Friday, August 8, 2008

PDCA

Establish the BCMS [PLAN]
An organisation's business continuity programme is defined in a management system, termed the Business Continuity Management System or shortened to BCMS (sorry, another acronym to learn).

The general requirement of the standard is that the organisation, fairly obviously, develops, implements, maintains and improves a business continuity management system in line with the familiar PLAN-DO-CHECK-ACT model.

BS25999.COM PLAN DO CHECK ACT model

PLAN

Establish business continuity policy, objectives, targets, controls, processes and procedures.

DO

Actually get on and implement one's plans.

CHECK

Monitor and review performance against objectives and policy

ACT

Take preventative and corrective actions to ensure continuous improvement

Establish and Manage the BCMS

This section requires that the organisation defines its business continuity requirements in terms of its overall objectives and that the scope of the BCMS is clearly defined; for example, is it just for the London office or the whole organisation?

In what is a potentially large task, it also requires that the organisation assures itself, by whatever demonstrable method, that its key suppliers and outsourced agencies also have effective BCM in place. Probably the easiest way to demonstrate that suppliers have effective business continuity is to require them to have BS25999, a somewhat difficult task to complete admittedly. Other means might include inspections, questionnaires etc.

The BCMS must as a minimum contain:

  • A business continuity policy
  • Responsibilities
  • Management Processes
  • Topic Specific Processes
  • Documentation

A BCM policy is required that demonstrates commitment and details the scope and objectives of the BCMS. This policy also has to be regularly reviewed and made available to all relevant parties. Very similar to a quality policy or security policy this forms the foundation of the BCMS because it demonstrates clear management commitment and sets out responsibilities.

The organisation has to demonstrate that an appropriate level of resources is allocated, that a person is nominated to be accountable for the BCMS and that a person is responsible for its implementation/maintenance. These do not have to be the same person; in larger organisations this means that a senior manager, perhaps a Board member, is accountable, but a Business Continuity Manager is responsible for implementation and maintenance.

Any person who is assigned responsibilities in the BCMS also has to have appropriate competency. There also has to be documented evidence to support this. How organisations choose to demonstrate competence is up to them and might include interview notes, professional qualifications, references, training records, tests, copies of published work or a mix of various items. Of course with a nod to the various professional organisations out there one of the quickest ways to demonstrate competence would be to have copies of their professional qualifications on file.

Training and competency management for those involved in the BCMS either by virtue of their day to day role or involvement in a recovery or incident is required.

Embedding Business Continuity Management in the Organisation's Culture

BCM has to become a central part of the organisation's management outlook, and an ongoing BCM education and information programme must be in place.

Business Continuity Management Systems Documentation and Records

The documentation that forms part of the BCMS has to be fully controlled and protected by document release and authorisation processes.

As a minimum the BCMS must contain the following documentation:

  • Scope
  • Policy
  • Resource provision
  • Staff competency and records
  • BIA, risk assessment and BC strategy
  • Incident response structure, incident response plan and business continuity plan
  • Exercise arrangements
  • Maintenance, review and audit procedures
  • Preventative and corrective actions
  • Management reviews and evidence of continual improvement

Records management, in order to support the Plan-Do-Check-Act model, forms a key part of the standard, covering for example retention, location, authorisation and issue status.

The BCMS documentation may be maintained in hardcopy or soft copy formats.

Document Author: Harvey Fawcett

Understanding the Organisation

Arguably the most important step in a Business Continuity Management programme is to understand the organisation, its products, services, resources, facilities, suppliers, customers, other stakeholders and their interdependencies.

In order to protect key products and services it is vital that the organisation identifies critical activities and the resources needed to produce those products and services. By understanding the organisation, the business continuity management programme can be closely aligned to the business continuity strategy and ultimately the overall goals of the organisation.

These steps can be summarised as:

01 Business Impact Analysis: what would happen if?

02 Identification of Critical Activities and Resources: what is important?

03 Continuity Requirements: what will we need to carry on?

04 Risk Assessment: look at the threats and likelihoods

05 Risk Treatment: choose what to do about the risks

01 Business Impact Analysis

Much has been written about business impact analysis and sometimes it is over-complicated, but essentially a BIA determines the impact of disruption to activities that support the organisation's output, its products or services.

The impact may be different over time, so the BIA should be able to show a time element, and there may be different categories of impact.

The BIA should be carried out by personnel familiar with the process being assessed, usually with assistance from business continuity or risk management staff, so that not only is the method suitable and applicable to the organisation but the information contained within it is correct.

The maximum tolerable period of disruption for each activity should be defined so that critical functions may be identified.

Spreadsheets and scoring matrices can be useful in helping to organise and collate the results, as can the many BIA management software applications currently available if the organisation is large, complex or dispersed; but a simple Word document may also be sufficient.


There are no fixed methods of carrying out a BIA; each organisation must find a method that suits it best but the standard contains broad principles. There is no 'magic method' that will provide all the answers.

The key factors in achieving an effective Business Impact Analysis are:

  • Identify what you want out of it
  • Identify activity experts (i.e. don't ask the facility manager about accounting software)
  • Develop a plan for gathering the data
  • Summarise the findings
  • Validate
  • Present

Organisations can sometimes fall into the traps of over-complication, trying to reduce the BIA to an exact statistical exercise and worrying about getting it 100% right the first time around. As we have seen in the previous section, BCM is an iterative management process which can and should be revisited often. The BIA may therefore be in summary format in the first pass.

It is much more valuable for a BIA to show only the largest impacts but be available within a reasonable time than one with every eventuality covered but not available to senior managers for a year. Don't laugh, this is a very easy and common mistake to make.

One of the most effective BIA's I have seen is one that was done in an afternoon with all company directors present. Why was it so effective?

It focussed on the most immediate and likely impacts and was turned into a plan of action the next morning.

Of course it was light on detail and missed a lot of minor systems, some with a greater impact than imagined. The organisation recognised that its initial BIA was flawed and implemented a back-filling exercise to catch the errors and omissions whilst mitigating the impacts of those it found in its first pass.

Perfect is the enemy of good enough

An example of a BIA is shown below.

BS25999.COM Sample BIA
The definition of LOW, MEDIUM or HIGH impacts should be done before the BIA process commences; they might be split as shown above or combined. Again, the exact nature of the BIA should be determined by the organisation.

An excellent way to gather information to support the BIA is via a simple interview process. Sending blank spreadsheets out and asking people to fill them in, a more common activity than one might imagine, is doomed to failure with poor quality information resulting in incorrect assumptions and flawed plans. Speak to people, this is the single most effective way of creating a BIA.

A valuable time saving can also be made if, during the BIA interview, interviewees are asked how long they could make do without one resource or another before its loss became critical. For example, email or the building.

02 Identification of Critical Activities

What is a priority for recovery?

The identification of critical activities should be obtained from the BIA.


These activities can then be prioritised for recovery and resources allocated according to this priority. The maximum disruption that can be tolerated will feed into the recovery time objective when determining BCM strategies.
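The following is an added example, not code from the original article or from BS25999 itself, that works through the three steps just described: a BIA recording impact over time for each activity, derivation of the maximum tolerable period of disruption (MTPD) from it, ordering of the critical activities for recovery, and a check that a proposed recovery time objective (RTO) sits inside the MTPD. The LOW/MEDIUM/HIGH categories are the article's; the time horizons, the sample activities and their resources are constructed for the example, and the rule "MTPD is the first horizon at which impact reaches HIGH" is one reasonable choice, not the standard's definition. It also shows which resources several critical activities share, since a shared resource is a single point of failure for more than one recovery priority.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Impact categories, defined before the BIA starts, mapped to an ordinal score.
IMPACT_SCORE = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Time horizons (hours after disruption) at which impact is assessed. Constructed
# for this example; an organisation chooses horizons that suit it.
HORIZONS = [4, 24, 72, 168]


@dataclass
class Activity:
    """One row of a BIA: an activity, its impact at each horizon, and the
    resources (continuity requirements) it depends on."""
    name: str
    impact_over_time: Dict[int, str]   # horizon (hours) -> "LOW" | "MEDIUM" | "HIGH"
    resources: List[str]

    def impact_at(self, horizon: int) -> int:
        # An unassessed horizon is treated as no worse than LOW.
        return IMPACT_SCORE[self.impact_over_time.get(horizon, "LOW")]


def mtpd(activity: Activity, threshold: str = "HIGH") -> Optional[int]:
    """Maximum tolerable period of disruption: the earliest horizon at which the
    impact reaches the threshold category. None if it never does within the
    horizons assessed, i.e. the activity is not critical on this pass."""
    for horizon in HORIZONS:
        if activity.impact_at(horizon) >= IMPACT_SCORE[threshold]:
            return horizon
    return None


def critical_activities(activities: List[Activity], threshold: str = "HIGH") -> List[str]:
    """Identify critical activities and order them for recovery: shortest MTPD
    first, ties broken by the impact felt at the earliest horizon."""
    ranked = []
    for activity in activities:
        period = mtpd(activity, threshold)
        if period is not None:
            ranked.append((period, -activity.impact_at(HORIZONS[0]), activity.name))
    ranked.sort()
    return [name for _, _, name in ranked]


def rto_within_mtpd(activities: List[Activity], rto: Dict[str, int]) -> Dict[str, bool]:
    """Check each proposed recovery time objective (hours) against the MTPD the
    BIA produced: an RTO longer than the MTPD means the chosen strategy does not
    meet the continuity requirement."""
    result = {}
    for activity in activities:
        period = mtpd(activity)
        if period is not None and activity.name in rto:
            result[activity.name] = rto[activity.name] <= period
    return result


def shared_resources(activities: List[Activity]) -> Dict[str, List[str]]:
    """Resources that more than one critical activity depends on; losing one of
    these disrupts several recovery priorities at once."""
    critical = set(critical_activities(activities))
    users: Dict[str, List[str]] = {}
    for activity in activities:
        if activity.name in critical:
            for resource in activity.resources:
                users.setdefault(resource, []).append(activity.name)
    return {r: sorted(names) for r, names in sorted(users.items()) if len(names) > 1}


# Constructed sample BIA rows (not from any real organisation).
SAMPLE_BIA = [
    Activity("Order processing", {4: "MEDIUM", 24: "HIGH", 72: "HIGH", 168: "HIGH"},
             ["email", "ERP", "building"]),
    Activity("Payroll", {4: "LOW", 24: "LOW", 72: "MEDIUM", 168: "HIGH"},
             ["HR system", "email"]),
    Activity("Marketing newsletter", {4: "LOW", 24: "LOW", 72: "LOW", 168: "MEDIUM"},
             ["email"]),
    Activity("Customer support", {4: "HIGH", 24: "HIGH", 72: "HIGH", 168: "HIGH"},
             ["telephony", "CRM", "building"]),
]

if __name__ == "__main__":
    print("Recovery priority:", critical_activities(SAMPLE_BIA))
    print("RTO check:", rto_within_mtpd(
        SAMPLE_BIA, {"Customer support": 2, "Order processing": 48, "Payroll": 120}))
    print("Shared resources:", shared_resources(SAMPLE_BIA))
```

Run as-is, the sample puts customer support first (impact is HIGH within four hours), then order processing, then payroll, and drops the newsletter as non-critical on this pass. The RTO check flags order processing: a 48-hour recovery target cannot meet a 24-hour MTPD, which is exactly the mismatch the article says the BIA should expose before strategies are chosen.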

03 Continuity Requirements

We have determined critical activities and the impact of disruption on them from the above processes.

The continuity requirements to support each activity can then be determined. These may include:

  • Staff
  • Facilities and premises
  • Supporting technology
  • Information
  • External services
  • Suppliers
  • Raw materials or assemblies

For example:

BS25999.COM Recovery Requirements Diagram

04 Risk Assessment

The risk to the organisation's critical activities should be clearly understood.

For each resource supporting these critical activities a risk assessment should be undertaken to determine the threats, vulnerabilities and impacts.

There are many techniques for carrying out risk assessments and the method chosen should be suitable for the organisation, wherever possible aligning with other risk assessment methods in use, for example in an Information Security Management System.

Sample Risk Assessment

BS25999.COM Sample Risk Assessment

05 Risk Treatment

Once the risks have been determined there are a number of options available to organisations for what to do about them.

There are four options:

  • Use business continuity to reduce the risk
  • Accept the risk; it might be low enough to tolerate, or there may be nothing that can be done with a reasonable degree of resource allocation or effort
  • Transfer the risk to another party, for example through insurance
  • Change or stop the activity under question, permanently or temporarily
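An added example, not from the original article or the standard, of a small risk register for the resources supporting critical activities, scored in the way an existing Information Security Management System typically already does (likelihood times impact on 1..5 scales) so the BCM and ISMS assessments line up as the article recommends. The scales, the risk appetite threshold, the rating bands and the sample entries are all constructed assumptions. Each entry records which of the four treatment options was chosen, and a validation pass applies the checks a reviewer would make before sign-off: every risk has a decision, accepting a risk above appetite needs a written justification, and a treated risk must actually bring the residual score back within appetite.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# The four treatment options described above.
TREATMENTS = {"reduce", "accept", "transfer", "change"}

# Constructed 1..5 scales and risk appetite; an organisation aligning with an
# existing ISMS would reuse that system's scales and thresholds instead.
RISK_APPETITE = 8   # scores above this need more than plain acceptance


def rating(score: int) -> str:
    """Map a likelihood x impact score onto the LOW/MEDIUM/HIGH bands used in the BIA."""
    if score >= 15:
        return "HIGH"
    if score >= 8:
        return "MEDIUM"
    return "LOW"


@dataclass
class Risk:
    resource: str                 # resource supporting a critical activity
    threat: str
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    impact: int                   # 1 (negligible) .. 5 (severe)
    treatment: Optional[str] = None
    justification: str = ""       # required when accepting a risk above appetite
    residual_likelihood: Optional[int] = None   # expected value after treatment
    residual_impact: Optional[int] = None

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def residual_score(self) -> int:
        # A dimension the treatment does not change keeps its inherent value.
        likelihood = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        impact = self.impact if self.residual_impact is None else self.residual_impact
        return likelihood * impact


def validate_register(risks: List[Risk]) -> List[str]:
    """Consistency checks a reviewer would apply before sign-off. Returns one
    finding per problem; an empty list means the register is internally consistent."""
    findings = []
    for r in risks:
        label = f"{r.resource}/{r.threat}"
        if r.treatment not in TREATMENTS:
            findings.append(f"{label}: no treatment decision recorded")
            continue
        if r.score > RISK_APPETITE:
            if r.treatment == "accept" and not r.justification:
                findings.append(f"{label}: score {r.score} accepted without justification")
            elif r.treatment != "accept" and r.residual_score > RISK_APPETITE:
                findings.append(f"{label}: residual score {r.residual_score} still above appetite")
    return findings


def worst_risk_by_resource(risks: List[Risk]) -> Dict[str, int]:
    """Highest inherent score per resource, worst first, showing where the
    resources behind the critical activities are most exposed."""
    worst: Dict[str, int] = {}
    for r in risks:
        worst[r.resource] = max(worst.get(r.resource, 0), r.score)
    return dict(sorted(worst.items(), key=lambda kv: -kv[1]))


# Constructed sample register (not from any real organisation).
SAMPLE_REGISTER = [
    Risk("building", "fire", 2, 5, "reduce", residual_likelihood=1),
    Risk("email", "hosting provider outage", 3, 3, "transfer", residual_impact=1),
    Risk("ERP", "database corruption", 3, 4, "accept"),            # accepted, no justification
    Risk("telephony", "line damage by roadworks", 2, 2),           # no decision recorded yet
    Risk("HR system", "staff error", 4, 4, "reduce", residual_likelihood=2),
]

if __name__ == "__main__":
    for resource, score in worst_risk_by_resource(SAMPLE_REGISTER).items():
        print(f"{resource:<10} {score:>2} {rating(score)}")
    for finding in validate_register(SAMPLE_REGISTER):
        print("FINDING:", finding)
```

On the sample data the validation raises two findings: the ERP risk is accepted above appetite with no justification, and the telephony entry has no treatment decision at all. Both are the kind of gap that auditing the "preventative and corrective actions" documentation under the CHECK step is meant to catch.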

Document Author: Harvey Fawcett