Business Continuity Management System (BCMS) Policy & Strategy Framework
**ABC**
Version 1.2 DRAFT
INTERNAL USE ONLY

Objective: The purpose of the BCMS is to provide a clearly defined and documented policy, framework and operational direction to ensure the resilience and continuance of the business critical activities.

Scope: **ABC** (**ABC**) business activities within **Location1** and **Location2**.

Audience: All officers, senior personnel and staff of the organisation who are involved in the provision of the Incident and Business Continuity capability of the organisation.

Page 1 of 21

Table of Contents
1 Overview ........ 4
  1.3 Best Practice ........ 4
  1.4 Purpose ........ 5
  1.5 Objectives ........ 5
2 Policy and Organisation ........ 6
  2.3 Executive Management - Policy Statement ........ 6
  2.4 Incident Response & Business Continuity Structure ........ 7
  2.5 Roles & Responsibilities ........ 8
3 Understanding The Business ........ 10
  3.3 Business Impact Analysis ........ 10
  3.4 Risk Assessment & Risk Register ........ 10
4 Determining BCM Strategies ........ 12
  4.3 BCM Strategy Models ........ 12
  4.4 Process Level BCM Strategies ........ 13
  4.5 Resource Recovery BCM Strategies ........ 14
5 Developing & Implementing BCM Response Plans ........ 15
  5.3 Business Continuity Plans ........ 15
  5.4 Incident Response & Management Planning ........ 16
6 Embedding BCM in the Culture ........ 17
  6.3 Awareness, Training and Culture ........ 17
7 Exercising, Maintenance & Review ........ 18
  7.3 Exercising ........ 18
  7.4 Maintenance ........ 21
  7.5 Audit & Review ........ 21

DATA STATEMENT
The information and data provided herein shall not be duplicated, disclosed or disseminated by the recipient in whole or in part for any purpose whatsoever without the prior written permission from **ABC**.

REVISION HISTORY
Version/Revision | Release Date | Originator | Reason(s) for Change
1.0 | **Date** | **Person1** | First draft
1.1 | **Date** | **Person1** | **ABC** Feedback

DISTRIBUTION LIST
Recipient | Role
**Person1** | BCM Project Documentation
BCM Repository | **ABC** Network

1 OVERVIEW
This document provides an overview of the framework for Incident and Business Continuity Management within **ABC**. It is intended to be a ‘top down’ living document which provides vision, direction and unification of business continuity related activities. Its outline approach is based on best practice in order to develop an effective business continuity management capability through an established and robust process.

1.3 Best Practice
The approach taken is based on best practice and uses the business continuity lifecycle as per ISO 22301, the Business Continuity Management standard. Figure 1 illustrates the core components of the standard. The PDCA methodology as laid out by the BSI (Figure 2) focuses on successful planning, doing, checking and acting; the aim is to ensure that **ABC**’s BCM provision is holistic and supports the strategy and business need.

Figure 1: Business Continuity Lifecycle – ISO 22301

Adopting the PDCA (‘Plan Do Check Act’) approach also ensures alignment with other quality and management systems such as ISO 9001 and ISO 27001 for Information Security Management.
- Plan – Establish (policies, objectives, processes, controls etc.)
- Do – Implement & Operate (as above)
- Check – Monitor & Review (against policy & objectives)
- Act – Maintain & Improve (through preventative & corrective actions)

Figure 2 – PDCA

BCM (Business Continuity Management) requires planning across many parts of the business, as demonstrated in this policy and strategy document, which in turn becomes a key focus of vital importance to all **ABC** management and staff in recognising the links between business activities, facilities, IT/telephony and people resourcing.

1.4 Purpose
The purpose of the BCMS Policy & Strategy Framework document is to provide **ABC** with an effective, fit for purpose, predefined and documented framework and process, in conjunction with best practice.

1.5 Objectives
- To provide a consistently clear view of the approach to be taken regarding Incident Response & Management and Business Continuity Management (BCM) within **ABC**
- To develop a BCM capability in line with best practice
- To ultimately recover and protect the business critical activities of **ABC**, thereby reducing any subsequent financial impact to the organisation
- To protect the **ABC** brand and minimise any adverse impact to it
- To be able to continually serve the best interests of customers & stakeholders in terms of delivering the core objectives of the business, without compromise

2 POLICY AND ORGANISATION

2.3 Executive Management - Policy Statement
Unwanted events such as floods, fire, terrorism or even system failures and data loss all have the potential to cause severe disruption to the continuity of any organisation and its operations. The potential impact to **ABC** could have very real consequences, affecting employee health and safety, revenue, public reputation, stakeholder and customer confidence and above all our operating efficiency.
Clearly this is undesirable and we must take appropriate measures as a business to ensure that we are prepared to respond in order to maintain both our operational capability and customer service focus. On this basis, the Executive Management Team and the Board have decided to incorporate Business Continuity Management (BCM) as part of its overall risk management strategy and corporate governance. It also demonstrates that we are a responsible and trustworthy organisation, capable of providing services to our customers.

As a result of this challenge, the quality and completeness of our business continuity processes, strategies and plans are vital, as these could be crucial following an incident by underpinning the success of our recovery effort. This is not a one-off exercise and will remain an ongoing programme for the organisation, and it is the duty of us all to ensure that we protect our future as we embark on new challenges to continue demonstrating the highest possible standards in all aspects of what we do.

**Person2**
Chief Executive - **ABC**

2.4 Incident Response & Business Continuity Structure
The Incident Response Team (IRT) consists of a group of nominated individuals (which differs by incident type and area) who make up the initial IRT. The IRT is the group of key senior management that commands and controls the resources needed to respond to a situation which could impact **ABC** business operations.

As the nature of an incident can be unpredictable, it is not possible, or indeed wise, to provide strict roles for the team members. Ultimately it is for the Incident Response Team Leader and the team members to organise themselves in an optimal manner, calling on any additional resource they require. The following roles provide guidance on key areas of responsibility and potential activities.

The Incident & Business Continuity structure is made up of Strategic, Tactical and Operational levels (often referred to as Gold, Silver and Bronze).
The ‘Strategic’ level is represented by the Incident Response or Management Team, with ‘Tactical’ forming the Business Continuity response. The ‘Operational’ layer consists predominantly of business as usual activities; hence the roles will already be present or well defined within the existing structure at **ABC**.

2.5 Roles & Responsibilities

INCIDENT RESPONSE
Incident Response Team (IRT) Leader: From the initial incident notification, the IRT Leader has overall responsibility for declaring and dealing with the situation and for coordinating the strategic response.
Communications: To provide internal communications and liaise with the outside world, ultimately ensuring that everyone is kept fully informed and briefed on any actions they need to take.
IT: To ensure the IT systems, applications, data and communications infrastructure are recovered in a timely manner as per the business recovery profile.
HR: To ensure the safety and well-being of all **ABC** staff.
Corporate Services: To maintain the building environment and associated support services.
Finance: To safeguard the financial security and stability of the organisation.
Core Functions/Depts: Depending on the incident and the functions which are impacted, decide which of the ‘Core Functions’ are required as part of the IRT.

BUSINESS CONTINUITY
Business Continuity Manager/Sponsor: Overall ‘fitness for purpose’ of the Business Continuity capability/BCMS, including management of contracts with 3rd parties such as work area recovery and IT resilience, exercising, testing and maintenance.
Business Continuity Co-ordinators/Plan Owners: Co-ordinators are responsible for the ongoing maintenance of their functions’ plans in line with the schedule set out by the BC Manager, and are also responsible for co-ordination of the head office and primary location plan activities during execution, including resourcing and recovery. This includes all levels of content, including Business Critical Activities, Recovery Timeframe Objectives, strategies, resourcing, IT requirements, as well as all supporting documentation and appendices. They should also ensure that any dependencies are documented and verified as being in place.

2.5.1 EMT (Sub BCM Steering Committee or Working Group)
The BCM Steering Committee or Working Group should consist of a group of high-level stakeholders who are responsible for providing guidance on the overall strategic direction of business continuity related matters. They do not take the place of a BCM Sponsor, but help to spread the strategic input and buy-in to a larger portion of the organisation. The meeting is most likely to be chaired by the Business Continuity Manager or natural stakeholder, with representatives from IT, Facilities, 3rd party suppliers, project managers and selected business/directorate leaders where appropriate.

The committee or group should look to meet on a predetermined but regular basis (every quarter as a minimum) in order to review potentially relevant matters, such as IT infrastructure changes, strategic/business change or personnel amendments. It may also be appropriate for business continuity to form a part of the Executive Management meeting as a regular agenda item.

3 UNDERSTANDING THE BUSINESS

3.3 Business Impact Analysis
Understanding the business and what we do is pivotal to the foundations and success of the **ABC** Business Continuity Programme. Defining the Mission or Business Critical Activities within the organisation is a key and primary activity and is based largely on two key metrics, namely:
- RTO (Recovery Time Objective) – the timescale within which mission or business critical activities must be recovered
- RPO (Recovery Point Objective) – the point in time to which work should be restored following a business continuity incident that interrupts or disrupts the organisation

Understanding the risks, threats and impacts that surround these key activities will enable **ABC** to quantify and qualify the risk to the business and therefore take appropriate action to protect and recover the required operations. Once this exercise has been conducted, the EMT/BCM Steering Committee will be better placed to form a view or setting of their ‘risk appetite’, which defines the level of risk that it is willing to accept.

Other key outcomes from conducting the Business Impact Analysis include:
- Financial and non-financial impacts (tangible and intangible)
- A minimum level of resources required, phased over time, such as personnel, IT applications, systems, data and vital records. This will form the Resource Recovery Profile for the Strategy Development.
- A defined Recovery Profile built on verified and signed off RTOs and RPOs
- Any additional constraints, such as legal, contractual and regulatory

3.4 Risk Assessment & Risk Register
Reducing risk is a key activity for the business. Not only does it enable us to understand the potential likelihood (frequency and probability) of something affecting us, but it also assists the business in developing its risk appetite. The purpose of the risk assessment and register is to effectively identify, define and evaluate the risks potentially faced by the Business Critical Activities and to put in place a set of controls or countermeasures to manage or reduce the risk.
Key outcomes include:
- Vulnerability and exposure, or likelihood of occurrence, to **ABC** from a specific type of incident
- Risk concentration – where a number of risks are located within the same function, activity or building
- An overall risk appetite view of the BIA information and the associated risks
- A prioritised list of risks and their controls, which may be put forward to the existing risk register for monitoring and review

4 DETERMINING BCM STRATEGIES
Business continuity strategy models involve the identification and selection of alternative methods of operating the primary ‘Business Critical Activities’ following an incident, to the minimum acceptable level required. There are a number of generic strategies to mitigate the impact of a disruption or reduce the probability of a threat event. Each strategy has parameters of speed of resumption, reliability of availability and cost which will be appropriate to different parts of the business, so an organisation may require several elements to form an appropriate solution, depending upon the individual business functions.

4.3 BCM Strategy Models
There are four basic strategic BCM models to bear in mind:
1. Active/backup model – this involves having an ‘active’ backup site for the rapid resumption of the Business Critical Activities (BCA). This relies on the relocation of staff from the active site to the backup location with access to IT.
2. Active/active (split operations) – this model relies upon two or more geographically split ‘active’ operational or production sites for BCA. There is likely to be reciprocal backup and work/load balancing between sites.
3. Alternative site model – the use of an ‘active’ operating or production site with a corresponding backup site that occasionally functions as the primary site.
4. Contingency model – alternative ways of delivering services to cater for the loss of normal operational processes and components, such as the loss of a critical IT system which requires the use of manual processing or workarounds.

4.3.1 Functional relocation measures
- A ‘do nothing’ strategy may be acceptable for certain non-urgent functions identified in the BIA.
- Purchasing buildings and installing utilities may take several months.
- Budge up makes use of existing in-organisation accommodation such as a training facility or canteen to provide recovery space, or increasing the office density. This will require careful planning and some technical preparation.
- Displacement involves displacing staff performing less urgent business processes with staff performing a higher priority activity. Care must be taken when using this option that backlogs of the less urgent work suspended do not become unmanageable.
- Remote Working includes the concept of “working from home” and working from other non-corporate locations, e.g. hotels (Internet cafes should not be considered). Working from home can be a very effective solution, but care must be taken to ensure Health and Safety issues are addressed and sufficient bandwidth capacity is available.
- Third party alternative site arrangements from a commercial or service organisation (Easy Continuity Ltd), or **Location1**, may be an option for consideration if these can ensure the organisation’s recovery time objectives (RTO) are achieved.
  o Dedicated space (Work Area Recovery) provides guaranteed and immediate availability but is more expensive than syndicated space.
  o Syndicated space (Work Area Recovery) usually provides access within 4 hours and enables ‘warm to hot’ recovery of key functions, telephony and back office in order to continue supporting the business.
- ‘Ship in’ contracts include generators, IT equipment such as PCs, servers and printers, and specialist hardware and equipment such as telephony systems. This may be an appropriate strategy if an unprepared building is to be equipped to provide an appropriate working environment. Most ship-in contracts permit the delivery location to be nominated at invocation, allowing a more flexible response to a specific incident compared to a fixed site recovery capability. Contract terms vary from ‘best efforts’ to guaranteed delivery.
- Insurance, combined with other BCM measures, would provide a potentially good level of ‘risk portfolio’ protection for the business.

4.4 Process Level BCM Strategies
Process level strategies should be developed for every mission or Business Critical Activity (BCA) that has been identified, in order to provide a clear view on how **ABC** will provide protection for its most critical activities. Once defined, this will enable the development of an organisation Resource Recovery Strategy so that a complete BCM capability exists for that activity.

Outcomes for process level strategies include:
- An effective BCP for each critical activity, location or directorate
- Any principles relating to the development of the strategy for the activity, including the level of risk or appetite that is acceptable
- Any linkages to the Incident Management and response team

4.5 Resource Recovery BCM Strategies
A resource recovery strategy involves the deployment of appropriate resources as part of the continuity planning; in other words, what the requirements of the business are as defined in the BC plans. For example, if Work Area Recovery (WAR) is necessary, then the strategy should evaluate the specific requirements for syndicated work area, location and syndication ratios. Therefore the overall purpose of the resource recovery strategy is to provide a predetermined level of resources available to the business to enable the successful recovery of the process level strategies and options.
Outcomes for resource recovery level strategies include:
- The identification of effective and fit for purpose solutions to enable the restoration of business critical activities
- A clear framework of the time criticalities or specified timeframes, resources and actions to achieve prioritised recovery of activities, their dependencies and single points of failure

5 DEVELOPING & IMPLEMENTING BCM RESPONSE PLANS

5.3 Business Continuity Plans
Each plan owner, leader or co-ordinator is responsible for the development of their own plan, or component part thereof, in order to cover their department, key functions, processes and activities. To assist in this development, there are two key resources available for guidance:
- Business Continuity Plan Template – This template provides the basis and initial high level headings that should be included, such as:
  o Plan Administration (title, purpose, role, scope, objective, version, owner)
  o Introduction (Overview, Purpose, Objectives, Assumptions)
  o Initial Response and Assembly Tasks, Ongoing Activities
  o Critical Activities and IT Needs (RTOs & RPOs)
  o Resource Requirements & Strategies
  o Procedures and Tasks
  o Appendices Reference (Team Contact Details, Overall Structure, logs, pro formas)
- Plan Development Guidance – Provided in conjunction with the template, this guidance aims to reinforce the necessary actions required at the plan development stage. The plan should not contain unnecessary information which is likely to distract from the primary objective, which is to aid the recovery of the relevant business area.

The business continuity plan is only as good as the team around it and the information within it; therefore it is paramount that any solutions, strategies, procedures etc. are fully implemented and operational.

5.4 Incident Response & Management Planning
A clear, strong Incident Management response, team and plan is a vital capability for **ABC**. The ability to co-ordinate, command and communicate is paramount if the business is to minimise impact and initiate an effective recovery. Failure to develop and maintain an Incident capability could lead to significant exposure of the **ABC** brand and reputation.

Outcomes for Incident Management Planning include:
- A fit for purpose framework which interacts with and complements the Business Continuity (Tactical) response
- Clear and defined ownership for Incident Management
- An established Incident Response Team
- An effective and rehearsed Incident Response plan
- Clear, defined and fit for purpose response procedures and tasks, including emergency evacuation, emergency services liaison, and internal and external communication strategies

6 EMBEDDING BCM IN THE CULTURE

6.3 Awareness, Training and Culture
Creating a BCM culture can be a challenging exercise; however, embedding such a process and ensuring the success of BCM will be enhanced by the following:
- Visible support from the Executive Management & Board
  o Making our BCM Policy known to all in the business
- BCM becoming part of **ABC** strategic and day to day thinking
  o Effecting changes in our thinking where required, e.g. business change and new projects which require resilience or contingency as part of the business case and project delivery
  o Conducting regular exercises and training across Incident Response, Business Continuity and IT Continuity or Disaster Recovery
- Appropriate levels of ownership, responsibility and accountability
  o Building BCM into the role of each employee within the organisation who has a particular focus regarding overall risk approach and capability
  o Recognising and developing performance or appraisal systems to acknowledge contribution towards BCM responsibilities
- Using appropriate methods of culture delivery
  o Intranet site development including a policy statement
  o Downloadable PDF & overview presentation
  o Briefing content for new employees in key areas, with defined BC responsibilities
  o BCM awareness aide-memoires, e.g. trifolds, wallet cards

7 EXERCISING, MAINTENANCE & REVIEW

7.3 Exercising
Continued exercising and evaluation will ensure that **ABC** continues to have a fit for purpose Business Continuity capability. The following table illustrates the various types, methods and approaches available depending on frequency and level of complexity. Reading down the table, frequency runs from high to low and complexity from low to high.

Type: Desktop
  Techniques: Audit; Verification
  Process: Review and challenge the contents of the plan; Validation
  Who: Plan Author; Independent Reviewer

Type: Walkthrough
  Techniques: Plan and/or Infrastructure
  Process: Extended desktop to check interaction and roles of participants
  Who: Plan Author; Main Participants; Facilitator

Type: Scenario Simulation
  Techniques: Controlled; Free play; Time lapse; Unannounced; Tabletop
  Process: Incorporates associated plans: Business, Site/Buildings, Communication, Public Relations, ITDR, BCM Resource Recovery Suppliers (WAR)
  Who: Observers; Coordinators

Type: Live
  Techniques: Individual Components; Integrated Components; Functions
  Process: Move to and recreate one or a number of business functions at an alternative pre-planned site
  Who: Main participants; Umpires; Employees and staff in specific business areas; Facilitator; Observers; Coordinators; BC Providers

Type: Full Plan
  Process: Close down of building and relocation of work
  Who: As above

7.3.1 Schedule
Below is an outline exercising schedule based on suggested best practice; however, each business function or directorate should agree its own exercising schedule and scope with the business continuity manager or body responsible for programme oversight.

Area: Desktop/Walkthrough; Business Continuity Plan Review
  Who: Plan Author; Independent Reviewer
  Frequency: Monthly/Quarterly
  Notes: These tests can be conducted ad hoc and require very little preparation. They can also be passed around the team as a means of reducing complacency.

Area: Non-Critical Business Areas (Non-BCAs)
  Who: Plan Team; All interacting elements
  Frequency: Bi-annually/Annually
  Notes: Whilst Non-BCAs are unlikely to change significantly in terms of their plans, requirements and strategies, they should still be tested to the minimum required level.

Area: Business Critical Areas (BCA)
  Who: Plan Team; All interacting elements
  Frequency: Bi-annually
  Notes: Due to their very nature and potential business impact, BCAs should be tested more regularly than Non-BCAs. Those which are subject to continual or more frequent change may require testing on a more regular, quarterly basis.

Area: Technology/DR
  Who: Technical Teams; Selected Business Users
  Frequency: Bi-annually
  Notes: As new technologies or recovery providers are brought online or operational, a test of the capability should also take place.

Area: Incident Response Team (IRT)
  Who: Incident Team; Scenario dependent ‘guests’
  Frequency: Bi-annually
  Notes: The Incident Response Team needs to maintain a high level of preparedness in the event of an incident.

Area: Full Scale Test (one or more sites)
  Who: Incident Team; All Recovery & Business Continuity Teams; All recovery strategy providers
  Frequency: Min. Annually
  Notes: This exercise should be conducted at least annually. Due to the time and resource investment in organising an exercise of this type,

7.3.2 Scenario Based Event Profiles
Scenario based event profiles can be used for generating specific responses to particular events or scenarios, for an additional level of preparedness over a standard response set.
Understanding these events, scenarios and profiles may also benefit the production of more meaningful exercises, which can be targeted.

Area: Business & Strategic
  Who: Functions – standalone, inward facing, isolated; Process – straddles functions, higher degree of organisation; Activities, Contact Centre etc.

Area: Facilities
  Who: **Location1** (Head Office); Work area recovery – 3rd Party (as provided by Easy Continuity); Remote/Home
  Scenarios: Fire; Flood; Bomb Alert; Power Loss; Denial of Access (Temporary/Prolonged)

Area: Technical Recovery Solution
  Who: IT; Telecoms
  Scenarios: Recovery Strategies; Backups & Restore; Testing Days; Backup and Restore testing; Major component failure (Single Points of Failure)

Area: People
  Scenarios: Flu Pandemic; Fuel Incident – Shortage; Strike/Industrial Action/Walkout

7.4 Maintenance

7.4.1 Plan Maintenance – Guidance
A plan maintenance checklist is available (as additional guidance to this document) to assist plan owners and developers, and potentially internal auditors, with the task of regular and consistent Business Continuity Plan maintenance. Each phase of maintenance should consider a variety of possible changes which may affect the plan, its accuracy or validity. These have been listed as ‘Administration’, ‘Minor’ and ‘Major’ tasks within the guidance so as to provide an indication of their importance.

One checklist should be completed per plan per review and should be centrally maintained within a register of BC plans where a change copy is retained. The **ABC** standard should be that all plans, without exception, must be reviewed at least every 12 months for completeness and accuracy. Business critical functions should consider a review every 6 months as a minimum.

7.5 Audit & Review
The BCM Audit process ensures that the **ABC** capability is fit for purpose and has been maintained and adapted appropriately. The primary role of the audit function is to:
- Verify compliance with **ABC**’s policies, strategies and overall framework, including any additional guidelines or standards which have been published
- Review any Incident or Business Continuity plans
- Review any solutions
- Ensure all ongoing tasks such as exercising, testing, awareness and maintenance are being conducted as per the schedule
- Highlight any shortfalls in the programme and ensure these are risk managed and resolved

The organisation policy needs to determine the frequency of an audit. The minimum requirement would be to conduct a review at least every year, preferably in advance of other audits so as to allow remediation before them. Equally, there are other trigger events, such as a major business change or new business development, which would initiate a formal review or audit.

7.5.1 Audit Guidance Overview
The business continuity programme is tested and reviewed by internal audit as part of the outsourced audit programme. The results are subsequently reported to the EMT and the audit risk committee in line with the governance framework.