CHAPTER 2: OVERVIEW OF THE BCM PROCESS

This chapter provides an overview of the BCM process and an introduction to Chapters 3 to 9 of this book.

Unlike its predecessor, ISO22301 doesn’t include a ‘model’ for the BCM process – something the former called ‘the BCM Lifecycle’, which was, in fact, quite similar to the ‘Plan-Do-Check-Act’ (PDCA) cycle which does form part of the basis of the Standard.

Whilst the resulting BC plans, and the organisation’s ability to prevent or withstand interruptive incidents should ultimately be the same, the mechanism by which an ISO22301 compliant management system delivers these is distinctly different from BS25999.

This book’s predecessor looked at the rationale for executing all of the BCM lifecycle’s six components, on the basis of the ‘whole is greater than the sum of the parts’. However, the structure of ISO22301 is consistent with other ISO management system standards, and it is really self-evident that for a management system to be compliant, it really must meet all of the specification, not selected parts of it. It is also intuitively obvious that most of the operation of the system simply cannot be done unless the scoping, specification and planning elements are in place.

The key sections of ISO22301 are:

Section | Title | Main components

4 | Context of the organisation | Establishing and documenting:

  • What the organisation does, and the potential impact of disruptions
  • Relationship with other policies and wider risk management
  • Contractual and other requirements
  • Who are the interested parties
  • Scope of the management system

5 | Leadership | Establishing and documenting:

  • Leadership and commitment with respect to BCM
  • A BCM policy
  • Roles, responsibilities and authorities

6 | Planning | Determining and documenting:

  • The risks and opportunities presented by the objectives and requirements
  • BC objectives and plans to achieve them
  • Minimum acceptable levels of output
  • Some form of project plan, with an evaluation mechanism

7 | Support | Establishing a range of resources that underpin the BCMS, including:

  • A competence system
  • An awareness programme
  • A communications plan, to include both incident and non-incident situations
  • Documentation and its management

8 | Operation | Planning and implementing processes that deliver:

  • Business impact analysis and risk assessment
  • Strategies
  • (Contingency) resources
  • Impact mitigation
  • Incident response structure and plans
  • Exercise and test arrangements

9 | Performance evaluation | Determining and documenting arrangements for:

  • Monitoring, measurement, analysis and evaluation
  • Internal audit
  • Management review

10 | Improvement | Establishing procedures for:

  • Non-conformance identification, reporting and consequence control
  • Corrective actions (system changes)
  • Continual improvement

Figure 2: Key sections of ISO22301

Context of the organisation

Understanding of the organisation and its context

Some see this section as unnecessary; however, it provides evidence that the system is based upon a proper consideration of how the organisation works, its priorities and objectives.

Essentially, the system should include documented information on the following:

  • The organisation’s activities, functions, services and/or products, and its relationships with other parties, including its supply chains.
  • The potential impact that might arise from a major operational disruption.
  • How the business continuity policy fits into the organisation’s overall activities, its other risk management policies and activities, and any other policies (such as information security, environmental management or human resources).
  • Risk appetite and risk criteria.
  • Internal and external threats – the Standard describes these as ‘the external and internal factors that create the uncertainty that gives rise to risk’.
  • The defined purpose of the BCMS.

In a way, the Standard is asking for proof that you really need BCM, that you understand the benefits of having it, and that everything is based upon an identified level of risk, or impact, tolerance – the risk appetite.

Understanding the needs and expectations of interested parties

Another facet of the rationale for the BCMS is understanding the needs and expectations of ‘interested parties’. Aside from the obvious interest of the organisation’s owners, it does make a lot of sense to establish what other interested parties might require, or expect, when it comes to operational resilience and the risks of interruption.

Interested parties may include:

  • Customers or clients
  • Employees
  • Shareholders
  • Suppliers
  • The local community
  • Licensors
  • Insurers
  • Bankers.

In most cases, the most significant of these is likely to be customers or clients, as they are likely to be the most affected by an interruption to the provision of products or services, and therefore to inflict the greatest long-term impact by, for example, not renewing a contract.

Determining the scope of the business continuity management system

Scope, in the context of organisational resilience, is something of a double-edged sword. On the one hand it means that by defining a narrow scope, an organisation can secure certification under this, and many other, standards, but on the other hand, this would also mean that the organisation is not as well protected as it would otherwise be, and unwitting customers may be duped into thinking that their supplier must be as resilient as possible because they have a BCMS certified to ISO22301. The Standard allows the organisation to decide what its scope should be, and this may come in the form of:

  • Products and/or services
  • Regions, areas or territories
  • Operating divisions or other organisational entities
  • Sites, locations or individual buildings
  • Departments or divisions within an individual site or operating unit.

The scope should ideally be based upon a rational assessment of the organisation, what it does, its customers, and the needs of other stakeholders. Whilst the Standard doesn’t stipulate how this is arrived at, certification assessment will probably require some explanation.

Business continuity management system

ISO22301 is a management system standard; its rationale is that if the resilience and response capabilities are based upon an operating system, as opposed to just having a plan, for example, then those capabilities are likely to be as good as they can be. The requirement to have a management system therefore seems obvious, and it is arguably similar to what BS25999 referred to as programme management.

BS25999 made a point of requiring a programme management component, but didn’t really explain what the actual requirements were. ISO22301 does an arguably better job by requiring, in section 5 (leadership), that:

‘Top management shall demonstrate leadership and commitment with respect to the BCMS by (inter alia)

Ensuring that the resources needed for the business continuity management system are available, and;

Directing and supporting persons to contribute to the effectiveness of the BCMS’.

These two specific requirements, from clause 5.2 Management Commitment, suggest that there needs to be a visible programme, with the resources (including staff time) and corporate backing, to deliver a fit-for-purpose management system. To try to do this any other way would almost certainly be at odds with the way that any organisation works, and would simply be counter-intuitive.

The existence of a formal BCM programme usually gives it a much better foothold in the organisation; a visible presence and natural degree of importance that encourages the majority of people to treat it more seriously, and actually to do the tasks that have been assigned to them, or to make time for meetings and workshops.

A formal BCM programme also becomes a legitimate item for progress-reporting to the Board, or governing body of the organisation, on a regular basis, engaging the most senior managers and adding to momentum.

The existence of the management system and programme really go hand-in-hand; the programme provides the momentum, and the management system is a readily identifiable ‘thing’ that managers can develop, operate and own.

Leadership

Some organisations, or more usually departments, have tried to develop BCM arrangements without the genuine commitment and support of their board, or governing body. Often, this may be in response to a particular customer requirement, or perhaps compliance with some code that relates only to the department in question, or what it does. This may be possible in a small minority of cases, but the rationale behind both BS25999 and ISO22301 is that without genuine, demonstrable, commitment and support from the Board, BCM capabilities will simply not be as good, or effective, as they could be.

Policy

The BCM policy is where a number of facets of commitment can be demonstrated. It is:

  • A statement of corporate intent (to optimise the organisation’s operational resilience).
  • An executive mandate for managers to develop, and operate, the BCMS.
  • A marketing asset; to promote the organisation amongst customers, investors, suppliers, potential employees and other stakeholders.
  • A summary of BCM objectives and requirements.

The policy is, of course, a document that embodies the organisation’s commitment and authority to optimise its resilience.

Roles, responsibilities and authorities

Another piece of reasonably undeniable logic is that if named individuals are not assigned both responsibility and accountability, to develop and maintain the system, and to act in the event of an incident, then the overall capability will be diminished. There are anecdotes of organisations that adopt the ‘whoever gets there first’ approach, and some that assign system maintenance responsibility to a team. However, experience shows that the best way to ensure things get done correctly, and on time, especially in a crisis, is to assign responsibility to named individuals, and to be clear about what each person’s responsibilities, and authority to act, are.

Planning

This is probably the most widely recognised aspect of BCM, and usually the part that gets done when all others do not. The plan is the collateral that the organisation’s response team, if it has one, needs to arrive at the best decisions in the event of an incident. However, the planning section of the Standard calls for a whole range of documented information that logically underpins the BCP, and should make sure that it has the best chance of working as intended.

There should be some actions taken to ‘address risks and opportunities’. Addressing risks is intuitively obvious; it is about the risks of operational interruption, and the actions are likely to include elements of the response part of the BCP, but may also include others in the risk assessment section. Actions to address opportunities may be less obvious, but may well include, for example, using BCM as a promotional and competitiveness tool, optimising expenditure on operational risk management controls, and integrating the BCMS with other management systems.

A clear statement of business continuity objectives is required, and this must be consistent with the BCM policy. The rationale is simple; if you don’t have any BCM (related) objectives, then there is no point in having a BCP, or BCMS, and any sensible policy must have reasons behind it; those reasons being an integral part of the objectives.

It could be argued that ISO22301 is ‘dumbing down’ BCM here; almost suggesting that if you haven’t got a clear, written set of objectives, you might forget why you are developing a BCM capability, and base your resilience and plans on something else!

That said, where a group of people – and there will usually be a group – develops anything like this, it is generally useful to have a clear set of objectives to maintain focus on the outcome.

The standard also asks for plans to achieve the objectives, which is really what the BCMS is; a plan to achieve the objectives. At this planning stage though, an executive summary is probably what is expected, and again, should prove a useful tool in the development of the system itself.

Support

Having carried out the essential outline planning of what the objectives are, and how they are going to be met, the next stage is to identify the resources, and other capabilities, that will ensure the system does as good a job as possible at delivering the desired results.

Provision of resources

It goes almost without saying that a programme requires resources. ISO22301 requires some evidence that these resources have been determined, and are in place. In addition to the obvious budgetary resources that will be required, roles and responsibilities should be identified, and specific individuals appointed who have the responsibility and authority for:

  • ‘Ensuring that the management system conforms to the requirements of the international standard, and
  • Reporting on the performance of the BCMS to top management.’

It should be borne in mind that these are not necessarily full-time appointments, and will often form a smaller part of one person’s responsibilities.

Over and above what the Standard looks for, it will usually make sense, also, to communicate these appointments throughout the organisation. This will help in raising awareness of BCM – a subject to be covered in Chapter 9.

Competency of BCM personnel

Clearly, people who are going to be involved in the planning, development, implementation and use of the BCMS, should possess the competencies required to do so.

Very often, however, this is dealt with by an intuitive assessment of an individual’s ability to write a procedure, or lead a team. The more systematic and structured approach called for by ISO22301 will ultimately ensure that resource invested in BCM is as effective as possible, and that the resulting BC plans and BCM arrangements are actually fit for purpose.

A simple schedule should be created, setting out the tasks in which individuals might be engaged, and the corresponding competencies that are likely to be required to execute these tasks properly.

An example of a competency schedule can be found in Appendix 2.

Awareness and communication

In many organisations, BCM is the preserve of a small number of people who have developed the business continuity plan and resource contingencies, often because there is no formal programme, and because others do not consider that it is anything to do with them.

In the event of a real incident, the outcome is usually that the people who should be using the business continuity plan have little or no knowledge of it, and therefore cannot use it effectively. In addition, the available resources may not be what are actually required, which means that activities cannot be recovered in the way that they should be.

Very few people in the organisation know what they should actually do, so the overall impact of an incident is much greater than it would have been if everyone in the organisation had an appropriate level of understanding and ‘ownership’ of BCM.

BS25999 referred to this requirement under ‘Embedding BCM in the organisation’s culture’, and ISO22301 addresses the need to get people to treat it as part of their overall working lives, through awareness.

Building genuine awareness is often challenging, and certainly takes some time to achieve. There is, however, often a critical point in awareness raising and engagement at which disinterest turns to interest and active collaboration.

Clearly, a communication programme is an essential part of raising awareness amongst stakeholders, but there should also be communication mechanisms that come into play in the event of an incident. The business continuity procedures that effectively form the BCP, are likely to be most effective if awareness of their communication elements is well understood by anyone affected by them.

Awareness and culture are discussed further in Chapter 9.

Documentation

Much of the BCMS, and its requirements, will be in documentary form. Many people find it difficult to locate documents at the best of times, but given the critical nature of many BCM documents, this becomes more acute, and so it makes absolute sense to have a proper document management system that includes:

  • Version control
  • Security
  • Availability
  • Ease of use.

The Standard’s requirements in this area are more specific; however, the often-default route of setting up a set of BCM folders on a network drive is not likely to produce the desired results.

The document management system will need to include those documents required by the Standard as a minimum.

This subject is discussed further in Chapter 10.

Operation

BS25999 launched straight into saying what the core elements of a BCMS should be, without saying that there should be a formal programme, with appropriate operational controls. It did, however, have a more general description of a programme, and referred to it in the BCMS lifecycle, which does not appear in the new standard.

ISO22301 sets out some requirements for operational planning and control which, in simple terms, are that processes (of BCM) should be defined, given criteria, and their completion, or status, documented. The principal procedures are as follows.

Business impact analysis

Any risk control measures, response plans and contingency resources, should ultimately be based upon the relative importance of the activity that they are designed to support. The basis of this element is the business impact analysis (BIA). The BIA should ensure that all activities that the organisation conducts are considered on the same basis, so that none are simply forgotten; and that certain activities are not given unduly high importance, for example, because of the individual responsible.

ISO22301 demands that response plans and contingency arrangements are based upon the outcome of this element, so that the BIA should also establish key details for each activity, including its ‘maximum acceptable outage’, its resource dependencies and ‘single points of failure’.

Many senior managers and executives are tempted to believe that they do not need to conduct an analysis of their organisation. Experience shows, however, that without this element, the resulting plans and arrangements rarely reflect the optimal requirements for recovering the organisation in the event of a major interruption.

Risk assessment

A significant and important part of establishing an organisation’s resilience is identifying what can go wrong, and what sort of negative impact these ‘going wrong’ scenarios might have on the organisation. Distinct from BIA, where we are looking at the impact resulting from interruption of individual business activities, risk assessment is the process of identifying the range of scenarios that could interrupt the organisation’s operational activities and what treatment those risks should be given. Treatment may well include BC response capability, but it may also include controls, such as increasing security, moving premises, or training.

BCM strategy

This element is essentially about working out the best way of minimising the impact of interruption on activities, including the provision of key operational resources upon which those activities depend. For the administrative type of organisation, where no real physical processes are involved, this is often relatively straightforward. In other cases, the strategy might be more complex than simply restoring the IT system to a temporary office facility.

ISO22301 states that the strategy should be based on the outputs from the business impact analysis (BIA) and include approval of recovery time-frames. What it doesn’t do, is recognise that the strategy for each activity may be different; some activities simply cannot be recovered sufficiently quickly for their outputs also to be resumed, or soon enough to limit impact to an acceptable level. This aspect of strategy can really only be identified when the BIA has been carried out, and this is discussed later in the book.

BCM response

This is, essentially, the business continuity planning element, and, whilst it is a fairly obvious requirement, it is not necessarily a ‘no-brainer’. Some organisations prefer to take an entirely fluid approach to response management, on the grounds that every situation is unique, and the number of permutations is almost infinite. Provided such an organisation knows that it has all the required contingencies available, it may satisfy itself that that is good enough.

However, as we shall see, there are several aspects to response management which cannot be left unplanned.

These procedures include a structure and mechanism for response, business continuity plans (BCP), recovery plans and arrangements for exercising, and testing.

A quite significant difference between BS25999 and ISO22301 is that the latter requires procedures to ‘return business activities from the temporary measures adopted …’, and whilst it doesn’t specify returning to the pre-incident operating state, it does refer to supporting normal business requirements.

This may require some strategic thought, as it looks like there is a requirement to move from the ‘minimum acceptable level’ (of activities) referred to by BS25999, to the pre-incident level, yet many organisations simply would not be able to find reasonable ways of resuming pre-incident activity levels.

Exercising and testing

The importance of this element is also fairly self-evident. Because real incidents or interruptions are uncommon, it makes absolute sense to practise responding from time to time. The element also recognises that organisations change continuously, which means that maintaining plans, contingencies and other arrangements, on a regular basis, is an inevitable requirement. In a real incident situation, one wrong telephone number might lead to a whole sequence of failures, seriously compromising the organisation’s response, and its ability to recover.

Performance evaluation and improvement

Consistent with all management systems, ISO22301 requires a methodical approach to continuously monitoring and improving the whole BCMS, relying significantly on documentation to ensure that everything that should happen does. This process is, of course, completely intuitive and makes complete sense, especially in the context of something that isn’t somebody’s full-time job. But even when it is, good corporate governance dictates that the monitoring of a key risk control system should be visible and fully documented.

Performance evaluation and improvement entails establishing which aspects of the BCMS should be monitored. There are three distinct forms of monitoring:

  • Ongoing maintenance – usually of documents and data.
  • Internal audit – conducted by people without direct involvement in the development, or operation, of the processes.
  • Management review – the more formal review of the entire BCMS, on a regular, planned basis.

These monitoring processes should be supported by a documented improvement system for recording and processing non-conformities and the resulting corrective actions, and a further way of ensuring that the BCMS is continually improved, even when no deficiencies are apparent.

The PDCA cycle

ISO22301 refers additionally to the ‘Plan-Do-Check-Act’ (PDCA) cycle, which features in a number of British and international management systems standards. PDCA is simply common sense. First, you plan what you are going to do, then you do it, then you check what you have done, and finally you act upon the results of your checking, to improve what you have done.

Essentially, Part 2 requires that each stage of the life cycle is executed using the PDCA model. Whilst this may indeed be how any competent person would approach such a task, the trick is to make sure that there is documented evidence that PDCA has been applied.

Chapter 12, on certification, contains a fuller description of types of evidence and their uses.

Practical programme management

Once an organisation has decided that it will embark upon BCM, a programme of some sort must be established. Because BCM is a ‘contingent’ discipline, the existence of a proper programme is doubly important.

In organisations where BCM has been sidelined, or delegated, to someone who is not very busy, or who is insufficiently senior, what often happens is that that person is unable to engage the rest of the organisation, so whatever is developed is unlikely to meet the actual needs of the organisation, or to represent good value for money.

An effective programme generally centres around an experienced project or programme manager; usually someone for whom BCM is a substantive, rather than marginal, responsibility, supported by an oversight body with proper authority.

The oversight body might be a committee (or a committee of the Board) specially created for the purpose. It should comprise representatives of all parts of the organisation, for some very sound reasons, including those listed below.

  • The actual recovery requirements of each part of the organisation will be properly understood.
  • Recovery capabilities provided by support functions will be properly understood.
  • Development tasks delegated to different areas are much more likely to be completed.
  • The resulting plans will be properly understood by those who would need to use them, and are more likely to reflect actual recovery requirements and priorities.

In addition, the important process of building awareness of BCM, and embedding it in the organisation’s culture, is likely to be expedited if each department, division, or section, has a BCM champion amongst them.

Once the programme has been established, the BCM team, however large or small, can then get on with the business of executing the life cycle more effectively, thanks to the support that it can expect from the rest of the organisation.

Set-up phase

A BCM programme can emerge at a wide variety of stages of commitment, development and resourcing. At some point, the organisation’s governing body will be persuaded that BCM is a strategic imperative.

In fact, what they are more likely to consider is whether or not the organisation needs to have a BCP, because, to a great many people, the BCP is the primary instrument that ensures that the organisation has the most effective resilience in the face of unforeseen incidents.

Many organisations try to ‘get something going’ with no additional resource, financial or human, in the hope that a BCP is just a document that should be capable of being put together by someone with a reasonably good knowledge of the organisation. Where this happens, the result is usually a document that, although it is called a business continuity plan, would not be of very much practical use in the event of a real incident.

An increasing number of organisations, however, understand that, for BCM to be effective, it requires a properly established and resourced programme that is treated as part of the organisation, rather than some ‘special project’ that has little to do with the core business.

The programme manager should establish an appropriate oversight body, as early as possible. This might well be a committee, ideally a subcommittee of the Board, with authority to act upon its decisions, and including representatives from all parts of the organisation.

One of the committee’s first tasks should be to formulate policy, unless this has already been completed by the Board. In any case, this policy should, ideally, be approved formally by the Board. Policy is described in more detail later on.

The ‘rump’ of the programme in the early stages is effectively the first iteration of the life cycle.

Although, in smaller organisations, subsequent iterations may amount to minor adjustments only, these may elsewhere be more substantive, as the scope of BCM is broadened progressively, in order to develop and prove the concept of BCM before roll-out to the entire organisation.

The key tasks for the programme manager and the oversight body or committee, are the seven principal sections of the Standard:

  • Context of the organisation
  • Leadership
  • Planning
  • Support
  • Operation
  • Performance evaluation
  • Improvement.

In many cases, it will make sense to complete work associated with the first four of these sections, before embarking on the subsequent development and operation of BCM processes and their improvement mechanisms.

Typically, these first four sections might be approached more as a project, with a defined start, middle and end; and the subsequent three as an ongoing programme. In reality, the first four sections should be revisited on a regular basis, as part of the management review process at least.

Ongoing/maintenance phase

Even with a well-established BCM programme, there is a tendency for it to lose momentum and to be sidelined after the initial launch of the BCP. People who may have been enthusiastic participants in its development, which is often the only part in which they are interested, will return to their normal routine feeling pleased that the BCP, BCM or DR ‘box’ has been ticked.

Maintenance of a BCM programme is much akin to maintenance of anything else. It takes a relatively small amount of effort, on a regular basis, to keep it fit for purpose, but, if left, it becomes increasingly unfit for purpose, and requires a significant amount of effort and resource to get back to serviceability. This is not only common sense, it is also a key part of the return on investment in adopting a good practice approach to BCM.

End products

In the earlier days of business continuity, the BCP was all that really mattered. In reality, most organisations that had a BCP had a document with Business Continuity Plan on the front cover. Inside, the document would often express intentions about returning to business as usual, as quickly as possible, but these so-called ‘plans’ would not be particularly useful in the event of a real incident.

In today’s business and public sector environments, the culture of good governance, accountability, and corporate and social responsibility, means that the old way simply is not good enough.

The BCP remains a key deliverable, not least because, without one, the organisation cannot respond properly to an unforeseen incident. However, another key deliverable today is assurance. The governing body, shareholders, customers and all other stakeholders, now want some assurance that, as well as the organisation’s financial viability being properly managed, the significant operational risks of business interruption are also being managed in the most appropriate way. This assurance is most powerfully supported by some independent verification that the BCP exists, is fit for purpose, and has been developed according to good practice. Certification under ISO22301 is undoubtedly the ultimate form of assurance, but any assurance mechanism is now a key deliverable from the programme.

Resources

This book attempts to dispel a number of myths, probably the greatest of which is that BCM can be ‘done’ with effectively no additional resource.

Many organisations have attempted a BCM programme using purely existing resources, with the fairly common and inevitable result that very little of value is achieved, and that it does, in fact, cost money. Like any new discipline that becomes an inevitable feature of business or public service, BCM has to be seen as an essential part of risk management, and of economic growth. The level of resource required for BCM depends, naturally, upon the size, nature and complexity of the organisation.

  • Large organisations often make best use of resources by employing one or more full-time, BCM professionals.
  • Medium-sized organisations may include BCM as a key responsibility for an operational manager or director, with a degree of outsourced expertise and programme development.
  • Smaller organisations may outsource the entire development process, engaging staff and key managers through the oversight body (committee), and throughout the execution of each stage in the life cycle.

The best approach, where possible, is to establish a budget for BCM, either as part of general risk management, or as a stand-alone item. It should also be remembered that savings delivered through the application of good practice should be associated with that budget, so that its true cost and value can be properly assessed.

In addition to this programme resourcing, the engagement of staff throughout the organisation should also be treated as a resource requirement. The fact is that some key staff will need to spend time executing tasks that contribute to the BCM programme; it is arguably better that this resource requirement is visible, than for the programme to struggle because these already busy people simply do not have the time to complete BCM-related activities as well.

Governance and assurance processes

Despite the apparent weight of corporate governance as a driver in developing a BCM programme, the Standard actually makes little mention of it, suggesting that it is about assigning responsibility.

In reality, directors and governors are expected to know that risks are being managed, with some idea of how. In most cases, directors and governors hope, or perhaps assume, that all risks are being managed appropriately.

A sensible addition to the role of the oversight body or committee is that it should report to the governing body, on a regular basis, the state of the BCM programme, and therefore the extent to which, inter alia, the business interruption risks are being managed.

Successful certification under ISO22301 does provide a very high level of assurance in this respect, albeit as a ‘snapshot’. Equally important is the ongoing and regular assurance that, through proper maintenance and testing of the BCM arrangements and the management review process, these risks continue to be properly managed.

A potential pitfall in the application of documented standards is their ‘normative’ reference to other documents, so that reference to these normative documents is mandatory for successful certification. As in the case of BS25999, ISO22301 has no such references, and can therefore be implemented more or less in isolation, unless an integrated management systems approach is being adopted, in which case reference to the other, relevant, management system standards, is clearly necessary.
