Business Continuity & IT Disaster Recovery Planning Use Case Design

The BC/DR Plans application allows you to develop detailed business process recovery plans, IT disaster recovery plans, or crisis team response plans using an automated workflow for approval and testing. The BC/DR Plans application allows you to do the following:

• Manage recovery plan maintenance, execution, and communication in disaster situations. The application also contains a centralized repository for components of the plan and links them to risk assessments, business impact analysis, and items related to business hierarchy and enterprise infrastructure.
• Distinguish between business continuity plans and IT disaster recovery plans, and document crisis team response plans.
• Develop a library of recovery strategies and associate them to multiple BC/DR plans.
• Capture items, such as financial statement entries or transactions, that could get backlogged during a disruption so they can be quickly resolved after the event.
• Select members of the recovery team for roles for each plan.
• Document requirements, such as equipment, facilities, and vital records necessary to recover the target of the BC/DR plan (reference the Requirements application).
• Connect BC/DR Plans to risks in the BCM Risk Register and Business Impact Analysis applications.
• View information about plan testing, such as links to all completed tests, test cycles, the date of the last BC/DR plan test, the date of the next BC/DR plan test, and the test status.
• Review the plan according to the selected review cycle.
• Attach a copy of the plan for distribution to other employees.

The Recovery Strategies application functions as a repository where you can document recovery strategies that can be pulled into BC/DR plans and associated with supporting recovery tasks. There can be multiple recovery strategies per BC/DR plan depending on the type, location, and magnitude of the process, system, or facility being recovered, as well as the risks outlined in each plan.

Through the Recovery Strategies application, you can:

• Categorize strategies by loss type, such as Facilities, Assets, IT, People, and Third Parties.
• Associate multiple recovery tasks to a strategy.
• Estimate recovery strategy duration by summarizing the time for each recovery task.
• Link BC/DR plans to the relevant Recovery Strategies for that plan.
• Link to activated recovery strategies.
• View an execution summary of the recovery strategy last activated.

The Recovery Tasks application functions as a repository where you can document recovery tasks that can then be associated with any recovery strategy and pulled onto BC/DR plans.

Through the Recovery Tasks application, you can:

• Capture the order in which to perform each task.
• Store recovery tasks, scripts, and run books.
• Designate the role responsible for performing each task.
• Capture the estimated and actual duration of each task.
• Associate recovery tasks with applicable recovery strategies.
• View an execution summary of the last activated recovery task.

The Requirements application provides a location to document detailed requirements related to each BC/DR plan. For example, the application can include equipment, applications, facilities, and vital records related to each business process that might be required for the function to operate until it is recovered.

Through the Requirements application, you can:

• Set a requirement type and capture relevant information, such as quantity, type, and location, so you can reconcile the assets you have to those needed across your BC/DR plans.
• Link requirements to 1 or many BC/DR plans.
• Attach supporting documentation to requirements.

• Link each requirement to infrastructure items, such as assets, systems, facilities, and information that you are tracking in Archer.

The Roles and Responsibilities application enables you to document key roles within the BCM program. These roles are then cross-referenced to recovery tasks. Users or groups are associated with the pertinent roles. This application uses roles instead of individuals because individuals may change positions frequently in an organization, whereas roles do not change as often.

Through the Roles and Responsibilities application, you can:

• Add roles to recovery tasks.

• Capture the users or groups responsible for performing the responsibilities of a role.
• Link to the recovery tasks that each role is responsible for performing.

The Notifications and Call Trees application enables you to manage notifications by using a call tree (a network of people organized in such a way that they can quickly and easily spread information amongst each other).

Through the Notifications and Call Trees application, you can:

• Document notifications (specific messages).
• Document call tree initiators and recipients.
• Create custom messages to send to recipients.

The Testing/Exercise application enables you to test Business Continuity, IT Disaster Recovery or Crisis Response plans. Through the results of these tests, you can evaluate the effectiveness of the associated plans and gain insight into areas of the process that need additional attention.

Through the Testing/Exercise application, you can:

• Select a test type.
• Select a BC/DR plan to activate, and then copy the selected plans for testing.
• Select loss types, such as Facilities, Assets, IT, People or Third Parties, that are impacted in the test scenario.
• Document test scenario details, including the disruption, what happened, where it occurred and the impacts.
• Determine if the exercise identified gaps in strategies, tasks, or the ability to achieve Recovery Time Objectives (RTOs) or Recovery Point Objectives (RPOs).
• Track metrics on the completion of the tasks in the Activated Plans application, including the number of tasks completed, the number of tasks remaining, the duration of the recovery strategies and tasks, and the number of tasks that exceed the estimated duration.
• Document whether the test passed or failed and the justification of the results.
• Send the results of the test to a reviewer for approval.
• Generate results of the test or exercise and records them as Findings.

The Activated Plans application enables you to document BC/DR plans and the associated recovery strategies and tasks that have been activated as the result of a crisis event or a test scenario. By creating unique copies of the activated plans, you can track the completion of the recovery strategies and tasks. The Activated Plans application allows you to do the following:

• View information about your BC/DR plans, for example, the name, category, purpose, scope, type, backlog, assumptions, recovery team, call trees, and requirements.
• View information about the status of the executed plans, such as the total number of recovery strategies and tasks completed, the progress, and task duration.
• Link to the Recovery Strategies and Recovery Tasks applications.
• View information about the completed tasks, such as the name of the individual performing the task, the status of the task, and the duration of the task.

The BCM Risk Register application enables you to identify and evaluate risks by documenting them and assessing the likelihood and impact of the risks to business operations. Based on these evaluations, you can associate the risks to any mitigation and add the necessary steps to BC/DR plans to react to the risks. The BCM Risk Register application allows you to do the following:

• Rate the impact and likelihood of each risk.
• Link the BCM Risk Register to the BC/DR Plans application.
• Categorize risks, such as Natural Threat, Technology Threat, or Business Related Threat.
• Prompt a periodic review and approval for each risk.
• Associate risks to crisis events.
• Relate the risk to multiple targets, such as Business Processes, Applications, Products and Services, Devices, Facilities, and Information Assets.

The Applications application stores all software applications used by the organization to perform business operations. You can view how an application is used, the people that use it, and the devices on which the application is installed. You can also track the business impact, customer impact, and licensing details, and associate it with other aspects of the enterprise infrastructure.

Note: The Applications application is included in the Enterprise Catalog package.

The Contacts application serves as a central repository for contact information, is utilized across multiple areas of Archer, and contains information that is often leveraged by other use cases. Updates to a profile record within this application automatically propagate in any records with displayed contact information.

Note: The Contacts application is included in the Enterprise Catalog package.

The Devices application serves as a central repository for knowledge, such as criticality, about IT devices and which applications they support. You can manage devices to ensure that they are protected according to management expectations. The application is also associated with other aspects of the enterprise infrastructure.

Note: The Devices application is included in the Enterprise Catalog package.

The Facilities application maintains a listing of all organizational facilities, such as data centers and branches. You can document and review all information associated with a specific facility, such as contact personnel, location information, and technologies associated with the location.

Note: The Facilities application is included in the Enterprise Catalog package.

The Information Assets application allows you to manage a repository of information assets, such as credit card data, financial forecasts, employee Social Security numbers, and trademarks. Use this application to perform online assessments to determine information classification ratings and required retention periods. Link information assets to the business processes they support, the applications where they are managed, and the facilities where they are housed.

Note: The Information Assets application is included in the Enterprise Catalog package.

The Products and Services application maintains all products and services provided within an organization. For example, a financial services firm provides a variety of products and services, such as banking, brokerage, and lending services.

Note: The Products and Services application is included in the Enterprise Catalog package.

The Storage Devices application serves as a central repository for storage devices used within the infrastructure.

Note: The Storage Devices application is included in the Enterprise Catalog package.

Provides the appropriate access levels within the use case to Program Leaders.

Provides the appropriate access levels within the use case to Business Process Owners.

Provides the appropriate access levels within the use case to Program Team Member.

Provides the appropriate access levels within the use case to the executive team.

A Chief Executive Officer, a Chief Operations Officer, a Chief Financial Officer, an Executive Vice President , or Senior Vice President level, who might report into IT, Finance, or Operations.

Puts the DR team in place to ensure IT recovery is implemented across the enterprise.

Made up of senior management from such groups as Finance, Human Resources, Operations, Security, and Legal.

Establishes the program under the direction of the steering committee.

Establishes the IT Disaster Recovery program with proper approaches, resources, and priorities. Helps IT managers implement and test DR plans for their areas of responsibility.

Holds the ultimate responsibility for the performance of a business process in realizing its objectives. Can implement measures and controls to make the process more resilient, ensure BC plans are in place and tested, and that they are able recover their process if it is disrupted.

Holds the ultimate responsibility for areas of the IT infrastructure. Also responsible to implement and test IT DR plans for those areas and ensure they coordinate with other dependencies, both IT and the business.

The BR Task Driver dashboard contains quick links for frequent tasks and features metrics specific to the current user, such as BIAs pending my action, past due BCDR Plans, and active Incidents.

The BR Process Manager dashboard displays items relevant to Business Process Owners and Program leads. Charts are designed to help them determine how processes are functioning and identify gaps. The dashboard features metrics, such as expired BIAs and BCDR plans, BIA RTOs and RPOs, and the dependency mapping status by business unit.