Question 1

When planning and implementing recovery/resumption procedures, what is the most important aspect?
A)That work proceed as quickly as possible
B)That business proceed as normal regardless of the cost
C)That each Crisis Team member is contacted prior to work beginning
D)That all decisions are document with justification

Accepted Answer

When creating a plan for recovery/resumption and deciding on priorities, it is essential that the plan and the justification for the decisions be documented thoroughly. This will aid in communication and avoiding rework during the process.
Documenting each decision with justification will assist with conversations with both senior management, as well as the media. Additionally, the process of documenting decisions will ensure that there is clarity in the decision and plan going forward.

Question 2

When is a crisis normally declared "over"?
A)When the business is no longer under continued threat from the crisis
B)When the business has a plan to implement to recover from the crisis
C)When the business is able to function with its core processes up and running
D)When the business is able to operate as it was pre-crisis

Accepted Answer

Although it can vary from organization to organization, a crisis is normally declared as "over" when all operations have been returned to their normal state. If it is not possible to return to the pre-crisis normal state, then a new normal state must be defined for the organization.
A crisis can be declared "over" at any time, however, it is customary to only declare the crisis situation "over" when the organization is able to function at its normal pre-crisis level.

Question 3

Which of these tasks are appropriate tasks for declaring a crisis to be "over"? Select all that apply.
A)Holding a press conference
B)Sending communication to employees
C)Documenting the decision
D)All of the above

Accepted Answer

All three of these tasks should be considered when declaring a crisis "over." Depending on the nature of the crisis, the decision might be made to skip one or more of these tasks, however, all of these are appropriate and should be considered.
The most important task when declaring a crisis to be "over" is to document the decision. Additionally, depending on the nature of the crisis and the size of the organization, it is recommended to communicate that decision to both the employees and the media as needed.

Question 4

Indecisive wants to return the organization back to its normal, pre-crisis state. However, he is unable to do this as a result of the impact of the crisis. What should he do instead?
A)Continue to try to achieve pre-crisis normal state regardless of the cost
B)Declare the organization failed and file for bankruptcy
C)Declare a "new normal" state for the organization to operate in
D)Continue to react in crisis mode indefinitely

Accepted Answer

Mr. Indecisive should establish a new normal state in which the company can still operate and conduct business, even if it is not identical to the pre-crisis state.
By declaring a new normal state, the organization will be able to function and move forward after the crisis. This new state should enable the organization to keep its critical processes intact.

Question 5

What is the best definition for "alternate worksite"?
A)A work location that is rarely used
B)A work location to supplement the primary work location when it is full or occupied
C)A work location which can be used when the primary work location is not available
D)A work location which is located in a different state or country than the primary work location

Accepted Answer

An alternate worksite is defined as a work location which can be used when the primary work location is not available, often due to a crisis situation.
An alternate worksite location should be established so that the Crisis Management team and other employees have a location to work from if the primary worksite is compromised during the crisis event. The alternate worksite should be sufficient distance from the primary worksite so that it is not likely that the same crisis would impact both sites.

Question 6

Which term is used to describe the process of returning an organization to its normal state after a crisis?
A)Recovery
B)Resumption
C)Readiness
D)Evaluation

Accepted Answer

The process of recovery will help the organization move past the crisis, while the process of resumption will return the organization to its normal pre-crisis state.
While it is usually ideal to return to the pre-crisis state, sometimes it is not possible. At this point in the resumption process, it is necessary to declare a new normal state so that the organization can continue to move forward.

Question 7

An organization has identified that the recovery time objective (RTO) criteria as the most critical criteria for its risk management strategy. The company might consider investing in which of the following?
A)Insurance
B)Hot site
C)Cold site
D)Warranty

Accepted Answer

A hot site is a contracted commercial disaster recovery service that provides all of the equipment needed for an enterprise to continue operation, which includes office space, furniture, communications equipment and computers. The setup also has all of the working data necessary to continue operators.
Having a hot site comes with a high financial cost, but in some cases is absolutely necessary. The BCP planner must determine whether it is worth the cost by consulting with stakeholders and performing an analysis.

Question 8

Once a company has determined its continuity and recovery plans, the plans have to be tested for any problems. What would be the most thorough approach to this undertaking?
A)Parallel testing
B)Full-interruption testing
C)Simulation testing
D)Structured walk-through test

Accepted Answer

Once a company has determined its continuity and recovery plans, the plans have to be tested for any problems and the most thorough approach would be full-interruption testing. This type of test is the most intrusive to regular operations and business productivity. The original site is actually shut down and processing takes place at the alternate site. The recovery team fulfills its obligations in preparing the systems and environment for the alternate site. All processing is done only on devices at the alternate offsite facility. Full-blown drill takes a lot of planning and coordination, but it can reveal many holes in the plan that need to be fixed before an actual disaster hits. Full interruption tests should be performed only after all other types of tests have been successful.

Question 9

Once a company has determined its continuity and recovery plans, the plans have to be tested for any problems. What type of testing provides a specific scenario?
A)Parallel testing
B)Full-interruption testing
C)Simulation testing
D)Structured walk-through test

Accepted Answer

Once a company has determined its continuity and recovery plans, the plans have to be tested for any problems. Simulation testing is best for testing specific scenarios. In this situation, all employees who participate in operational and support functions or their representatives come together to practice executing the disaster recovery plan based on a specific scenario. The scenario is used to test the reaction of each operational and support representative. Again, this is done to ensure specific steps were not left out and that certain threats were not overlooked. It acts as a catalyst to raise the awareness of the people involved.

Question 10

Newbie has recently joined the Crisis Management team as part of his work on the Business Continuity Plan. When should he schedule his training on the current version of the Business Continuity Plan?
A)As soon as possible
B)During the next regularly scheduled training session
C)Official training is not needed
D)None of the above

Accepted Answer

Mr. Newbie should be trained as soon as possible on the current version of the Business Continuity Plan so that if a crisis should occur, he will be a fully functioning member of the Crisis Management team.
Each new member to join the Crisis Management team should receive initial training upon joining the team. They should then participate with the team in all of the regularly scheduled training as well. However, by ensuring that the new team members are fully trained when they join the team, you will ensure that the team can function if a crisis should occur prior to the next regularly scheduled training event.

Question 11

Richard has gone to see a man about issues involving denial-of-service attacks, malware damages, hackers, electronic theft, and privacy-related lawsuits. What is Richard planning to discuss with the man?
A)Attack Insurance
B)Business Insurance
C)Cyberinsurance
D)Virus Insurance

Accepted Answer

Cyberinsurance discussions involve denial-of-service attacks, malware damages, hackers, electronic theft, and privacy-related lawsuits. Companies are asked questions about their security program such as whether they have IDS, antivirus software firewalls, and other security measures. The company's insurance should be reviewed annually, because threat levels may change and the company may expand into new ventures that need to be properly covered. Purchasing insurance should not lull a company into a false sense of security. Insurance coverage has its limitations.

Question 12

When creating a business continuity plan, which of these decisions should be made first?
A)Who does the business continuity plan need to be distributed to
B)Which portions of the business need to remain active during a disaster
C)What is the allowed spending budget for the business continuity plan
D)What types of disasters should the business continuity plan cover

Accepted Answer

The first item that should be decided when creating a business continuity plan is which portions of the business are essential and need to remain active during a disaster. Without this knowledge, other decisions of the business continuity plan cannot be made effectively.
When creating a business continuity plan, it is not possible to keep every aspect of the business going during a disaster, as it is cost prohibitive. Therefore, the first item that needs to be discussed is which business aspects are "mission-critical" and necessary to keep the business afloat while other aspects are still struggling to recover.

Question 13

How often should a Business Continuity Plan be updated or reviewed?
A)Never. Once the BCP is written, it does not need to be reviewed.
B)Only if new information appears that would change the BCP
C)On a regularly scheduled frequency (with more reviews if data warrants it)
D)Since the BCP is never completely finished, it is always being reviewed and updated.

Accepted Answer

Once completed, the BCP should be reviewed on a regular frequency. The frequency can be determined based on the business need. However, if additional information arises that could impact the BCP, then the BCP should be reviewed at that point as well.
The Business Continuity Plan that is created by the original chartered BCP team will serve as a good starting point for the company's overall business continuity strategy. However, regular periodic reviews of the BCP will ensure that the information is not outdated and that the BCP is still a viable strategy. In addition to the regularly scheduled reviews, the BCP can also be reviewed and updated as needed based on external risk assessments, recent crises or disasters, industry trends, or results of BCP testing.

Question 14

Business continuity planning should only be done for medium or large sized companies. Smaller companies cannot use the principles of BCP.

Accepted Answer

While the principles in business continuity planning are designed with larger companies in mind, these principles can be applied to smaller companies with very few modifications.
If you are working at a larger company, the business continuity planning process should be more rigorous than if you are working at a smaller company. However, smaller companies can follow all of the same guidelines and principles involved in business continuity planning.

Question 15

A Risk Assessment is one of the first tasks to be completed in the creation of a Business Continuity Plan. What is the purpose of the Risk Assessment?
A)To provide a list of risks to the organization, along with potential countermeasures
B)To assemble a list of past crises that the organization has endured
C)To identify and analyze potential risks that may impact the organization
D)To create a matrix of potential risks and who is responsible for the countermeasure for each risk.

Accepted Answer

The Risk Assessment is designed to identify potential risks that may impact the organization and then to analyze the likelihood of those risks occurring, as well as their potential impact if they were to occur.
A Risk Assessment should only identify and rank the potential risks to the organization, such as earthquakes or bomb threats. The Risk Assessment is not designed to assign countermeasures or responsibility for dealing with each potential crisis. Potential risks that could be included in a Risk Assessment are hurricane, flood, tornado, bombing, kidnapping, sabotage, product recall, or power failure.

Question 16

Newbie has recently been asked to join the Business Continuity Planning team. As his first assignment, he is tasked with creating a list of potential threats for the company and ranking them. What phase of the project is he working on?
A)Business Impact Analysis
B)Risk Assessment
C)Strategic Planning
D)Critical Process Planning

Accepted Answer

Mr. Newbie is working on a Risk Assessment. The Risk Assessment identifies key threats to the business, such as floods or terrorist attacks, and then ranks them based on factors such as likelihood of occurrence and severity should the event actually occur.
The Risk Assessment evaluates potential threats and ranks them while the Business Impact Analysis focuses on the different processes within the business and how they will recover should a crisis occur. While they are both key foundations for creating a successful Business Continuity Plan, they are two distinct and separate analyses.

Question 17

Who should be able to discuss the crisis with the media and other external organizations?
A)Only the appointed official media spokesperson
B)Whomever the media contacts
C)Only members of the Business Continuity team
D)Only members of the Board of Directors

Accepted Answer

When communicating with the media and external organizations, only the official spokesperson should speak on behalf of the company. This person should be trained in media relations prior to the crisis.
Using a single point of communication with the media and funneling all communications through the official spokesperson will ensure that a consistent message is being sent. Additionally, people within the organization should be trained to refer all calls or inquiries during a crisis to the single official spokesperson.

Question 18

What is the most important element of a good Business Continuity Plan?
A)Company structure
B)Human resource management
C)Financial predictions
D)Cash flow

Accepted Answer

People and proper human resource management are the most essential components of a good Business Continuity Plan. The management of employees will often determine the success or failure of a Business Continuity Plan.
When creating a Business Continuity Plan, it is essential to not forget the human element involved and plan accordingly for it. Managing people, especially during a crisis, is the most important aspect of a good Business Continuity Plan.

Question 19

If a fatality or injury occurs during a crisis, what should the Business Continuity Plan recommend?
A)That the next of kin be notified by the first person to discover the injury or fatality.
B)That the next of kin be notified by the CEO over the phone.
C)That the next of kin be notified in person by trained senior management.
D)That the next of kin be notified within 24 hours.

Accepted Answer

The Business Continuity Plan should call for all injury or fatality notifications to be completed in person and by a specially trained member of senior management whenever possible.
When someone is hurt or killed during a crisis, it is the responsibility of the company to notify the next of kin as soon as possible, but in a respectful and dignified manner. By sending in a member of senior management who has been previously trained for this role, there will be less of a chance for misunderstanding or un-needed anguish.

Question 20

When should a crisis management center location be identified?
A)During the creation of the BCP
B)During the time period between the warning of a crisis and the full impact of that crisis
C)During the first few hours of a crisis
D)During the first few days of a crisis

Accepted Answer

The crisis management center location and resources should be identified ahead of time during the creation of the Business Continuity Plan.
During the warning period and crisis period, it is likely that there will not be sufficient time to focus on identifying a suitable crisis management center. For this reason, the crisis management center location, as well as backup or alternative locations, should be pre-identified as a part of the Business Continuity Plan.

Quiz 7: Operations

When planning and implementing recovery/resumption procedures, what is the most important aspect?

When is a crisis normally declared "over"?

Which of these tasks are appropriate tasks for declaring a crisis to be "over"? Select all that apply.

Indecisive wants to return the organization back to its normal, pre-crisis state. However, he is unable to do this as a result of the impact of the crisis. What should he do instead?

What is the best definition for "alternate worksite"?

Which term is used to describe the process of returning an organization to its normal state after a crisis?

An organization has identified that the recovery time objective (RTO) criteria as the most critical criteria for its risk management strategy. The company might consider investing in which of the following?

Once a company has determined its continuity and recovery plans, the plans have to be tested for any problems. What would be the most thorough approach to this undertaking?

Once a company has determined its continuity and recovery plans, the plans have to be tested for any problems. What type of testing provides a specific scenario?

Newbie has recently joined the Crisis Management team as part of his work on the Business Continuity Plan. When should he schedule his training on the current version of the Business Continuity Plan?

Richard has gone to see a man about issues involving denial-of-service attacks, malware damages, hackers, electronic theft, and privacy-related lawsuits. What is Richard planning to discuss with the man?

When creating a business continuity plan, which of these decisions should be made first?

How often should a Business Continuity Plan be updated or reviewed?

Business continuity planning should only be done for medium or large sized companies. Smaller companies cannot use the principles of BCP.

A Risk Assessment is one of the first tasks to be completed in the creation of a Business Continuity Plan. What is the purpose of the Risk Assessment?

Newbie has recently been asked to join the Business Continuity Planning team. As his first assignment, he is tasked with creating a list of potential threats for the company and ranking them. What phase of the project is he working on?

Who should be able to discuss the crisis with the media and other external organizations?

What is the most important element of a good Business Continuity Plan?

If a fatality or injury occurs during a crisis, what should the Business Continuity Plan recommend?

When should a crisis management center location be identified?