CHAPTER 2: SETTING UP THE BCM PROGRAM

BCM is now an important feature of successful organizations, where it is recognized as a program that is ongoing, maintained, and progressively enhanced. BCM is not a one-shot project. It is also not a piece of documentation that you download off the Internet and fill in its fields, then present to the auditors and regulators once or twice a year, and then return to a dusty shelf. BCM is not rocket science, yet it is not a simple checklist task. It needs careful setup and solid foundations in order to succeed and deliver its goals and objectives.

Gathering key success factors

The setup of the BCM program should be carefully thought out and implemented. History and the results from various implementations suggest several key success factors that can help the program succeed and sustain success. The interpretation and reflection of these key success factors may be different from one organization to another, yet the concept remains very similar.

Effective top-management involvement, commitment, and support

The first and most important success factor is effective involvement, commitment, and support from the top management for the BCM program. Top management refers to the set of executives running the organization and controlling its direction. Top management has the ultimate responsibility for protecting the organization and they are directly accountable for performing this responsibility. Regulations, standards, and laws mandate the top management with responsibility for the effectiveness and ownership of BCM programs. Their support and involvement should be displayed and communicated to lower employee levels in order to facilitate implementation as well as performing effective reviews of the BCM program. The commitment also mandates the top management to ensure alignment of the BCM program to the organization’s strategy and direction and the allocation of sufficient resources in order to run a successful implementation. Top management is also committed to ensure effective embedding of BCM within the organizational processes and continuous enhancement and improvement to the program.

Relevance

To be successful, the BCM program should be relevant to your organization. It should reflect the requirements of your environment and should be in line with the organization’s strategy and goals.

Meeting regulatory requirements and audit guidelines

Regulations are being increasingly introduced and enforced for several industries to mandate BCM implementation in organizations. It is important that the BCM program follows the guidelines issued by the regulators. These regulations can be used as a driving force behind establishing your organization’s BCM program. With similar importance, internal and external audit reports can be very helpful in designing and setting up BCM programs as meeting audit requirements is essential for successful BCM programs.

Sufficient resources

The BCM program, like any other program in the organization, needs to be allocated sufficient resources in order to be successfully implemented. These resources include support and buy-in, budgets, infrastructure, and qualified staff. The resources allocated should by all means be sufficient, but not over-allocated. Cost-benefit analysis should always be present in all resourcing decisions made for the BCM program.

Effective communication

Being of an organization-wide nature, the BCM program needs to be communicated across all levels of the organization and to relevant parties or stakeholders outside. Of course, various recipients need different messages, but the most important thing is to keep communication channels open and messages flowing in both directions. Effective and sufficient communication helps in managing expectations and collecting feedback and requirements. The key point here is to speak the organization’s language and keep things as clear as possible between all relevant stakeholders.

Satisfactory coverage

The BCM program should cover the organization’s key products and services as these are the most influential for the operations and survivability of the organization. Covering the key products and services with the BCM program ensures that threats to them are being assessed and managed proactively, thus mitigating the probability and impact of disasters.

Establishing the governance model

The BCM program should be established on a clear and effective governance model in order to facilitate its implementation and success. The model should have the various policies, roles, responsibilities, and accountabilities assigned to relevant stakeholders. The fact that BCM programs are organization-wide dictates that the associated governance model should be effective, adaptive, and enforced across the organization.

Typical BCM governance models should have the following features:

  • Involve the top management and display its commitment.
  • Include all BCM-relevant programs and practices like IT disaster recovery and physical security.
  • Have clear and documented roles and responsibilities.
  • Facilitate decision making, issue and conflict escalation and resolution, and policy enforcement.
  • Have effective representation from key areas across the organization.
  • Be subject to continuous audit and review.
  • Have open and effective communication channels.

The BCM governance models have three main components:

  • BCM policy
  • BCM reporting and management structure
  • BCM roles and responsibilities.


Figure 4: Components of BCM governance models

BCM policy

The BCM policy is the governing document for the organization-wide BCM program. The policy defines the shape and dynamics of the BCM program through its setup as well as its maintenance and enhancement phases.

The BCM policy should be owned by the BCM program owner in the organization. It should also be communicated and distributed to relevant stakeholders.

It is important that periodic and as-required reviews of the BCM policy are conducted in order to keep the policy up to date and relevant.

By devising the BCM policy, the organization sets the boundaries and the goals for its BCM program. Typically, a BCM policy would include [4]:

  • BCM program objectives;
  • definitions related to the BCM program;
  • BCM program principles, guidelines, and specifications including relevant programs like IT disaster recovery and physical security;
  • the scope of the BCM program;
  • resources allocated for the BCM program;
  • BCM reporting and management structures;
  • integration and links to applicable policies and standards in the organization.

BCM program objectives

Clear and specific objectives of the BCM program should be described. The BCM program should be relevant to the organization and so should the objectives. It’s also very useful to show the links between the overall objectives of the organization and those of the BCM program.

Definitions related to the BCM program

The BCM policy uses some specific terms and vocabulary that may have little meaning to people outside BCM practice. There may also be some terms that are in a generic form and need further customizations to give them more meaning and relevance to the organization. The policy should cover these two cases within the terms and definitions section by listing all the terms that are used and their meanings using the organization’s language and vocabulary.

One important definition is the definition of a disaster. The organization may define a disaster in many different forms since what constitutes a disaster for the organization is unique to it. Nevertheless, we can give a comprehensive definition of a disaster. This definition can then be customized as per the organization’s environment. A disaster may be defined as any or all of the following:

  • The total or large-scale failure of critical business processes, systems, networks, or infrastructure which is irrecoverable within required timeframes.
  • Fatalities, injuries, physical threat, or mass absence related to personnel and staff, or situations where they are prevented from carrying out their work for long periods of time.
  • Damage to facilities, data centers, or office spaces that would render them unusable or inaccessible for a long period of time.
  • Escalating situations where high impacts are being realized or are expected to be realized in the near future.

BCM program principles, guidelines, and specifications

This section of the BCM policy would focus on the main guidelines and practices of the BCM program. These guidelines and practices should be specific and categorized, covering all aspects and relevant sub-programs.

Scope of the BCM program

The policy should specify the scope of the BCM program and its activities. The organization may define the scope based on the products and services, geography, organizational structure, or any other aspect of the organization. It is of equal importance that the organization specifies the exceptions to the scope and the reason for such exceptions.

Resources allocated for the BCM program

The resources utilized within BCM program activities should be documented within the BCM policy. It is recommended that the organization list the financial, human, IT, and other resources that are allocated for the BCM program. It is also recommended to highlight the key requirements and roles of the allocated resources.

BCM reporting and management structure

The policy should define the overseeing and supervision structure as well as the daily management structure. It should provide the necessary specifications of reporting and information flows between the different stakeholders in the BCM program.

Integration and links to applicable policies and standards in the organization

The BCM program should be integrated and linked with relevant programs and practices within the organization. The policy should define the place of the BCM program relative to these programs as well as the information shared or flowing between the BCM program and these programs.

BCM reporting and management structure

Establishing the BCM governance model starts with the definition of the BCM program owner, or BCM owner. The BCM owner will be responsible for the effectiveness and success of the BCM program. The owner of the BCM program should be from senior or top management and is accountable for the success or failure of the program. This stakeholder may be the CEO or chairperson/president of the organization or another senior officer or executive, such as:

  • chief financial officer (CFO)
  • chief operating officer (COO)
  • chief risk officer (CRO)
  • chief information officer (CIO)
  • chief technology officer (CTO)
  • chief security officer (CSO).

There isn’t a right or wrong formula for determining which title or position is suitable and which is not. It depends on the type and structure of the organization. The key feature is to have a strong and empowered person behind the BCM program. In large organizations, the BCM owner may be helped by a group or a committee that provides assistance and supervision across the organization and would also be responsible and accountable for the effectiveness and success of the program along with the BCM owner.

After defining the owner of the BCM program, we shall give the BCM owner some help in running and implementing the program. This help comes from the BCM team, which is headed by the BCM manager. Their main role will be to coordinate all the activities related to the BCM program across the organization.

Again, we will give some help to the BCM manager and the team; a group of coordinators across the organization is named to help the BCM manager coordinate and implement the BCM program. Being native to their areas, departments, regions, or specialties, the coordinators will act like local BCM managers in their areas. Their roles are focused on communicating requirements and helping in documenting, exercising, and maintaining the BCM plans. They will also take part in the BCM knowledge transfer process to other employees in their areas.

Now what else do we need? We talked about including all BCM-relevant programs, like IT disaster recovery and physical security, in the governance model.

Why do we need to do this? Simply put, the readiness of the organization is made up of several components. If any of these components gets affected by a disaster, then the whole of its readiness will be affected. Creating unified BCM governance across the organization would be very helpful in aligning all these programs together to serve one goal: to mitigate disasters as much as possible and be able to manage them if they occur.

Adding these to the governance model may be done in two ways. The first is by making them report to the BCM manager as a centralized coordinator for the BCM activities in the organization. This results in a high level of integration and alignment because it happens on the operational level. The second is by making them report to the BCM owner and committee as ultimate owners of the BCM program across the organization. Both ways should give similar results, yet the dynamics associated with them are different depending on the organization’s environment.


Figure 5: BCM governance structure

BCM roles and responsibilities

So far, we have identified a BCM owner and committee, a BCM manager and team, and the relevant programs included. What we need now are the roles and responsibilities that are assigned to various stakeholders of the BCM program.

We have three levels for which the roles and responsibilities need defining:

  • BCM owner and committee
  • BCM manager and team
  • BCM coordinators.

BCM owner and committee

As mentioned earlier, the BCM owner and committee are accountable for the success and effectiveness of the organization-wide BCM program. They are the ultimate decision makers and the resource providers for the program. That’s their main role. As for the derived responsibilities, the list includes:

  • leading the organization’s BCM program in normal and disaster conditions;
  • reviewing and approving BCM program components;
  • assigning resources (financial and non-financial) to successfully implement the program;
  • monitoring and evaluating the effectiveness of the BCM program;
  • acting as a higher level of escalation and resolving conflicts and issues relevant to the BCM program;
  • handling internal and external communication relevant to the BCM program;
  • enforcing the implementation of BCM policy across the organization.

BCM manager and team

The BCM manager holds the role of coordinating the BCM program implementation across the organization. His/her main duty is to keep the wheels running and report on progress or problems to the BCM owner and committee. The BCM manager has an important role in times of disaster and crisis. His/her roles and responsibilities include:

  • coordinating between all relevant BCM stakeholders and teams across the organization;
  • participating in the BCM decision-making process at operational and strategic levels in normal and disaster conditions;
  • acting as internal consultant and subject-matter expert in BCM-related fields;
  • assisting other teams in the organization in assessing and managing risks and threats;
  • creating effective BCM processes, procedures, and service-level agreements, and supervising their implementation;
  • managing BCM-related projects;
  • devising and delivering structured and effective organization-wide BCM awareness and training programs;
  • reporting to the BCM owner and committee on the progress of the BCM program and escalating issues and conflicts for resolution;
  • reporting to the BCM owner and committee on incidents and disasters affecting the organization;
  • managing various BCM coordinators across functional and organizational units;
  • embedding BCM within the organizational culture.

The BCM manager is supported by a specialized and competent group of officers, specialists, and analysts. Reporting directly to the BCM manager, their list of responsibilities includes:

  • assisting the BCM manager in implementing the BCM policies and procedures;
  • assisting the BCM manager in managing BCM coordinators across the organization;
  • assisting in managing crises and disasters;
  • providing consultations to various parties within the organization regarding BCM;
  • assisting the BCM manager in delivering the BCM awareness and training programs;
  • participating in various activities related to the BCM program, e.g. business impact analysis (BIA), plan development, and testing, and reporting on progress to the BCM manager;
  • participating in update and change management of BCM documentation.

BCM coordinators

BCM coordinators are the local BCM managers within their departments, groups, or functional units. Their main role is to ensure that BCM activities and requirements are being implemented in line with the BCM policy and guidelines set at the organization level. Their list of responsibilities includes:

  • assisting in collecting and validating departmental BCM requirements;
  • assisting in developing the departmental BCM documentation, e.g. the BCM plan and related update and change management activities;
  • assisting in conducting BCM testing;
  • acting as departmental BCM consultant;
  • helping in the delivery of BCM awareness and training programs.

Establishing the BCM organizational unit

Running the BCM program is a full-time job. All the tasks of coordination, planning, testing, and activation are resource-hungry and require specialty knowledge and involvement.

Implementations of BCM programs across the world are shifting to the establishment of a specialized and recognizable unit of the organizational structure that is dedicated to the BCM program. The head of such a unit has the role of the BCM manager, who is supported by a team of BCM professionals.

In order to create an active BCM organizational unit, we need to answer these questions:

  • Where shall the BCM unit be located?
  • Who will be titled the BCM manager and who will join the team?
  • How many resources do we need for this unit?

Answering such questions is not easy as they have no right or wrong answers. The answers are highly dependent on the nature and dynamics of the organization. There might also be a little bit of politics and negotiation involved here. We will go through each of these questions and try to find the most suitable solution for your organization.

Where shall the BCM unit be located?

To start answering this question, let’s first see what the BCM unit needs from its location on the organizational structure:

  • visibility across the organization
  • sufficient authority and power
  • easy access to all departments and functions
  • easy access to top management, and the BCM owner and committee
  • integration with relevant programs.

The best suggestion here is to place the unit so as to directly report to the BCM owner. As we discussed earlier, the BCM owner could be the chairperson, the CEO, or another executive, like the CRO, CFO, COO, CSO, or CIO.

Reporting to the CEO

This is the optimal case for the BCM unit location, yet it is not the most implemented. The good part of such a placement is that you get support, visibility, and sufficient authority and power. The not-so-good side, and this might be highly debatable, is that it only works in mature organizations where the environment is highly stable and governed. There is also a lot of effort needed to integrate with other programs and disciplines like risk management and quality. Nevertheless, if you have the chance to locate the BCM unit as directly reporting to the CEO, do it.

Reporting to the CFO

The CFO is an important executive and has an almost complete view over the financial dynamics of the organization. The CFO is usually a highly empowered person. Making the BCM unit report to the CFO would give sufficient authority and power, and access to top management and departments. Yet there are some points to consider here. Since CFOs usually deal with numbers, it would sometimes be hard for you to sell them something that is not quantified, which happens very often in the BCM program. Also, they might influence the direction of the BCM program towards financial risks and threats. Financial impacts are very important, but there are also other types of impact that need to be considered and weighed.

Reporting to the COO

The COO is a good candidate to hold the role of BCM owner. Making the BCM unit part of the COO’s team would give the required level of authority and power, and easy access to departments and functions as well as top management. The only point to consider here is integration with other programs, especially that of risk management.

Reporting to the CRO

Risk management is getting more mature and important within organizations these days, especially in the financial sector. Locating the BCM unit within risk management is an increasingly adopted option. Risk management has easy access to top management, even at board level, with the same easy access to departments and functions. If BCM were located within risk management, it would benefit from the existing governance frameworks utilized by risk management. Integration with other relevant disciplines is easier and more effective. The point to remember here is that BCM should not dissolve within the culture of risk management and should be more active in the operational aspects.

Reporting to the CIO/CTO

This is the least adopted option in modern BCM program implementations. BCM is an organization-wide program that includes business, technical, and management elements. Locating the BCM unit within the technical functions would impact its organizational view and might lead to overestimating technical aspects over those that are non-technical. On the other hand, technology is a facilitator and enabler of the business and management lines and BCM is not an exception. BCM is driven by business and management and therefore it should be as close as possible to business and management.

Reporting to the CSO

CSOs handle the security aspects of the organization’s assets and operations, covering information security and physical security. BCM is being covered as a principal element within security since they share methodologies and practices. The good thing about having the BCM unit reporting to the CSO is the integration and utilization of existing resources. The points to consider here are the existence of the CSO position and where the CSO is located in the organizational structure.

Who should be the BCM manager and who should join the BCM team?

The BCM manager and his/her team play very important roles within the BCM program. They are the coordinating function across the organization. They interact with almost all stakeholders and play a significant role in times of disaster.

To lead a successful BCM program, the BCM manager should:

  • enjoy a mix of key skills, competencies, and expertise;
  • be familiar with the organization’s business, industry, dynamics, and environment;
  • be familiar with risk assessment and management;
  • have strong analytical skills;
  • have strong negotiation skills;
  • enjoy strong communication skills;
  • have a good financial background;
  • have a strong technical background in the fields of technology that the organization uses, like IT;
  • enjoy a good degree of flexibility;
  • be a good presenter;
  • be familiar with BCM programs’ setup and maintenance;
  • have a project management background and experience;
  • be able to understand various processes;
  • preferably be a member of a specialized BCM body like the Business Continuity Institute (BCI) or Disaster Recovery Institute (DRI).

A BCM manager needs several years of experience to be able to lead a BCM team. Of course, this depends on the personal characteristics of the nominated candidates.

As for the BCM team, members will be helping the BCM manager in daily tasks as well as specialized initiatives and projects. They also should enjoy a group of skills and expertise and should:

  • be familiar with the organization’s environment;
  • have a background in technology;
  • have good presentation and communication skills;
  • be team players;
  • have effective learning skills;
  • be self-starters and have initiative;
  • have analytical thinking skills;
  • have a positive attitude towards others.

BCM officers, specialists, and analysts should possess some years of experience. Yet there are some cases where juniors and fresh graduates have successfully made their way into the field.

How many resources do we need for the BCM unit?

Now that we have defined the reporting lines for the BCM unit as well as the selection requirements for the BCM manager and their team, we need to define one more thing, which is the size of the BCM team.

To determine this variable, we need to consider the following points:

  • Being part of the BCM team requires a certain mixture of specialization and expertise.
  • The BCM unit’s tasks are mainly to coordinate activities within the BCM program.
  • The BCM team is supported by a group of BCM coordinators across the organization.
  • The organization will have its own resourcing policy and culture.

Again, there’s no definite size or ratio for the size of the BCM team. The suggested approach here is to start with a small number and increase it as the BCM program progresses into maturity. When sizing the team, the BCM manager should also consider covering the main areas of his/her tasks:

  • business recovery planning
  • technology and location recovery planning
  • training and awareness
  • crisis management
  • geographical and locations coverage.

Organizations with a regional or international presence

Special consideration should be given to the geographical distribution of the organization. For an organization that has most of its operations, market, and stakeholders within a specific area, most, if not all, of the relevant stakeholders can be involved in the program. On the other hand, when the BCM program spans borders and regions, things become relatively harder and a balance of flexibility and strictness is needed in the implementation.

The first consideration is to have a local BCM “super coordinator”. The BCM super coordinator differs from the usual BCM coordinator in that their assigned responsibilities usually cover multiple departments and, sometimes, smaller organizations. In the latter case, it is becoming more common now to have regional BCM managers and teams reporting to the global BCM manager and team. It is highly dependent on the nature of and the dynamics between the entities of the organization and the governance structures involved.

The other consideration is deciding whether you want a different BCM owner and committee at the remote location or not. There might be different regulations and laws, or impracticalities involved that make oversight and control difficult and ineffective by the original BCM owner and committee. In that case, there should be a link created between the two BCM owners and the relevant committees.


Figure 6: BCM governance model with international presence

[4] British Standards. BS25999-1:2006 Business Continuity Management – Part 1: Code of Practice. (2006).
