Service Continuity: A Project and Work Management Process Area at Maturity Level 3

Purpose

The purpose of Service Continuity (SCON) is to establish and maintain plans to ensure continuity of services during and following any significant disruption of normal operations.



Introductory Notes

Service continuity is the process of preparing mitigation for significant disruptions to service delivery so that delivery can continue or resume, although perhaps in a degraded fashion. These practices describe how to prepare service systems and the resources they depend on to help ensure that a minimum critical level of service can continue if a significant risk is realized. Part of service continuity is identifying which services cannot be disrupted and which can be disrupted and for what amount of time.



The Service Continuity process area builds on the practices in the Risk Management process area. The Risk Management process area describes a general systematic approach to identifying and mitigating all risks to proactively minimize their impact on the work. Service continuity practices are a specialization of risk management that focuses on dealing with significant disruptions of normal operations. If risk management has been implemented, some of the resulting capability can be used to provide for more effective service continuity. However, generic risk management does not guarantee that service continuity is accomplished. Therefore, the specific practices of the Service Continuity process area are required in addition to the practices of the Risk Management process area.

Service Continuity can be applied at both the organization level and the work group level. Therefore, the use of the term “organization” in this process area can apply to a work group or the organization as appropriate.

Typically, service disruption is a situation that involves an event (or sequence of events) that makes it virtually impossible for a service provider to conduct business as usual.



A service provider may only have a short period of time in which to recover and resume providing services.

The Service Continuity process area covers developing, testing, and maintaining a service continuity plan. First, the following should be identified:

• The essential functions that support the services the organization has agreed to deliver

• The resources that are required to deliver services

• The potential hazards or threats to these resources

• The susceptibility of the service provider to the effects of each hazard or threat

• The potential impact of each threat on service continuity

This information is used to develop a service continuity plan that, in the event of a disruption, enables the organization to resume service delivery. Creating the service continuity plan typically involves the following three activities conducted after the information listed above has been collected. All of these activities, including the collection of information, are repeated periodically to keep the plan current:

• Documenting the service continuity plan based on the information previously collected

• Documenting the tests to validate the service continuity plan

• Documenting the training materials and training delivery methods for carrying out the service continuity plan

Finally, service continuity plans should be validated. Because it is unwise to wait until an emergency occurs to first execute the service continuity plan, staff who will perform the procedures in the service continuity plan should be trained in how to perform these procedures. In addition, periodic tests should be conducted to determine whether the service continuity plan would be effective in an actual emergency or significant disruption and what changes to the plan are needed to enable the organization to continue to deliver service reliably.


Service Continuity

If you’ve read and understood the Risk Management process area, you may wonder why service continuity requires its own process area. Isn’t service continuity just a special kind of risk management? And if so, isn’t it already covered by the Risk Management process area? If service continuity is not a kind of risk management, what is it all about? Disaster recovery?

In fact, service continuity as described in this process area is a type of risk management, one that focuses on risks that are so catastrophic or overwhelming that they can potentially bring an organization to a complete halt for extended periods of time, and at a minimum will severely cripple the full spectrum of its operations. Service continuity goals and practices help to ensure that the most critical services can continue to be delivered in some form in spite of such major disruptions.

Service continuity needs its own process area because the Risk Management process area is completely agnostic with respect to the selection of risks that work groups and organizations choose to address and mitigate. Because the probabilities of many types of major disasters are so low, and because most of them have causes that are outside any form of control by a service provider (and in some cases, are even outside the realm of predictability), it is quite possible for work groups and organizations to perform reasonable risk management without addressing potential major disasters at all.

The CMMI for Services model team believed that such a blind spot would be unacceptable for any sufficiently mature (level 3) service provider organization. The specific goals and practices of the Service Continuity process area are necessary to be certain that the risks of major disasters are not overlooked, and that appropriate types of mitigations are established, trained for, verified, and validated. In fact, the depth of service continuity preparation necessarily goes far beyond the types of mitigations required for routine risk management. Separate goals and practices are needed to ensure that mature service providers have made these necessary preparations.


Related Process Areas

Refer to the Service Delivery process area for more information about delivering services in accordance with service agreements.

Refer to the Decision Analysis and Resolution process area for more information about evaluating alternatives.

Refer to the Organizational Training process area for more information about delivering training.

Refer to the Risk Management process area for more information about identifying and analyzing risks.

Refer to the Work Planning process area for more information about developing a work plan.



Specific Practices by Goal

SG 1 Identify Essential Service Dependencies

The essential functions and resources on which services depend are identified and documented.

The first step in service continuity planning is to identify and prioritize essential services so that a plan can be created that enables these services to be provided during an emergency.

The second step is to identify and document the functions and resources on which these services depend. Essential functions can include manual processes, automated processes, end-user activities, and service delivery activities themselves whether prescheduled or a result of on-the-fly service request management.

Identified and prioritized services, functions, and resources are effectively the requirements for service continuity and can be managed as such.

Refer to the Requirements Management process area for more information about managing requirements of products and product components and ensuring alignment between those requirements and the work plans and work products.

SP 1.1 Identify and Prioritize Essential Functions

Identify and prioritize the essential functions that must be performed to ensure service continuity.

To identify essential functions, an intimate understanding of all service system operations is required. Although many functions are important, not every activity performed is an essential function. Essential functions are those functions that must be sustained in an emergency or significant disruption of services.

The priorities of essential functions should reflect which services can be disrupted and for what period of time (i.e., long versus short disruption). Understanding which services are critical drives which essential functions are required to provide critical services.

Establishing correct priorities requires involvement of a wide range of stakeholders.

Refer to the Integrated Work Management process area for more information about coordinating and collaborating with relevant stakeholders.

Example Work Products

1. A business impact analysis

Subpractices

1. Identify and prioritize the essential services of the organization.

2. Identify the essential functions on which services rely.

3. Analyze the criticality of providing those functions and the impact to services if the essential functions cannot be performed.

Refer to the Decision Analysis and Resolution process area for more information about analyzing possible decisions using a formal evaluation process that evaluates identified alternatives against established criteria.

4. Prioritize the list of essential functions that must be provided despite a significant disruption.

SP 1.2 Identify and Prioritize Essential Resources

Identify and prioritize the essential resources required to ensure service continuity.

Essential resources are resources necessary to the continued functioning or reconstitution of services during and after an emergency. These resources are typically unique and hard to replace. Essential resources therefore include key staff as well as essential assets, data, and systems. Essential resources may need to be protected. Suitable substitutes may need to be provisioned in advance. In the case of data, backups and archives may need to be established.

Many organizations make the mistake of identifying systems, staff, and infrastructure inside the organization while overlooking resources outside the organization on which service continuity also depends. Resources that are commonly overlooked include consumables and vital records (e.g., documents describing legal or financial obligations).

Essential resources can be identified through analyses of the following:

• Delivery of services

• Functions essential to service continuity

• In-service agreements, supplier agreements, and standard service definitions

• Dependencies among service system components, relevant stakeholders, and the delivery environment

Common resource dependencies include information and data sources from both inside and outside the organization and the key staff who make decisions regarding the service delivery or who are significant contributors to performing service delivery tasks.

Refer to the Integrated Work Management process area for more information about coordinating and collaborating with relevant stakeholders.

Essential resources generally fall into one of the following categories:

• Emergency operating resources (e.g., key staff, equipment, consumables) necessary to resume disrupted services

• Legal and financial resources (e.g., contractual documents) that are essential to protect the rights and interests of the organization and individuals directly affected by the emergency

Refer to the Plan Data Management specific practice in the Work Planning process area for more information about data management activities.

Example Work Products

1. Orders of succession

2. Delegations of authority

3. Directory of critical staff with contact information

4. Data and systems required to support identified essential service functions

5. Records of service agreements and contracts

6. Records of legal operating charters (e.g., articles of incorporation, authorization by local, state, or national government agencies)

7. Staff benefit balances, payroll, and insurance records

8. List of internal and external resources required

9. List of dependencies and interdependencies of resources

Subpractices

1. Identify and document internal and external dependencies.

2. Identify and document key staff and their roles in relation to service delivery.

3. Identify and document organizational and relevant stakeholder responsibilities.

4. Identify and document resources required by essential functions to ensure continuity.

5. Prioritize resources based on an evaluation of impact from their loss or from lack of access.

6. Ensure that safety provisions are made for staff, both internal and external, within the delivery environment and for organizational supporting functions.

7. Ensure that records and databases are protected, accessible, and usable in an emergency.

SG 2 Prepare for Service Continuity

Preparations are made for service continuity.

Preparing for service continuity involves creating a plan, delivering training to execute the plan, and putting resources into place such as backup sites or systems.

Not all services must be resumed immediately following a disruption. The service continuity plan identifies those services that must be resumed and the priority sequence for recovery of those services.

In addition, training to execute the service continuity plan should be developed and delivered to those who may have to implement the plan.

Refer to the Integrated Work Management process area for more information about integrating plans.

Refer to the Work Planning process area for more information about developing a work plan.

SP 2.1 Establish Service Continuity Plans

Establish and maintain service continuity plans that enable the organization to resume performing essential functions.

A service continuity plan provides explicit guidance to the organization in the event of a significant disruption to normal operations. An organization can maintain multiple plans covering different types of disruptions or different types of services. Conversely, there may be need for only one service continuity plan.

Example Work Products

1. Formal statement of who has the authority to initiate and execute the service continuity plan

2. List of communication mechanisms needed to initiate the execution of the service continuity plan

3. List of threats and vulnerabilities that could impede the ability of the organization to deliver services

4. List of alternate resources and locations that support the organization’s essential functions

5. Documentation of the recovery sequence

6. List of key staff roles and responsibilities

7. List of stakeholders and the methods used for communicating with them

8. Documented methods for handling security related material as appropriate

Subpractices

1. Identify and document threats and vulnerabilities to ongoing service delivery.

Information on threats and vulnerabilities is usually developed in other processes and activities and used as an input to the service continuity plan. In the service continuity plan, the events, threats, and vulnerabilities most likely to lead to enacting the plan are recorded. Different actions can be planned for categories of events. Risk information gathered about individual services can also be an input to this portion of the plan.

Refer to the Risk Management process area for more information about identifying and analyzing risks and mitigating risks.

2. Document the service continuity plan.

3. Review the service continuity plan with relevant stakeholders.


SSD Addition

Refer to the Service System Development process area for more information about performing peer reviews.


4. Ensure that secure storage and access methods exist for the service continuity plan and critical information and functions needed to implement the plan.

5. Ensure that vital data and systems are adequately protected.

Addressing the protection of vital data and systems can include developing additional service system components.


SSD Addition

Refer to the Service System Development process area for more information about developing service systems.


6. Document the acceptable service level agreed to by the customer for when a shift between the normal delivery environment and the recovery environment (e.g., site affected by disruption, alternate site) is necessary.

Document the acceptable service levels for various outage scenarios (e.g., site, city, country).

7. Plan for returning to normal working conditions.

8. Develop procedures for implementing the service continuity plan.

9. Revise the service continuity plan as necessary.



SP 2.2 Establish Service Continuity Training

Establish and maintain training for service continuity.

Training the staff who will be involved in executing the service continuity plan increases the probability of success in the event that the plan must be executed. It may be appropriate to include the customer and end user in service continuity training.



Example Work Products

1. Service continuity training material

Subpractices

1. Develop a strategy for conducting service continuity training.

2. Develop and document service continuity training for each category of threat and vulnerability to service delivery.

3. Review service continuity training material with relevant stakeholders.


SSD Addition

Refer to the Service System Development process area for more information about performing peer reviews.


4. Revise the training material as needed to reflect changes in the service continuity plan and feedback on training effectiveness.

SP 2.3 Provide and Evaluate Service Continuity Training

Provide and evaluate training in the execution of the service continuity plan.

Training provides instruction to staff who might have to participate in executing the service continuity plan in the event of a significant disruption. In addition, training provides a mechanism for gathering feedback on whether the service continuity plan should be updated or clarified.

Refer to the Organizational Training process area for more information about providing training.

Example Work Products

1. Training records

2. Evaluations of training effectiveness by students and training specialists

3. Suggested improvements to the service continuity plan

Subpractices

1. Deliver training that covers the execution of the service continuity plan to appropriate staff.

2. Maintain records of those who successfully complete service continuity training.

3. Solicit feedback on how well service continuity training prepared those who will execute the service continuity plan.

4. Analyze training feedback and document suggested improvements to the service continuity plan and service continuity training.

SG 3 Verify and Validate the Service Continuity Plan

The service continuity plan is verified and validated.

Verifying and validating the service continuity plan helps to ensure preparedness for various threats and vulnerabilities before a significant disruption occurs. This practice enables reviews, tests, and demonstrations to be conducted in a relatively benign environment.

Accomplishing verification and validation includes selecting appropriate methods, conducting verification and validation, and analyzing results.


SSD Addition

The Service System Development process area contains practices that focus on verifying and validating service system components and services. The guidance found there can be useful when implementing verification and validation of service continuity plans. Refer to the Service System Development process area for more information about verifying selected service system components against their specified requirements.


SP 3.1 Prepare for the Verification and Validation of the Service Continuity Plan

Prepare for the verification and validation of the service continuity plan.

Verification and validation should be conducted on a periodic and event-driven basis. Typically, the verification and validation of the service continuity plan is performed periodically (e.g., annually). However, when major changes are made to the service system or to the delivery environment, the service continuity plan should be reviewed or tested to confirm the service continuity plan is still correct and current.

Example Work Products

1. Verification and validation plan for assuring service continuity

2. Evaluation methods used for verification and validation

3. Description of environments necessary to conduct verification and validation

4. Verification and validation procedures

5. Criteria for what constitutes successful verification and validation

Subpractices

1. Develop a plan for conducting service continuity verification and validation.

The strategy for conducting service continuity verification and validation documents the requirements for verification and validation and addresses the key principles, activities, resources, and environments required for effective verification and validation of the service continuity plan.

Verification and validation is not a one-time event. The strategy should address the frequency with which verification and validation should be performed.



2. Review with relevant stakeholders the verification and validation plan, including evaluation methods and the environments and other resources that will be needed.

Relevant stakeholders should understand and agree to the verification and validation strategy, methods, activities, environments, and resources.

3. Determine the procedures and criteria for verification and validation of the service continuity plan.

Procedures and criteria are used to ensure the elements of the service continuity plan are correct, effective, and current relative to the categories of threats and vulnerabilities.

4. Identify changes to the service continuity plan from the preparation for verification and validation.

SP 3.2 Verify and Validate the Service Continuity Plan

Verify and validate the service continuity plan.

Verification and validation is conducted according to the defined plan, methods, and procedures to confirm that the service continuity plan is complete, reasonable, and effective.

Example Work Products

1. Roster of staff and relevant stakeholders involved in service continuity verification and validation

2. Results of service continuity plan verification and validation

Subpractices

1. Prepare the environment to conduct verification and validation.

2. Conduct verification and validation of the service continuity plan.

3. Record the results of verification and validation activities.

SP 3.3 Analyze Results of Verification and Validation of the Service Continuity Plan

Analyze the results of verifying and validating the service continuity plan.

Results of service continuity plan verification and validation are analyzed against defined verification and validation criteria. Analysis reports identify elements to improve in the service continuity plan and identify problems with verification and validation methods, environments, procedures, and criteria.

Example Work Products

1. Verification and validation analysis reports

2. Improvement recommendations for the service continuity plan

3. Verification and validation improvement recommendations

Subpractices

1. Compare actual to expected results of service continuity plan verification and validation.

2. Evaluate whether restoration to agreed service levels or some other planned state was achieved or not.

3. Document recommendations for improving the service continuity plan.

4. Document recommended improvements to the verification and validation of the service continuity plan.

5. Collect improvement proposals for services or service system components as appropriate based on the analyses of results.

6. Provide information on how defects can be resolved (including verification methods, criteria, and the verification environment) and initiate corrective action.

Refer to the Work Monitoring and Control process area for more information about managing corrective action to closure.
