Forward…
Since the publication of this article in the winter (2004) issue of the Disaster Recovery Journal, partnerships have been formed among 7 organizations to create BC Best Practices guidelines.

· Association of Records Management Administration (ARMA)
· Business Continuity Institute (BCI)
· Disaster Recovery Journal (DRJ)
· Disaster Recovery Institute International (DRII)
· International Security Systems Certification Consortium (ISC2
· Financial Services Technology Consortium (FSTC)
· National Fire Protection Association (NFPA)

Its Time to Develop Universally Accepted Practices
In life, there are several questions that are difficult to answer, such as, “What is the meaning of life?” or “Why do 7-11’s have locks on their doors if they never close?” Few people can come up with an answer to these questions and I feel the same way when my manager asks, “What is the best practice for conducting a business impact analysis?”
As an industry it’s time for us to develop universally-accepted business continuity best practices, allowing business continuity planners to intelligently answer our management and colleagues when they ask, “What is the best practice for …” questions.

Gartner considers the term “best practice” to mean “expertise or lessons learned and captured from successful experience.” This assumption drives their definition of a best practice: “A best practice communicates insight on the application of a process or the performance of a task. A best practice improves the outcome, diminishes the risk, increases the reliability, or improves the understanding of the process or task.”

The Disaster Recovery Journal (DRJ) Editorial Advisory Board and DRII have established a Best Practices Committee to address the need for universally accepted business continuity best practices. The mission of the best practices committee is, “To be recognized as a leading source of ‘sound’ best practices by providing a depository of knowledge and recommendations offered by skilled business continuity practitioners.”

Best practices will be compiled from submittals by experienced business continuity practitioners from the public and private sectors, as well as user groups and/or related organizations, in regard to the industry standard Professional Practices. The Best Practices Committee will review the submittals semi-annually for approval. The approved submittals will reside on the DRJ website for all practitioners to access and implement within their respective organizations.

The goal is to complete the general business continuity best practices document first, and then write industry-specific business continuity best practices documents.

The nine subject areas being considered for the first draft of the best practices document are:
1. Program Management
• Outlining project scope
• Performing project management
• Obtaining program sponsorship and management
• Ensuring organization awareness and participation
• Determining cost analysis and funding
• Maintaining organization awareness

2. Business Impact Analysis
• Identifying types of impacts
• Assessing levels of impacts
• Determining levels of impacts over time
• Reporting assessments and conclusions

3. Risk Management
• Performing risk assessments
• Recommending risk mitigation measures
• Documenting risk acceptance

4. Incident Response Management
• Planning emergency response
• Documenting a crisis management plan
• Planning media and public relations communications

5. Communications Planning
• Identifying communications roles and responsibilities
• Establishing employee call lists and alternatives
• Planning media and public relations communications
• Planning for customer communications
• Planning for vendor communications

6. Business Continuity Planning
• Identifying continuity planning scope
• Establishing continuity roles and responsibilities
• Identifying continuity planning solutions
• Ensuring data and document integrity
• Planning for facility replacement or restoration

7. Public, Private, Regional Coordination
• Planning for coordination with local organizations and industry for regional events
• Planning for coordination between public/private entities for events of mutual concern

8. Plan Maintenance, Exercise, and Training
• Determining validation and testing of solutions
• Documenting planning gaps
• Documenting change management
• Documenting asset management
• Performing staff and recovery team training

9. Reports and Audits
• Completing exercise reports
• Responding to audits
• Submitting management updates

We now have an e-mail address to submit your best practices: bestpractices@drj.com. The Best Practices Committee needs your input to create this best practices document. The time is now. When we establish best practices we will be recognized as a discipline.

About the Author

Lori Yelland, CBCP, is Assistant Vice President at Comerica, Inc. and the Manager of Information Services Disaster Recovery. She is a member of the DRJ Editorial Advisory Board and the Chairperson of the DRJ Editorial Advisory Board's Best Practices Committee.