Service Continuity

A Project Management Process Area at Maturity Level 3

Purpose

The purpose of Service Continuity (SCON) is to establish and maintain plans to ensure continuity of services during and following any significant disruption of normal operations.

Introductory Notes

Service continuity is the process of preparing mitigation for significant disruptions to service delivery so that delivery can continue or resume, although perhaps in a degraded fashion. These practices describe how to prepare service systems and the resources they depend on to help ensure that a minimum critical level of service can continue if a significant risk is realized. Part of service continuity is identifying which services cannot be disrupted and which can be disrupted and for what amount of time.

The Service Continuity process area builds on the practices in the Risk Management process area. The Risk Management process area describes a general systematic approach to identifying and mitigating all risks to proactively minimize their impact on the project. Service continuity practices are a specialization of risk management that focuses on dealing with significant disruptions of normal operations. If risk management has been implemented, some of the resulting capability may be used to provide for more effective service continuity. However, generic risk management does not guarantee that service continuity is accomplished. Therefore, the specific practices of the Service Continuity process area are required in addition to those of the Risk Management process area.

Service Continuity can be applied at both the organization level and the project level. Therefore, the use of the term “organization” in this process area can apply to a project or the organization as appropriate.

Typically, service disruption is a situation that involves an event (or sequence of events) that makes it virtually impossible for a service provider to conduct business as usual.

Examples of such events include the following:

• Disruptions to infrastructure, such as significant equipment malfunctions and building collapse

• Natural disasters, such as hurricanes, tornados, and earthquakes

• Human events, such as civil unrest and acts of terrorism

A service provider may only have a short period of time in which to recover and resume providing services.

The Service Continuity process area covers developing, testing, and maintaining a service continuity plan. First, the following must be identified:

• The essential functions that support the services the organization has agreed to deliver

• The resources that are required to deliver services

• The potential hazards or threats to these resources

• The susceptibility of the service provider to the effects of each hazard or threat

• The potential impact of each threat on service continuity

This information is used to develop a service continuity plan that, in the event of a disruption, enables the organization to resume service delivery. Creating the service continuity plan typically involves the following three activities conducted after the information listed above has been collected. All of these activities, including the collection of information, are repeated periodically to keep the plan current:

• Documenting the service continuity plan based on the information previously collected

• Documenting the tests to validate the service continuity plan

• Documenting the training materials and training delivery methods for carrying out the service continuity plan

Finally, service continuity plans must be validated. Because it is unwise to wait until an emergency occurs to first execute the service continuity plan, personnel who will perform the procedures in the service continuity plan must be trained in how to perform these procedures. In addition, periodic tests must be conducted to determine whether the service continuity plan would be effective in an actual emergency or significant disruption and what changes to the plan are needed to enable the organization to continue to deliver service reliably.

Service Continuity

If you’ve read and understood the Risk Management process area, you may wonder why service continuity requires its own process area. Isn’t service continuity just a special kind of risk management? And if so, isn’t it already covered by the Risk Management process area? If service continuity is not a kind of risk management, what is it all about? Disaster recovery?

In fact, service continuity as described in this process area is a type of risk management, one that focuses on risks that are so catastrophic or overwhelming that they can potentially bring an organization to a complete halt for extended periods of time and at a minimum will severely cripple the full spectrum of its operations. Service continuity goals and practices help to ensure that the most critical services can continue to be delivered in some form in spite of such major disruptions.

Service continuity needs its own process area because the Risk Management process area is completely agnostic with respect to the selection of risks that projects and organizations choose to address and mitigate. Because the probabilities of many types of major disasters are so low, and because most of them have causes that are outside any form of control by a service provider (and in some cases, are even outside the realm of predictability), it is quite possible for projects and organizations to perform reasonable risk management without addressing potential major disasters at all.

The CMMI for Services model team felt that such a blind spot would be unacceptable for any sufficiently mature (level 3) service provider organization. The specific goals and practices of the Service Continuity process area are necessary to be certain that the risks of major disasters are not overlooked and that appropriate types of mitigations are established, trained for, verified, and validated. In fact, the depth of service continuity preparation necessarily goes far beyond the types of mitigations required for routine risk management. Separate goals and practices are needed to ensure that mature service providers have made these necessary preparations.

Related Process Areas

Refer to the Service Delivery process area for more information about delivering services.

Refer to the Decision Analysis and Resolution process area for more information about evaluating alternatives.

Refer to the Organizational Training process area for more information about delivering training.

Refer to the Project Planning process area for more information about developing a project plan.

Refer to the Risk Management process area for more information about identifying and analyzing risks.

Specific Practices by Goal

SG 1 Identify Essential Service Dependencies

The essential functions and resources on which services depend are identified and documented.

The first step in service continuity planning is to identify and prioritize essential services so that a plan can be created that enables these services to be provided during an emergency.

The second step is to identify and document the functions and resources on which these services depend. Essential functions may include manual processes, automated processes, end-user activities, and service delivery activities themselves whether prescheduled or a result of on-the-fly service request management.

Identified and prioritized services, functions, and resources are effectively the requirements for service continuity and can be managed as such.

Refer to the Requirements Management process area for more information about managing requirements.

SP 1.1 Identify and Prioritize Essential Functions

Identify and prioritize the essential functions that must be performed to ensure service continuity.

To identify essential functions, an intimate understanding of all service system operations is required. Although many functions are important, not every activity performed is an essential function that must be sustained in an emergency or significant disruption of services.

The priorities of essential functions should reflect which services can be disrupted and for what period of time (i.e., long versus short disruption). Understanding which services are critical drives which essential functions are required to provide critical services.

Establishing correct priorities requires involvement of a wide range of stakeholders.

Refer to the Integrated Project Management process area for more information about coordinating and collaborating with relevant stakeholders.

Typical Work Products

1. A business impact analysis

Subpractices

1. Identify and prioritize the essential services of the organization.

2. Identify the essential functions on which services rely.

3. Analyze the criticality of providing those functions and the impact to services if the essential functions cannot be performed.

Refer to the Decision Analysis and Resolution process area for more information about analyzing possible decisions using a formal evaluation process that evaluates identified alternatives against established criteria.

4. Prioritize the list of essential functions that must be provided despite a significant disruption.

SP 1.2 Identify and Prioritize Essential Resources

Identify and prioritize the essential resources required to ensure service continuity.

Essential resources are resources necessary to the continued functioning or reconstitution of services during and after an emergency. These resources are typically unique and hard to replace. Essential resources therefore include key personnel as well as essential assets, data, and systems. Essential resources may need to be protected. Suitable substitutes may need to be provisioned in advance. In the case of data, backups and archives may need to be established.

Many organizations make the mistake of identifying systems, personnel, and infrastructure inside the organization while overlooking resources outside the organization on which service continuity also depends. Resources that are commonly overlooked include consumables and vital records (e.g., documents describing legal or financial obligations).

Essential resources may be identified through analyses of the following:

• Delivery of services

• Functions essential to service continuity

• In-service agreements, supplier agreements, and standard service definitions

• Dependencies among service system components, relevant stakeholders, and the delivery environment

Common resource dependencies include information and data sources from both inside and outside the organization and the key personnel who make decisions regarding the service delivery or who are significant contributors to performing service delivery tasks.

Refer to the Integrated Project Management process area for more information about coordinating and collaborating with relevant stakeholders.

Essential resources generally fall into one of the following categories:

• Emergency operating resources (e.g., key personnel, equipment, consumables) necessary to resume disrupted services

• Legal and financial resources (e.g., contractual documents) that are essential to protect the rights and interests of the organization and individuals directly affected by the emergency

Refer to the Plan Data Management specific practice in the Project Planning process area for more information about data management activities.

Typical Work Products

1. Orders of succession

2. Delegations of authority

3. Directory of critical personnel with contact information

4. Data and systems required to support identified essential service functions

5. Records of service agreements and contracts

6. Records of legal operating charters (e.g., articles of incorporation, authorization by local, state, or national government agencies)

7. Personnel benefit balances, payroll, and insurance records

8. List of internal and external resources required

9. List of dependencies and interdependencies of resources

Subpractices

1. Identify and document internal and external dependencies.

2. Identify and document key personnel and their roles in relation to service delivery.

3. Identify and document organizational and relevant stakeholder responsibilities.

4. Identify and document resources required by essential functions to ensure continuity.

5. Prioritize resources based on an evaluation of impact from their loss or from lack of access.

6. Ensure that safety provisions are made for personnel, both internal and external, within the delivery environment and for organizational supporting functions.

7. Ensure that records and databases are protected, accessible, and usable in an emergency.

SG 2 Prepare for Service Continuity

Preparations are made for service continuity.

Preparing for service continuity involves creating a plan, delivering training to execute the plan, and putting resources into place such as backup sites or systems.

Not all services must be resumed immediately following a disruption. The service continuity plan identifies those services that must be resumed and the priority sequence for recovery of those services.

In addition, training to execute the service continuity plan must be developed and delivered to those who may have to implement the plan.

Refer to the Integrated Project Management process area for more information about integrating plans.

Refer to the Project Planning process area for more information about developing a project plan.

SP 2.1 Establish Service Continuity Plans

Establish and maintain service continuity plans that enable the organization to resume performing essential functions.

A service continuity plan provides explicit guidance to the organization in the event of a significant disruption to normal operations. An organization may maintain multiple plans covering different types of disruptions or different types of services. Conversely, there may be need for only one service continuity plan.

Typical Work Products

1. Formal statement of who has the authority to initiate and execute the service continuity plan

2. List of communication mechanisms needed to initiate the execution of the service continuity plan

3. List of threats and vulnerabilities that could impede the ability of the organization to deliver services

4. List of alternate resources and locations that support the organization’s essential functions

5. Documentation of the recovery sequence

6. List of key personnel’s roles and responsibilities

7. List of stakeholders and the methods used for communicating with them

8. Documented methods for handling security-related material, as appropriate

Subpractices

1. Identify and document threats and vulnerabilities to ongoing service delivery.

Information on threats and vulnerabilities is usually developed in other processes and activities and used as an input to the service continuity plan. In the service continuity plan, the events, threats, and vulnerabilities most likely to lead to enacting the plan are recorded. Different actions may be planned for categories of events. Risk information gathered about individual services may also be an input to this portion of the plan.

Refer to the Risk Management process area for more information about identifying, analyzing, and mitigating risks.

2. Document the service continuity plan.

3. Review the service continuity plan with relevant stakeholders.

SSD Add

Refer to the Service System Development process area for more information about performing peer reviews.

4. Ensure that secure storage and access methods exist for the service continuity plan and critical information and functions needed to implement the plan.

5. Ensure that vital data and systems are adequately protected.

Addressing the protection of vital data and systems may include developing additional service system components.

SSD Add

Refer to the Service System Development process area for more information about developing service systems.

6. Document the acceptable service level agreed to by the customer for when a shift between the normal delivery environment and the recovery environment (e.g., site affected by disruption, alternate site) is necessary.

Document the acceptable service levels for various outage scenarios (e.g., site, city, country).

7. Plan for returning to normal working conditions.

8. Develop procedures for implementing the service continuity plan.

9. Revise the service continuity plan as necessary.

Examples of when the service continuity plan may need to be revised include the following:

• There are major changes to the services being delivered.

• Essential functions or infrastructure change.

• Key dependencies on resources, both internal and external, change.

• Feedback from training warrants change.

• Preparing for verification and validation of the service continuity plan identifies changes that are needed.

• Results of verification and validation warrant change.

• The delivery environment changes.

• New significant threats or vulnerabilities have been identified.

SP 2.2 Establish Service Continuity Training

Establish and maintain training for service continuity.

Training the personnel who will be involved in executing the service continuity plan increases the probability of success in the event that the plan must be executed. It may be appropriate to include the customer and end user in service continuity training.

Examples of when customers and end users should be considered include the following:

• Situations in which the customer and end user are colocated with the service provider and could be affected by the same events causing the service provider to initiate its service continuity plan

• Situations in which a change required by executing a service continuity plan may affect the customer’s or end user’s way of doing business

Examples of the types of staff to be trained include the following:

• Personnel who respond to service requests

• Personnel who provide infrastructure support (e.g., information technology, utilities)

• End users

• Suppliers

• Selected project and organization managers and staff

Examples of service continuity training methods include the following:

• Role playing

• Scenario-based training

• Classroom instruction

• Group discussions

Typical Work Products

1. Service continuity training material

Subpractices

1. Develop a strategy for conducting service continuity training.

2. Develop and document service continuity training for each category of threat and vulnerability to service delivery.

3. Review service continuity training material with relevant stakeholders.

SSD Add

Refer to the Service System Development process area for more information about performing peer reviews.

4. Revise the training material as needed to reflect changes in the service continuity plan and feedback on training effectiveness.

SP 2.3 Provide and Evaluate Service Continuity Training

Provide and evaluate training in the execution of the service continuity plan.

Training provides instruction to personnel who might have to participate in executing the service continuity plan in the event of a significant disruption. In addition, training provides a mechanism for gathering feedback on whether the service continuity plan should be updated or clarified.

Refer to the Organizational Training process area for more information about providing necessary training.

Typical Work Products

1. Training records

2. Evaluations of training effectiveness by students and training specialists

3. Suggested improvements to the service continuity plan

Subpractices

1. Deliver training that covers the execution of the service continuity plan to appropriate personnel.

2. Maintain records of those who successfully complete service continuity training.

3. Solicit feedback on how well service continuity training prepared those who will execute the service continuity plan.

4. Analyze training feedback and document suggested improvements to the service continuity plan and service continuity training.

SG 3 Verify and Validate the Service Continuity Plan

The service continuity plan is verified and validated.

Verifying and validating the service continuity plan helps to ensure preparedness for various threats and vulnerabilities before a significant disruption occurs. This practice enables reviews, tests, and demonstrations to be conducted in a relatively benign environment.

Accomplishing verification and validation includes selecting appropriate methods, conducting verification and validation, and analyzing results.

Examples of verification methods include the following:

• Inspections

• Peer reviews

• Audits

• Walkthroughs

• Analyses

• Simulations

• Testing

• Demonstrations

Examples of validation methods include the following:

• Discussions with end users, perhaps in the context of a formal review

• Prototype demonstrations

• Functional demonstrations (e.g., testing a backup file system, exercising an alternative communication network to coordinate service delivery, switching to manual processes)

• Pilots of training materials

• Tests of the service system and its components by end users and other relevant stakeholders

The Service System Development process area contains practices that focus on verifying and validating service system components and services. The guidance found there may be useful when implementing verification and validation of service continuity plans.

SSD Add

Refer to the Service System Development process area for more information about verifying selected service system components against their specified requirements.

SP 3.1 Prepare for the Verification and Validation of the Service Continuity Plan

Prepare for the verification and validation of the service continuity plan.

Verification and validation should be conducted on a periodic and event-driven basis. Typically, the verification and validation of the service continuity plan is performed periodically (e.g., annually). However, when there are major changes to the service system or to the delivery environment, the service continuity plan should be reviewed or tested to confirm that the service continuity plan is still correct and current.

Typical Work Products

1. Verification and validation plan for ensuring service continuity

2. Evaluation methods used for verification and validation

3. Description of environments necessary to conduct verification and validation

4. Verification and validation procedures

5. Criteria for what constitutes successful verification and validation

Subpractices

1. Develop a plan for conducting service continuity verification and validation.

The strategy for conducting service continuity verification and validation documents the requirements for verification and validation and addresses the key principles, activities, resources, and environments required for effective verification and validation of the service continuity plan.

Verification and validation is not a one-time event. The strategy should address the frequency with which verification and validation should be performed.

The plan for conducting verification and validation of the service continuity plan typically includes the following:

• Strategy used for conducting verification and validation

• Categories of threats and vulnerabilities to be evaluated

• Essential functions and resources to be verified and validated for each category

• Methods to evaluate the adequacy of preparation

• Environments needed to support verification and validation

• Schedule of activities to conduct verification and validation

• Assigned resources

2. Review with relevant stakeholders the verification and validation plan, including evaluation methods and the environments and other resources that will be needed.

Stakeholders must understand and agree to the verification and validation strategy, methods, activities, environments, and resources.

3. Determine the procedures and criteria for verification and validation of the service continuity plan.

Procedures and criteria are used to ensure that the elements of the service continuity plan are correct, effective, and current relative to the categories of threats and vulnerabilities.

4. Identify changes to the service continuity plan from the preparation for verification and validation.

SP 3.2 Verify and Validate the Service Continuity Plan

Verify and validate the service continuity plan.

Verification and validation is conducted according to the defined plan, methods, and procedures to confirm that the service continuity plan is complete, reasonable, and effective.

Typical Work Products

1. Roster of personnel and stakeholders involved in service continuity verification and validation

2. Results of service continuity plan verification and validation

Subpractices

1. Prepare the environment to conduct verification and validation.

2. Conduct verification and validation of the service continuity plan.

3. Record the results of verification and validation activities.

SP 3.3 Analyze Results of Verification and Validation

Analyze the results of validation and verification activities.

Results of service continuity plan verification and validation are analyzed against defined verification and validation criteria. Analysis reports identify elements to improve in the service continuity plan and identify problems with verification and validation methods, environments, procedures, and criteria.

Typical Work Products

1. Verification and validation analysis reports

2. Improvement recommendations for the service continuity plan

3. Verification and validation improvement recommendations

Subpractices

1. Compare actual to expected results of service continuity plan verification and validation.

2. Evaluate whether restoration to agreed service levels or some other planned state was achieved.

3. Document recommendations for improving the service continuity plan.

4. Document recommended improvements to the verification and validation of the service continuity plan.

5. Collect improvement proposals for services or service system components as appropriate based on the analyses of results.

6. Provide information on how defects can be resolved (including verification methods, criteria, and the verification environment) and initiate corrective action.

Refer to the Project Monitoring and Control process area for more information about managing corrective action to closure.
