BCM implementations follow a logical sequence of activities by which information flow and analysis are conducted. These activities and implementations are grouped in phases or stages, where each phase or stage makes use of the others. The progressive, continuous sequence of these phases or stages is called the BCM life cycle.
I find the term “life cycle” very descriptive and fit for the overall BCM purpose and concept. The first word “life” indicates progression, development, growth, and maturity.
The second word “cycle” indicates continuity, iteration, and persistence. Both provide strong indicators to many of the features that successful BCM programs should possess.
Now we have finished the setup of the different elements of the BCM governance model, we can move on to the implementation of the BCM model, or the BCM life cycle.
The BCM program will include a set of initiatives, projects, and task packages that achieve certain goals. There are two main approaches that can be followed here:
The first approach is useful when the organization has already implemented some phases or stages in previous projects, sometimes through different specialties, like information security or IT disaster recovery. What will be needed is to complement and build upon the other stages or phases to complete the life cycle.
The second approach is preferred when the organization has not implemented the BCM life cycle before. It is more beneficial when an experienced consultant is recruited to implement the life cycle. With such an approach, effort and resources are more dedicated and more attention is given to the project than the regular tasks being executed on a daily basis.
The focus here will be on using the second approach. The reason for this selection is to show the integration and sequence features of the BCM life cycle. Nevertheless, different phases or stages of the BCM life cycle can still be implemented separately.
The BCM project will include all the BCM life cycle phases or stages. The project will lay the foundations for the BCM program and implementations in the organization along with the BCM governance setup. As with all projects, launching the BCM project will require a set of components. Of particular importance among these components are the following:
These components include vital and critical information for initiating the project.
The business case answers the very fundamental question of why the organization should undertake the BCM project. It includes all the rationale and drivers behind performing the project.
For BCM projects, the business case may not be so easy to define. However, there are some common drivers and needs that can significantly help in defining it:
The most important features of your business case should be relevance, flexibility, and practicality. Asking for too much might prematurely kill the effort. On the other hand, promising too much will very probably damage the program’s credibility and put the whole BCM program at risk.
The terms of reference (ToR) of a project define the scope, deliverables, project structure, project roles and responsibilities, resources and budgets, and timelines. In the case where an external consultant is hired, the ToR provide the basis for their contract.
For the scope, you should identify what the scope of the project activities will be for:
Such scoping of the project may be the same as for the BCM program or could be a subset of it.
For the deliverables, the BCM project should include the following deliverables. Please note that these deliverables are delivered through different phases of the BCM life cycle:
As with the business case, the golden rule is to be relevant, flexible, and practical.
Roles and responsibilities list the various stakeholders of the BCM project and what their roles are. A good place to start is the list of roles and responsibilities defined within the BCM governance model. Make sure that you have all the various roles assigned to their owners.
Resources and budgets need to be defined here. Seek help to design your budget requirements from professional bodies, consultants, and peer organizations. Add a margin as a cushion for expected delays or scope changes. Make sure you challenge your budgeting assumptions carefully as you will need to defend your requirements in the face of budget cuts and shrinkages. It’s also beneficial to have the stakeholders review and communicate their views on the budgets and resources as this can help rationalize the decisions and make them more relevant to the organization. The same applies for the timeline. The golden rule of being relevant, practical, and flexible should always be considered in this area.
The communication plan controls what messages and reports are to be communicated between the project’s stakeholders. It also defines how these messages and reports are delivered.
For a BCM project, it is very useful to draft the communication plan to ensure all the stakeholders are involved. A proper communication plan will enable progress, risks, and issues to be correctly communicated and addressed.
The project risk register documents the identified threats to the project and how to manage them. For a BCM project, some of the risks can be:
It is worth noting here that the types of risk facing the project are highly dependent on the dynamics of your organization. Seek help from your project management office (PMO) or similar functions, peer organizations, industry forums, or consultants to define your risks and establish your risk register. Risk registers are living documents. They should be periodically reviewed before, throughout, and after the completion of the project.
Now all the start-up documentation is ready, we can define the BCM project hierarchy:
It is clear now that the previously established governance model becomes more consistent and integrated throughout the implementation of the BCM life cycle.
Business impact analysis is the most important phase within the BCM life cycle. It constitutes the foundation or basis upon which all later stages and phases depend. The objectives of BIA are to identify:
Identifying the above would allow the BCM program to be built to “serve and protect” the most critical aspects of the organization, thus ensuring the survival of the organization should disasters and crises occur.
The BIA process needs careful planning, follow-up, and coordination to succeed. It also requires relatively extensive resources to complete it. The BIA process would follow the logical sequence of:
1 gathering data and requirements;
2 challenging, validating, and signing off data and requirements;
3 analyzing and reviewing;
4 reporting and approving BIA results.
The scope of the BIA should be same as that of the BCM program. Nevertheless, if the BIA is expected to take a very long time or needs extensive unavailable resources, then the BCM project manager can start with a BIA limited to certain parts of the original scope and then cover the other parts in later BIA implementations. Naturally, the BCM owner’s approval is essential for following such approach.
Gathering data and requirements starts with selection of the right tools to use, which are mainly summarized within three tools:
For successful data and requirements gathering, the BCM manager should use all three tools. Workshops generate results of good quality, but they are relatively difficult to conduct. Questionnaires generate large amounts of data in a short time, but the quality is not that good. Interviews are useful when there are some specific questions that need answering. Knowing that, your data gathering may be something like:
When designing the questionnaires, you may use whatever methods are appropriate for your organization, from paper questionnaires to spreadsheet or word-processing software to specialized software designed especially for business continuity. Whatever the method selected, the questionnaire should gather details about:
There are some specifications that are globally adopted in BCM programs and are identified within the BIA:
When specifying impacts, there is a set of common areas of impact to investigate and identify. While the set of impact areas varies from one organization to another, there are some principal areas to consider.
On another level, when investigating specific impacts, the impact measurement and rating scheme should be established: qualitatively or quantitatively. If numbers are available and accessible, quantitative impacts are more accurate, yet at the end there should be some lines drawn to determine criticalities and priorities; that’s when we go back to the qualitative approach. Otherwise, the qualitative approach seems more usable and applicable.
Now, once the questionnaires have been designed, they should be reviewed with the BCM owner to get endorsement and capture other requirements that might be needed in later phases or stages of the BCM life cycle.
After obtaining the BCM owner’s approval of the questionnaires, they should be distributed to the BCM coordinators. Group workshops or one-to-one meetings are conducted to introduce the BCM coordinators to the questionnaires and explain how the BIA process will be performed. It is important here to highlight and stress the importance of the deadlines set for completing the BIA. This step is important since it will help the BCM coordinators plan how best to contribute to the BIA process.
Now the BCM coordinators have the BIA questionnaires, there should be constant follow-ups with the BCM coordinators to check on their progress and whether they have inquiries or questions that need answers. There may also be a need to hold workshops or meetings for coordinators, especially to resolve dependency issues.
The information provided from the first phase of data and requirements gathering should be put through several challenge and validation cycles at different levels. The main reason for this is to ensure that correct data are provided and requirements documentation is properly produced. The main concerns about the provided data are incompleteness, inaccuracy, and unfair (overestimation or underestimation) ratings of requirements.
The first challenge and validation level is with the process/activity owner and BCM coordinator. For this level, all sections of the BIA should be visited, making sure that all data and ratings are provided and are justifiable. If there are noticeable points or concerns to highlight, they need to be brought up for discussion in order to be resolved.
If they are not resolved, these concerns need to be raised to the next validation level: the business unit head. For this, a one-to-one meeting between the business unit head and the BCM coordinator should be held. Within that meeting, the questionnaire should be introduced and its various sections walked through. This meeting is the right place to raise any unresolved issues or noticeable points that require clarification and decisions to be made. Once finalized, the business unit should sign off the questionnaire for completeness and accuracy of data provided.
There’s one guideline to follow here; the data contained within the BIA questionnaire is owned by the business unit. The people at the various business units are the experts in their areas and they are responsible for the validity of the information they provide. The BCM team’s role is to help them follow the process properly. The more the BCM team follows this guideline, the more successful it is in the BCM program.
The analysis of data and requirements provided through the BIA questionnaire focuses on defining the RTO, RPO, and criticality of processes/activities within the scope. It also defines the resources required to continue working and recover the processes/activities at alternative work locations. Achieving such a results is not easy and it involves many variables. Impacts related to staff well-being, adherence to regulations and laws, financial implications, reputation and image, and other impacts should be investigated taking into consideration the dependency map of the processes/activities.
There’s also the concept of “seasonality” of processes. The season of a process/activity is when the criticality of this process/activity becomes higher due to more severe impacts being expected. Examples of seasonal processes/activities are payroll, regulatory reporting, stock inventories, etc.
When defining the BIA results, there should be room for scenarios where some processes/activities may be highly utilized in disasters or crises while they enjoy moderate utilization in normal working conditions. For example, the organization’s website or portal may not be critical to the operations and business but during a disaster it could be very helpful for internal and external communications. Thus its criticality is upgraded and a more demanding RTO and RPO are required.
Once all the requirements have been defined, a report should be produced for the BCM owner and committee containing all of the BIA results. A typical BIA report would include:
Approval of the BIA results is the responsibility of the BCM owner and committee. Their approval should be documented for audit purposes.
Now that the critical aspects of the organization have been identified, we should start our proactive approach towards protecting them. BCM is not only about reacting to and recovering from disasters; it is also about mitigating the probability of their occurrence and their impacts when they do occur.
A comprehensive look at the critical aspects of an organization would identify the main components of these. In almost all organizations, these components are:
Having this component breakdown should make the process of threat identification easier and more focused. The list of threats facing the above components of critical aspects of an organization is highly dependent on the organization’s environment and nature. But the main point here is to keep an open mind, not only about external threats but also any internal weaknesses that may introduce high impacts.
External threats and internal weaknesses are translated into risks by defining probabilities and impacts where:
Risk = probability x impact
Graphically, a matrix is used to illustrate the various ratings of risks. A selection should be made here between using a quantitative approach or a qualitative approach for defining probabilities and impacts. It is suggested that it is kept simple and consistent with the approach used in the BIA.
Identifying external threats and internal weaknesses is only one step; deciding how to treat them comes next. Risk treatment should be in line with the organization’s risk appetite and risk tolerance. Risk appetite is simply how much risk the organization is willing to take, or manage. Related to risk appetite is risk tolerance, which defines the amount of risk the organization is willing to accept. It is the organization’s pain threshold for risk.
There are common risk and threat treatment options to select from:
As a rule, managing certain risks requires a mix of treatment options, for example managing risks to continuity and protecting your organization’s critical aspects in a cost-effective manner.
The process of threat and risk assessment starts with looking at the components forming the critical aspects of the organization and trying to identify the threats that face them and which could affect their operations. There are suggested sources that can help you identify the threats and risks:
After defining the risk and threat sources, define what will be used for the scoring methods for both probability and impact. Then obtain approval from the BCM owner and committee on the list of identified threats and the scoring methods.
The next step is to decide how to treat identified threats and risks, bearing in mind both applicability and cost. Obtain approval from the BCM owner and committee on these decisions.
The final step in this process is to document your selected options to treat threats and risks along with the estimated costs in a risk treatment plan. The BCM owner and committee should approve this document.
We now move to the next stage of the BCM life cycle; strategies and risk treatment plans (RTPs). The BIA defined the critical aspects and the continuity requirements of the organization. Threat and risk assessment defined the threats and risks for those critical aspects and what the management actions would be for those risks and threats. What we need to do now is to decide what strategies should be selected to satisfy the continuity requirements and how the threat and risk assessment management actions will be translated into practical and applicable plans. This phase in the BCM life cycle is called determining the BCM strategy. In this context, the BCM strategy may be referred to as the
BCM continuity options. The two terms are used interchangeably.
The main outcomes of the strategies selected will be:
The guidelines for choosing the right BCM strategies and RTPs are:
The scope of the strategies and RTPs is mapped to the organizational components listed previously:
People are the core BCM objective and ensuring their protection and continuity is not an easy thing to build in and establish. The strategies and RTPs for the people component should serve four main goals:
To achieve these goals, there are suggested continuity strategies:
The RTPs should focus on the following techniques:
Strategies and RTPs focusing on premises ideally concentrate on scenarios resulting in the non-usability of the sites and locations of the organization.
The most common approach for BCM strategies for premises is the use of alternative locations if disasters or incidents occur. There are, however, other BCM strategies that may be useful to the organization such as:
There are several points that need an extra degree of focus and attention. The first of these is that when selecting alternative locations, the risks and threats that surround the primary location should be minimized as much as possible in the alternative one. Some of the preferable features that alternative locations should have are as follows:
The definition of each of the above features is left to the organization and how much they are willing to invest in their alternative locations. Alternative locations may be left unused except for times of testing and invocation or may be locations that are already active and in use.
The second point is that when selecting professional hosting service providers, extra care should be given to the contractual terms covering the type and length of use, invocation, testing, and security, and the privacy issues of both parties and the information situated at those sites. The same concepts apply for reciprocal agreements.
As for the RTP focusing on premises, the range of options should focus on:
Technology plays a very important role in an organization, where it is now considered the backbone of operations and information usage. When designing and selecting BCM strategies to deal with technology, the restricting factors are:
The selected BCM strategies list can contain:
The selected strategy should be flexible enough for update and enhancement due to the evolving nature of technology in terms of complexity and advancement.
There’s a chapter later in the book dedicated to the technological aspects of BCM.
The RTPs covering technology are highly integrated with the continuity strategy as they should focus on introducing more resilience to technology. Resilience means the ability and capability of the organization to recover from incidents in a rapid manner without the organization being affected.
The integration between BCM and information security is highly visible in this context. Most of the RTPs handling technology are within the domain of information security where the above-mentioned four main requirements are met in a cost-effective and practical manner.
Information is the lifeblood of an organization. Interactions of the various types of information define many of the organizational components. Strategies selected for information should satisfy four main requirements:
The strategies should also cover all types of information: electronic and hard copy:
RTPs for information are shared with the technology RTPs and are covered through a robust information security program. RTPs should meet the four main requirements mentioned earlier:
Organizations today exist in a world of interactions and interdependencies. An organization’s products serve as inputs and supplies to other organizations. Therefore, it is critical for an organization not only to look after its internal operations and environments, but also to consider its reliance on others to maintain its operations and environment.
The BCM strategies for supplies should focus on:
RTPs for supplies should also cater for:
Internal and external stakeholders are those who are linked to the organization and have an interest in it. They are consequently affected when disasters and incidents affect the organization. Different types of stakeholder require different needs to be met. It is difficult to identify the appropriate BCM strategies for all stakeholders. The main point here is to identify the organization’s key stakeholders, discover their requirements, and design your strategies to meet such requirements. In particular, stakeholders with special needs should be catered for with regard to their welfare and protection.
Once the strategies and RTPs are selected, the BCM owner and committee should sign them off in order to mandate other stakeholders within the organization to start implementation and execution of the selected set of strategies and RTPs.
Now that we have defined the continuity specifications for the organization and decided the strategy to follow to meet such specifications, we get into the phase of documenting the continuity plans and implementing selected strategies and RTPs.
Starting with BCM planning, let’s consider the situation when a disaster hits. Most probably there will be some chaos. There might also be some haphazard decisions made that make the situation even worse. If we want to plan for managing disasters and crises, then we should be focusing on two main plans:
The main purposes of the CMP are to:
The main features of the CMP are simplicity and effectiveness and it should meet the continuity specifications set earlier. The CMP should also be linkable to the BCPs that may be invoked in later stages.
There are two main approaches to follow when developing the organization’s CMP:
A typical CMP should contain the following sections:
CMPs are for managing the disaster at the organization level. They are responsible for ensuring that the organization, as one entity, goes through the disaster safely and with minimum losses and impacts. CMPs provide the basis from which more specific plans are created and used.
BCPs, on the other hand, are those plans developed to recover specific functions, processes, activities, or assets from disasters and ensure they provide their services internally within the organization and externally to clients, vendors, and other stakeholders within acceptable levels and specifications. Within BCPs fall the IT disaster recovery plans (DRPs), which we will cover in more detail later in the book.
A typical BCP’s contents should allow the recovery of specific functions according to approved continuity specifications. These contents include:
We have now progressed a good way into the BCM life cycle, from initiating the life cycle to BIA, risk and threat assessment, BCM strategies and RTPs, and planning. Now we need to communicate all of this progress to the relevant stakeholders for the organization. This communication has two main processes:
The BCM training and awareness processes start with the training needs analysis (TNA). Within the TNA, you can identify the existing level of BCM knowledge and skills within the organization. Once existing levels are defined, you need to define the desired levels of BCM knowledge and skills needed for the organization and how these will be delivered. As well as delivering BCM training and awareness, we need to measure the effectiveness of these processes. Useful tools for this may be:
When delivering the training and awareness messages, make sure that the language used is relevant to the recipients’ levels of knowledge and interest. The methods used to deliver the training and awareness messages vary from one organization to another. Common methods may include:
Training and awareness programs should be consistent and continuous, without burdening the recipients or diluting the importance of the messages.
As mentioned above, BCM awareness aims to create a sufficient level of knowledge across the organization relevant to the BCM program, its components, and deliverables. The BCM awareness process should trigger the organization stakeholders to:
The BCM training process builds advanced knowledge and skills within specific stakeholders to ensure that their contribution to the BCM program, both in normal business conditions and in disruptions, is up to the level required. The BCM training process splits into two main streams:
The testing phase of the BCM life cycle aims mainly to validate the plans and documentation against recovery objectives and continuity specifications. There are, however, other goals that testing serves. Testing is a very good tool to leverage the awareness and training levels of the relevant stakeholders, since active participation and the iteration of tests and exercises instill good levels of knowledge and skills. It also increases the level of confidence in the BCM program both inside and outside the organization as people see that the plans they participated in developing are actually working and come into action when they are needed. Overall, improving the testing processes increases the level of BCM program maturity for the organization. Proven evidence of testing is now a regular internal and external audit area as well as a regulatory requirement.
There are some guidelines that the BCM professional should follow when developing the testing and exercising process. Certain types of test need careful planning as they themselves can turn into disasters to the organization. Every test should serve a certain goal and have a specific objective. Doing haphazard tests serves no one and will waste resources. They can easily make you lose support and momentum inside the organization for the BCM program.
The BCM testing process starts with a testing plan. The testing plan is prepared at the beginning of each year and it identifies the scope, types, dates, resources, and objectives of all tests. At a minimum, the scope of the testing plan should cover the critical aspects of the organization at least once a year. Make sure to consult the BCM owner and committee, process owners, auditors, and other stakeholders when preparing the testing plan. The plan should be reviewed and approved by the BCM owner and committee.
Before the planned test date, the BCM professional should introduce the test to the participants and obtain their sign-off on the test scope, type, date and time, and steps.
After that, the tests are conducted and after execution the results reported to the BCM owner and committee with observations and recommendations.
BCM tests and exercises vary in terms of resource requirements and complexity:
A BCM program is continuous and ongoing by nature. BCM is not a project; neither is it a set of templates and documents developed two years ago. The BCM life cycle is iterative by nature and the phases are rerun either periodically or when needed to keep the BCM program fit for purpose and relevant.
Organizations are dynamic entities which are continuously in a state of change and evolution. The BCM program should be kept up to date, current, and relevant to the organization. Not doing this would jeopardize an organization’s readiness to manage disasters and can increase the probability and impact of threats facing the organization.
The BCM life cycle rerun is triggered by two types of triggers.
Most standards and best practices suggest reviewing the BCM life cycle phases and components at least once a year. Best practices suggest that critical aspects of the organization and their relevant documentation and preparations should be revisited twice or more a year.
There are triggers other than time for rerunning the BCM life cycle, such as:
Successful BCM programs incorporate both triggers for rerunning the BCM life cycle.
Rerunning the BCM life cycle does not necessarily require the same resources and time required in the first run. The BCM manager and his/her team should plan the life cycle rerun carefully with the best utilization of resources and the achievement of the required goals.
We need to define the scope of rerunning the life cycle. This means defining the aspects to be reviewed and updated organizationally (departments, processes, etc.) and functionally (locations, technology, products and services, etc.).
Once the scope is defined, you need to plan for the rerun and get approval from the relevant stakeholders, including the BCM owner and committee, department heads, and process owners. The planning should be flexible in order to get the buy-in from them. Departments and process owners in particular have a lot more to do than updating the BCM life cycle. The rerun can be in a small area that only needs a work package or an agreed task list. It can also be a big rerun affecting a large part of the organization and so needs to be delivered through a dedicated project.
Once buy-ins and approvals are there, we can start the rerun activities. Periodic and as-needed reporting should be made available to the BCM owner and committee as well as relevant stakeholders. The result will be an up-to-date and current BCM program that effectively minimizes threats and manages disasters.
3.135.192.141