In organizations whose failure carries public risk exposure, such as nuclear power plants, airlines, oil and gas exploration and drilling firms, banks, and government or public institutions, additional risk documentation is recommended. This documentation is also part of the traditional ERM process. As an example, the following are typical plans and procedures arising from operational risk planning; they can be customized to an organization's needs, and in practice they overlap and cross-reference one another, so each should state clearly which events trigger it and who owns its execution.
- Business Continuity Plan (BCP) focuses on sustaining business functions during and after a disruption (e.g., business functions may include an organization’s payroll process or consumer information process). A BCP may be written for a specific business process or it may address all key business processes. IT systems are considered in the BCP in terms of their support to the business processes. A Disaster Recovery Plan, Business Resumption Plan, and Occupant Emergency Plan may be appended to the BCP as required.
- Business Recovery Plan (BRP) or Business Resumption Plan addresses the restoration of business processes after an emergency. Development of the BRP will be coordinated with the Disaster Recovery Plan and BCP.
- Continuity of Operations Plan (COOP) focuses on restoring an organization's essential functions at an alternate site and performing those functions for up to 4 weeks before returning to normal operations. Because a COOP addresses headquarters-level issues, it is developed and executed independently from the BCP. The document can include Delegation of Authority, Orders of Succession, and Procedures for Vital Records and Databases.
- Continuity of Support Plan and IT Contingency Plan (Recovery Strategy) are developed and maintained for the IT side of the business: continuity of support plans for general support systems, and contingency plans for major applications. These are the IT-level documents that the business-level plans above rely on for system recovery.
- Cyber Incident Response Plan (CIRP) establishes procedures to address cyber-attacks against an organization’s IT system. A CIRP is designed to enable security personnel to identify, mitigate, and recover from malicious computer incidents, such as unauthorized access to a system or data, denial of service, or unauthorized changes to system hardware, software, or data (e.g., malicious logic, such as a virus, worm, or Trojan horse).
- Disaster Recovery Plan (DRP) becomes applicable after catastrophic events that deny access to the normal facility for an extended period. Depending on the organization’s needs, several DRPs may be appended to the BCP.
- Crisis Management Plan (CMP) and Crisis Communications Plan (CCP) detail how an organization prepares its internal and external procedures prior to and during a disaster. A crisis communications plan is often developed by the function responsible for public outreach, and its procedures are included as an appendix to the BCP. The communications plan designates specific individuals as the sole authority for answering questions from the public regarding disaster response, so that no one else speaks for the organization during an incident.