TORONTO (07/19/2000) - Business unit contingency planning was never more visible or more important than in 1999, when every senior manager had to review his or her operations in preparation for the Year 2000. A formal Business Impact Analysis (BIA) was conducted at many organizations - for the first time in some cases - to identify single points of failure and other risks and threats to business operations. But just because Year 2000 rolled in with little disruption, that's not to say that business unit contingency plans aren't worth the effort or that they are no longer important.

When preparing business unit contingency plans, the critical question is: are they feasible and appropriate? Everyone looks for a magic solution to this question. The problem is that the answer isn't so easy - it can only be determined through comprehensive testing of the contingency plans. And everyone hates testing.

One tool that can help assess the strength and reasonableness of the business unit contingency plan is a self-assessment questionnaire. In an organization that is developing plans for the first time or that has focused on IT recovery plans in the past, the use of a self-assessment questionnaire can be an effective way of identifying obvious weaknesses in the current plans. The accompanying questionnaire, completed by the people that know the business, can allow these plans to be brought to a new level of quality and effectiveness.

My suggestion is to provide the questionnaire to the writers of the business unit contingency plans and let them do their own analysis (through completion of the questions) and adjustments to their plans. In the ongoing maintenance of the plans (i.e. in the second year), I suggest a more formal feedback to the questionnaire.

BUSINESS UNIT CONTINGENCY PLANS (SELF-ASSESSMENT QUESTIONNAIRE) FOCUS: Strengthening of Business Unit Contingency Plans PURPOSE: Assist Business Unit Review of their Contingency Plans The assessment of a Business Unit's Contingency Planning documentation should consider the following questions (at two levels):

ORGANIZATIONAL LEVEL (BU) QUESTIONS

1. Do all critical functions of the Business Unit have contingency plans in place?

2. Do the contingency plans (level of content) reflect the risks and impacts involved?

3. Is the Business Unit prepared (capable) to implement their contingency plans?

4. What are the key activities still outstanding? (to be prepared) 5. Has the Business Unit completed the contingency planning documentation in accordance with the corporate planning policies and guidelines?

6. Is the plan tested and subsequently reviewed/revised accordingly on a regular basis to ensure optimum performance?

7. Have arrangements been made for coordination with local emergency services?

(if applicable)

8. Have arrangements been made for emergency funds availability? (if applicable) DOCUMENT LEVEL QUESTIONS 1. Does the plan contain clear/concise Statements of Policy and Purpose and describe the critical functions covered by the plan?

2. Does the plan provide sufficient information for each section of the document to allow the reader to understand and execute the plan?

3. Does the plan contain a brief description of the business functions and systems used, including the criticality of the area?

4. Does the plan describe the roles and responsibilities of the BU management and staff in its function as a Crisis Management Team, and the communication process for escalation of problems?

5. Are all key points of contact listed and updated at least monthly?

6. Does the plan contain a section where risks and contingencies are identified? - Are risks identified? (Note - Can be in a Risk and Impact Worksheet) - Have contingencies, resource requirements, solutions and workarounds been detailed for each identified risk including site-specific and area-wide events? - Does the plan address the impacts of the contingencies that may be put in place? - Does the plan address the possibility of degraded system functionality, including the need for additional training and personnel requirements to accomplish a manual workaround?

7. Does the plan describe the necessary actions to ensure that the proper coordination of activities is carried out?

8. Does the plan describe how the plan will be maintained, tested, reviewed and updated to ensure that it accurately reflects the most current information, including the assignment of responsibility for plan maintenance?

9. Does BU documentation follow corporate planning policy and guidelines?

10. Is the plan distributed to all relevant personnel?

11. Is there adequate provision for emergency communication among key personnel in the event of a contingency?

12. Has a Crisis Management Centre been designated at which all relevant personnel are to convene in the event of a contingency?

13. What improvements to the contingency planning documentation would improve its overall effectiveness?

Dan Swanson, CIO Canada's "Web Browser" columnist, is a consultant with LGS Group in Winnipeg, specializing in audit and management consulting. He can be reached at dswanson@lgs.ca.