Based on our analysis, the Business Continuity Plan should be created if there are specific continuity requirements identified in the contract and detailed in the Business Impact Analysis.

The Business Continuity Plan will contain strategies that are selected on various factors like contractual obligations during a disaster, cost implications of continuity requirements, minimum service levels required, etc. The Business Continuity Plan describes how an incident causing discontinuity for the engagement will be handled. It addresses:Objectives of continuity, scope and scenarios of discontinuity being covered

• Mitigation plan for business continuity risks, to minimize disruption probabilities
• Procedures for backup to ensure data availability for business continuity. This would include:
  • Backup frequencies
  • Backup data retention policy
  • Physical location of backed up data (e.g. separate servers, tapes, datacenters, etc.)
  • Testing plan for backed up data
• Procedures for escalation of incident and decision to invoke continuity plan, including incident management coordination with Client and key stakeholders (if applicable)
• Procedures for communication aspects (within Capgemini, with Client, with third parties, with authorities on need basis)
• Different continuity options planned for and steps to be taken to execute them with identification of
  • Key people and their contacts (in Capgemini teams, in Client teams on need basis)
  • Roles and responsibilities of the key resources during disruption
  • Means to be mobilized (locations, network aspects, assets etc.)
  • Step to resume and recover critical priority activities (incident response structure)
• Test plan that includes scenarios which should be tested in continuity plan, how they will be tested, platforms & tools to be used, how often and who will be involved, including suppliers.
• Plan for developing content for the business continuity training, evaluating training feedback and updating content appropriately.
• Plan for team awareness and training that include initiation and implementation of continuity plans
• Procedures to recover data after a disaster.

Factors like minimum target Service Levels during disaster as well as impact of cost must be considered while planning for business continuity. Remediation actions should planned based on severity of impact. For example services where impact is early, high preventive measure should be taken planned for, whereas for services where impact is low and takes longer time to develop, recovery measures should be planned. 

Many times where Capgemini Service model include provisioning of critical services through suppliers, Engagement Manager must ensure the relevant Business Continuity Plan and objectives are established and aligned within the supply chain. These must be mutually agreed as a part of the Supplier Contract and Supplier Service Level Agreement.

Also, the scenarios where Capgemini operates within a multi-vendor Service Model for the customer critical services, handshakes with other vendors may need to be identified as a part of the overall Business Continuity Plan to collectively resume the operations. The requirements and the obligations thereof, must be agreed with the Client and reflected in the contract.
The Business Continuity Manager must collaborate with the Security And Data Protection Manager to understand cyber-security threats, the resilience built in and then come up with an adequate recovery plan for Cyber-security incident that can cause disruption, so that the service can be resumed.

The Engagement Manager must ensure all business continuity management and disaster recovery procedures are designed in line with the Capgemini policies at respective site and country level. The Engagement Manager must also collaborate with respective Capgemini Business Continuity stakeholders (ICRES team, IT team, etc .) for setting up business continuity solutions in accordance with the plan.

The plan should then be reviewed and approved.