This document provides a business continuity plan for a small business that provides consulting services. It identifies key business functions and processes, potential impacts of disruptive events, resilience strategies, and recovery actions. The plan addresses how the business would continue operating and recover if it lost its IT infrastructure, office, or other assets due to events like fire or flood. It outlines backup procedures for important digital and physical assets and identifies alternative options and vendors that could be used to quickly restore operations.

1. Example Business Continuity Plan
Based upon DS4.2 from COBIT (Control Objectives for Information Technology)
Prepared by: Micheal Axelsen FCPA1
Director, Applied Insight Pty Ltd
Provided as is, without warranty, for businesses to consider as a very early starting point in
the preparation of a business continuity plan. This work is based upon material delivered to
University business students.
Question One: Research Issue – Personal Data Protection
Assume a fire has destroyed your bedroom. Identify the items in your room that would be
irreplaceable if this scenario eventuated. Draw up a business continuity plan for your
bedroom and yourself.
Identify what you would need to do to ensure that irreplaceable items are better protected in
the future. Identify the steps you would need to take immediately after the fire to recover
from this disaster.
Worked Solution
Note that in COBIT 4.1, regarding the IT aspects we would need to identify an IT continuity
plan. Firstly, we need to understand our business requirements – what our key business
functions and processes are (DS4.2).
So, the business continuity plan draws upon our risk management framework (for argument’s
sake, AS/NZS 4360:2004):
• Identify key business functions and processes.
1
Micheal may be contacted on 0412 526 375 or micheal.axelsen@appliedinsight.com.au.
1

2. • Identify ‘major’ disruption by reference to risk appetite
Consider what the definitions of economic loss might be that are insignificant, minor,
moderate, major, or catastrophic (e.g. catastrophic might be $1,000,000 whilst
insignificant might be $500).
• Identify potential business impacts
• What actions can be taken to address requirements for:
• Resilience (reduce likelihood or consequence of the risk)
• Alternative processing (work-arounds in the event access is denied)
• Recovery capability of critical IT services (recovery of critical IT services)
• Identify usage guidelines, roles and responsibilities, procedures, communication
processes, and the testing approach
2

3. A rough approach might look like this:
Business Continuity Plan
Risk Appetite: The business has determined that it can withstand a $3,000 level of disruption.
Assumptions: Catastrophic events (e.g. fire, flood) would result in similar business impacts. Actions to reduce impact will work equally as well
for low-impact events (e.g. localised flooding, loss of internet connection).
Note: Some things are deliberately missing – who can spot something?
Key business functions Business impact if Resilience Actions Procedures &
unavailable Responsibilities
Client Acquisition:
• Marketing website material Clients unable to discover Host with reliable ISP with strong Take XML download of posts/content MSA
(two websites, business and identify financial background (Yahoo) monthly. Add to backup processes.
www.michealaxelsen.com and services. Large business
www.appliedinsight.com.au) impact. Host on a common ISP platform.
and supporting collateral
If content lost, would take
months to re-create, if at
all possible.
• Current marketing plan Marketing stages with Incorporate into Exchange Server None identified. MSA
clients lost. Moderate with email – reduce points of failure.
business impact.
Reputable provider with SLA
(WebCentral)
Enables sync across devices and
internet access.
Service Delivery
• Methodologies and client Affects ability to convince Store in a single place and protect Backup process: MSA
outputs clients of capability. that well (i.e. hard drive) and
incorporate into backup processes. 1. Use SyncBack for each laptop daily –
3

4. Key business functions Business impact if Resilience Actions Procedures &
unavailable Responsibilities
Affects efficiency and files are stored in three places (PMD,
effectiveness as these are Dell, HP).
all key to service delivery. 2. Daily backup from Dell to external
USB using MS Backup & Sync
(monthly resets to keep disk space
low).
3. Monthly backup of entire system to a
third 500gb pocket media drive kept at
separate office 5 km away.
• Precedents and models Affects ability to convince Store in a single place and protect See backup process MSA
clients of capability. that well (i.e. hard drive) and
incorporate into backup processes.
Affects efficiency and
effectiveness as these are
all key to service delivery.
• Templates Affects ability to convince Store in a single place and protect See backup process MSA
clients of capability. that well (i.e. hard drive) and
incorporate into backup processes.
Affects efficiency and
effectiveness as these are
all key to service delivery.
• Research Notes Affects ability to convince Store in a single place and protect None required – rely upon Evernote SLA. MSA
clients of capability. that well (i.e. hard drive) and
incorporate into backup processes.
Affects efficiency and
effectiveness as these are Store research notes in Evernote
all key to service delivery. software (paid subscription) –
enables sync across devices and
mobile access.
Maintained in three places (Dell,
online, and HP Mini-Note).
Administrative Support
4

5. Key business functions Business impact if Resilience Actions Procedures &
unavailable Responsibilities
• MYOB Accounting System Unable to invoice and Store in a single place and protect See backup process MSA
meet external compliance that well (i.e. hard drive) and
requirements. incorporate into backup processes.
• Access to email Unable to communicate Incorporate into Exchange Server None. MSA
with clients. with email – reduce points of failure.
Reputable provider with SLA
(WebCentral)
• Task list Current workload would Incorporate into Exchange Server None. MSA
be lost. with email – reduce points of failure.
Reputable provider with SLA
(WebCentral)
Enables sync across devices and
internet access with only an internet
connection.
• Mobile telephone Major contact point with Insurance policy None. MSA
clients lost; $1,200 phone
to replace if purchased.
• VOIP phone Major contact point with None – wear this as an expense. Identify provider (Engin telephone). MSA
clients lost; $100 phone to
replace if needs to be Divert VOIP phone to mobile in
repurchased. emergency using password details noted in
Evernote.
• Accounting records (Paper) Unable to invoice and Monthly scan to electronic format. See backup process. MSA
meet external compliance
requirements.
• Bookmarks Lose record of access to Place bookmarks online in webspace None. MSA
many required online (start.michealaxelsen.com) using
services (e.g. online Google start page.
5

6. Key business functions Business impact if Resilience Actions Procedures &
unavailable Responsibilities
banking, blog,
• Critical passwords Unable to access many Store passwords in Evernote None. MSA
websites crucial to (encrypted using common super-
operating business duper secret password).
Will be able to regain access with PC
and internet connection.
• Suncorp Token Key Without this, I lose access In event of catastrophe, Suncorp None. MSA
to online banking full stop. provides a temporary security code
until a new key is issued.
IT Infrastructure
• Dell Laptop (15”) (approximately $3K) Unable to provide Insurance policy; In event of loss, identify with insurance MSA
services backup processes provider and order replacement.
Preferred Vendor: Dell
• HP Laptop Mini-Note 2133 (approximately $1K) Unable to provide Insurance policy; In event of loss, identify with insurance MSA
services backup processes provider and order replacement.
Preferred Vendor: HT
• HP Scanjet bubblejet printer Unable to provide Insurance policy; In event of loss, identify with insurance MSA
services backup processes. provider and order replacement.
Order three year on- Preferred Vendor: HT
site warranty.
• Pocketmedia Drive Unable to provide Insurance policy; In event of loss, identify with insurance MSA
services backup processes provider and order replacement.
Preferred Vendor: HT
• External USB HDD (WD) Unable to provide Insurance policy; In event of loss, identify with insurance MSA
services backup processes provider and order replacement.
6

7. Key business functions Business impact if Resilience Actions Procedures &
unavailable Responsibilities
Preferred Vendor: HT
• Broadband connection Unable to perform Identify a secondary Use alternative provider (suggested: $10 MSA
online banking, pay alternative provider per GB wireless connection at UQ,
bills, and deliver available quickly from office).
services.
Or just wifi surf someone else’s open
wireless connection .
• CD Media (to reinstall software) If lost, would require re- Backup CD media and Restore from separate DVDs. MSA
purchase of $5,000 store in a separate
worth of Microsoft location (office)
goodies without proof- together with software
of-purchase. keys.
7