BUSINESS

CONTINUITY
PLAN
&
DISASTER
RECOVERY
PLAN
TEMPLATE

Enquizit Ltd.
Dawson House, 5 Jewry Street, London EC3N 2EX
Tel: 020 3780 7200 | Email: info@ecmsp.co.uk
For further information and additional client case studies
and testimonials visit our website
https://www.ecmsp.co.uk/
OVERVIEW AND OBJECTIVES

This template discusses the various disasters that could affect your business operations and
explores the options you must consider in such circumstances. The document examines how a
business could continue to operate with minimal disruption to its critical functions.

The template consists of a Business Continuity element, which focuses on:

Office Facilities Staff Safety

It also consists of a Disaster Recovery element, which focuses on:

IT Recovery Backup Facilities Telecoms Recovery

By incorporating both types of planning, the template seeks to address critical events and actions
that impact staff, facilities and IT components in order to provide a holistic view of the recovery and
continuity process.

In the following pages, you will find the various event types described and appropriate responses outlined. A
final Plan Checklist is provided to summarise all of the considerations required to create and put into
effect a comprehensive BCP and DRP strategy.

Business Continuity Plan & Disaster Recovery Plan Template | 2

TABLE OF CONTENTS
OVERVIEW AND OBJECTIVES...................................................................................2

MAINTAINING DOCUMENT & VERSION CONTROL.................................................4

Document Control......................................................................................................................4
Version Control..........................................................................................................................4
DRP Contacts............................................................................................................................4

ASSESSING YOUR CURRENT SITUATION & RISKS.......................................................5

What You Need to Know Now: Pre-DRP Questions........................................................................5
How a Disaster Will Affect Your Business............................................................6

RESPONSE / RECOVERY TIMELINES FOR EVENT TYPES..............................7

DETAILED REVIEW OF DISASTER EVENT TYPES...................................................8

STAFF ACTION POINTS....................................................................................................10

Examples of Contact Information to be Stored and Updated.........................................................10
Examples of Actions to be Taken by Staff Members at Time of Disaster Event.......10
Communicating The Disaster Event: The Contact Tree................................................................11

BCP — LOCATION RECOVERY........................................................................................12

Paperwork and Non-IT Physical Items..........................................................................................12

DR — IT RECOVERY..................................................................................................................13
Stage 1 – Hardware Requirements.............................................................................13
Stage 2 – Component Recovery...................................................................................................13

STAFF TRAINING AND RECOVERY................................................................................15

BCP AND DRP CHECKLIST..............................................................................................16

FINAL WORD......................................................................................................................17
MAINTAINING DOCUMENT &
VERSION CONTROL

A Business Continuity & Disaster Recovery Plan is only as effective as its last update and its last test. The
document control should be assigned to a senior staff member who will be responsible for its
maintenance. Whenever the document is updated, the changes should be noted as a revision and
approved by the appropriate staff member. A list of key BCP/DRP contacts should also be
maintained. The information below provides the list of staff members who are responsible to
update and maintain this document. It also includes the version history and officials responsible
for disaster recovery planning.

Document Control
The maintenance and updating of this document is the responsibility of:

STAFF MEMBER DATE APPROVED SIGNATURE

Version Control
This should be updated whenever the plan has been modified so that changes can be tracked
and monitored.

VERSION DATE AMENDMENTS DETAILS AMENDED BY

1.0 Initial Document BCP & DR Plan

DRP Contacts
For further information regarding this document, please contact:

COMPANY LANDLINE MOBILE

Company Officer

Other contacts
ASSESSING YOUR CURRENT
SITUATION & RISKS

Business Continuity Plans (BCPs) and Disaster Recovery Plans (DRPs) are tools to assist your
organization in preparing for disaster occurrences that could make some or all of your resources
unavailable for a period of time.

The first step in preparing for a disaster is to take a good look at your current business and
determine what you consider to be critical functions and critical hardware and software components
that might be at risk. You also need to evaluate your staff in terms of their ability to effectively lead a
recovery effort.

Below, therefore, are some important questions to consider the answers to…

What You Need to Know Now: Pre-DRP Questions

Location: YES
If your main site goes down, can you continue to operate from a different NO
site?
Communications: YES
Do you have contact information for all staff members, vendors, suppliers, IT firm,
insurance companies, and any other “need to know” contacts in the event of a NO
disaster?
Hardware: N/
Do you know what sits on each of your servers (internet, email, printing, backup,
remote access, etc.) and do you have this documented? A
NO
Software: YES
What software and what versions of that software do you have and are these
documented somewhere? NO

Phone system:
Have you contacted your phone service provider and established a mobile phone YES
number to be put on standby for potential redirection of your main number when NO
and if needed?

Paperwork: YES
Is all of your paperwork backed up, scanned or protected somehow? NO

Recovery information and instructions: YES

Is your BCP/DRP stored online and accessible from a remote location? NO

Backup systems: YES

Is your business data backed up and recoverable? NO
How a Disaster Will Affect Your Business
There are many possible disaster scenarios which can cause a wide variety of business disruptions.
These disruptions can range from a component failure to a large-scale catastrophe. To make
disaster planning more manageable, we have grouped these possible situations into categories,
based on similar actions that will be required.

Disasters come in varying forms. We group them as follows:

TYPE 1: File loss, partial system failure, phone system failure, internet failure

(list of systems that we depend on)

1. VOIP Phone System

2. Office Internet Connection

3. Systems

a. Office 365 (Email, Teams, SharePoint, MS Office)

b. Bamboo HR

c. Surepayroll

d. Sage (Timesheets, Expense Reports & Accounting)

e. LastPass

f. Monday.com(Project tracking, Task tracking)

g. Atlassian (Confluence, Jira, Service Desk)

h. Github

i. Box

j. Google Drive

TYPE 2: Loss of location but the system is not affected

1. McLean, VA office

TYPE 3: Full loss of system but the location is not affected e.g. Virus, equipment
theft, hacking, or power outage

1. Laptops

2. Systems Mentioned above under Type 1

TYPE 4: Full loss of location and system (physical location and system described above)

TYPE 5: Loss of staff (e.g. Wholesale headhunting, lotto syndicate, bird flu etc.)

Incase of loss of staff initiate hiring process using:

1. Internal HR Team

2. Recruitment agency

For the purposes of this document, we will focus on a recovery from a Full Loss of Location and
System (Type 4), which encompasses recovery from all other event types except Type 5, which is
addressed in the Staff Training & Recovery section towards the end of the document.
RESPONSE / RECOVERY TIMELINES
FOR EVENT TYPES
Just like a government official declares a “state of emergency,” your company officer must decide when to call for
disaster recovery actions. He or she must decide whether and when a BCP/DRP must be executed. It
is important to set a fixed worst-case scenario timeframe for response and recovery. Critical Information
may be unavailable (like when access to the building might be restored). Once you decide a DR
event is occurring, you should move ahead with the BCP/DRP. Time is critical. From the start of
action, a fully-working office can be 48-72 hours away.

Occurrence of the event: What type of event is occurring and what is the timescale to action for that
event?

Type 1: File loss, system failure, phone system failure,

internet failure, hardware failure

Action: Contact IT Support Provider

Response/recovery time: Determined by IT support

Type 2: Loss of location but the system is not affected

Action: Relocate staff to home or second location

Response/recovery time: Refer to BCP

Type 3: Loss of systems but the location is not affected

Action: Full DR implementation

Response/recovery time: Determined by IT support

Type 4: Full loss of site and system

Action: Full DR & BCP Implementation

Response/recovery time: Determined by IT / BCP

Type 5: Loss of staff e.g. wholesale

headhunting, Lotto syndicate, Bird
Flu etc.

Action: Engage Recruitment Agency

Response/recovery time: Varies with availability
DETAILED REVIEW
OF DISASTER EVENT TYPES
DR actions and timeframes are dependent on the type of disaster event. Once an event is
defined as a disaster, recovery actions start as soon as possible, but complications and delays
may impede recovery, so full recovery may take some time.

DRPs and BCPs should be designed to handle the majority of disasters that can be anticipated, but
as with any serious and unexpected interruption, there can be special situations that need to be
dealt with. Below are the actions, timeframes and special circumstances associated with typical
disaster types.

TYPE 1 EVENT Failure type: There is a file loss, partial system failure, phone
failure, or internet failure.

Action: Communicate with IT for regular IT support.

Time to Immediate – establish quickest time frame to action with

action start: your IT support provider.

Special If a fix is not possible within 2 days for business critical

circumstance: system loss, change event to a Type 3 event

TYPE 2 EVENT Failure type: There is a loss of location but the system is not affected –
(most pressing threat in the UK at present).

Action: Relocate staff to backup location or home.

Time to 1) If your location is lost for more than 1 day (unless full
action start: staff remote access is implemented), then action is
immediate.
2) If police or emergency services estimate that the location
will be unavailable for 1 day or longer, then action is
Special immediate.
circumstance:
If, during a Type 2 event, the power is cut or systems such
as internet or phones fail, then change to Type 4 event.

TYPE 3 EVENT Failure type: There is a complete loss of the system but the location is not
affected (e.g. Virus, equipment, theft, hacking, or power loss).

Action: Full DR implementation.

Time to Immediate – establish quickest timeframe to action with your

action start: IT support provider.

Special 1) If any of the critical systems cannot be repaired onsite or if

circumstance: the time to repair is expected to be longer than 1 day, then
change to a Type 4 event.
2) In this event, a loss of power will be a Type 4 event unless
a generator has been agreed to.
3) Wholesale location theft results in a Type 4 event.
 TYPE 4 EVENT Failure type: There is a complete loss of location and systems.

Action: Full DR & BCP Implementation.

Time to 1 day.
action start:

Special It is at the Managing Director’s discretion whether action is

circumstance: delayed until agreement is reached with the insurance
provider.

TYPE 4A EVENT Failure type: There is a fire, flood or similar catastrophe that wipes out
everything with no possibility of location or systems being
recovered.
Action:
Full DR & BCP Implementation.
Time to
action start: Immediate.

Special
circumstance: If there is no possibility of recovering location and
repairing physical systems, contact your IT service
provider.

TYPE 5 EVENT Failure type: Loss of staff e.g. Wholesale headhunting, Lotto
syndicate, Bird Flu etc.

Action: Contact Recruitment

Time to Agency. Immediate.

action start:

Special For bigger pandemic type events it may be very difficult to

circumstance: action any plans if human movement is restricted.
STAFF ACTION POINTS

Disaster events can create confusion, panic, misinformation and misdirection. In such situations,
people need to be informed of what has happened and instructed on what needs to happen, with
each member of staff knowing his or her role in advance. A clear line of communication should therefore be
established to reach all affected parties, including internal and external organisations. A list of key company
contacts should also be stored and updated on a regular basis so they are immediately available
should a disaster occur.

Examples of Contact Information to be Stored and Updated

• Full and updated staff member contact list
• Office management contacts
e.g. Services (gas, electricity, air-conditioning etc.), building services (landlord, local council.,
emergency services (also include disaster event numbers)
• Full and updated customer list:
this should be reviewed and revised accordingly once a month
• Full and updated supplier list:
this should be reviewed and revised accordingly once a month
• Full and updated contractor list:
this should be reviewed and revised accordingly once a month

Examples of Actions to be Taken by Staff Members at Time of Disaster Event

Note: You need to read your own BCP/DRP, decide the event and severity, and initiate the contact of staff
and all other contacts as appropriate to your business. Here are some examples of “Communication
Action Branches” which could be assigned to different staff members:

STAFF MEMBER 1 • Refer to BCP plan and decide on event type and severity. Initiate staff
contact.

• Engage IT support - Call IT support provider who will proceed to action

DRP dependent on event type and severity.

• Get in touch with critical contacts and inform them of the incident
and estimated lead time for recovery.

• Contact insurance company and inform of the event, confirming

relevant coverage and any actions required to ensure all possible claims
are covered.

STAFF MEMBER 2 • Contact relevant staff members under your Action Communication Branch
(below) and pass on the message detailing the event type.

• For location loss, contact and arrange office space for the staff on
a day by day basis, and verify that the insurance company agrees with
this arrangement.

• Contact any live location contractors (refer to relevant Contact List for
contact information).
STAFF MEMBER 3 • Contact current clients and advise of the event type and severity along
with any deadlines in the sales process that may not be met.

• Contact relevant staff members under your Contact Tree Branch (below)
and pass on the message detailing the event type.

STAFF MEMBER 4 • Contact Suppliers (refer to relevant Contact List for contact information)
and inform them of the event type and severity along with any critical
payments that may be delayed.

• Contact relevant staff members under your Contact Tree Branch (below)
and pass on the message detailing the event type.

Communicating The Disaster Event: The Contact Tree

The most efficient way to contact all staff members is to have a “Communications Contact Tree” in place. This
enables one staff member to contact several other staff members, and if needed, those staff members can
continue the chain.

STAFF MEMBER 1

STAFF MEMBER 2 STAFF MEMBER 3 STAFF MEMBER 4

BCP — LOCATION RECOVERY

Working space can be at a premium if a major event occurs. The inability to hold staff meetings and have
ongoing staff interaction can severely impede business continuity. Here are three options to deal with loss
of location in the disaster event stage.

a) If space is available at a b) Provision space in serviced c) Recreate your servers in a

Director’s home, this offices; locate 3 spaces hosted environment (for
would be preferable to in your area and ensure example, your IT support
rental space for the short you have relevant contact provider’s offices) and have
term. details. all staff work done remotely
from home. This solution
will require an investment in
standby hosting space and
possibly staff equipment.

Action: Identify location and Action: Confirm location and Action: Engage hosting facility
space if feasible enter initial dialog with preferred provider
location and provider

Paperwork and Non-IT Physical Items

When planning for Business Continuity, it is important to take stock all of the non-IT items that
support or are a part of your business. Things like furniture items for insurance reporting, or
security devices for logging into your bank, should not be taken for granted.

You may also have a lot of information on paper. Does it need to be scanned? Do you have digital backup that
can be accessed remotely? It is advisable to have a process within your company for scanning all
paperwork and storing it in the Cloud.

While this should be sufficient for most paperwork, there may be certain kinds (such as drawings or plans)
that would be hard to digitize and almost impossible to recreate without significant effort. These, along with
sensitive information like banking figures, should be stored offsite in the home of a responsible staff
member.
DR — IT RECOVERY

A full IT and network recovery relies on information and backed up data kept away from the office. It is
highly recommended that a full Disaster Recovery rehearsal is carried out at least once (but
preferably twice) a year to ensure all relevant information and data is correct and recoverable. If
this is not done, there is a significant chance that the recovery will suffer partial or total failure.

Once an event has been declared, the first point is to define the hardware requirement. Certain events will
not need hardware e.g. Hacking or virus attacks that format the system.

Stage 1 – Hardware Requirements

Is hardware reqired? NO Proceed to Stage 2

YES

Is standby hardware Contact suppliers, agree on costs and order

contracted? NO

YES

Proceed to Stage 2

Stage 2 – Component Recovery

The recovery of IT components can be a very daunting task, even for seasoned IT professionals on
staff. This task is more easily accomplished by having an established IT provider to partner with.

EXTERNAL Process: Check with your ISP/provider to verify continued viability. If you are using
MAIL an internal server, log on to the Cloud portal and use your email that way.
CONTROL Follow with testing.

INTERNET Process: Liaise with relevant ISP/provider to ensure at least a viable connection for
PROVISION your requirements. Follow with testing.
 PHONE Process at point of failure:
SYSTEM 1. Contact your phone line provider and redirect main numbers to the
standby mobile number you set up in the pre-DR stage.
2. Arrange for temporary lines (this may be in serviced office or at Director’s
location). This is only to be actioned if a significant long-term event has
occurred, as line provision will take 10 days minimum.
3. Contact VOIP provider and set up a temporary VOIP provision.
Consider forwarding numbers to that system.
4. Test phone system functions, including inbound, outbound, voicemail, Caller Line
Identification, call forwarding and hunt groups.

SERVERS Process at point of failure:

1. When a disaster occurs and the servers are gone, where is the data? Call your
IT support or backup vendor (or obtain an offsite physical backup) and request
a high priority copy to a USB drive. Provide delivery address and confirm
ETA.
2. If no remote active directory exists, then provision exchange server recovery
software. You should know how to back up your servers, be able to test, and have
data ready to be recovered.

After Server hardware provision (Stage One):

This process is divided into two stages. The primary reason for this is to enable the
flow of email as quickly as possible. Should this not be required (often
provisioning of internet services is delayed), then this will all happen as one stage.

Email functionality enabled:

1. Rebuild the server, configure all users and applications; configure any printers.
Test to make sure all clients have server access.
2. Test internal and external email; make sure all applications are working; test
printers.
Each server needs to be tested for functionality by the relevant department.

Data recovery:
1. Recover all file data and email data (may require loss of the system
while this is happening).
2. Confirm and configure any permission requirements.
3. Confirm and recover any third-party applications.
4. Test different application types and data locations on data drive; confirm
emails are accurate and complete; confirm permissions are correct; test third
party apps.

WORK- To reestablish business continuity, it may be necessary for staff members to work
STATIONS from home or from another location. Laptops can be provided to members to allow
them mobility and to give you more options in staff placement. Verify that laptops
& PRINTER are covered by insurance and, if the location is unsecured, take precautions to
prevent theft.
After provisioning:
1. Build standard configuration for laptops.
2. Connect to network; test user-specific settings (email, drives, printer, etc.)
3. Give users instructions for passwords and access.
4. Test email and printing to and from multiple locations/ laptops.
5. Confirm access to all file and email data.
STAFF TRAINING AND RECOVERY

It is a good idea to assess the skill and knowledge levels of key employees and do cross-training
where appropriate to facilitate recovery efforts. Periodic testing of the DRP will reveal training needs. Key staff
should also be made be familiar with critical server operation, software versions, phone and
telecommunications equipment, and vendor information.

It is recommended that you set up a relationship with a Recruitment Agency that focuses in your field.
Creating detailed job descriptions will ensure that in the event of wholesale staff loss (a Type 5 event), you
have your full requirements on hand to source new people. Reduce the risk as much as possible by backing
up on the server all data that your staff might retain on external equipment.
BCP AND DRP CHECKLIST

Below is a practical checklist you can use to ensure you are accounting for the key
Business Continuity and Disaster Recovery issues we have discussed in this document:

Document & Version Paperwork & Non-IT Items

Date of latest update Accounting & Payroll items
Document control manager / contacts Furniture
Drawings & blueprints
Testing
Other critical paperwork
Annual Test Schedule
Current Test Date Hardware
Servers
Staff Action Points PCs
Laptops
Staff Communication Tree Printers
Offsite Data Backup & DR Solution
Contact Lists
Staff, including job Software
descriptions Customers Operating System and Version
Suppliers Applications
Partners Offsite Data Backup & DR Solution
Recruitment Agency
Telecommunications
Location(s) Phone System
Backup location Intranet/Internal
network
Internet ISP
Email
Remote access
FINAL WORD

In Business, There Should Be No Surprises…

According to the Department of Trade & Industry, 70% of companies that encounter a significant loss of
data go out of business within a year. When things don’t go as expected, therefore, events with
highly negative consequences - whether natural or man-made - can not only interrupt business
continuity, but could put an end to your business altogether. In spite of all this, in the race for
market share, growth and profitability, Business Continuity & Disaster Recovery considerations still frequently
fall by the wayside.

The best form of protection is to begin preparing for any such emergency today. Having a
reputable and proven BCP and DRP services provider like EC-MSP is the best way to make sure you
have thought through all of the myriad disaster scenarios and consequences along with their required
recovery actions and timelines.

EC-MSP will work with you to ensure you have fully-established BCP & DR capabilities, along with
a comprehensive and testable plan for recovering all of your vital business assets, so that in the
case of your company, there will be no surprises.

Contact EC-MSP today on 020 3780 7200 to learn how we can help.

“ Thanks to EC-MSP, we now

have a robust, cost-effective
solution, and trust that
“ We view EC-MSP as
part of the team. They
are technically
“ EC-MSP was recommended
to us and they have lived
up to all expectations. The
our data, the core of our competent, financing deal they came
business, is in safe hands.” extremely thorough and their up with was also very
engineers are easy to work attractive – ideal for a
with – in fact, the users at small business.”
Nutmeg don’t have a bad
word to say about them.”
Ewan Silver
Chief Technology Officer, Steve Vaudrey
Nutmeg Matthew Dixon The Clarion Agency
Hudson Walker