Local Authority Cyber Resilience Planning Guide

This guide is to assist managers in preparing and implementing Business Continuity Plans, to aid Cyber Resilience.

(C) 2003-2021Mark Brett

June 2021 Version 3


Following the events of 11th September 2001, and the London bombings of 7th July 2005, and the WannaCry malware incidents across the NHS, have caused many organisations to consider an annual review process for their Business Continuity Planning.

The guide aims to mitigate the impact of unforeseen events on the business. Subsequently, the Civil Contingencies Act 2004 and the events of 7thJuly 2005 have also heightened the need for a robust Business Continuity planning framework. In todays interconnected Internet driven world such planning is even more important. The shift to Cloud computing is making this even more difficult.

This guide was originally written in 2003 and has been updated over the years. The approach is still sound and this is continued work in progress.


Honorary Visiting Fellow (Cyber Security)

Cyber Centre London Metropolitan University

© Mark Brett 2003-2021

Your welcome to make use of the contents of this document for non-commercial purposes including Public Sector use. However I would ask that you acknowledge the fact in your derived work.


Every year unforeseen emergencies take their toll on business and industry -- in lost business and escalated costs. Something can be done. Business and industry can limit the impact and losses, returning quickly to normal operations if they plan ahead.

This guide provides step-by-step advice on how to create and maintain a comprehensive Business Continuity Planning Programme.

To begin, you need not have in-depth knowledge of Cyber Resilience. What you need is the authority to create a plan and a commitment from the Chief Officer to make Business Continuity Planning part of the corporate culture If you already have a plan, use this guide as a resource to assess and update your plan. The guide is organised as follows:

Section 1: 4 Steps in the Planning Process -- how to form a planning team; how to conduct a vulnerability analysis; how to develop a plan; and how to implement the plan. The information can be applied to virtually any type of business or industry.

Section 2: Business Continuity Planning Considerations -- how to build such Business Continuity Planning capabilities as Health & Safety, Property Protection, Communications and Community Outreach.

Section 3: Hazard-Specific Information -- technical information about specific hazards your building or site may face.

Section 4: Information Sources -- where to turn for additional information.

Appendix A BCM plan and risk assessment toolkit

What Is an Emergency?

An emergency is any unplanned event that can cause disruption or significant injuries to employees, customers or the public; or that can shut down your business, disrupt operations, cause physical or environmental damage, or threaten the facility's financial standing or public image. Obviously, numerous events can be "emergencies," including:


2.Hazardous materials incident

3.Flood or flash flood

4.Terrorist Incident

5. Malicious Incident (public or Employee)

6.Winter storm (Weather)

7.Communications failure

8.Civil disturbance (Transport strikes)

9.Loss of key supplier or customer

10.Explosion (Gas etc)

The term "disaster" has been left out of this document because it lends itself to a preconceived notion of a large-scale event, usually a "natural disaster." In fact, each event must be addressed within the context of the impact it has on the authority and the community. What might constitute a nuisance to the Council in general could be a "disaster" to a section or department.

What Is Cyber Resilience?

Cyber Resilience is the process of ; preparing for, mitigating, responding to and recovering from an emergency, which involves Cyber, that is a system or service, which is delivered by a network or the Internet, to a remote device, often through a web browser.

Business Continuity Planning is a dynamic process. Planning, though critical, is not the only component. Training, conducting exercises, testing equipment and co-ordinating activities with the community are other important functions.

Making the "Case" for Cyber Resilience

To be successful, Business Continuity Planning requires senior management support. The chief executive sets the tone by authorising planning to take place and directing senior management to get involved.

When presenting the "case" for Cyber Resilience, avoid dwelling on the negative effects of an emergency (e.g., deaths, fines, and criminal prosecution) and emphasise the positive aspects of preparedness. For example:

1. It helps the Council fulfill its’ moral responsibility to protect employees, the community and the environment.

2. It facilitates compliance with regulatory requirements such as Health & Safety.

3. It enhances the Council’s ability to recover from financial losses, regulatory fines, complaints from members and the public, damage to equipment and business interruption.

4. It reduces exposure to civil or criminal liability in the event of an incident.

5. It enhances the Council’s image and credibility with employees, customers, suppliers and the community.



Having established what your planning for (the scope)

Step 1 -- Establish a Planning Team

Step 2 -- Analyse Capabilities and Hazards

Step 3 -- Develop the Plan

Step 4 -- Implement the Plan


There must be an individual or group in charge of developing the Business Continuity Plan. The following is guidance for making the appointment.

1. Form the Team.

The size of the planning team will depend on the department’s operations, requirements and resources. Usually involving a group of people is best because:

a. It encourages participation and gets more people invested in the process. b. It increases the amount of time and energy participants are able to give. c. It enhances the visibility and stature of the planning process.
d. It provides for a broad perspective on the issues.

Determine who can be an active member and who can serve in an advisory capacity. In most cases, one or two people will be doing the bulk of the work.

Some of the planning and co-ordination, could be out sourced to the Emergency Planning .At the very least, you should obtain input from all functional areas. Remember:

  1. Senior management 

  2. Line management 

  3. Personnel and Occupational Health 

  4. Engineering and maintenance 

  5. Health & Safety 

f. Public information officer (Press & Publicity)

  1. Security 

  2. Community relations and groups 

  3. Councillors as appropriate 

  4. Departmental Representatives (Operational Service Delivery) 

  5. Legal Services 

  6. Finance and purchasing 

Have participants appointed in writing by senior management. Their job descriptions could also reflect this assignment and extra duties.

2. Establish Authority.

Demonstrate management's commitment and promote an atmosphere of empowerment by "authorising" the planning group to take the steps necessary to develop a plan. The Chief Officer or the Business Unit Manager should lead the group. Establish a clear line of authority between group members and the group leader, though not so rigid as to prevent the free flow of ideas.

3. Issue a Mission Statement – Which quantifies the purpose and scope of the plan.

Have the Chief Executive or Service/Business Unit Manager issue a mission statement to demonstrate the authority’s commitment to Cyber Resilience. The statement should:

Define the purpose of the plan and indicate that it will involve the entire organisation. Define the authority and structure of the planning group

4. Establish a Schedule and Budget

Establish a work schedule and planning deadlines. Timelines can be modified as priorities become more clearly defined.

Develop an initial budget for such things as research, printing, seminars, consulting services and other expenses that may be necessary during the development process.


This step entails gathering information about current capabilities and about possible hazards and emergencies, and then conducting a vulnerability analysis to determine the facility's capabilities for handling emergencies.

1. WHERE DO YOU STAND RIGHT NOW? Establishing a baseline

Review Internal Plans and Policies. Documents to look for include:

a. Evacuation plan

  1. Fire protection plan 

  2. Health &Safety procedures 

d Environmental policies

  1. Security procedures 

  2. Insurance programs 

  3. Finance and purchasing procedures 

  4. Quality Procedures 

  5. Personnel Handbook 

  6. Internal SLAs and External Contracts. 

  7. Health & Safety risk assessments 

  8. Risk management plan 

m Capital improvement program n. Mutual aid agreements

Business Continuity Planning Guide

2. Establish Partnerships

Meet with external agencies, community organisations and utilities. Ask about potential emergencies and about their plans and available resources for responding

Sources of information include:

  • Local Resilience Forum Cooridnator

  • Emergency Planning Officer

  • Local Hospital

  • Local Community

  • Liaison Groups Fire Brigade

  • Local Police
Ambulance Emergency Planning Officer

  • Telecommunications Companies

  • Cellular providers

  • Electric,

  • Gas and Water Utilities

  • Neighbouring Authorities

Web sites see: http://www.ukresilience.info/contingencies/cont_index.htm Business Continuity Institute see: www.thebci.org
Association of Local Authority Risk Managers http://www.alarm-uk.com/ Society of Information Technology Management SOCITM: www.socitm.net

Emergency Planning Society :http://www.emergplansoc.org.uk/

3. Identify Codes and Regulations

Identify applicable legislation and local regulations such as:

Occupational Health & Safety regulations Environmental regulations
Fire procedure codes
Corporate policies

4. Identify Critical Services and Operations

You'll need this information to assess the impact of potential emergencies and to determine the need for backup systems. Areas to review include:

  1. Council services and the facilities and equipment needed to produce them 

  2. Products and services provided by suppliers, especially sole source vendors 

  3. Lifeline services such as electrical power, water, sewer, gas, telecommunications 
and transportation 

  4. Operations, equipment and personnel vital to the continued functioning of the 

5. Identify Internal Resources and Capabilities

Resources and capabilities that could be needed in an emergency include:

a. Personnel -- Fire, Police and Ambulance Council Emergency services response team, security, Business Continuity Planning group, Fire wardens, First Aid, Public Information Officers. Computer Emergency Response Team

b. Equipment -- fire protection and suppression equipment, communications equipment, first aid supplies, emergency supplies, warning systems, emergency power equipment.

c. Facilities – Establish a Crisis Management Centre (, media briefing area, survivor reception centres, first-aid stations. Communications point, internal and external.
An emergency website, either part of the corporate one or separate. Make sure people know the address of it.

d. Organisational capabilities -- training, evacuation plan, employee support system (Counselling)

e. Backup systems -- arrangements with other facilities to provide for: Identify your Business critical processes and systems.

  • (1) Payroll 

  • (2) Communications 

  • (3) Production 

  • (4) Customer services 

  • (5) Post room services and receiving i.e. CFM print runs 

  • (6) Information systems support 

  • (7) Emergency power 

  • (8) Recovery support 

6. Identify External Resources

There are many external resources that could be needed in an emergency. In some cases, formal agreements may be necessary to define the facility's relationship with the following:

  1. Local Resilience Forum (LRF)

  2. Fire Brigade 

  3. Hazardous materials Health & Safety Executive 

  4. Emergency medical services

  5. Hospitals 

  6. Local Police liaison

  7. Community service organisations 

  8. Utilities 

  9. Key Contractors & Suppliers

7. Suppliers of emergency equipment

Insurance companies

Do an Insurance Review

Meet with Insurance Officer (Finance Dept) to review all policies and cover. (See Section 2: Recovery and Restoration.) Insurance is not a substitution to proper planning and preparedness.

8. Conduct A Vulnerability (Risk) Analysis

The next step is to assess the vulnerability of your site -- the probability and potential impact of each emergency. Use the Vulnerability (Risk) Analysis Chart in the appendix section to guide the process, which entails assigning probabilities, estimating impact and assessing resources, using a numerical system. The lower the score the better.

9. Brainstorm Potential Emergencies & Scenarios to plan for

In the first column of the chart, list all emergencies that could affect your department, including those identified by the Emergency Planning officer. Consider both:

a. Emergencies that could occur within your Site / Department b. Emergencies that could occur in your community

Historical -- What types of emergencies have occurred in the community, at this facility and at other facilities in the area?

a. b. c. d. e. f. g. h.

Severe weather Hazardous material spills Transportation accidents Bomb threats

Transport strikes
Terrorism and Industrial action

Utility outages

Geographic -- What can happen as a result of the facility's location?

Keep in mind:

  1. Proximity to flood spots, electrical lines, railways, major roads etc. 

  2. Proximity to companies that produce, store, use or transport hazardous material 

  3. Proximity to major transportation routes and airports 

  4. Proximity to terrorist targets. 

Technological -- What could result from a process or system failure? Possibilities include:

  1. Fire, explosion, hazardous materials incident - storage batteries 

  2. Safety system failure 

  3. Telecommunications failure 

  4. Computer system failure 

  5. Power failure 

  6. Heating/cooling system failure 

  7. Emergency notification system failure 

Human Error -- What emergencies can be caused by employee error? Are employees trained to work safely? Do they know what to do in an emergency? Human error is the single largest cause of workplace emergencies and can result from:

  1. Poor training 

  2. Poor maintenance 

  3. Carelessness 

  4. Misconduct 

  5. Substance abuse 

f. Fatigue

Physical -- What types of emergencies could result from the design or construction of the facility? Does the physical facility enhance safety? Consider:

a. The physical construction of the facility b. Hazardous processes or by-products c. Facilities for storing combustibles

d. Layout of equipment

e. Lighting

  1. Evacuation routes and exits 

  2. Proximity of survivor reception centres 

Regulatory -- What emergencies or hazards are you regulated to deal with? Analyse each potential emergency from beginning to end. Consider what could happen as a result of:

  1. Prohibited access to the facility 

  2. Loss of electric power 

  3. Communication lines down 

  4. Ruptured gas mains 

  5. Water damage 

  6. Smoke damage 

  7. Structural damage 

  8. Air or water contamination 

  9. Explosion 

  10. Building collapse 

  11. Trapped persons 

  12. Chemical release 

10. Estimate Probability

In the Probability column, rate the likelihood of each emergency's occurrence. This is a subjective consideration, but useful nonetheless.
Use a simple scale of 1 to 5, with 1 as the lowest probability and 5 as the highest.

11. Assess the Potential Human Impact (HARM Modelling)

Analyse the potential human impact of each emergency -- the possibility of death or injury.

Assign a rating in the Human Impact column of the Vulnerability Analysis Chart. Use a 1 to 5 scale with 1 as the lowest impact and 5 as the highest.

12. Assess the Potential Property Impact

Consider the potential property for losses and damages. Again, assign a rating in the Property Impact column, 1 being the lowest impact and 5 being the highest. Consider:

  1. Cost to replace 

  2. Cost to set up temporary replacement 

  3. Cost to repair 

13. Assess the Potential Business Impact

Consider the potential loss of market share. Assign a rating in the Business Impact column. Again, 1 is the lowest impact and 5 the highest. Assess the impact of the following. This applies to your Department and your external (CCT) suppliers if applicable. Check your SLA’s and Contracts.

  1. Business interruption 

  2. Employees unable to report to work 

  3. Customers unable to reach facility 

  4. Authority in violation of contractual agreements 

  5. Imposition of fines and penalties or legal costs 

  6. Interruption of critical supplies 

  7. Interruption of Service Delivery 

14. Assess Internal and External Resources

Next assess your resources and ability to respond. Assign a score to your Internal Resources and External Resources. The lower the score the better.
To help you do this, consider each potential emergency from beginning to end and each resource that would be needed to respond. For each emergency ask these questions:

Do we have the needed resources and capabilities to respond?

Will external resources be able to respond to us for this emergency as quickly as we may need them, or will they have other priority areas to serve?

If the answers are yes, move on to the next assessment. If the answers are no, identify what can be done to correct the problem. For example, you may need to:

  1. Develop additional emergency procedures 

  2. Conduct additional training 

  3. Acquire additional equipment 

  4. Establish mutual aid agreements 

  5. Establish agreements with specialised contractors

15. Add the Columns

Total the scores for each emergency. The lower the score the better. While this is a subjective rating, the comparisons will help determine planning and resource priorities -- the subject of the pages to follow.


You are now ready to develop a Business Continuity Planning plan. This section describes how.


Your plan should include the following basic components.

1. Executive Summary

The executive summary

Gives management a brief overview of the purpose of the plan Details the Business Continuity Planning policy
Authorises the facilities and responsibilities of key personnel; Details the types of emergencies that could occur

Explains how and where response operations will be managed.

2. Business Continuity Planning Elements
This section of the plan briefly describes the facility's approach to the core elements

Cyber Resilience, which are:

Command and control
Life and Limb - protecting your staff and the public. Property protection
Community outreach
Recovery and restoration
Administration and logistics.

These elements, which are described in detail in Section 2, are the foundation for the emergency procedures that your facility will follow to protect personnel and equipment and resume operations.

3. Emergency Response Procedures

The procedures spell out how the facility will respond to emergencies. Whenever possible, develop them as a series of checklists that can be quickly accessed by Senior Management, Department heads, response personnel and employees.

Determine what actions would be necessary to:

  1. Assess the situation 

  2. Protect employees, customers, visitors, equipment, vital records and other 
assets, particularly during the first phase of the emergency 

  3. Get the business back up and running. 

Specific procedures might be needed for any number of situations such as bomb threats or fire, and for such functions as:

Warning employees and customers
Communicating with personnel and community responders Conducting an evacuation and accounting for all persons in the facility Managing response activities
Activating and operating an emergency operations centre
Fighting fires
Shutting down operations
Protecting vital records
Restoring operations

4. Support Documents

Documents that could be needed in an emergency include:

Emergency call lists -- lists (wallet sized if possible) of all persons on and off site who would be involved in responding to an emergency, their responsibilities and their 24-hour telephone numbers.

Building and site maps that indicate:

  1. Utility shutoffs 

  2. Water hydrants 

  3. Water main valves 

  4. Water lines 

  5. Gas main valves 

  6. Gas lines 

  7. Electrical cut-offs 

  8. Electrical substations 

  9. Storm drains 

  10. Sewer lines 

  11. Location of each building (include name of building, street name and number) 

  12. Floor plans 

  13. Alarm and communicators 

  14. Fire extinguishers 

  15. Fire suppression systems 

  16. Exits 

  17. Stairways 

  18. Designated escape routes 

  19. Restricted areas 

  20. Hazardous Materials (including cleaning supplies and chemicals) 

  21. Copies of building plans 

  22. Copies of telecommunication route plans (Telephone and fibre cables) 

  23. Location of High-value items; (Deeds, Bonds, Contracts, evidence etc.) 

5.Resource lists

Lists of major resources (equipment, supplies, and services) that could be needed in an emergency; mutual aid agreements with other companies and government agencies.

  1. Emergency escape procedures and routes 

  2. Procedures for employees who perform or shut down critical operations before an evacuation 

  3. Procedures to account for all employees, visitors and contractors after an evacuation is completed 

  4. Rescue and medical duties for assigned employees 

  5. Procedures for reporting emergencies 

  6. Names of persons or departments to be contacted for


The following is guidance for developing the plan.

1. Identify Challenges and Prioritise Activities

Determine specific goals and milestones. Make a list of tasks to be performed, by whom and when. Determine how you will address the problem areas and resource shortfalls that were identified in the vulnerability analysis.

2. Write the Plan

Assign each member of the planning group a section to write. Determine the most appropriate format for each section.

Establish an aggressive timeline with specific goals. Provide enough time for completion of work, but not so much as to allow assignments to linger. Establish a schedule for:

  1. First draft 

  2. Peer review (include other sections) 

  3. Second draft 

  4. Tabletop exercise (invite other sections/departments to participate) 

  5. Final draft 

  6. Printing 

  7. Distribution publish widely including intranet – share best practise 

  8. Amendments procedures 

3. Establish a Training Schedule

Have one person or department responsible for developing a training schedule for your facility. For specific ideas about training, refer to Step 4.

4. Coordinate with Outside Agencies and Organisations

Meet periodically with other government agencies and community organisations. Inform appropriate government agencies that you are creating a Business Continuity plan. While their official approval may not be required, they will likely have valuable insights and information to offer.

Determine central government and local requirements for reporting emergencies, and incorporate them into your procedures. Appoint a ‘logist’ to keep detailed records of all executive orders, actions and operations. Number and time record all options. This will include actions, outcomes and costs incurred, along with details of who authorised the actions.

Trigger Points and Protocols

The CRASH Gates Protocol Trigger Points can be thought of a pre-defined Consequence Relevance Acceleration Severity and Harm (CRASH) Gates.

The CRASH Gate model for assessing Cyber incident trigger points;

Consequence Scaling

  1. Locally contained within the Organisation at a Sub-Departmental / Directorate Level

  2. Locally contained within the Organisation at Departmental / Directorate Level

  3. Local contained within the Organisation

  4. Affecting multiple Organisations Sub-Regionally

  5. Affecting multiple Organisations Regionally

  6. Affecting multiple Organisations Nationally

Relevance Scoring

  1. We do not have this technology in our infrastructure

  2. We have this technology, we are fully patched.

  3. We have this technology, we are partially patched

  4. We have this technology, we are not patched

  5. We have this technology, we are compromised

Severity Scoring

  1. Not affecting our infrastructure directly

  2. Affecting some of our infrastructure

  3. Affecting most of our infrastructure

  4. Affecting all of our infrastructure

  5. Our infrastructure is over run and non-functioning

HARM Levels

  1. The organisation is unaffected

  2. The organisation is affected, but fully operational

  3. The organisation is affected, and is partially operational

  4. The organisation is compromised essential services still functioning

  5. The organisation is compromised essential services lost.

Determine protocols and trigger points for turning command and control of a response over to outside agencies.

Some details that may need to be worked out are:

  1. Which gate or entrance will responding emergency service units use? 

  2. Where and to whom will they report? 

  3. How will they be identified? How will they know you? (tabards/ID) 

  4. How will facility personnel communicate with outside responders? 

  5. Who will be in charge of response activities? 

Determine what kind of identification authorities (Police/Fire) will require to allow your key personnel into your facility during an emergency. Develop and agree special ID cards and tabards etc. Ensure everyone is thoroughly briefed.

Produce A4 laminated cards which detail the key roles and responsibilities for each job.

Produce a pocket size card, with emergency contact numbers, and the five major points of the job role, where to report to etc.

Determine the needs of disabled persons and non-English-speaking personnel. For example, a blind employee could be assigned a partner in case an evacuation is necessary.

A disabled person is anyone who has a physical or mental impairment that substantially limits one or more major life activities, such as seeing, hearing, walking, breathing, performing manual tasks, learning, caring for oneself or working.

Be mindful of language barriers, written and verbal.

Your emergency planning priorities may be influenced by government regulation. To remain in compliance you may be required to address specific Business Continuity Planning functions that might otherwise be a lower priority activity for that given year.

5. Maintain Contact with Other Departments

Communicate with other offices and departments within the authority to learn:

  1. Their emergency notification requirements

  2. The conditions where mutual assistance would be necessary

  3. How offices will support each other in an emergency

  4. Names, email, telephone numbers and mobile numbers of key personnel Incorporate this information into your procedures.

6. Conduct Training and Revise plans and procedures as necessary.

Share review information with other Departmental representatives. Use the Intranet server to publish timely information

Distribute the first draft to group members for review. Revise as needed.

For a second review, conduct a tabletop exercise with management and personnel who have a key Business Continuity Planning responsibility. In a conference room setting, describe an emergency scenario and have participants discuss their responsibilities and how they would react to the situation. Based on this discussion, identify areas of confusion and overlap, and modify the plan accordingly.

7. Seek Final Approval

Arrange a briefing for the Chief Officer and Senior Management and obtain written approval.

8. Distribute the Plan

Place the final plan in four-ring binders and number all copies and pages. Document control procedures are essential for quality and auditing.

Each individual who receives a copy should be required to sign for it and be responsible for posting subsequent changes.

Ensure the plan is published on the Intranet and kept up to date. Consider storing the plan on a secure Internet facility, this will ensure authorised people can access the plan from anywhere.

Determine which sections of the plan would be appropriate to show to other agencies (some sections may refer to Confidential Corporate or Departmental Information or include private listings of names, telephone numbers or access codes and passwords). Distribute the final plan to:

  1. Chief Officers and Senior Managers 

  2. Key members of the authority's emergency response organisation 

  3. Chief Executives Office, 

  4. Emergency Planning Unit. 

  5. Community emergency response agencies (appropriate sections) 

  6. Key external suppliers. Ensure you figure in their emergency plans. 

Have key personnel keep a copy (paper or electronic) of the plan in their homes? Inform employees about the plan and

Consolidate emergency plans for better co-ordination. Stand-alone plans, such as Computer Disaster Recovery Plans, Fire Protection plan or Health and Safety plan, should be incorporated into one comprehensive plan.


Implementation means more than simply exercising the plan during an emergency. It means acting on recommendations made during the vulnerability analysis, integrating the plan into authority operations, training employees and evaluating the plan.


Emergency planning must become part of the corporate culture.

Look for opportunities to build awareness; to educate and train personnel; to test procedures; to involve all levels of management, all departments and where appropriate the community in the planning process; and to make Business Continuity Planning part of what personnel do on a day-to-day basis.

Include the emergency procedures into induction training.
Ensure the emergency procedures are discussed at a quarterly management

meeting as an agenda item.
Build the process into all project plans.

Test how Completely the Plan has been Integrated by Asking:

How well does senior management support the responsibilities outlined in the plan?

Have emergency planning concepts been fully incorporated into the Department’s accounting, personnel and financial procedures?

How can the Council’s processes for evaluating employees and defining job classifications better address Business Continuity Planning responsibilities?

Are there opportunities for distributing emergency preparedness information through corporate newsletters, employee manuals or employee mailings?

What kinds of safety posters or other visible reminders would be helpful?
Do personnel know what they should do in an emergency?


Everyone who works at or visits (Contractors) the site requires some form of training. This could include periodic employee discussion sessions to review procedures, technical training in equipment use for emergency responders, evacuation exercises and full-scale exercises. Below are basic considerations for developing a training plan.

1. Planning Considerations

Assign responsibility for developing a training plan. Consider the training and information needs for employees, contractors, visitors, managers and those with an emergency response role identified in the plan.
Determine for a 12 month period:

  1. Who will be trained? 

  2. Who will do the training? 

  3. What training activities will be used? 

  4. When and where each session will take place? 

  5. How the session will be evaluated and documented? 

Use the Training Exercises and Exercises Chart in the appendix section to schedule training activities or create one of your own.

Consider how to involve community responders in training activities.
Conduct reviews after each training activity. Involve both personnel and community responders in the evaluation process.

2. Training Activities

Training can take many forms:

a. Orientation and Education Sessions (Discussion Exercises) These are regularly scheduled discussion sessions to provide information, answer questions and identify needs and concerns.

b. Tabletop Exercise -- Members of the Business Continuity Planning group meet in a conference room setting to discuss their responsibilities and how they would react to emergency scenarios. This is a cost-effective and efficient way to identify areas of overlap and confusion before conducting more demanding training activities.

c. Walk-through Exercise -- The Business Continuity Planning group and response teams actually perform their emergency response functions. This activity generally involves more people and is more thorough than a tabletop

d. Functional Exercises -- These exercises test specific functions such as medical response, emergency notifications, warning and communications procedures and equipment, though not necessarily at the same time. Personnel are asked to evaluate the systems and identify problem areas.

e. Evacuation Exercise -- Personnel walk the evacuation route to a designated area where procedures for accounting for all personnel are tested. Participants are asked to make notes as they go along of what might become a hazard during an emergency, e.g., stairways cluttered with debris, smoke in the hallways. Plans are modified accordingly.

f. Full-scale Exercise -- A real-life emergency situation is simulated as closely as possible. This exercise involves authority emergency response personnel, employees, management and community response organisations.

3. Employee Training

General training for all employees should address:

  1. Individual roles and responsibilities 

  2. Information about threats, hazards and protective actions 

  3. Notification, warning and communications procedures 

  4. Means for locating family members in an emergency 

  5. Emergency response procedures 

  6. Evacuation, shelter and accountability procedures 

  7. Location and use of common emergency equipment 

  8. Emergency shutdown procedures 

The scenarios developed during the vulnerability analysis can serve as the basis for training events.

4. Evaluate and Modify the Plan

Conduct a formal audit of the entire plan at least once a year. Among the issues to consider are:

  1. How can you involve all levels of management in evaluating and updating the plan? 

  2. Are the problem areas and resource shortfalls identified in the vulnerability analysis being sufficiently addressed? 

  3. Does the plan reflect lessons learned from exercises and actual events? 

  4. Do members of the Business Continuity Planning group and emergency response team understand their respective responsibilities? Have new members been trained? 

  5. Does the plan reflect changes in the physical layout of the facility? Does it 
reflect new facility processes?

  6. Are photographs and other records of facility assets up to date? 

  7. Is the facility attaining its training objectives? 

  8. Have the hazards in the facility changed? (H&S Risk Assessments) 

  9. Are the names, titles and telephone numbers in the plan current? 

  10. Are steps being taken to incorporate Business Continuity Planning into the business processes? 

  11. Have community agencies and organisations been briefed on the plan? Are they involved in evaluating the plan? 

In addition to a yearly audit, evaluate and modify the plan at these times:

  1. After each training exercise 

  2. After each emergency 

  3. When personnel or their responsibilities change 

  4. When the layout or design of the facility changes 

  5. When policies or procedures change 

  6. Remember to brief personnel on changes to the plan. 


Conduct a formal audit of the entire plan at least once a year

Appendix A

Business Continuity Planning Toolkit with Risk Assessment diagnostics

Organisation Name

[Change all headings as required]

Directorate / Department:

Contact Name:


  1. Business Continuity Planning Outline 

  2. Business Continuity Plan Template 

III. Business Continuity Plan Worksheets A. Checklist

B. Business Process Template
C. Recovery Procedures Template D. Risk Assessment Worksheets

Date Completed:


Written by: _____________________________________Date:____________ Written by: _____________________________________Date:____________

Review Date: [. ]

I. Business Continuity Planning Outline Phase One

  • Identify Current Mission-Critical Business Processes (See Operations Plan for starting point) 

  • Assess Impact or Importance of Business Processes, considering: 

  • Health and Safety 

  • Revenue or Cash Flow (Treasury) implications 

  • Number of Citizens, Businesses, or Employees Impacted 

  • Central Government Reporting Requirements 

Public Perception

  • Identify Resources and Dependencies 

  • Evaluate Risk or Likelihood of Failure 

  • Application Systems and Interfaces 

  • IT Infrastructure 

Third Party Products

  • Supply Chain 

  • Infrastructure (Facilities, Telecom, Utilities) 

Establish Priority Based upon Impact and Risk

Phase Two

Develop Business Continuity Plan Based upon Available Resources and Time Make Assumptions to Focus Plan

Devise Alternatives to Complete Core Business Processes, considering: Roles & Responsibilities
Communication Channels
Manual Work arounds

Triggering Events
Who Invokes the Plan
Required Training & Preparation How & Who Maintains the Plan Needed Supplies & Equipment Additional Staffing Needs
What Ends the Plan

Review for Completeness

Phase Three

Exercise the Plan
Make Modifications as Needed

II. Business Continuity Plan Template

The following sections are included in a Contingency Plan Template. It is a sample template, therefore, sections may be added or deleted as appropriate.

Phase I

Provide the name and a brief overview of the critical business function as it

currently exists. PRIORITY:

Determine the priority of this contingency plan relative to the other contingency plans, if multiple failures occur within an authority. Use this section if applicable.


  • Describe in simple terms the risk concern and the impact to the authority. Include the nature and likelihood of expected disruptions or impacts.
For example:-
Electrical power is unavailable. If processing cannot be resumed within 3 days, Client checks will be late.

  • Describe briefly any significant dependencies or linkages of the business process with programs within the authority, with other authorities, or with other parties either inside or outside of central or regional or place based partnership 

  • State explicitly any assumptions, which your Directorate or Business Unit is making in this contingency plan. 

Provide a brief conceptual description of how the contingency plan for the business process is intended to work.

For example:-
Conduct additional quality assurance review of documents prior to mailing.

Set up account in advance with alternate supplier(s) and establish procedures for using the alternate supplier.

Investigate feasibility and cost of an uninterruptible power supply.

Describe the level of services to be provided during the disruption.

For example:

Provide continuation of normal operations.

Provide continuation of service in a degraded mode.

Provide complete departure from normal functions as quickly

Business Continuity Planning Guide

Phase 2

Describe the specific events or conditions that will trigger or invoke the plan.

For example:

Employees can’t access building entry via electronic access cards or tokens.


  • Describe the expected life or duration of the contingency plan. 
For example:
How long it might be necessary to operate under the plan.Any special timing-related constraints, e.g., back-up batteries need re-charging after 10 hours.

  • Provide detailed, step-by-step procedures for initiating and executing contingency operations, and for transitioning back to normal (non-contingency) operations with the names of the persons who are to serve specific roles regarding the plan. 
For example:
Initiate internal and vendor list notification procedures – Responsibility: Ms. X Get backup listings from off-site storage – Responsibility: Mr. Y
Contact alternate supplier to provide needed supplies – Responsibility:


Name BCP Coordinator and Team

Provide the name and contact information of the person who will give the order to invoke the plan.

Provide the name of the person who will give the order to return to normal operations.

Provide a brief description of significant resources needed to implement, execute, and transition out of contingency operation. Also identify the person who is responsible for acquiring these resources, as events may warrant.

For example:
Staffing and scheduling of personnel.
Equipment, temporary hardware and software, forms and supplies, etc. Possible temporary working facilities.
Communications, both verbal and data.

Phase 3

Provide a brief description of any training or exercising of the plan that will be necessary.

For example:
Perform a structured walk-through to ensure that all the processes will work as expected.

Perform an exercise or “dry-run” to ensure that all the processes work.

Perform a “mock” exercise with required staff and vendors on a non-work day.

In continuity planning, the maintenance process ensures that people and process aspects of the plan which need additional work are properly addressed and corrected.

The following types of maintenance should be conducted for every business continuity plan in your Directorate or Business Unit:

o Scheduled
o Unscheduled o Post exercised


A. Checklist

B. Business Process Template

C. Recovery Procedures Template

D. Risk Assessment Worksheets

COMPONENTS OF A Cyber Resilience Plan


Checklist Components

Authority Name * PROCESS:
Business Process Name * Business Process Overview PRIORITY:

Priority within authority


Risk Description
Impact of Risk on Authority
Nature and likelihood of disruptions Dependencies upon business process Assumptions
Mitigating Strategies description
Level of service to be provided

Activation Trigger(s) *

Duration of contingency plan
Recovery Procedures/Work-Around * Responsible person for each action

Person invoking plan
Person ordering return to normal operations Resources Required *

Exercising Required
Person responsible to obtain resources Maintenance Required

Business Process [Title]



Risk Description:

Mitigating Strategies:

Activation Trigger(s):


RECOVERY PROCEDURE ACTION PLAN Recovery Procedures (Action Plan):


Implementation: Person Responsible:

Invokes Plan:

Return to Normal Operations:

Resources Required:

(Staff, supplies, etc.)

Procedures Responsibility





Sample Risk Assessment Worksheet

Purpose and Directions Purpose:

This worksheet is intended to provide a framework for answering the following questions for a particular business process:

  1. Where could a potential failure occur? 

  2. Does it impact this business process? If so, how much? 

  3. What has been done or is in progress to mitigate the threat of a failure? 

Based on the answers to the above questions: 4. What is the remaining risk?

By answering the last question, you should be in a better position to focus your contingency planning efforts, particularly which business processes are most in need of contingency planning and what specific failures do the contingency plans need to address and at what level of detail.








Choose a particular business process.

Review the areas of concern to determine if any need to be added or expanded upon that are specific to the business process. Modify spreadsheet as

appropriate. Note: the Remediation or Mitigation Status Values are stored in columns E-I, which are hidden.

For each area of concern, assign a level of dependency of High, Medium, Low, or Not Applicable (or blank).

Choose from the drop-down list of choices for the Remediation or Mitigation Status. This information will most likely come from the individuals within your authority that are responsible for status reports. If the choices do not properly reflect your status, type in your own status description.

Based on the level of dependency and the remediation or mitigation status, assess the remaining risk and assign a value of High, Medium, or Low. Alternatively, you may choose to comment on your analysis rather than assign a specific level of risk.

Once you have determined the highest remaining risk areas, focus your Contingency Planning initiative to address the risk areas. This would include which business processes need contingency plans, how detailed the plans should be, and


Directorate/ Business Unit

Business Process:

Areas of Concern Mitigation status

Risk Assessment (H/M/L)

Level of Dependency (H/M/L)


Operating System

Third Party Software


Custom Source Code/SCL

Internal Interfaces

External Interfaces (Banks, Government Agencies, Other NC)

Shared Data

Operating System Third Party Software

Telephone Switches

Voice Mail
Voice Response Units
Customer Service Centre reliance Mobile Phones

Fire Alarm Systems Security Systems Building Control Systems Parking Control Systems

Application Interfaces Hardware Infrastructure Supplier Support





Last updated