Bip 2142-2012
Licensed Copy: Mr. Universiti Teknologi Malaysia User, Universiti Teknologi Malaysia, 22/08/2012 04:19, Uncontrolled Copy, (c) The British Standards Institution 2012
The Route Map to Business Continuity Management
by John Sharp
London W4 4AL
All rights reserved. Except as permitted under the Copyright, Designs and Patents
Whilst every care has been taken in developing and compiling this publication, BSI
accepts no liability for any loss or damage caused, arising directly or indirectly in
connection with reliance on its contents except to the extent that such liability
may not be excluded in law.
While every effort has been made to trace all copyright holders, anyone claiming
copyright should get in touch with the BSI at the above address.
BSI has no responsibility for the persistence or accuracy of URLs for external or
third-party internet websites referred to in this book, and does not guarantee that
any content on such websites is, or will remain, accurate or appropriate.
A catalogue record for this book is available from the British Library
Contents
Preface viii
Chapter 1 Introduction 1
Evolution of BCM 2
The business drivers 4
Benefits of BCM 7
Chapter 4 Leadership 29
Setting the business continuity policy 30
Roles, responsibilities and authorities 31
Chapter 5 Planning 33
Actions to address risks and opportunities 33
Business continuity objectives and plans to achieve them 34
Chapter 6 Support 37
Resources 37
Training and competency 37
Awareness 38
Communication 42
Documented information 45
Chapter 7 Operation 49
Operation planning and control 50
BIA and risk assessment 50
Chapter 13 Improvement 97
References 154
Preface
This book has been written to help those managers who have decided, or
who have been tasked, to introduce business continuity management
(BCM) into their organization. It is based on the new international
standard for BCM – ISO 22301:2012 and on the Plan-Do-Check-Act model
used by the new standard and other management systems, such as
BS EN ISO 9001, Quality management systems and BS EN ISO 14001,
Environmental management systems. The British Standard for BCM,
BS 25999 Parts 1 and 2, on which the first edition of this book was based,
was used extensively in the creation of ISO 22301.
The book includes brief case studies to illustrate the main ideas of BCM,
and templates to assist with the various stages of the BCM process.
Chapter 1 Introduction
There are three types of risks that organizations now face: known risks
such as utility failures or fires, which can be identified, quantified and
planned for; emerging risks such as animal or human flu pandemics
whose impact cannot be fully determined; and unforeseen risks that can
have a major impact. In 2007, the author Nassim Nicholas Taleb put
forward the concept of ‘black swans’ to describe unforeseen events that
hit organizations without warning: an example is the 2011 Japanese
sources from around the world. In 2007 BSI published BS 25999-2 that
provided a Specification against which organizations could seek
certification.
The first edition of this book was written to assist those organizations
wishing to comply with the British Standard BS 25999-2. This edition is
designed to help organizations meet the requirements in the new
standard for BCM, ISO 22301, and builds upon the work that many
organizations have already undertaken to gain certification or align their
BCM to BS 25999-2.
Evolution of BCM
The concept of business continuity was developed in the mid-1980s as a
new way of managing business risks. The basis of BCM is that it is the key
responsibility of company directors to ensure the continuation of business
functionality at all times and under any circumstances.
Unexpected events do not simply happen; quite often they are created by
the organization itself. Every organization has inherent weaknesses:
faulty IT systems that are ‘worked around’, informal communication
channels, lack of operator training, disconnects in structures and local
procedure variations. Examination into the causes of most major disasters
has found that there are several incidents or circumstances that combine
together, leading to the eventual disaster.
BCM is about prevention, not just cure. It is not just about being able to
deal with incidents as and when they occur and thus prevent a crisis and
BCM is about anticipating that things are about to go wrong and taking
planned and rehearsed steps to protect the business and hence the needs
and expectations of interested parties. It is about maintaining their
confidence in the management’s ability to handle a crisis and to prevent
disasters occurring, thus protecting the brand, reputation and image of
the organization as much as its physical infrastructure and employees.
BCM goes beyond recovery from a disaster to establishing a culture that
company.
Auditors are acting as key external drivers as they look for evidence of
effective BCM being in place to meet regulations and legislation.
Previously they asked if business continuity plans (BCPs) existed. Their
current approach is to look for evidence that the plan is rehearsed and
that BCM has been promoted within the organization.
customers have insisted that their suppliers have quality and project
management processes in place, they are now also demanding that BCM
be established to ensure continuity of supply. This is driven not only by
their need to achieve regulatory compliance, but also by the need to
maintain their market share. The Japanese earthquake/tsunami/nuclear
accident, the volcanic ash cloud in 2011 and the increase in severe winter
weather have highlighted the need for better continuity management
across the supply network.
There are a number of factors that have emerged in recent decades that
might be considered to have increased the level of risk in supply chains.
These include: the adoption of ‘lean’ practices, the globalization of
supply, focused factories and centralized distribution, the trend to
outsourcing, reduction in the supplier base, volatility of demand and the
lack of visibility and control procedures.
Future drivers may include investors and banks that would wish to see
that continuity is built into business plans. Additional pressure may come
from trade and professional bodies and the public in general via the
media and pressure groups.
Time has become a key driver for BCM. The speed of business has
changed and there is very often little time to allow for a gradual
recovery. The emergence of e-commerce and the lack of loyalty among
customers change the need for recovery to one of availability.
Organizations for which this is vital have to ensure that their services are
available 24 hours a day, seven days a week, 365 days a year. Customers
will not wait if a call centre is not answering or a website is not available
to place an order; they will go elsewhere. Failures can be the result of
technical problems, high demand when a site opens for the first time or,
more seriously, denial of service attacks by malicious individuals or
organizations.
Benefits of BCM
Implementing BCM can bring real benefits to an organization aside from
Further financial gain may occur if effective BCM exists as it can influence
the approach taken by insurers to business interruption insurance. It can
affect the level of cover offered, the amount of excess that is applied to
a policy or reduce the premiums levied. More than 80 per cent of
insurance brokers state that premium discounts are given if business
continuity plans are in place (British Insurance Brokers’ Association and
UK Cabinet Office, 2012).
During the latter part of 2012 or early in 2013, ISO will issue a guidance
document: ISO 22313. This document will take the form of good practice
guidance and recommendations, indicating what practices an
organization should, or may, undertake to implement effective BCM.
Organizations may choose to follow all or part of the guidance, which
may be used for self-assessment or between organizations. The guidance
is not a specification for BCM.
Figure 3 shows how the PDCA cycle is applied to the BCMS as set out in
ISO 22301. The PDCA model produces business continuity outcomes that
meet the requirements and expectations of interested parties.
Figure 4 could be described as the BCM wheel. The hub (BCM programme
management) and the tyre (Embedding BCM in the organization’s
culture) are the elements that relate to Plan, Check and Act in the PDCA
cycle. The spokes (Understanding the organization, Determining BCM
strategies, Developing and implementing a BCM response and Exercising
and testing) represent the Do element of the PDCA cycle.
The elements of the BCM life cycle as they relate to ISO 22301 are as
follows.
Exercising and testing covers Clause 8.5 Exercising and testing. The BCM
life cycle in BS 25999-2 included maintaining and reviewing in this
element of the cycle. These have now been incorporated into BCM
programme management (see above).
The way in which ISO 22301 can be used is detailed in Clause 1 Scope. It
states that the standard ‘is applicable to all types and sizes of
organizations that wish to
There have been many other additions and some slight alterations to the
terms and definitions listed in the standard. The additions and changes
This clause also requires the organization to determine its risk appetite
and the legal and regulatory requirements that apply to the
organization, and to clearly define the scope of the BCMS. Setting the
initial scope of the BCMS is critical and must be done at an early stage.
ISO 22301 requires the organization to determine what will be covered
by business continuity and, just as importantly, what will be excluded.
Scoping has presented challenges to many organizations seeking
certification under BS 25999-2. Organizations are now required to clearly
communicate the scope to relevant internal and external parties.
Clause 5 Leadership
Clause 5 summarizes the requirements specific to top management’s role
in the BCMS, and how they shall articulate their expectations to the
organization via a policy statement.
• ‘ensuring that policies and objectives are established for the business
continuity management system and are compatible with the strategic
direction of the organization,
• ensuring the integration of the business continuity management
system requirements into the organization’s business processes,
• communicating the importance of effective business continuity
management and conforming to the BCMS requirements’.
Clause 6 Planning
This is a new section, covered in Chapter 5, and relates to establishing
strategic objectives and guiding principles for the BCMS as a whole. The
content of Clause 6 differs from establishing risk treatment opportunities
stemming from risk assessment, as well as from the business impact
analysis (BIA)-derived recovery objectives that are covered in Clause 8.
This section requires the organization to address the threats to the BCMS
not being successfully established, implemented and maintained. It is
about understanding the internal culture and the external environment
in which the organization operates and the likely barriers that will
prevent the BCMS being effective. It relates back to Clause 4.1
Understanding of the organization and its context and Clause 4.2
Understanding the needs and expectations of interested parties.
Clause 7 Support
Clause 7, covered in Chapter 6, details the support required to establish,
implement and maintain an effective BCMS. This covers the resources
required, the competence of those involved, awareness of, and
communications with, interested parties, and requirements for document
management.
Clause 8 Operation
Clause 8.1 Operational planning and control is a new clause and relates
back to Clause 6.1, which requires the organization to identify the risks
to the BCMS not being established, implemented and maintained by the
organization. Clause 8.1 requires the organization to ensure processes
that have been developed to manage the risks to the BCMS are being
correctly implemented. This includes any processes that have been
contracted-out or outsourced.
Clause 8.2.3 Risk assessment draws attention to the fact that ‘certain
financial or governmental obligations require the communication’, at
varying levels of detail, of the risks that could disrupt the prioritized
activities. ‘In addition, certain societal needs can also warrant sharing of
this information’, as appropriate.
Clause 8.5 Exercising and testing. ISO 22301 does not require an
approved exercise programme to be in place. It does require the exercises
to be based on an appropriate range of scenarios. It also links the review
of the exercise back to the requirement to promote continuing
improvement of the BCMS.
Clause 10 Improvement
This clause combines the previous corrective and preventative actions
under one heading: Nonconformity and corrective action.
The rest of this book describes approaches that will enable those
responsible for business continuity in an organization, regardless of size
or sector, to meet the requirements of ISO 22301:2012.
external issues that are relevant to its purpose and affect its ability to
achieve the expected outcomes of its BCMS. Understanding the
organization and how it sits within its environment is an essential step to
ensure any BCMS and BCM solutions developed are fit for purpose and
relevant to the organization and interested parties.
Some of the analysis may already have been undertaken within the
organization by risk or marketing managers. Those appointed to develop
the BCMS for the organization can call upon the previous analysis to
support this important stage. Alternatively they will need to work with
appropriate top management and specialists to develop their own
understanding.
All organizations have unique cultures, built up over time, that influence
the behaviours and actions of those involved. At the outset it is
important to understand the culture and relationships that exist. Does a
‘silo’ mentality exist, is there a culture based on blame or is the
organization open to new ideas and ways of working? Is the
organization ‘unionized’? Is it driven by dictate or consensus? If BCM is to
be introduced successfully it must work with the culture.
Some of the questions that have to be answered for each element of the
analysis are:
Figure 6 – STEEPLE
organization and its sector? What are the chances of terrorism and
civil unrest affecting the organization?
• Which laws and regulations apply? Are they regional, national or
international? ISO 22301 requires an organization to identify those
laws and regulations that relate to the continuity of ‘operations,
products and services, as well as the interests of relevant interested
parties’. The BCMS should be established, implemented and
maintained taking into account the requirements of the applicable
laws and regulations.
• And finally, what environmental considerations does the organization
have to take account of? What is the organization’s own impact on
the environment, e.g. pollution? What are the external events that
could impact the organization, e.g. from nature or from neighbours?
The needs and expectations of interested parties and the legal and
regulatory requirements that apply to the organization will have a major
influence upon the scope of the BCMS.
A large and complex body is unlikely to introduce a BCMS for the entire
organization at the initial pass but rather commence with the products
and services that are key to meeting the objectives of the organization
and the requirements of the external stakeholders. It may choose to
introduce BCM to a specific location or function such as information and
communications technology (ICT). A small organization is better able to
encompass all of its activities first time round.
The organization must also identify and document those areas, products,
services and activities that will not be covered by the BCMS scope. In
doing so it is important to ensure that those activities excluded do not
affect the organization’s ability to deliver its key products and services.
Whatever the decision, it is vital that the scope of the BCMS is defined
and documented at the outset of the programme. An example of a
scoping document can be found in Appendix D. It is possible to include
the scope within the policy document.
Chapter 4 Leadership
Top management must ensure that a BCMS is established that aligns with
the strategic direction of the organization. BCM is not a bolt-on activity;
it has to be integrated into business processes and must have the support
of the staff across the organization. Top management needs to
communicate why BCM is important, how it will be delivered and who
will be responsible for the development, implementation and
The final point relates to how the organization assures itself that the
The BCM policy document, once approved and signed off by top
management, should be published within the organization and may be
made available to appropriate interested parties. Key public sector bodies
covered by the UK Civil Contingencies Act 2004 are required to make
their BCM policy documents publicly available. These may be published
on their websites or be available on request. There may be commercial
advantage for private companies in similarly publishing their BCM policy
documents. Listed companies could include reference to their policy in
the annual report and accounts, providing assurance to investors and
other interested parties that they take business continuity seriously.
The BCM policy, like all other policies within the organization, should be
subject to regular review at an interval appropriate to the organization
or when significant changes occur to the organization or the
environment in which it operates. A sample policy document is included
in Appendix E.
This group is also responsible for ensuring that the importance of BCM is
communicated throughout the organization and that stakeholders are
kept informed. The approach the high-level working group takes will
have a strong influence on the culture within the organization. In a small
organization this role may fall to the owner or managing director, who
may be assisted by a senior employee. In a larger organization, divisional
liaison managers are responsible for the introduction and maintenance of
the BCM process within their area of operation. Very often these
individuals have BCM added to their existing roles and responsibilities
rather than being solely dedicated to the process.
Chapter 5 Planning
Conflicting staff incentives can shift focus away from the BCMS, which
can be seen as a nice-to-have process, towards the short-term objectives
based on the must have, e.g. achievement of sales targets. Incorporating
the implementation of the system into management objectives and
ensuring these objectives are regularly reviewed will help focus
management effort. Breaking down the implementation into realistic
steps against which managers can be assessed will help.
It is important for top management to recognize the time and effort that
will be required to develop and implement the BCMS. Agreeing realistic
timescales and ensuring adequate resources are made available at the
Not all challenges will be internal. Changes in the laws and regulations
that apply to the organization may force changes to the BCMS. The
needs and expectations of those interested parties that are outside the
organization may also influence the way that the BCMS is developed and
implemented.
Having identified the challenges and risks that surround the BCMS, top
management must ensure that business continuity objectives are
established, documented and communicated for relevant functions and
levels throughout the organization.
acknowledges this, and the BCMS objectives and plans reflect the need to
ensure the effectiveness of the key suppliers’ or partners’ BCM
arrangements.
Chapter 6 Support
Resources
If the introduction and ongoing maintenance of BCM is to be successful
then sufficient resources must be allocated to the programme. Top
management frequently views BCM as a ‘grudge purchase’ and it requires
a return on investment (ROI) to be demonstrated. This can be difficult as
BCM is designed to maintain continuity in the unlikely event of a
disruptive incident occurring.
The arguments for BCM are based more on economics than accountancy.
It is the opportunity cost of failure that has to be weighed against the
If the organization does not have the staff resources or competent staff
internally then it may hire or contract appropriate people. It is essential
that the organization ensures that any such person has the necessary
competence and experience to deliver the BCM programme.
Awareness
The outer part of the BCM life cycle (see Figure 4) relates to an
organization’s culture. To be successful, business continuity has to become
part of the way that an organization is managed, regardless of size or
sector. At each stage of the BCM process opportunities exist to introduce
and enhance an organization’s BCM culture.
ISO 22301 requires people doing work under the organization’s control
to be aware of:
Raising awareness is done in two stages. The first is to ensure that all
those in the organization are aware BCM is being introduced and why.
They will need to be convinced that this is a lasting initiative that has the
support of the executive.
The code, which is signed by the Chairman and CEO, sets out
what is expected of the individual employee, stating:
The same principle can be applied to BCM, with the teams being asked to
identify aspects that prevent or impede the continuity of their areas of
operation. The key questions to ask are the ‘what ifs’ since this style of
The second stage of raising awareness occurs once the business continuity
plans have been produced. It is important that appropriate interested
parties are made aware that the organization has such plans in place.
This will help to raise their level of confidence in the organization’s
ability to deal with disruptions.
A good awareness programme will have the effect of making all staff
understand the significance of ‘thinking continuity’ in their everyday
activities. For example the purchasing department in the organization has
an important role to play in ensuring that key suppliers are made aware
of the importance of BCM to the organization and the processes they
should adopt to ensure continuity of supply. This applies to existing and
new supply contracts.
All staff must understand that BCM is a serious issue for the organization
and that they have an important role to play in maintaining the delivery
of products and services to its clients and customers.
Communication
One of the biggest challenges to any organization suffering a disruptive
incident is the need to maintain communications with interested parties.
There are many cases of companies that have believed they managed a
disruptive incident well and minimized the impacts on the organization.
What then disappoints them is the reaction of the external community
following restoration of service and supply. What they failed to do was to
recognize the importance of communicating with all the interested
parties, both internally and externally.
The emergence of social media, e.g. blogs, Facebook and Twitter, offers
new opportunities to provide fast communications to staff, the public
and other key parties, e.g. suppliers. If it is intended to use these
channels then their limitations and accessibility to the wider community
must be recognized. It is important to monitor social media to see what
the public, and interested parties, are saying about the organization’s
disruption and how it is being handled. Messages posted by individuals
on Twitter can spread very quickly. The death of an international singer
in 2012 reached 2.5 million people across the world in two hours. In 2012
it has been estimated that 750 million people use social media daily
and/or weekly.
It is not just about having the processes and procedures in place when
things go wrong. It is also about raising the awareness of interested
parties of what the organization has in place to manage disruptions.
Customers will need to know how their supply of goods and services will
be affected and when they can expect a return to normal working
practices. Suppliers will need to know the alternative locations they will
be required to deliver supplies to and also will need to be confident that
they will be paid. The banks and investors will need to have confidence
in the management being able to handle the disruption effectively and
will need to know their investments are safe.
ISO 22301 states that ‘the organization shall establish, implement, and
maintain procedure(s) for
Documented information
Proving that a BCMS is effective is one of the key challenges facing any
organization. Documents should be kept relating to the management of
the BCMS and of exercises, incidents, outcomes, lessons identified and
actions taken. For those seeking certification to ISO 22301 there is a clear
requirement to establish a documented management system and such
documentation will provide significant evidence when an organization is
audited for certification.
BCMS operates in the organization and how the incident was managed.
Being unable to produce such evidence may harm the organization.
Documentation required
The organization must have documentation covering the following
aspects of the BCMS:
Not all documented information required for the planning and operation
of the BCMS may be held within the organization. If this is the case it is
necessary to identify the location and, as appropriate, for it to be
controlled.
Chapter 7 Operation
This section covers the Do element of the PDCA cycle. Its purpose is to
define business continuity requirements, determine how to address them
and develop the procedures to manage a disruptive incident. In relation
to the BCM life cycle (see Figure 4) this section includes:
The direction that BCM has now taken is based on ensuring the
continuity of critical processes and activities that deliver key products and
services to clients and customers. This is more aligned with total quality
management, which is based on supplier/customer relationships and the
processes that serve them.
it is the individuals who deliver the key products and services who
actually understand how the processes and activities work and what
resources and dependencies support them.
BCM on the other hand adopts an approach based on impact and time. It
looks at the impact on the organization if critical activities are
A complex organization may have many products and services and, while
all are important, some are more critical than others. For example, one
UK county council delivers more than 200 services to the community.
Following the high-level consultation it was established that 37 of these
activities were key or vital for the community. With this knowledge the
council concentrated its BCM activities on the most important areas for
the authority and the community.
Once the key products and services have been identified the next task is
to determine the point at which the MTPD occurs for each product and
service. The MTPD is defined in ISO 22301 as the ‘time it would take for
adverse impacts, which might arise as a result of not providing a
product/service or performing an activity, to become unacceptable’. An
alternative definition given in BS 25999-2 is that it is the duration after
which the organization’s viability will be irrevocably threatened if the
product or service cannot be resumed.
• financial loss;
• the impact on service delivery;
• embarrassment or loss of reputation;
• threat to personal safety;
• personal privacy infringement;
• failure to meet statutory or regulatory obligations; or
• effect on project objectives and schedules.
As an example consider home care for the elderly. Local authorities are
increasingly using third parties to deliver this service. However, if the
service fails or is below standard it will not be the third-party
intermediary that the client or their relatives will hold responsible but
the local authority in whose name the service is being delivered. It is
therefore essential that the local authority ensures the intermediary has
effective BCM in place.
Process mapping
Having gained the agreement of the high-level working group or top
management as to which are the key products or services, the next stage
is to identify the critical activities that support these products and
services.
Activities, some formal, some informal, that have been established over
time will support the critical processes. They all draw upon the resources
of the organization and of third parties. The next stage is to identify
these activities and the resources they use.
services. The most dangerous step to take at this stage is for managers to
assume they know how things are done in the organization. Managers
that have risen through the organization usually lose touch with practices
on the ground. It is vital that we understand what actually happens in
order to replicate this at the time of any disruption in order to provide a
seamless continuity of operations. If it is not understood how the
organization works ‘normally’ then there is little chance of keeping it
running at a time of crisis.
It is possible that this has already been carried out in the organization. If
so, the outputs should be examined to see if they are still current and
relevant to BCM.
The mapping starts with the high-level processes, e.g. dealing with a
domestic customer’s faulty heating system (see Figure 11).
There may be further levels of activities below these that also need to be
recorded. The system used to record the activities may be paper-based or
an appropriate software package.
When the mapping has been completed for all the activities that support
the critical processes for key products or services, it is possible to identify
all the resources and functions that are used to support these activities
(see Figure 14).
The inputs and outputs are recorded together with the timescales and
the resources used to complete the activity. The resources are recorded
against the individual activity element. As previously stated, it is
important to recognize that some activities are seasonal and that the use
of resources may vary throughout the year, e.g. Christmas mail sorting
and delivery requires temporary staff and additional facilities.
Risk assessment
It is now possible to undertake risk assessments against the resources
identified from the process mapping. If the organization has an
established risk management process in place it is sensible to use this
process for the BCM risk assessment. Single points of failure (SPoFs) exist
in every organization, e.g. a key member of staff, building or supplier.
Using the data from the process mapping exercise, it is easier to identify
which processes and hence which activities will be affected by a single
point of failure.
The 2005 product recall of more than 600 food lines from UK
shops containing Worcester sauce contaminated with Sudan 1
(a carcinogenic food colouring) affected sales of Lea & Perrins®
Worcestershire Sauce despite this product containing no
artificial colouring. Name association by the media and the
public resulted in depressed demand for the Lea & Perrins®
product. Three thousand five hundred customers called the Lea
& Perrins® helpline in the first four days of the product recall
requiring it to draft in extra staff. The company had to launch
an expensive advertising campaign to protect the brand and its
90 per cent market share.
The results of the BIA and risk analysis are then used to create a risk
matrix for the critical activities as shown in Figure 15.
Accept
Where the impact would be insignificant and the likelihood of failure is
rare, the high-level working group may decide to accept the risk and do
nothing. This is a perfectly acceptable course of action and is driven by
the risk appetite of the organization. The risk appetite will vary
according to the size and style of the organization, the stakeholders and
their interests, the sector in which it operates, the behaviour of
competitors and the senior management’s own approach to risk.
Mitigate
Where the risk level is high but the impact on the critical activity would
be low, the best option is to mitigate the risk, which is to say, manage or
contain the risk. If the risk of power failure is high, then the provision of
a standby generator and an uninterruptible power supply (UPS) will minimize the
impact on critical activities. If the use of a single supplier would stop the
activity, then a second supplier would provide appropriate resilience to
minimize the risk.
Both BIA and risk analysis must be reviewed at planned intervals and
when significant changes occur to the organization or the environment
in which it operates.
Having identified the critical activities and resources that support the key
products or services of the organization, completed the impact and risk
assessments and agreed the prioritized RTOs, together with the minimum
level of operation required, it is time to consider how continuity will be
achieved.
ISO 22301 states that the organization must determine and select
appropriate strategies for:
Those responsible for BCM must determine how the organization will
recover each critical activity within its RTO and what resources will be
required; this will generate a continuity resource requirement statement.
In addition they must determine how relationships with key stakeholders
will be managed at the time of disruption. In choosing the appropriate
options or strategies, consideration must be given to the MTPD for each
activity, the costs of implementing the strategy and the consequences of
inaction.
Normally the power was restored within the hour but on this
particular morning it stayed off. On contacting the supply
company the managing director was informed that the
substation had burnt out and it would be at least two days
before restoration.
Backlog trap
If the decision is to suspend or reduce the level of activity for a particular
set of services or products, then arrangements must be made to ‘catch
up’ by carrying out the outstanding work that has built up during the
disruption. This may involve working overtime, outsourcing work or even
New call centre staff were recruited but went live before being
fully trained. The number of outstanding complaints escalated
even further. At this point the media became involved. The
company could no longer keep on top of complaints and the
backlog built up to such an extent that customers began
leaving. Eventually the company was forced to sell out to a
national provider.
1. situation assessment;
2. IRS activation;
3. communication capability; and
4. decision-making processes.
1. Assessment
The incident response procedure must identify the authority that
determines the scale and severity of the disruption. There must be a
process in place for undertaking an initial assessment of the situation,
together with an ongoing process of monitoring and reporting to those
who are managing the incident.
2. Activation
The IRS must specify the process to be used to activate the plans, who
should be consulted and informed. Authority for activation should be
invested at the appropriate level. If the disruption is at business unit
level, the local manager should have the authority to invoke the plan.
Investing the authority for invocation at a high level might not be
appropriate and could delay the response, causing the situation to get
out of control and lead to serious consequences for the organization.
For six days in January 1998 freezing rain coated large parts of
Canada, resulting in 7–11 cm of ice being deposited on
telephone and power cables. The weight of the ice brought
down poles and transmission towers, causing massive power
and telephone outages that left four million people without
electricity supply, some for as long as a month. The authority to
invoke the power company’s emergency plan was vested in the
senior executives who were still away at their holiday homes.
Contact could not be made with them as the landline
communications to their remote locations were lost. This
delayed the company’s response to the emergency.
3. Communication
If the plans are invoked it is essential that all interested parties are
informed and kept up to date. Who is to be informed and who will
manage communication must be established as part of the IRS. This
would include the media, if appropriate: a media spokesperson should be
nominated in the IRS. Clear and concise communication is required at the
time of disruption.
This activity has now been included as a requirement in ISO 22301 under
Clause 8.4.3 Warning and communication. It requires an organization to
‘establish, implement and maintain procedures for
a) detecting an incident,
b) regular monitoring of an incident,
c) internal communication within the organization and receiving,
documenting and responding to communication from interested
parties,
d) receiving, documenting and responding to any national or regional
risk advisory system or equivalent,
e) assuring availability of the means of communication during a
disruptive incident,
f) facilitating structured communication with emergency responders,
g) recording of vital information about the incident, actions taken and
decisions made, and the following shall also be considered and
implemented where applicable:
• alerting interested parties potentially impacted by an actual or
impending disruptive incident;
• assuring the interoperability of multiple responding
organizations and personnel;
• operation of a communications facility.
4. Decision making
It is important that at the time of a major disruption the organization
has in place a structure that will allow the management to make
informed decisions and to take control of the situation. Organizations
whose management style is normally based on debate and consensus will
have to switch to a command and control structure (see Figure 17). The
emergency services and the military have no problem with this approach,
as it is their normal management style. Other organizations will have
problems with this approach if the incident response team has not
rehearsed before an incident occurs.
Team leader: the team leader is responsible for managing the IRT and is
the primary contact with the appropriate company executives. The team
leader is usually the person who decides, against predefined thresholds,
that the incident should be handled by the IRT and assembles the team.
The team leader ensures that all team functions are covered and initiates
the plan to address the incident.
Health and safety: this person co-ordinates the health and safety
response from the corporate level. They may also be responsible for
environmental issues. The health and safety person provides the
high-level contact for the ‘blue light services’ and government agencies,
and provides advice on proper protective equipment and other health
and safety matters. This person may also be responsible for advising the
wider community of potential hazards from the incident, e.g. chemical
discharge.
Human resources: this person ensures people issues are being addressed
and co-ordinates these with the site’s HR people. They provide for crisis
counselling, access to the employee database, support in contacting
family members, and assembling necessary internal and external HR
resources if required.
Legal: this person provides legal counsel to the team and arranges for
external legal support as needed. They participate in communication
preparation and provide advice on securing the incident scene for
subsequent investigation.
Deputies should be appointed to all positions for two reasons. First, this
provides cover for team members’ absence due to holidays, sickness, etc.
and secondly, if the IRT has to operate over an extended period of time
then it is advisable to rotate team members to avoid stress and tiredness.
When first assembled the team should decide on a schedule for meetings,
typically every two or three hours depending on the nature of the
incident. During the ‘heat of the moment’ all key issues are addressed.
The meetings should last approximately 20–30 minutes, allowing time for
the team members to action the decisions taken.
Training
It is essential that all members, including deputies, are competent and
can operate effectively as a team. Training needs must be assessed and
provided; this will include appropriate training for any person who will
be required to be interviewed by the media.
Command centre
The organization must establish an appropriate, prepared, location where
the IRT will meet to manage the incident. This may be a room within the
organization, if not a dedicated command centre, e.g. the boardroom or
The first action for many organizations in establishing BCM has been to
create a business continuity plan without going through the key steps
outlined in the previous chapters. The danger in taking this approach is
that it will not result in a true understanding of the organization and
how it delivers key products or services. Consideration of various
strategies and their resource requirements may have been missed. As a
result the plan produced may not be fit for purpose and may not offer
the protection and benefits that would have been possible. By
completing the processes set out earlier the organization can now
Incident and continuity plans are used under challenging and stressful
circumstances; they should be concise, simple and easy to follow. In
addition plans should ensure the organization maintains compliance with
applicable laws and regulations during the period of their
implementation.
• What is to be done?
• When?
• Where are the alternative resources located?
• Who is involved?
• How is continuity to be achieved?
A small organization, operating from one site, may only need a single
document that covers incident management and continuity management,
while larger organizations will need integrated corporate, divisional and
business unit plans based on a common structure. These in turn may be
underpinned by action plans for front-line operations, e.g. hospital wards
(see Figure 20). Such plans must be synchronized to eliminate conflicts
and ensure that agreed restoration priorities are achieved. In a large
organization a central BCM team or BCM co-ordinator undertakes this
role.
The organization will need to create plans that detail how it will achieve
continuity of operations (business continuity plans) that are based on the
previously agreed timescales and minimum levels for the activities that
support the key products and services.
Plans may take various formats. They may be written as text or flow
charts, or be produced by specialist software. They can be held on the
company intranet or secure areas of the internet, or be paper-based, held
on a personal digital assistant (PDA), a tablet computer or in a simple
‘wallet’ format. Plans should not be vast documents as they will have to
be used in times of stress and therefore should be kept as
straightforward as possible, containing the minimum amount of
information to enable the team to deliver continuity. They must be
accessible at all times to those named individuals who are required to use
them.
and even separate locations within the same organization will have
differences. The plan must therefore reflect the organization rather than
the organization being made to fit a standard template.
For many organizations the threat of a global flu pandemic has driven
the requirement to develop business continuity. Plans are written for that
unique scenario, which include specific arrangements covering
occupational health, HR policies and security. While these are important
areas to be addressed if a flu pandemic should occur, these elements of a
business continuity plan should be owned by the specific functions that
are responsible for maintaining the content. Good practice ensures that
these elements are documented separately and the business continuity
plans signpost where the documents are located, e.g. by hyperlinks
within an electronic plan. This ensures that the latest arrangements are
available and minimizes the workload of the business continuity plan
owner.
The plans must also take account of any external arrangements for
managing an incident. These include the actions of the emergency
services, local authorities and other external agencies in the event of a
Plan contents
The following sections discuss the recommended elements of incident
response and business continuity plans.
Objectives: details of the priority order for continuity and recovery of key
products or services and their critical activities must be available together
with their RTOs and recovery levels (MBCOs).
Roles and responsibilities: the plan should identify the roles and
responsibilities of those post holders who will be involved in delivering
the plan. It will identify the team leader, key team members and their
deputies to be assembled at the time of invocation. It will set out their
levels of authority (including financial authority) and to whom they must
report their actions. It will also set out the point at which the
responsibility for incident or continuity management must pass to a
higher level in the organization. There may be separate teams
responsible for incident and continuity plans.
Invoking the plan: the plan must indicate the circumstances under which
it is to be invoked and who can authorize the invocation. It must also
include details of how to manage a disruption and its impact upon the
organization. It is essential that an organization responds quickly if a
crisis or disaster is to be avoided. The invocation of a business unit plan
may need a lower level of authority to deal with a local incident. It is
important that any invocation is flagged to senior management so it is
aware that an incident exists and can consider the wider implications for
the organization. Instructions to that effect should be written into the
plan.
Command centre: details of the main and secondary locations where the
team should proceed to in order to manage the disruption.
System recovery plans: small companies may include basic system recovery
plans within the main document. These may consist of instructions on
how to restore data or transfer telecommunications services to an
alternative location. In larger organizations the recovery plans will be
complex and may be separate documents owned by the unit responsible
for providing the service, e.g. IT recovery plans for a major data centre.
The main plan should identify the recovery plan owners and the key
actions they will take.
Contact details: the plan should include contact details of the IRT
members and their deputies. In addition it may include other details for
internal and external contacts as follows:
• utility companies;
• insurers; and
• media organizations.
Incident log: with any major disruption there may be a requirement for
post-event inquiry and audit. It is vital therefore that a record is
maintained of what actions were taken, why they were taken, when they
were taken and who took them. An example of an incident log is shown
in Appendix O.
Plans must also take account of the welfare of those who will be
managing the disruption, comply with health and safety requirements
and ensure there are sufficient team members available to work shifts in
the event of the disruption extending over a long period.
Returning to normal: a process must exist for standing down the incident
and continuity teams and returning to normal once the disruption is over.
Some incidents are dramatic and could change the very fabric of
‘normality’ for the organization and its stakeholders, so lessons have to
be learned from the response to any incident and any pre-planned
recovery arrangements reviewed. For this reason, the organization may
need to function under new operating norms beyond recovering to
pre-recovery conditions.
Implementation
Having completed the plans, they must be implemented. Those who hold
positions that are named in the plan must be made aware of their role
and have the appropriate training to enable them to fulfil their
responsibilities. The section on training in Chapter 6, including the key
steps for establishing a training programme, provides useful guidance on
training. Exercising plans is one of the principal methods of ensuring that
those who will be involved in managing an incident and implementing
continuity are aware of the contents of the plan and their roles.
Exercising is covered in Chapter 11.
Interested parties, both internal and external, need to be aware that the
organization has plans in place to deal with disruptions. They need to be
conscious of what will be done, what products and services will be
available, and at what levels. Where appropriate, they will also need to
know what activities the organization will not be doing while it recovers.
ISO 22301 requires the organization to have exercised and tested its
business continuity procedures to ensure they are consistent with its
business continuity scope and objectives.
Plans are worthless unless they are exercised. Many examples exist where
organizations have had business continuity plans in place but the plans
failed because they had not been exercised. In the UK, research has
Testing should ensure that technical systems work correctly and that
operating instructions are clear and valid for the equipment. The tests
should be as close to live working as possible, e.g. full load being taken
by the generator. Another form of test that should be carried out on a
regular basis is a ‘call cascade’. This is used to verify lines of
communication that will be used when invoking the plans.
Exercising is not about achieving a pass or a fail but ensuring the plan
works as intended. It is also a training opportunity for those who are
named in the documents. There are certain key rules to be observed
when planning exercises.
Exercises must have defined aims and objectives that may include:
Lesson: planning your exercise and carrying out impact and risk
assessments is very important.
There are various forms of exercise ranging from desktop review, where
the participants review and challenge the contents of the plan, a
‘walk-through’ where the interaction between players is assessed, to a
full plan test where the site or building is shut down and a move
undertaken to an alternative location. Full plan testing is the only way to
assure all concerned parties that the incident and continuity management
arrangements will work when required. Appendix Q shows the
relationship between the various types of exercises.
to challenge the plan and ensure all its components are examined.
An exercise can be run in real time or compressed time so that a plan can
be exercised in one session. It is important to include timeout periods so
that people and teams can clarify their understanding of the exercise.
Because the exercise will require intense concentration from the players,
careful consideration should be given to the length of time taken by the
exercise and the players’ welfare arrangements.
Different leadership styles are needed and it could be that the initial
teams chosen lack certain skills. Some of these can be acquired through
A log of all actions and outcomes must be made during the exercise and
this must be reviewed as soon as possible after the event. It is a good
idea for this review to be carried out with the participants so they can
express their own views on what went well or otherwise.
This chapter relates to the Check element of the BCMS and covers
monitoring and reviewing of the BCMS and business continuity
performance. It is essential that the organization conduct evaluations at
planned intervals or when significant changes occur.
still correct. Plans should be reviewed to ensure they are still appropriate
and workable. An appropriate management level should sign off the
reviews regardless of whether changes have or have not been made.
Staff will need to be made aware of any changes that have been made
to the BCMS or BCM arrangements. The maintenance of document
control is critical; it is important that version control is applied to BCM
documentation and that a mechanism exists whereby updates are issued
and old versions withdrawn.
One way this can be done is by the setting of key performance indicators
(KPIs). These are normally numerical and quantity based and objectively
assessed against targets. Examples are:
• the quality of the impact and risk analyses, and business continuity
plans;
• the quality, breadth and clarity of exercise scripts and training
materials;
• assessment of effectiveness of awareness and training of staff in
relation to the BCMS and business continuity arrangements;
• the type of lessons identified from exercises;
• the level of impact caused by disruptive incidents;
• the effectiveness of the BCM arrangements when invoked;
• the lessons identified as a result of the post-incident reviews (see
below);
• the stakeholders’ awareness and satisfaction with the organization’s
BCM arrangements.
Post-incident review
If the organization has suffered a disruptive incident that has resulted in
the incident and/or continuity plans being invoked, arrangements should
be in place to carry out a post-incident review to:
Internal audit
The decision to introduce BCM into an organization will be taken at the
highest level. The Chartered Management Institute’s 2012 BCM awareness
survey shows that the need for good corporate governance continues to
provide the biggest reason why BCM is introduced into an organization.
Top management needs to be assured that the BCMS and the BCM
procedures are fit for purpose and are being correctly implemented.
The management responsible for the area being audited shall ensure that
any necessary corrections and corrective actions are taken without undue
delay to eliminate detected nonconformities and their causes. Follow-up
activities must verify the actions taken and the results recorded.
Management review
An important element of performance evaluation is the management
review. Top management must review the organization’s BCMS, at
planned intervals, to ensure its continued suitability, adequacy and
effectiveness.
adequately;
• output from exercises, including the lessons identified reports;
• observations/recommendations from incidents or near misses
experienced by the organization and others;
• results of the education and awareness programmes;
• ‘monitoring and measurement evaluation results’;
• ‘the status of actions from previous management reviews’; and
• developments in BCM techniques, products, procedures and good
practice.
In developing the output of the review top management must take into
consideration any changes to:
• the business;
• the risk appetite;
• risk and security requirements;
• operational conditions and processes;
• legal, regulatory and contractual requirements; and
• resource and budgetary requirements.
The output from the management review will include decisions and a
timetable for the actions related to opportunities to continually improve
the BCMS and the possible need for any changes to the system. These
may include:
Chapter 13 Improvement
The final element of the PDCA cycle is Act, which requires the
organization to identify and act on BCMS nonconformities through
corrective actions. One of the key elements of a good management
system is that it has the capacity for continual improvement. This is a key
element of Deming’s approach to quality management and it is also a
requirement of ISO 22301. Continual improvement is based on the
Japanese philosophy of Kaizen, which means ‘change for the better’ or
‘improvement’.
frequently know the solutions but the culture of the organization may
prevent their ideas from surfacing. By using a suggestions scheme or
discussing how BCM and the organization’s resilience can be
strengthened at team meetings and on a one-to-one basis, managers will
be able to create a climate where continual improvement is the norm.
There are two actions associated with the final element of the BCMS:
nonconformities and continual improvement.
ISO 22301 goes on to state that the organization shall also ‘evaluate the
need for action to eliminate the causes of the nonconformity, by
Continual improvement
Like any management system BCMS must be subject to continual
improvement. The organization must make arrangements to ensure that
it continually improves the suitability, adequacy and effectiveness of the
BCMS through:
Chapter 14 Conclusion
1 Scope | 1 Scope
2 Terms and definitions | 3 Terms and definitions (some terms omitted, new terms added, some redefined)
3.1 Planning the business continuity management system | 4.1 Understanding of the organization and its context; 6.1 Actions to address risks and opportunities (to the BCMS)
3.2.1 Scope and objectives of the BCMS | 4.2 Understanding the needs and expectations of interested parties; 4.3 Determining the scope of the management system; 6.2 Business continuity objectives and plans to achieve them
3.2.2 BCM policy | 5.1 General; 5.2 Management commitment; 5.3 Policy
3.2.3 Provision of resources | 7.1 Resources; 5.2 Management commitment; 5.4 Organizational roles, responsibilities and authorities; 8.3.2 Establishing resource requirements
3.2.4 Competency of BCM personnel | 7.2 Competence
3.3 Embedding BCM in the organization’s culture | 7.3 Awareness; 7.4 Communication
3.4 BCMS documentation and records | 7.5 Documented information; 8.1 c) Operational planning and control
4.1.1 Business impact analysis | 8.2.1 General; 8.2.2 Business impact analysis
4.1.2 Risk assessment | 8.2.1 General; 8.2.3 Risk assessment
4.1.3 Determining choices | 8.3.3 Protection and mitigation
4.2 Determining business continuity strategy | 8.3.1 Determination and selection; 8.3.2 Establishing resource requirements
4.3.2 Incident response structure | 8.4.2 Incident response structure
 | 9.1 Monitoring, measurement, analysis and evaluation
5.1 Internal audit | 9.2 Internal audit
5.2 Management review of the BCMS | 9.3 Management review
6.1 Preventive and corrective actions | 10.1 Nonconformity and corrective action; 9.1.1 General
6.2 Continual improvement | 10.2 Continual improvement
Date to be reviewed
These services are delivered from the four regional depots based in London,
Birmingham, Manchester and Glasgow.
The BCMS extends to cover all activities, resources and dependencies utilized by these
key services.
The Acme Organization Ltd BCMS has been aligned to the International Organization
for Standardization’s ISO 22301:2012, Societal security – Business continuity
management systems – Requirements standard.
This scoping document was issued on 1 May 2012 and will be reviewed not later than
1 May 2013.
Signed on behalf of Acme Organization Ltd
Introduction
Application
The policy applies to those divisions and areas of our company set
out in the scoping document. All employees within these divisions
and areas must be aware of this policy. This policy applies in
particular to heads of divisions and business unit managers.
Purpose
Policy statement
Benefits
Responsibilities
The BCM team should demonstrate the ability to apply knowledge and
skills in the areas listed below.
Initiation of BCMS
Incident communication
Exercising plans
Performance evaluation
Improvement
People need training to equip them with the relevant knowledge and
skills, and to build relationships with other team players. Key questions to
be asked in developing a training programme are listed below.
• Senior management.
• ‘Non-essential’ staff who may be needed at the time of plan
invocation.
• Contractors and suppliers.
Training delivery
The training may use external or internal resources and should:
Appendix H Business impact assessment matrix
Level of impact: Insignificant (1) | Minor (2) | Moderate (3) | Major (4) | Catastrophic (5)

Category: System failure (B)
Insignificant (1): Negligible service disruption. No impact on client/customer service. Minimal disruption to routine organization activity. No long-term consequences.
Minor (2): Single failure to meet internal service-level agreements. No impact on client/customer service. Impact on organization rapidly absorbed. No long-term consequences.
Moderate (3): Repeated failures to meet service-level agreements. Minimal impact on client/customer service. Impact on organization absorbed with significant level of intervention. Minimal long-term consequences.
Major (4): 1 to 2 days’ outage. Significant impact on client/customer service. Impact on organization absorbed with some formal intervention by other organizations. Significant long-term consequences.
Catastrophic (5): Complete loss of systems and loss of data. Major impact on client/customer service. Impact on organization absorbed with significant formal intervention by other organizations. Major long-term consequences.

Category: Public confidence and reputation (C)
Insignificant (1): Issue of no public/political concern.
Minor (2): Local press interest. Local public/political concern.
Moderate (3): Limited damage to reputation. Extended local press interest/regional press interest. Regional public/political concern.
Major (4): Loss of credibility and confidence in organization. National press interest. Independent external inquiry. Significant public/political concern.
Catastrophic (5): Prolonged national media coverage. Major public/political concern. Full public inquiry.

Category: Failure to meet laws and …
Insignificant (1): Legal challenge. Minor out-of-court …
Minor (2): Civil action – no defence. Improvement …
Moderate (3): Class action. Criminal prosecution.
Major (4): Criminal prosecution – no defence.
Catastrophic (5): Criminal prosecution – no defence. Executive officer …
Appendix H Business impact assessment matrix
121
Licensed Copy: Mr. Universiti Teknologi Malaysia User, Universiti Teknologi Malaysia, 22/08/2012 04:19, Uncontrolled Copy, (c) The British
Standards Institution 2012
122
E Financial loss
Appendix I BIA template

Process/activity: …………………………………………..
Date of assessment: …………………………………. Signed off by: ………………………………….
Date to be reviewed: ………………………………….

Appendix J Sample resource record

Resource record for Acme Organization Ltd
People: ………………………………….
Skills: ………………………………….
Computing equipment: ………………………………….
Software applications: ………………………………….
Telecommunications: ………………………………….
Information/data: ………………………………….
Accommodation: ………………………………….
Furniture: ………………………………….
Internal dependencies: ………………………………….
Suppliers/partners: ………………………………….
Date of assessment: …………………………………. Signed off by: ………………………………….
Date to be reviewed: ………………………………….
Appendix K Sample risk mitigation record

Critical activity/resource/dependency | Risk ranking (H/M/L) | Risk mitigation measures
……………………………………………… | …………………………………. | ………………………………………………

Resource required | 0–24 hours* | Within 3 days* | Within 14 days*
Activities that support key service/product
People and skills required
Computing and telecoms required
Software applications required
Information required
Non-ICT equipment required
Accommodation required
Furniture required
Key suppliers/partners
Other dependencies
Other comments
Date of assessment: ………………………… Signed off by: ………………..…………………
Date to be reviewed: …………………………
* Timing set to suit organization’s requirements.
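The resource record above asks for the resources each activity needs back within 0–24 hours, 3 days or 14 days, and separately for internal dependencies and key suppliers/partners; the two halves only make sense together, because a resource is not recovered until whatever it depends on is. The following is an added example, not the book's own material: it assumes upper bounds of 24, 72 and 336 hours for the three bands (the book leaves the timings to the organization) and uses constructed activity and resource names. It follows each resource's dependency chain, reports every activity whose resources cannot be back inside its window together with the resource that limits them, and lists resources that more than one 0–24 hour activity relies on as candidates for the 'single points of failure' an audit would look for.

```python
"""Consistency check over a BIA resource record.

Added example (not from the book). All names, dependencies and timings are
constructed for illustration; the band-to-hours mapping is an assumption.
"""
from dataclasses import dataclass, field

# Assumed upper bound, in hours, of each recovery band in the resource record.
BANDS = {"0-24 hours": 24, "within 3 days": 72, "within 14 days": 336}


@dataclass
class Resource:
    name: str
    category: str            # People, Computing, Software, Supplier, ...
    recoverable_within: str  # a key of BANDS
    depends_on: list = field(default_factory=list)  # names of other resources


@dataclass
class Activity:
    name: str
    window: str              # band within which the activity must resume
    needs: list = field(default_factory=list)       # resource names


def effective_recovery(name, resources, _stack=()):
    """Hours to recover a resource once its dependencies are followed, and the
    resource that limits it (a database is only as recoverable as its host)."""
    if name in _stack:
        raise ValueError("dependency cycle: " + " -> ".join(_stack + (name,)))
    res = resources[name]
    worst_hours, limiter = BANDS[res.recoverable_within], name
    for dep in res.depends_on:
        hours, dep_limiter = effective_recovery(dep, resources, _stack + (name,))
        if hours > worst_hours:
            worst_hours, limiter = hours, dep_limiter
    return worst_hours, limiter


def check_record(activities, resources):
    """Return (gaps, shared) for a resource record.

    gaps:   (activity, resource, hours needed, hours achievable, limiting resource)
            for each resource that cannot be recovered inside the activity's window.
    shared: {resource: [activities]} for resources relied on by more than one
            0-24 hour activity, i.e. candidate single points of failure.
    """
    gaps, urgent_users = [], {}
    for act in activities:
        needed = BANDS[act.window]
        for rname in act.needs:
            achievable, limiter = effective_recovery(rname, resources)
            if achievable > needed:
                gaps.append((act.name, rname, needed, achievable, limiter))
            if needed == BANDS["0-24 hours"]:
                urgent_users.setdefault(rname, []).append(act.name)
    shared = {r: users for r, users in urgent_users.items() if len(users) > 1}
    return gaps, shared


# Constructed sample record, loosely modelled on an emergency call-out service.
RESOURCES = {r.name: r for r in [
    Resource("Call handlers", "People", "0-24 hours"),
    Resource("Telephony", "Telecommunications", "0-24 hours"),
    Resource("Job dispatch application", "Software", "within 3 days", ["Hosted database"]),
    Resource("Hosted database", "Computing", "0-24 hours", ["Hosting supplier"]),
    Resource("Hosting supplier", "Supplier", "within 3 days"),
    Resource("Finance staff", "People", "within 3 days"),
    Resource("Billing system", "Software", "within 14 days", ["Hosted database"]),
]}

ACTIVITIES = [
    Activity("Emergency call-out service", "0-24 hours",
             ["Call handlers", "Telephony", "Job dispatch application"]),
    Activity("Planned maintenance scheduling", "0-24 hours",
             ["Telephony", "Job dispatch application"]),
    Activity("Monthly invoicing", "within 14 days", ["Finance staff", "Billing system"]),
]

if __name__ == "__main__":
    gaps, shared = check_record(ACTIVITIES, RESOURCES)
    for act, res, needed, achievable, limiter in gaps:
        print(f"GAP: {act} needs {res} within {needed}h, "
              f"achievable {achievable}h (limited by {limiter})")
    for res, users in shared.items():
        print(f"SHARED by 0-24h activities: {res} <- {', '.join(users)}")
```

In the sample record the database itself is recoverable within a day, but it sits on a supplier with a three-day commitment, so the call-out service's dispatch application is reported as a gap with the limiting resource named; that is the kind of finding the risk mitigation record in Appendix K is meant to capture.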
People

Premises
Worksite strategies can vary significantly and a range of options
might be available. Different types of incident or threat might
require the implementation of different or multiple worksite options.
The correct strategies will in part be determined by the
organization’s size, sector and spread of activities, by stakeholders
and by geographical base. For example, public authorities will need
to maintain frontline service delivery in their communities.

Technology
Technology strategies will vary significantly between organizations
according to the size, nature and complexity of the business. Specific
strategies ought to be developed to safeguard, replace or restore
specialized or custom-built technologies with long lead times.

Information
Information strategies should be such as to ensure that information
vital to the organization’s operation is protected and recoverable
according to the timeframes described within the BIA…
• confidentiality;
• integrity;
• availability; and
• currency.

Supplies
In office-based environments, supplies might constitute cheques, etc.
Other industries might identify retail stock or just-in-time supplies, or
vehicle fuels.
Name of department: ………………………………………..

Within my department I can confirm that the following apply: | Yes | No | If your answer to any question is ‘no’ please provide information
… regular basis.
7. Business continuity roles and responsibilities within my department are clearly defined and understood.

…………………………………………. [Name of department] to support the business continuity validation and assurance process. We hold a completed business continuity validation form for each business unit that we selected for validation in this exercise. These are listed below.

No. | Name of business unit | Location | Further comments
1
2
3
4
5
6
7
8
9
10

Total number of business continuity plans validated: .................... Percentage total of departmental business continuity plans validated: ………………..

I confirm that this is a true and accurate picture of the current status of business continuity for the period 1 April ………………………… (insert year) to 31 March ………………………… (insert year).

Signature: Print name: Date:
Position:

Note: if you cannot provide full assurance for your department, complete the box below.
It may be that currently you are only able to provide partial assurance with regard to business continuity arrangements within your department. If this is the case, please provide details in the box below of what action is being taken by the department to address those areas where currently you cannot provide full assurance.
…………………………

Appendix N Sample plan review

Date and time | Information/request | From | Action taken | By whom

Signature: ………………………………………. Date: …………………….
The aim of the plan is to enable the emergency call-out service of the
Home Service Midlands Department of the Home Services Division to be
resumed following an incident that disrupts the service. The emergency
call-out service is a key service for the company as this is a contracted
service to the local housing associations.
This plan assumes that the public telephone service has not been affected
by the disruption.
Plan distribution
Copies of this plan are held by:
• internal;
• external; and
• subject experts.
Task checklists
• Mandatory tasks: ………………………………….
• Discretionary tasks: ………………………………….
Task completion tracking process: record all actions taken, together with
times, on the action/task worksheet.

Example
• people;
• information/data;
• IT;
• telecommunications;
• vehicles;
• specialist equipment;
• accommodation;
• office equipment;
• furniture;
• stationery, etc.
• Supplier agreements

Form templates
• Meetings agenda
• Decision and action log
• Task list status report
• Telephone log
Appendix Q Types and methods of exercising BCM arrangements

Appendix R Suggested BCM audit checklist

Rate achievement for each key issue (1 – not started, 2 – 25 per cent complete, 3 – 50 per cent complete, 4 – 75 per cent complete, 5 – completed).

Stage: Context of the organization
Key issue: Identification of the organization’s objectives, obligations, statutory and regulatory duties, and environment in which the organization operates. Identification of the needs and expectations of the interested parties.
Example evidence: Analysis of needs and expectations of interested parties. Listing of obligations, and statutory and regulatory duties.
Rating: 1–2–3–4–5

Key issue: Key services and products delivered by and on behalf of the organization have been identified and have been agreed by the executive board.
Example evidence: Documented procedures for identifying and reviewing key services and products. Executive board minutes confirming key …
Rating: 1–2–3–4–5
Stage: Context of the organization
Key issue: Determination of the organization’s risk appetite and risk criteria.
Example evidence: Formal risk management in place with documented evidence of risk criteria …
Rating: 1–2–3–4–5

Example evidence: … BCM programme. Competence requirements documented. Training programme to establish and maintain BCM competence.

Stage: Leadership
Key issue: Responsibility for business continuity issues is well embedded within individual services or management units.
Example evidence: BCM is included in job descriptions and skill sets of service and support managers. BCM responsibilities enforced by inclusion in organization’s appraisal, reward and recognition policies.
Rating: 1–2–3–4–5

Key issue: Awareness of business continuity issues is well embedded within the organization.
Example evidence: There is a programme in place raising awareness throughout the organization and its interested parties. Feedback mechanisms exist whereby functional managers and staff can flag up BCM issues. Evidenced through minutes of meetings and reports. Induction programmes include awareness of BCM.
Rating: 1–2–3–4–5
Example evidence: … BIA.

Key issue: Risk assessment has been used on the critical activities, and supporting resources and dependencies, to focus effort on the areas of greatest need.
Example evidence: Documented procedures to review and rank risk. Identification of ‘single points of failure’.
Rating: 1–2–3–4–5

Key issue: Countermeasures exist to minimize risks that have been identified, including measures to combat potential loss of information.
Example evidence: Documented evidence of risk mitigation covering people, systems, information, premises and equipment, and suppliers.
Rating: 1–2–3–4–5
Stage: Establishing and implementing BCM procedures
Key issue: Incident response structure in place. Incident management plans are …
Example evidence: Details of incident response structure and procedures.
Rating: 1–2–3–4–5

Key issue: Appointment of teams that are trained to deliver the plans.
Example evidence: Details of incident and continuity team members. Competence assessment undertaken. Training programme for team members. Training record for team members.
Rating: 1–2–3–4–5

Key issue: A clear procedure exists that ensures interested parties, internal and external, are aware of what actions the organization will take if plans are activated.
Example evidence: A communications policy document. Letters, emails, circulars, meeting minutes, and internet and intranet pages that raise awareness of the plans.
Rating: 1–2–3–4–5

Key issue: Ensuring communications with interested parties at the time of disruption to key services and products.
Example evidence: Plans containing arrangements for communicating with clients, customers, staff, partners, interested parties and the media. Plans linked to communications plans.
Rating: 1–2–3–4–5
Stage: Establishing and implementing BCM procedures
Key issue: Ensuring latest plans and supporting materials are always available.
Example evidence: Copies of plans and essential equipment/documents (in electronic or …
Rating: 1–2–3–4–5

Stage: Exercising
Key issue: Ensuring there is a balanced programme of exercise types that validates the full range of BCM capabilities.
Example evidence: Records of regularly tested contact arrangements and exercises. Exercise programmes/test schedules.
Rating: 1–2–3–4–5

Key issue: Exercise programmes have clear objectives.
Example evidence: Exercise scenarios and plans.
Rating: 1–2–3–4–5

Key issue: Ensuring there is a documented process for capturing and taking forward the lessons identified from exercises and tests.
Example evidence: Notes of exercise debriefs and ‘lessons identified’ reports. Exercise review reports to relevant management team. Action plans. Review of actions at plan preparation/review meetings. Evidence that the lessons learnt from …
Rating: 1–2–3–4–5
Stage: Performance evaluation
Key issue: Assurance of organization’s BCM capability.
Example evidence: Key performance indicators (KPIs) set for BCM implementation and maintenance. KPIs subject to regular review. BCM responsibilities reviewed by the organization’s audit process.
Rating: 1–2–3–4–5

Key issue: A clear mechanism is in place for measuring the effectiveness of the BCMS.
Example evidence: BCMS review programme. Self-assessment reports. Internal audit reports. Benchmarking against standards (e.g. ISO 22301) and guidelines. External reviews by peers from other organizations.
Rating: 1–2–3–4–5

Key issue: Ensuring that the plans are kept up to …
Example evidence: There is an established and …
Rating: 1–2–3–4–5

Stage: Performance evaluation
Key issue: Ensuring there is a documented process for capturing and taking forward the lessons identified from incidents or near misses.
Example evidence: Notes of incident debriefs, lessons identified, action reports and results.
Rating: 1–2–3–4–5

Key issue: Ensuring that when there are major changes to the organization or the environment in which it operates, or threats, the BCM programme is reviewed and modified as appropriate.
Example evidence: There is a mechanism that triggers BCM reviews. Action plans. Review of actions at plan preparation/review meetings. Notes from review meetings.
Rating: 1–2–3–4–5

Key issue: Ensuring that the review process drives improvement by identifying lessons, and appropriate action is taken.
Example evidence: Review reports to relevant management team. Action plans.
Rating: 1–2–3–4–5
Don’t think you have the resource to implement a business continuity system, or
can’t see the business justification? Then this is the book to get you started.
Simple, tried and tested approaches are set out to enable businesses of any size
and with a minimum of budget, time and staff to put in place effective continuity
solutions that will help keep customers happy during and after a disruption.
An effective business impact analysis (BIA) is vital to the success of any continuity
plan. But what is it, and how do you do it? This book clearly explains the concept
and benefits, then goes on to deliver a simple and practical method for
conducting a BIA that meets the particular needs of your business.
Why audit your BCM plans? One reason is that ISO 22301 requires an internal
audit of the business continuity management system to be undertaken by all
organizations. Another is that it provides independent assurance that the system is
adequate and properly managed. This book delivers the in-depth information and
knowledge needed by auditors to advise effectively on each part of the business
continuity process.
How can you be sure that your business continuity plans will actually work if called
into action? By testing them. This practical book will help you to decide what
type of exercises and tests are appropriate to your business and its likely risks, and