Treasury Board of Canada Secretariat
Symbol of the Government of Canada

ARCHIVED - A Guide to Effective Business Continuity in Support of the Year 2000 Challenge

Warning This page has been archived.

Archived Content

Information identified as archived on the Web is for reference, research or recordkeeping purposes. It has not been altered or updated after the date of archiving. Web pages that are archived on the Web are not subject to the Government of Canada Web Standards. As per the Communications Policy of the Government of Canada, you can request alternate formats on the "Contact Us" page.

5.0   Plan

In order to establish a yardstick against which a department's progress in implementing business continuity can be measured, plans must be developed and implemented. Failure to develop these plans may significantly affect the department's preparedness in dealing with possible crises.

5.1 Process

The Integrated Business Continuity Approach

Note: Risk planning is based on the SEI "Plan" process [CRM Guidebook, Chapter 6, Page 53].

With the first three activities completed, departments can then develop plans to address the risks and ensure their preparedness to ensure business continuity. The two plans that need to be developed are:

  1. Risk Action Plan. This plan will address known risks and develop specific strategies to address the risks; and
  2. Business Continuity Preparedness Plan. This plan address all the components required to respond and recover from a crisis. It addresses both compliancy and business continuance contingency plans developed for specific risks or events; crisis scenarios to link possible risk events; crisis response plans, and business resumption plans.

These plans should be developed by members of the governance structure assigned to the areas of the business continuity process (i.e. risk action plan, contingency planning, crisis management, and business resumption).

The process to be implemented consists of providing the information identified in the corresponding templates and, more importantly, mobilizing the resources to implement the plans.

More specifically, the objective of the Risk Action Plans is to determine what actions should be taken, if any, to mitigate the identified risks. Risk action planning answers the following questions:

Table 7: Risk Action Planning Questions
Question Explanation
  • Whose risk is it?
Responsibility must be assigned for each risk item
  • What can be done about it?
An approach or strategies to deal with the risk item must be developed
  • How much and what should be done?
The scope and actions to manage the risks must be determined

The resulting risk action plans must then be implemented according to the assigned responsibilities.

The objective of the business continuity preparedness plan is to address all the components required to respond and recover from a crisis. In essence, it also answers fundamental questions such as:

Table 8: Business Continuity Planning Questions
Question Explanation
  • Where are the risks? Where should we develop contingencies? What will be those contingencies?
Departments must develop both compliance and business continuity contingency plans for those areas where they are exposed.
  • What are the likely crisis scenarios?
Departments must attempt to anticipate likely crisis scenarios in order to develop effective responses to these events.
  • What needs to be done in order to recover from these crises?
Departments must determine what needs to be done in order to revert back to normal operations after experiencing a crisis or implementing a contingency plan.

Both of these plans are supported by templates.

5.2 Data Flow

Figure 6 – Plan Data Flow

Figure 6 – Plan Data Flow

The following data inputs are required:


Table 9: Plan Data Inputs
Data Input Description
Risk Information Sheet(s) From the "Analyze" activity containing the risk information
Risk Assessment Report Contains the risk information as well as other background information such as observations or problems.
Business Continuity Statement of Requirements and Capability Assessment From the "Analyze" activity, stating the requirements for contingency planning.


The deliverables to be developed as part of this task include:

  1. Updated risk information sheet(s) with the risk action plan information; and
  2. Business continuity preparedness plan, with crisis scenarios, contingency plans, crisis response plan and business resumption plan.

5.3 Techniques and Tools 

Table 10 provides a summary of the techniques and tools used for this activity. Details of the techniques and tools can be found in the appendices.

Table 10: Plan Techniques and Tools
Activity Techniques and Tools
  • "Plan" Detailed Procedures (Appendix O)
  • [CRM Guidebook, Chapter A-7,
    Page 295].
Develop Business Continuity Preparedness Plan
  • Sample Contingency Planning – Table of Contents (Appendix P)
  • Crisis Scenario Definition Detailed Procedures (Appendix Q)
  • Sample Crisis Response Plan – Table of Contents (Appendix R)
  • Sample Business Resumption Plan – Table of Contents (Appendix S)

5.4 Guidelines and Tips

The following are guidelines and tips that can facilitate the performance of this activity.

  1. Plan important risks first (those that are likely to materialize soon and have a significant negative impact);
  2. Plan efficiently (stay focused on the cost-benefit of the proposed plans);
  3. Ensure that the risk action plans address the source of the risk;
  4. Make sure that key stakeholders are present and provide input into the planning process;
  5. Implement the risk action plans in a timely manner in order to effectively deal with the risks;
  6. Communicate the risk mitigation strategy and risk action plans (included as part of the updated Risk Information Sheets) to the Governance Structure members; and
  7. The level of contingency planning should be commensurate to the level of exposure for each function (i.e. the more exposed a function is to disruption, the greater the efforts should be in the area of contingency planning).