2002 -
csrc.nist.gov/publications/nistpubs/index.html

✔ Contingency Planning & Management - www.contingencyplanning.com

✔ Disaster Recovery Journal - www.drj.com

✔ Disaster Resource Guide - www.disaster-resource.com

Requirements for "Response" Phase
At minimum, an agency must list those responsible and authorized for actions taken during a declared
disaster, including those that will communicate with the media.

Requirements for "Resumption, Recovery and Restoration" Phases


Based on the information defined in the Business Process Requirements, final decisions on alternative
strategies need to be selected for each phase that will meet the MAOs established in the BIA. In
addition to cost, advantages and disadvantages should be discussed for each alternative strategy.
These alternatives may include contracted services from an outside vendor, internal operational
changes, or reciprocal arrangements with other departments or agencies.

Where appropriate, it may be necessary to develop vendor requests for proposals (RFPs) for alternate
facilities and/or services. These RFPs are submitted to the vendors in a form that will allow for
standardized categorization of responses. Recovery alternatives (including proposal responses
received) are analyzed in relation to predetermined criteria and a documented summary of the analysis
is developed. The basis for the identification of recovery alternatives is to be able to select a strategy
that best fits the needs of the organization. The agreed upon strategy will most likely be a combination
of recovery alternatives for each type of resource group identified.

When you have completed defining the strategy alternatives and selected the preferred and cost
effective method you will have as a deliverable an analysis of recovery techniques to be incorporated
into each of the following

Considerations for Selecting Alternate Strategies


In developing alternatives the following should be considered:

• Alternate procedures

• Ability to process manually

• Suspending the function for some period of time

• Mitigation of insurance

• Outsourcing and vendor services for hot/warm processing site, temporary personnel agencies,
cellular phone rental, etc.

• Process re-design

• Single points of failure

• Ability to re-create information

• Back-up vs. replication

• Business cycles

• Linkage with other alternatives

• Work schedule modification to maximize resource use

• Internal resource capability

• The option to “do nothing”

Plan Requirements
There are standard requirements for state agency Business Continuity Plans. At minimum, the
following steps describe the necessary components of a comprehensive plan.

Agency Identification
The agency name, address, and primary and secondary contact information for the Business Continuity
Plan must be identified.

Summary of Areas of Responsibility


The agency needs to identify and provide a summary list of those individuals ultimately responsible for
the BIA. This list should include a Primary and Secondary person who have the authority to declare an
agency disaster and put the plan into motion. Also, a media spokesperson, all agency Team Leaders
and alternates responsible for restoring processes, and other related contacts need to be included.

Summary of Business Process
All critical, essential and administrative core business processes need to be compiled in priority order.

Define Business Process Requirements


For each of the core business processes identified, strategies to accomplish each of the four phases
(Response, Resumption, Recovery and Restoration) need to be selected. The following information
must be identified for each business process:
• Process information
• Business information and documents
• Process tasks (steps needing to be accomplished within each phase - Response to Restoration)
• Process Call Tree
• Internal agency dependencies

• External dependencies
• External contacts
• Customer contacts
• Response/recovery team personnel
• Business equipment and supplies
• Information technology applications
• Information technology server/hardware
• Information technology telecommunications
• Alternate sites
• Any other detailed information on the business process deemed necessary for successful
restoration of service

Program Implementation
Definition
Business Continuity Plans are only a part of the Business Continuity Program. The BCP
is a living document and agencies need to ensure that their plans are constantly reviewed
for accuracy and updated on a regular basis. In addition, it is critical that training, testing
and evaluation of the plan are conducted on a regular basis to determine if changes are
required.

However, agencies must also complete the following operational activities to ensure a
comprehensive Business Continuity Program exists within their agency:
• Completion of Emergency Response Plan, Information Technology Vulnerability
Survey, a physical security gap analysis, and plans to close any identified security
gaps.

• Identify new or modified operating procedures to increase continuity.

• Review and modification of data backup and off-site storage procedures.

• New or modified restoration procedures.

• Development of alternate procedures for use during a disaster.

• Negotiating and implementing contracts and other provisions as needed.

• The development of internal alternate facilities and equipment.

• Documenting infrastructure procedures (e.g., developing step-by-step recovery
scripts, which guide an employee through the procedures necessary to recover the
service, resource, or system).

• Standards, forms, and guidelines for standard procurement procedures, available
from your agency’s procurement group or the State Procurement Office.

• Information re-creation procedures. Procedures to re-create or re-capture
information that may be lost during a disaster (records, recent transactions, work
in progress).

• Detailed team definition and procedures including responsibilities and timeline-oriented
task definitions.

• Organizational information (procedures, organizational charts, etc.) which reflects
any organizational changes implemented.

• Position descriptions, activity instructions, or other existing internal
documentation.

Appendix A - Business Continuity Plan Template
(You may copy each form, where applicable, as many times as necessary to document
your core business processes also known as business services.)

1 - Agency Identification

Agency Name: 1

Agency Contact Information

First Name: 2 Last Name: 3

Title: 4

Business Address: 5

City: 6 State: 7 ZIP: 8

Work E-mail: 9

Work Phone: 10

Cell Phone: 11 Pager: 12

Agency Mission Statement: 13

Agency Goals and Objectives: 14

2 - Summary of Areas of Responsibility

This section provides a summary list of those responsible and authorized for actions taken
during a declared disaster, including those that will communicate with the media. This
list should include Team Leaders responsible for restoring processes but should not
include other team members or contacts. Ensure that the full details for these people are
filled out on the Recovery Personnel Form.

Name Responsibility/Authorization Home Phone Work Phone

15 Primary--Declare an Agency Disaster
16 Secondary--Declare an Agency Disaster
17 Media Spokesperson
18 Team XXX Leader 19 20 21

3 - Summary of Business Processes

Identify each core business process by type: Critical, Essential, or Administrative

Process Name *Process Rating


22 23

*“CRITICAL FUNCTIONS” are functions which have a direct and immediate effect on the general public in terms of the loss of
life, personal injury, loss of property, and/or the ability of government to maintain direction and control. The loss of a critical
function may either result in such losses or inhibit government’s ability to preclude or minimize such losses. Most State agencies will
not have “critical functions.”

“ESSENTIAL FUNCTIONS” are functions which provide government services to the public and which are not deemed “critical
functions.”

“ADMINISTRATIVE FUNCTIONS” are functions which relate to the internal control, management, and administration of a
government agency supporting its ability to perform operational functions, e.g., training, payroll, personnel services, facility
maintenance, etc.

4 - Business Process Information

Complete this form for each process and/or function your group performs during normal
operations or would need to perform because of a prolonged outage.

Process Name: 24

*Phase: 25
Choices: Response, Resumption, Recovery, and Restoration

Team Name: 26

**Process Rating: 27
Choices: Critical, Essential, and Administrative

Priority Sequence: 28
Choices: 1, 2, 3, 4, etc.

Process Category: 29
Choice: TBD

***Frequency: 30
Backup: 31
Choice: Yes or No

****MAO: 32
Please provide time with unit of measure.
*****RTO: 33
Please provide time with unit of measure.

Insurance Coverage: 34
Choice: Yes, No or N/A
Dollar Amount: 35

Minimum Number of Employees: 36
Dollars Invested for Resumption: 37
Dollars Necessary During Resumption: 38

*Phase:
Response: the reaction(s) to an incident or emergency in order to assess the level of containment and control required activities.
Resumption: the process of planning for and/or implementing the recovery of critical business operations immediately following an
interruption or disaster.
Recovery: the process of planning for and/or implementing recovery of less time-sensitive business operations and processes after
critical business process functions have resumed.
Restoration: the process of planning for and/or implementing full-scale business operations, which allow the organization to
return to a normal service level.

**Process Rating:
Critical: functions which have a direct and immediate effect on the general public in terms of the loss of life, personal injury,
loss of property, and/or the ability of government to maintain direction and control. The loss of a critical function may either result in
such losses or inhibit government’s ability to preclude or minimize such losses. Most State agencies will not have “critical
functions.”
Essential: functions that provide necessary government services to the public which are not deemed “critical functions.”
Administrative: functions which relate to the internal control, management and administration of a government agency
supporting its ability to perform operational functions, e.g., training, payroll, personnel services, facility maintenance, etc.

***Frequency: Daily, Weekly, Bi-Weekly, Semi-Monthly, Monthly, Quarterly, Semi-Annually, Annually, On Demand, Variable
****MAO (Maximum Allowable Outage): the amount of time the process can be out without causing harm to agency or customers.
*****RTO (Return to Operation): the amount of time it takes to restore the process.

5 - Business Information and Documents

Complete a form for each document, data set, hard copy file, manual, and other
information you need to recover or perform your processes/functions.

Process Name: 39

Information Name: 40

Information Description: 41

Process Name or Support Function: 42

Media Type: 43
Choice: Paper File, Computer Report, Data Backup, Manual, Fiche, Form, Currency, Stamps, Other

Information Type Sensitivity: 44
Choice: Public, Sensitive, or Confidential; also include applicable Arizona Revised Statute

Original Source: 45
Alternative Source: 46

Backed Up: 47
Choice: Yes or No
Archived: 48
Choice: Yes or No

Back Up Location: 49

Last Update: 50
Next Update: 51

6 - Process Tasks

Please indicate all the steps necessary for restoration for each critical, essential and
administrative process.

Process Name: 52

Task Order / Task Description / Estimated Duration / Person Responsible
1 53 54 55
2
3
4
5
6
7
8
9
10

7 - Process Call Tree

Complete the form for each process.

Process Name: 56

Initiator: 57

Initiator Calls: Who Calls: Who Calls:


58 59 60

8 - Internal Agency Dependencies

Identify internal agency dependencies on which this process is dependent and briefly describe the
dependency. Also, identify contact name and number for that other Division or Sub-organization.

Process Name: 61

Division/Sub-organization / Dependency / Contact Name / Contact Number
62 63 64 65

9 - External Dependencies

Identify outside agencies or organizations on which this process is dependent and briefly
describe the dependency.

Process Name: 66

Agency/Organization / Dependency / Contact Name / Contact Number
67 68 69 70

10 - External Contacts

Complete a form for each vendor, business partner or other external contact that you must
contact (either to notify them or to request assistance) in case of a prolonged outage of the
indicated process.
Process Name: 71

General

Business Name: 72

Address: 73

City: 74 State: 75 ZIP: 76

Phone: 77 FAX: 78

Primary Contact

First Name: 79 Last Name: 80

Title: 81

Home Address: 82

City: 83 State: 84 ZIP: 85

Home E-mail: 86 Work E-mail: 87

Home Phone: 88 Work Phone: 89

Cell Phone: 90 Pager: 91

Service Information:

Purchase Order #: 92

Product/Service: 93

Emergency Lead Time: 94
Normal Lead Time: 95

Disaster Recovery Agreements: 96

Alternative Vendor: 97

Notes: 98

11 - Customer Contact

Complete a form for each customer of the indicated process that you must contact in case
of a prolonged outage.
Process Name: 99

General

Customer Name: 100

Address: 101

City: 102 State: 103 ZIP: 104

Phone: 105 FAX: 106

Primary Contact

First Name: 107 Last Name: 108

Title: 109

Home Address: 110

City: 111 State: 112 ZIP: 113

Home E-mail: 114 Work E-mail: 115

Home Phone: 116 Work Phone: 117

Cell Phone: 118 Pager: 119

Services Provided to Customer:


SLA/IGA or Agreement #: 120

Product/Service: 121

Emergency Lead Time: 122 Normal Lead Time: 123

Disaster Recovery Agreements: 124

Notes: 125

12 - Response/Recovery Team Personnel

Complete a form for each person on the team.

Process Name: 126

Team Name: 127

Team Member Position: 128
Choice: Leader, Alternative Leader, and Member

Employee ID: 129

First Name: 130 Last Name: 131

Title: 132

Home Address: 133

City: 134 State: 135 ZIP: 136

Home E-mail: 137 Work E-mail: 138

Home Phone: 139 Work Phone: 140

Cell Phone: 141 Pager: 142

Restoration Site Access: 143 Backup Site Access: 144
Choices: Yes or No Choices: Yes or No

Off-site Storage Access: 145 Command Center Access: 146
Choices: Yes or No Choices: Yes or No

13 - Business Equipment and Supplies

List all equipment and supplies (including but not limited to: transportation vehicles, fax,
copiers, general furniture, special business forms, paper, etc.) that are needed to perform
the processes.

Process Name: 147

Quantity Manufacturer Description Cost *Phase


148 149 150 151 152

*Phase:
Response: the reaction(s) to an incident or emergency in order to assess the level of containment and control required activities.
Resumption: the process of planning for and/or implementing the recovery of critical business operations immediately following an
interruption or disaster.
Recovery: the process of planning for and/or implementing recovery of less time sensitive business operations and processes after
critical business process functions have resumed.
Restoration: the process of planning for and/or implementing full-scale business operations that allow the organization to return to
a normal service level.

14 - Information Technology Applications

Complete the form for each computer application, other than office productivity tools
residing on PCs, necessary to restore the process.

Process Name: 153

Computer Application Name: 154

Team Name: 155

*Application Listed in ISIS: 156
Choice: Yes or No
Server/Hardware ID: 157

System ID: 158

Run Frequency: 159

File Structure: 160

Executable Location: 161

Source Code Location: 162

System Documentation: 163 Name: 164
Choice: Yes or No
User Documentation: 165 Name: 166
Choice: Yes or No
Operations Documentation: 167 Name: 168
Choice: Yes or No
Restoration Documentation: 169 Name: 170
Choice: Yes or No

*Inventory System for Information Service (ISIS) is the Government Information Technology Agency’s
database in which all agencies are to maintain their IT inventory.

15 - Information Technology Server/Hardware

For each process, please complete the following information about each server or other
piece of centralized hardware necessary to restore the necessary computer applications.

Process Name: 171

Computer Application Name: 172

Server/Hardware ID: 173

*Listed In ISIS: 174
Choice: Yes or No

Type: 175 Manufacturer: 176

Model: 177

Memory Size: 178 Hard Disk Size: 179

Processor: 180 IP Address: 181

Network Operating System: 182

RTO: 183

*Inventory System for Information Service (ISIS) is the Government Information Technology
Agency’s database in which all agencies are to maintain their IT inventory.

16 - Telecommunications

For each process, please complete the following information about the
telecommunications needs for each application that supports a business service/process.
This is to include, but is not limited to, the number of telephone lines, call center integrated
applications, data lines, and/or special high-speed dedicated lines with external customers.

Process Name: 184

Computer Application Name: 185

Server/Hardware ID: 186

*Listed In ISIS: 187
Choice: Yes or No

Telecommunication Type: 188
Describe in sufficient detail the type, quantity and if known or applicable who is at the distant end that
this special high-speed dedicated line connects.

RTO: 189

*Inventory System for Information Service (ISIS) is the Government Information Technology
Agency’s database in which all agencies are to maintain their IT inventory.

17 - Alternate Sites

Complete this form for each alternative site that is in your business continuity plan, including sites used for
Command Centers, Backup Sites, Off-Site Storage Sites, Restoration Sites, etc.

Site Type: 190
Choices: Command Center, Backup Site, Off-Site Storage, Restoration Site, etc.

Description: 191

Location Type: 192 Square Footage: 193 Contact Number: 194
Choices: Primary or Secondary

Address: 195

City: 196 State: 197 ZIP: 198

Telephone: 199 Fax: 200

Directions: 201

Appendix B - TEMPLATE FIELD DEFINITIONS

1 - Agency Identification
(complete one sheet per agency)
1 Agency name
2 First name of individual who is ultimately responsible for the entire plan (hereafter referred
to as "Contact")
3 Last name of Contact
4 Current job title of Contact
5 Contact's physical location address
6 City name
7 State
8 Zip code
9 Contact's work email address
10 Contact's work telephone and extension if needed
11 Contact's cell phone number if available
12 Contact's pager number if available
13 Enter Agency’s Mission Statement
14 Enter Agency’s Goals & Objectives

2 - Summary Areas of Responsibility


(complete one sheet per agency)
15 Identify the name of the primary individual within the agency that has the authority to
declare an agency disaster
16 Identify the name of the secondary individual within the agency that has the authority to
declare an agency disaster
17 Name of the media spokesperson
18 Team Leader Name (note: one name must be identified for each team within the agency)
19 Team Name (one for each business process)
20 Home telephone number for individual named in previous field
21 Work telephone number for individual named in previous field

3 - Summary of Business Processes


(complete as many sheets as needed per agency)
22 List each business process identified within the agency
23 Label each process one of the following types:
Critical: are functions which have a direct and immediate effect on the general public in
terms of the loss of life, personal injury, loss of property, and/or the ability of government to
maintain direction and control. The loss of a critical function may either result in such
losses or inhibit government’s ability to preclude or minimize such losses. Most State
agencies will not have “critical functions.”
Essential: are functions which provide government services to the public which are not
deemed “critical functions.”
Administrative: are functions which relate to the internal control, management and
administration of a government agency supporting its ability to perform critical and essential
functions, e.g., training, payroll, personnel services, facility maintenance, etc.

4 - Business Process Information


(complete one sheet per business process per each applicable phase)
24 Business Process name
25 Identify which of the following phases this sheet references:
Response: The reaction(s) to an incident or emergency in order to assess the level of
containment and control required activities.
Resumption: The process of planning for and/or implementing the recovery of critical
business operations immediately following an interruption or disaster.
Recovery: The process of planning for and/or implementing recovery of less time sensitive
business operations and processes after critical business process functions have resumed.
Restoration: The process of planning for and/or implementing full-scale business
operations, which allow the organization to return to a normal service level.
26 Team Name
27 Identify the process rating as Critical, Essential or Administrative – see field #33 above for
definitions
28 Identify the agency’s priority level of this process
29 This field for future use – will relate to the Arizona Statewide Emergency Plan
30 Indicate the frequency of this process (e.g. daily, weekly, bi-weekly, semi-monthly, monthly,
quarterly, semi-annual, annually, on demand, variable, etc.)
31 Indicate whether the data, documents, or other information necessary to run this process is
currently backed up
32 Provide the maximum acceptable outage (MAO) or the acceptable time of delay including
the unit of measure (e.g. number of minutes, hours, days, etc.) Example: 24 hours
33 Indicate the time needed to get the process operational again (RTO) including the unit of
measure (e.g. number of minutes, hours, days, etc.) Example: 24 hours
34 Indicate whether or not this process has insurance coverage
35 If yes in field #34 indicate the dollar amount of insurance coverage
36 Identify the minimum number of employees needed to perform this process within this
phase
37 Estimate the necessary amount of dollars needed for investment to get the process
operational
38 Estimate the necessary amount of dollars needed to expend during a crisis to get the process
operational

5 - Business Information and Documents


(Complete one for each business information and document needed for the process)
39 Business process name
40 Information/Document name
41 Describe the information or document needed
42 Indicate the process(es) and/or support function of this information/document
43 Indicate the media type: paper file, computer report, data backup, manual, fiche, form,
currency, stamps, etc.
44 Enter: Public, Sensitive, or Confidential also include applicable Arizona Revised Statute
45 Describe the original source
46 Identify an alternative source
47 Indicate whether or not the information/document is backed up
48 Indicate whether or not the information/document is archived
49 Identify and describe the backup location
50 Define when the information/document was last updated
51 Define when the information/document will be updated next

6 - Process Tasks
(complete for each process - list tasks in priority order - from each phase: Response to
Resumption)
52 Business process name
53 Brief description of task needing to be completed
54 Estimated time necessary to complete task
55 Person responsible to ensure that task is completed on time

7 - Process Call Tree


(complete one Call Tree for each process)
56 Business process name
57 Indicate the first person that will initiate the call tree
58 Indicate the first person that the initiator will contact
59 Indicate who this person is to contact next
60 Indicate who this person is to contact next

8 - Internal Agency Dependencies


(complete for each process)
61 Business process name
62 Identify each division/sub-organization that is dependent on this process
63 Identify briefly the dependency
64 Identify the first and last name of a contact
65 Identify contact’s telephone number with area code

9 - External Dependencies
(complete for each process)
66 Business process name
67 Identify each agency/organization that is dependent on this process
68 Identify briefly the dependency
69 Identify the first and last name of a contact
70 Identify contact's telephone number with area code

10 - External Contacts
(Complete one for each external contact needed for the process, if applicable)
71 Business process name
72 Vendor/company/external contact name
73 Number and street address
74 City
75 State
76 Zip code
77 Telephone number and extension
78 Fax number
79 Primary contact’s first name
80 Primary contact’s last name
81 Title of primary contact
82 Home address of primary contact if applicable
83 City
84 State
85 Zip code
86 Home E-mail, if applicable
87 Work E-mail
88 Home telephone number, if applicable
89 Work telephone number if different than in #77 above
90 Cell phone number
91 Pager number
92 If a vendor, indicate the purchase order number
93 Define the product or service
94 Identify the emergency lead time the vendor or partner needs before they are able
to provide the good or service
95 Identify the normal lead time the vendor or partner needs before they are able to
provide the good or service
96 Provide a description of any agreements made in the event of a disaster (e.g., enhanced
services during a disaster, etc.)
97 Identify if there is an alternate vendor available and the telephone number
98 Describe any information necessary related to this external contact

11 - Customer Contact
(Complete one for each customer contact needed for each process, if applicable)
99 Business process name
100 Customer contact name
101 Number and street address
102 City
103 State
104 Zip code
105 Telephone number and extension
106 Fax number
107 Primary contact's first name
108 Primary contact's last name
109 Title of primary contact
110 Home address of primary contact if applicable
111 City
112 State
113 Zip code
114 Home E-mail, if applicable
115 Work E-mail
116 Home telephone number, if applicable
117 Work telephone number if different than in #105 above
118 Cell phone number
119 Pager number
120 Indicate the SLA/IGA agreement number, if applicable
121 Define the product or service
122 Identify the emergency lead time your agency needs before you are able to
provide the good or service
123 Identify the normal lead time your agency needs before you are able to provide
the good or service
124 Provide a description of any agreements made in case of a disaster (e.g., RTO times, etc.)
125 Describe any information necessary related to this customer

12 - Team Personnel
(complete one sheet for each team member – some teams may be responsible for more
than one business process, but each process must be assigned to a team)
126 Business process(es) name
127 Team name
128 Identify the team member position: Leader, Alternative Leader or Member
129 Employee’s identification number
130 Team member’s first name
131 Team member’s last name
132 Team member’s title
133 Team member’s home address
134 Team member’s city
135 Team member’s state
136 Team member’s zip code
137 Team member’s home E-mail address
138 Team member’s work E-mail address
139 Team member’s home phone number with area code
140 Team member’s work number with area code
141 Team member’s cell phone number with area code
142 Team member’s pager number with area code
143 Indicate whether this team member has access to a restoration-site facility
144 Indicate whether this team member has access to a backup-site facility
145 Indicate whether this team member has access to an off-site storage facility
146 Indicate whether this team member has access to the designated Command Center

13 - Business Equipment and Supplies


(complete for each process)
147 Business process name
148 List the quantity of the item needed (e.g. PC, telephone, fax machine, desks, etc.)
149 List the specific manufacturer if applicable
150 Describe any special features and explain why required
151 Estimate the cost for equipment and supplies
152 Define which phase items are required for

14 – Information Technology Applications


(complete one for each application needed for the process)
153 Business process name
154 Name of computer application
155 Team name assigned to process
156 Indicate whether this application has been entered into the Government Information
Technology Agency’s Information Services Inventory System (ISIS) in which all agencies
are to maintain their IT inventory
157 Indicate the hardware’s identification (can use a network name, serial or tag number, etc.)
This will serve as cross reference to the “Server/Hardware” form
158 Indicate the application’s System ID name or number. This will serve as cross reference to
the “Server/Hardware” form
159 Provide the length of time the application is required to run (Examples include: on-demand,
daily, weekly, etc.)
160 Indicate the application’s file directory’s structure on the server
161 Indicate the location of the program’s executable file
162 Provide the location of the application’s source code
163 Indicate whether this application has system documentation
164 Indicate the system documentation name (to cross reference with the “Business Information
and Documents” form)
165 Indicate whether this application has documentation that helps people use the computer
program
166 Indicate the user documentation name (to cross reference with the “Business Information
and Documents” form)
167 Indicate whether this application has documentation that explains what is necessary from a
computer operations perspective
168 Indicate the operations documentation name (to cross reference with the “Business
Information and Documents” form)
169 Indicate whether this application has documentation that explains what is necessary to
restore the application
170 Indicate the restoration documentation name (to cross reference with the “Business
Information and Documents” form)

15 – Information Technology Server/Hardware


(complete one for each server/hardware needed for the process)
171 Business process name
172 Name of computer application
173 Indicate the hardware's identification (can use a network name, serial or tag number, etc.)
This will serve as cross reference to the "Server/Hardware" form
174 Indicate whether this application has been entered into the Government Information
Technology Agency's Information Services Inventory System (ISIS) in which all agencies
are to maintain their IT inventory
175 Provide a description of the type of Server or Hardware (e.g., Server, Mainframe,
Minicomputer, etc.)
176 Indicate the Manufacturer that produced the Server or Hardware
177 Indicate the Manufacturer model name or number of the Server or Hardware
178 Indicate the size of the memory inside the Server or Hardware and include the unit of
measure (e.g., 256 MB)
179 Indicate the size of the hard drive total space (including added external drives) used by the
server and include the unit of measure (e.g., 60 GB)
180 Provide a description of the processor type (e.g., RISC, Pentium II, Pentium III, etc.)
181 Indicate the server's assigned IP address, if any
182 Indicate the operating system platform that runs on the Server or Hardware (UNIX,
Windows NT, etc.)
183 Indicate the amount of time it will take to get the hardware returned to operation (RTO)
including unit of measure (e.g. number of minutes, hours, days, etc.) Example: 24 hours

16 – Telecommunications
(complete one for each server/hardware needed for the process)
184 Business process name
185 Name of computer application
186 Indicate the hardware's identification (can use a network name, serial or tag number, etc.)
This will serve as cross reference to the "Server/Hardware" form
187 Indicate whether this application has been entered into the Government Information
Technology Agency's Information Services Inventory System (ISIS) in which all agencies
are to maintain their IT inventory
188 Provide a description of the type of service (e.g., Call Center, PBX, TDD Server, and type
of line (voice, data, or video), special high-speed dedicated line, etc.)
189 Indicate the amount of time it will take to get the hardware returned to operation (RTO)
including unit of measure (e.g. number of minutes, hours, days, etc.) Example: 24 hours

17 - Alternate Sites
(complete one sheet for each alternate site)
190 Identify type of alternate site (complete one sheet for each of the following applicable
types):
Command Center:
Backup Site:
Off-site Storage:
Restoration Site:
Other:
191 Provide a detailed description of the site and what business processes will be available at
this location
192 Identify whether this location is the primary or secondary location
193 Provide the total square footage of the site
194 Provide a site phone number for executive contact (e.g., number used by Governor to
contact agency director, etc.)
195 Provide the address of the location
196 City name
197 State
198 Zip code
199 Main telephone number at alternate site
200 Fax number at alternate site
201 Provide directions, cross streets, etc.

Appendix C - GLOSSARY
Administrative Functions: Functions which relate to the internal control, management and administration of a government agency supporting its ability to perform operational functions, e.g., training, payroll, personnel services, facility maintenance, etc.

Agency: Any state agency, board, commission or political subdivision.

Agency Sensitivity to Disruption: The point at which the agency requires that its operations be returned to serve their customers.

Alternate Site: A location, other than the normal facility, which can be used to conduct core processes.

Business Continuity: The ability to continue essential business processes at an acceptable level despite a support function outage.

Business Continuity Planning: Providing for the timely availability of all of the resources necessary to operate critical business processes at a level acceptable to the public.

Business Function/Area/Unit: A definitive function within the business process; may equate to departmental structure. Does not imply complete independence from other functions within a process.

Business Impact Analysis: To determine the operational (qualitative) and financial (quantitative) impact of an inoperable or inaccessible service area on an agency’s ability to conduct its critical business processes; provides the basis for formulating the agency’s business recovery strategies and a business continuity program.

Business Process: Sets of recurring activities - a flow of information and materials that produce something of value for a customer or the public.

Contingency Plan: A written plan used to respond to the disruption of agency operations. This plan may focus on response to specific disruption scenarios.

Controls: Measures designed to reduce or mitigate the risk of exposures to threats.

Core Processes: Business processes on which the viability of an agency rests; without these processes, an agency could not do business.

Critical Functions: Functions which have a direct and immediate effect on the general public in terms of the loss of life, personal injury, loss of property, and/or the ability of government to maintain direction and control. The loss of a critical function may either result in such losses or inhibit government’s ability to preclude or minimize such losses. Most State agencies will not have “critical functions.”

Declaration Fee: A one-time charge, which is paid to the provider of an alternative site facility or service at the time a disaster is officially declared.

Director: The chief executive officer for a State agency, board or commission.

Disaster: An event which leads to disruption of critical business processes; implies unrecoverability, irreparable damage, or a disruption which lasts for an unacceptable period.

Disruption: An unplanned interruption of critical business processes.

Emergency Operations Center (EOC): The facility used in case of a disruption to coordinate agency response and recovery activity.

Emergency Response Procedures: The procedures used by an agency to immediately respond to an emergency disruption.

Essential Functions: Functions that provide government services to the public which are not deemed “critical functions.”

Emergency Response Team (ERT): A group of personnel with the responsibility to immediately respond to an emergency.

Estimated Recovery Time (ERT): The amount of time from the point of the disruption to the recovery of essential resources/services.

Executive Sponsor: The designated individual who provides guidance to the agency/division business continuity program development and adjudicates all issues emanating from the Executive Steering Committee. This individual is typically the Director, Deputy Director, or Division AD.

Executive Steering Committee: The agency’s upper management personnel who provide oversight and direction to the Business Continuity Task Team for the development of the agency’s Business Continuity Program.

Facilities Team: The agency personnel responsible for maintenance of the facilities. In the recovery efforts, this team may be expanded to include personnel with a detailed knowledge of work area recovery issues that should be incorporated into relocation considerations.

Financial Impact: The quantifiable dollar value of lost revenue or additional expenses incurred as a result of a disruption.

Hot/Warm site: Information systems recovery facilities that are either fully or partially equipped prior to a disruption. These sites can be housed internally at agency facilities, at vendor provided facilities, or in mobile trailers.

Impact Tolerance: Another way of describing the MAO and RTO. This assessment discusses interruption in terms of how long an agency can tolerate an interruption in critical business processes due to an unplanned interruption.

Informal Contingencies: Informal but potentially viable fallback procedures existing within business areas/units to address operational mishaps and localized equipment malfunctions.

Inventories: A list of all resources and components of those resources necessary both at a degraded level and to recover the agency, board or commission 100%. (e.g. furniture, equipment, computer hardware and software.)

Liability: A likely negative effect resulting from the loss of utility, access and/or facility.

Maximum Acceptable Outage (MAO): The maximum period that a given resource or function can be unavailable before an agency will sustain unacceptable consequences (financial losses, client/public services, etc.).

Maximum Probable Loss (MPL): Calculation of estimated financial loss, which may be incurred by an agency in case of an outage. MPL takes into consideration revenue/cost, losses incurred associated with property and equipment, the application of business interruption and property insurance, costs incurred by the private sector and mitigating expenses.

Mitigating Expenses: Cost of contingency plans or arrangements in place that would potentially offset the extent of losses or exposure over a period.

Notification List: A list of personnel, staff members, media, private sector groups and organizations, vendors, insurance and other key persons to inform in the event of a disruption. It is often designed so that the most critical individuals are contacted first, to assist with recovery efforts.

Operational Impact: The qualitative effect on an agency, board, or commission’s ability to conduct business because of a disruption.

Outage Timeframes: The duration of time, over which a disruption occurs, affecting both the impacts of the disruption and the alternatives used for recovery.

Plan Administrator: Individual or group within the agency, board or commission with specific responsibility for the maintenance and testing of the Business Continuity Program. The “owner” of the plan.

Plan/Program Exercise: An integral part of a Business Continuity Program is development of exercises to familiarize personnel with recovery procedures and identify opportunities to improve the plan.

Public & Media Relations Team: The agency, board or commission’s personnel or representatives responsible for responding to the press and managing the public’s expectations in case of a disruption.

Recovery Phase: The process of planning for and/or implementing recovery of less time sensitive business operations and processes after critical business process functions have resumed.

Recovery Alternatives: The options from which an agency, board or commission may select to respond to a disruption. Alternatives may include alternate facilities, outsourcing to vendors, elimination of core processes, manual procedures, etc.

Recovery Point Objective (RPO): The point in time to which data must be restored in order to resume processing transactions.

Recovery Strategy: The set of selected recovery alternatives, which define the manner in which an agency, board or commission intends to respond to and recover from a disruption.

Recovery Time Objective (RTO): The target time frame for restoration of critical business processes and service areas.

Resource Requirements: Major resource(s) supporting agency business processes; equipment, information systems, data communications, voice communications, office facilities, staff, etc.

Response Phase: The reaction(s) to an incident or emergency in order to assess the level of containment and control required activities.

Restoration Phase: The process of planning for and/or implementing full-scale business operations which allow the organization to return to a normal service level.

Resumption Phase: The process of planning for and/or implementing the recovery of critical business operations immediately following an interruption or disaster.

Revenue Impact: The direct impact an outage may have upon the primary revenue streams of an agency.

Risk: The potential for exposure to loss. Risks, either man-made or natural, are constant throughout our daily lives. The potential is usually measured by its probability in years.

Scenario: Hypothetical situation, which may occur as a result of an outage caused by, or associated with, potential threats and/or vulnerabilities identified.

Script: A prepared list of responses to answer questions and telephone calls in case of a disruption. These can be generic or specific to the type of disruption.

Service Expectations: The service level required to meet the expectations of the public, e.g. quality, timely deliveries, customer service etc.

Single Point of Failure: A critical function, support service, or other key resource which cannot be effectively redirected or recovered elsewhere in an agency, board or commission.

Statement of Assumptions: Management's agreed-upon impact scenario from which the scope of the planning process is performed. Assumptions may include the type of disaster, the areas affected, the time of day or year, and so on. The assumption reflects management's risk tolerance for scoping the planning effort and selection of alternatives.

Structured Walk-Through Exercise: A simulation method used to exercise or “test” a completed disaster recovery plan. Team members meet to verbally walk through each step of the plan to confirm the effectiveness of the plan and identify gaps, bottlenecks, or other opportunities for improvement.

Threat: External in nature; agency, board or commission would have minimal if any control in preventing occurrence; however, protective measures may be implemented to minimize impact of an occurrence.

Triggers: Change management processes and procedures, which cause updates and changes to be made to the Business Continuity Program.

Vulnerability: Weakness in the design or application of control within a process, function, or facility which may promote or contribute to a disruption.
