Professional Documents
Culture Documents
BCI GPG 2018 From the Pubic Domain
BCI GPG 2018 From the Pubic Domain
Guidelines
2018 Edition
The global guide to good
practice in business continuity.
Risk
Management Communications
Facilities
Emergency Management
ANALYSI
Management S
N
TIO
PP6
VA LI DAT ION
VALIDA
PP5
EMBEDDING IMPLEMENTATION
DESIG
PP4
T
PL
IM
D E SIGN
EN
EM
ENT
PO
EM
IC ATION Physical
AG
L
Y AN Security
Crisis D A N PP3
PROGRAM ME M
A NA LYS IS
Management Human
Resources PP2
E m b e dd ing
B u sine ss
Business Continuity Management C ontin uity
CONTENTS
GLOSSARY
How to use these guidelines.
Each stage of the BCM Lifecycle is a Professional Practice which has its
own unique icon and colour. This is an interactive PDF which allows you
to move between the Professional Practices. Click on any of the links
within the document to read further information. There are also tabs on
the right hand side which allow you to move to other sections and the
glossary. You can use the keyboard code ‘Altß’ to return to the page you
were reading.
PP2 - Embedding
PP3 - Analysis
PP4 - Design
PP5 - Implementation
PP6 - Validation
General Principles
Process
2
Icon for Hint/tip; These hints and tips have been provided by
experienced practitioners.
Please note: There will be no CBCI exam questions about the hints and tips.
H OW TO USE these g u i d e l in es
British National Library
This publication has been legally deposited with the British National Library
BCI Copyright
bci@thebci.org
10-11 Southview Park, Marsack Street, Caversham, Berkshire, RG4 5AF, UK.
www.thebci.org
GLOSSARY
3
contents
Introduction 6
Acknowledgements 9
Glossary of Terms 10
PP2 - Embedding 26
Understanding and Influencing Organizational Culture 28
Competencies and Skills 31
PP3 - Analysis 36
Business Impact Analysis 38
The Initial BIA 44
The Product and Service BIA 45
The Process BIA 46
The Activity BIA 48
Risk and Threat Assessment 50
Emergency
Management
Risk
Management Health and
Safety
Communications
4
PP4 - Design 54
Designing Business Continuity Solutions 56
Risk and Threat Mitigation Measures 66
PP5 - Implementation 68
Response Structure 70
Developing and Managing Plans 76
Strategic Plans 80
Tactical Plans 82
Operational Plans 84
PP6 - Validation 86
Developing an Exercise Programme 88
Developing an Exercise 91
Maintenance 95
Review 98
Physical
Information
Security
Crisis Security Human
Management Resources
Facilities
Management
5
BCI Good Practice Guidelines 2018 Edition
The BCI is built on the principle of professionalising business The GPG forms the foundation of the BCI’s world class, award winning
continuity practice, and continues to be the authoritative and reliable education programme, delivered through the BCI’s delivery partners
source of information on all aspects of business continuity theory and approved BCI instructors.
and practice for professionals, and offers a wealth of online resources
via www.thebci.org. The Good Practice Guidelines have been revised The GPG forms the syllabus for the Certificate of the BCI (CBCI)
as part of the BCI’s process of continual improvement and ongoing examination leading to the internationally recognised CBCI credential.
development of our body of knowledge to remain relevant to
The CBCI credential is an entry route to the higher levels of certified
professionals worldwide.
BCI membership. The GPG is used by higher education and in
academic institutions in both undergraduate and post-graduate
courses and in continuing education establishments. The GPG is
recognised as industry best practice for professionals, by professionals
in organizations all over the world.
6
© Copyright 2017 The Business Continuity Institute
I n trod uct i o n
GPG and standards? in the language used, but all fundamental concepts and actions
are aligned. The terminology used is listed in the GPG glossary,
The international standard for business continuity management
and additional terminology is contained in the BCI and Disaster
(ISO 22301:2012) specifies requirements for a business
Recovery Journal (DRJ) glossary available on the BCI website.
continuity management system for organizations. Organizations
Those needing to know about business continuity can be
can choose to seek ISO certification from a recognised standards
confident that they are guided by internationally accepted best
body for their business continuity management system.
practices as described in the GPG.
ANALYSI
S
N
TIO
VALIDA
EMBEDDING
DESIG
N
PL
IM
EN
EM
ENT
PO
EM
IC ATION
AG
L
Y AN
D PROGRAM MAN
ME
GLOSSARY
7
BCI Good Practice Guidelines 2018 Edition
ANALYSI
S
What are the benefits of the GPG?
N
TIO
For those individuals who wish to gain an internationally recognised
VALIDA
credential in business continuity, and become certified members of
the BCI, competence needs to be shown in all six BCI Professional
EMBEDDING
DESIG
Practices (PPs). The Certificate of the BCI (CBCI) examination tests the
knowledge of the Good Practice Guidelines subject matter across all
N
six Professional Practices.
T
PL
IM
EN
Successful candidates will gain a post nominal designation of CBCI EM
ENT
PO
EM
which demonstrates the individual’s knowledge of the Professional IC ATION
AG
L
Practices in business continuity, and will become certified members
Y AN
D A N
of the Business Continuity Institute. CBCI certification is just PROGRAM ME M
the beginning. Individuals are encouraged to progress to more
senior certified membership grades to demonstrate technical
and professional competency. Employers increasingly specify BCI
professional credentials for individuals seeking promotion or wishing
to embark on, or change career in the industry. It is proven that The Professional Practices 2018
those with BCI credentials; CBCI, DBCI, AMBCI, MBCI, AFBCI, and FBCI Management practices
command higher salaries and enjoy enhanced career prospects.
PP1 Policy & Programme Management
Organizations that can demonstrate the competency of the PP2 Embedding
individuals that they employ in business continuity roles benefit from
enhanced reputation and in some industry sectors, compliance with Technical practices
legal and regulatory requirements.
PP3 Analysis
By using the Good Practice Guidelines and having competent PP4 Design
individuals employed to manage and implement business continuity, PP5 Implementation
organizations are better protected and prepared to deal with
PP6 Validation
disruption.
The focus and emphasis of this edition of the GPG has adapted as
What has changed from the GPG 2013? business continuity practices have become established and more
organizations maintain embedded programmes. The 2018 edition
The GPG 2018 edition reflects the progressive evolution of business provides guidance to business continuity professionals who are
continuity management as a discipline. reviewing or revising an existing programme as well as continuing
This revised version retains the six Professional Practices that make to be relevant to those who are initiating a new business continuity
up the stages of the business continuity management lifecycle, and programme.
which lie at the core of good practice. The six Professional Practices
are sub-divided into two management practices and four technical
practices. Several other changes have been undertaken throughout the 2018
edition to assist the reader’s understanding and navigation. They
include:
8
© Copyright 2017 The Business Continuity Institute
• An increase in cross-references throughout the guidelines to • Recognise relevant changes within the business continuity
the other stages of the lifecycle and to other BCI publications management discipline.
and ISO standards.
• Ensure the BCI global good practices remain aligned with
• References to additional sources of information for further relevant international standards.
reading and guidance.
• Ensure the GPG remains internationally relevant.
• Many examples and hints and tips shared by industry
professionals to add context to the concepts presented in The BCI would like to acknowledge the following individuals
each stage of the lifecycle. for their contribution to this project:
To reflect the evolving business continuity discipline, the Working group leaders:
use of terminology in the 2018 edition has been carefully Chris Oliver FBCI, Lynda Vongyer AFBCI, Brian Zawada FBCI,
considered and in most cases the BCI has adopted ISO terms Mohan Menon AFBCI, Matthias Rosenberg FBCI, Kenny Seow
and definitions. For example, ‘prioritised activities’ replaces MBCI.
‘most urgent’, ‘critical activities’, ‘key activities’, and ‘important
Volunteers:
activities’. This is for consistency with the international
Alberto Mattia MBCI, Anton Wroblewski MBCI, Brigitte
technical specification for performing the Business Impact
Theuma MBCI, Charlie Maclean-Bristol FBCI, Des O’Callaghan
I n trod uct i o n
Analysis ISO/TS 22317:2015.
FBCI, Ian Charters FBCI, John Worthington, Marc Decaffmeyer
In other cases, where there is no equivalent ISO definition, the MBCI, Mel Gosling FBCI, Nathaniel Forbes MBCI, Norman
2018 edition proposes its own definitions in the interests of Powell MBCI, Rudy Muls MBCI, Malcolm Brooke, Gianna
clarity and improved understanding. For example: Detoni FBCI, Alex van Os de Man MBCI, David Window MBCI,
Iain Taylor Hon FBCI, James Royds Hon FBCI, Jim Burtles
• The term ‘continuity’ is used throughout the GPG 2018 Hon FBCI, Kevin Shaughnessy MBCI, Michael Crooymans
edition, and should be taken as a collective term to include MBCI, Saul Midler FBCI, Malin Lundkvist MBCI, Rina Bhakta,
response, recovery and resumption of activities impacted by Chris Green Hon FBCI, Jon Castle AMBCI, Paul Breed MBCI,
a disruption. Frederik Linde CBCI, Hassan Mashhadi, Shane McMahon
AMBCI, Zech Wong MBCI, Adam Barrett MBCI, Ron Miller
• The business impact analysis described in the Analysis stage MBCI, Chris Bakowski AFBCI, Wasim Malik AFBCI, Tim Rippon
of the business continuity management lifecycle identifies MBCI, Nalin Wijetilleke AFBCI, Tim Janes Hon FBCI, David
the business continuity requirements, providing information Parsons Hon FBCI, Matthew Coffey AFBCI, Brendan Jones
to determine the most appropriate business continuity MBCI, David Porter AMBCI, Henri Haenni MBCI, Julie Goddard
solutions. MBCI, Louise Perkins, Rebecca Robinson AMBCI, Reginald
Atta-Kesson MBCI, Nashikta Authar AMBCI, Heather Merchan
• The previous use of the term ‘business continuity strategies’
MBCI, David Danher AFBCI, Margaret Millett MBCI, Kimberly
in the Design stage of the business continuity management
Hirsch MBCI, Raymond Ee MBCI, Paul Trebilcock FBCI, Toby
lifecycle has caused some confusion with organizational level
Marriner MBCI, Robert Grosso Ciponte MBCI.
strategies. Consequently, the GPG 2018 edition adopts the
term “business continuity solutions”. The BCI Central Office GPG 2018 editorial team:
Deborah Higgins FBCI – Editor in Chief
• Business continuity requirements are defined as the time
Lesley Grimes FBCI – Assistant Technical Editor
frames, resources, and capabilities necessary to continue
Anne Greenish – Assistant Editor
to deliver the prioritised products, services, processes, and
activities following a disruption. Special thanks to Tim Janes Hon FBCI for additional editorial
contributions and advice.
• There is a clear distinction made in this edition between
incident and crisis management and the level of response Permission to reproduce extracts from ISO 22301:2012 and
and capability required. This concept is introduced in the ISO/TS 22317:2015 is granted by BSI. British Standards
Policy and Programme Management stage, covered in detail can be obtained in PDF or hard copy formats from the BSI
in the Implementation stage and referenced throughout. online shop: www.bsigroup.com/Shop or by contacting BSI
Customer Services for hardcopies only: Tel: +44 (0)20 8996
CONTENTS
9001,
Email: cservices@bsigroup.com.
9
BCI Good Practice Guidelines 2018 Edition
Glossary of Terms
Business Continuity
The ongoing cycle of activities of the business continuity programme, that
Management (BCM) GPG 2013
build organizational resilience.
Lifecycle
Business Continuity
Part of the overall management system that establishes, implements, operates,
Management System ISO 22301:2012
monitors, reviews, maintains and improves business continuity.
(BCMS)
Business continuity plan Documented procedures that guide organizations to respond, recover, resume,
ISO 22301:2012
(BCP) and restore to a predefined level of operation following disruption.
Business impact analysis The process of analysing activities and the effect that a business disruption
ISO 22300:2012
(BIA) might have upon them.
Competence The ability to apply knowledge and skills to achieve intended results. ISO 22301:2012
A situation with a high level of uncertainty that disrupts the core activities
Crisis ISO 22300:2012
and/or credibility of an organization and requires urgent action.
G l ossary of terms
Personnel People working for and under the control of the organization. ISO 22301:2012
Policy and Programme management is the Professional Practice that establishes the
Policy and Programme
organization's policy relating to business continuity and defines how the policy should GPG 2018
management (PP1)
be implemented throughout the business continuity programme.
The activities to which priority must be given following an incident in order to
Prioritised activities ISO 22300:2012
mitigate impacts.
Process A set of interrelated or interacting activities which transforms inputs into outputs. ISO 22301:2012
Risk assessment The overall process of risk identification, risk analysis and risk evaluation. ISO/IEC Guide 73
Risk management Coordinated activities to direct and control an organization with regard to risk. ISO/IEC Guide 73
Test An exercise whose aim is to obtain an expected, measurable pass/fail outcome. ISO 22300:2012
ANALYSI
S
N
TIO
VALIDA
EMBEDDING
DESIG
N
NT
PL
IM
ME
EM
PO
ENT
IC ATION
GE
A
L
Y AN N
D PR MA
OGRAMME
12
© 2017 The Business Continuity Institute
PP1
Policy and Programme Management
P P 2 - E m be dd i n g B usi n e ss C on ti n u it y
Policy and Programme Management is the Professional Practice that establishes the
organization’s policy relating to business continuity. It defines how this policy should be
implemented, through an ongoing cycle of activities within a business continuity programme.
This stage of the business continuity management lifecycle requires top management
action, support, and commitment to set up, draft and review the policy relating to business
continuity and the programme used to implement it.
PP6
VA LI DAT ION
PP5
IMPLEMENTATION
PP4
D E SIGN
PP3
A NA LYS IS
PP2
E m b e dd ing
B u sine ss
C ontin uity
PP1
P OLIC Y &
P ROGR A M M E
MANAGEMENT
CONTENTS
GLOSSARY
13
BCI Good Practice Guidelines 2018 Edition
Introduction
Business continuity is a key management discipline that builds carried out by following the business continuity management
and improves organizational resilience. An effective business lifecycle.
continuity programme is essential for any organization that
Whilst the business continuity programme is being
seeks to develop and enhance organizational resilience.
implemented and embedded into business as usual activities,
The business continuity policy is the key document that it is important that an organization has some capability to
sets out the purpose, context, scope, and governance of the manage an incident or crisis. If there is no such capability in
business continuity programme. place when implementing a business continuity programme
for the first time, an interim structure and plan should be
The business continuity programme is an ongoing cycle of
put in place to ensure the organization can respond to an
activities that implements the policy. These activities are
incident.
In a large or complex organization, where a fully scoped business continuity programme may take many months to complete,
an interim response structure and plan may be a sensible temporary measure. This may involve completing an initial BIA to
identify high-level organization priorities, producing a strategic-level business continuity plan and conducting a short discussion-based
exercise. These interim measures can then be reviewed and expanded as part of the fully scoped business continuity programme.
The business continuity policy sets the boundaries and • The policy should be supported, approved, and owned by top
requirements for the business continuity programme and states management to provide effective governance and leadership.
the reasons why it is being implemented. It defines the guiding
• The policy should state how it supports the strategic objectives of
principles which the organization follows and measures its
the organization and other relevant policies.
performance against. It also defines how the organization should
build and maintain the programme to continue to deliver products • The policy should be appropriate to the size, complexity, and type of
and services in the event of an incident. organization and aligned to its culture and operating environment.
• The policy should identify any standards or guidelines that are used
as a benchmark for the business continuity programme.
General Principles
• The policy should be communicated, and made available to all
The business continuity policy provides the guiding principles interested parties.
around which the business continuity programme is designed
and built. The policy acts as a statement to communicate the
organization’s principles to interested parties. As its primary
A long and complicated policy will be a barrier to
purpose is communication, it should be short, clear, precise and to
effective communication and embedding business
the point.
continuity. The policy should focus on ‘what’ the organization
The following general principles should be considered when will do, not ‘how’ it will be done.
creating or revising a business continuity policy:
• The policy should provide the strategic direction from which the
business continuity programme is delivered.
14
© Copyright 2017 The Business Continuity Institute
• The business continuity professional should work with those • Control the distribution of the policy using an appropriate
individuals in the organization who have the responsibility for version control system.
creating policies where appropriate.
• Use an existing template or policy (where one exists in the
organization).
7.
Circulate the PP2
E m b e dd ing
draft policy for
consultation with
8. B u sine ss
C ontin uity
Amend the
top management
draft policy, as 9.
and other relevant Facilitate the PP1
appropriate, based P OLIC Y &
interested parties. approval and sign-
on consultation P ROGR A M M E
feedback. off of the policy by MANAGEMENT
top management.
10.
Ensure the
approved policy CONTENTS
is communicated
to all interested
parties.
GLOSSARY
15
BCI Good Practice Guidelines 2018 Edition
The business continuity policy should include: • An acquisition, merger, or disposal.
• A definition of business continuity for use in the organization. • Changes to products or services (including those that are
outsourced).
• A statement of governance and leadership commitment to the
policy. • Changes to legal or regulatory requirements.
The business continuity policy should be regularly reviewed • There is clear and documented ongoing commitment to business
at pre-agreed intervals or following significant changes, continuity and continual improvement.
including:
• Opportunities for adapting to change can be identified.
• A change in the organization’s approach to risk which can be
prompted by an incident or change.
16
© Copyright 2017 The Business Continuity Institute
CONTENTS
GLOSSARY
17
BCI Good Practice Guidelines 2018 Edition
Process 4.
Consider the
2. requirements of other
Define and related policies, for
The process to document the example, information
determine the relevant products security and health
scope of the and safety.
business continuity
1. and services in an
Establish a steering appropriate level of
programme is as detail.
group or team to
follows:
oversee, advise
and make 3.
recommendations to Consider the requirements for
top management. delivery of the organization’s
products and services and
related activities against its
strategy, objectives, culture, and
legal and regulatory constraints
(which should include those
provided by outsourced service
providers where
appropriate).
A manufactured Car insurance. Waste collection (for Payroll. Logistics (for Telephone support
product or range of a municipality or local a distribution (for a software
products. government). organization). organization).
Decisions on which products and services to include in the • Interested parties who may be impacted by the loss of the product
scope may be prompted by: or service, for example, a medicine that is only made by one
organization.
• Products which make a significant contribution to the
organization’s reputation, income, or success. • Reputational damage resulting from an incident or termination in
the supply of the organization’s products or services.
• A customer contractual requirement.
• The impact on legal or regulatory requirements.
• A legal or regulatory requirement.
• The needs and expectations of customers and other interested
• Physical threats, for example, proximity to other industrial
parties.
premises such as a chemical manufacturing plant or hazards such
as flooding. Reasons for excluding a product or service, together with an
alternate solution to the loss of that product or service, need to be
documented and agreed by top management. It is also important
Reasons for why a product or service may be excluded from the
that the risk to the organization is fully understood and managed
scope include:
(this is covered further in the Analysis stage). When reviewing an
• Nearing end of life (and would be terminated if disrupted). existing policy and programme, the scope should be reconsidered to
reflect any change in the organization’s overall strategy or operating
• Low margins or low volumes (could be terminated or externally environment. Those products and services that are out of scope
sourced if disrupted). should be managed outside of the business continuity programme.
When deciding whether to exclude a product or service, the Top management should fully understand the implications of these
following issues should be considered: choices, and document and sign off any decisions as part of the
governance process.
• Financial loss.
18
© Copyright 2017 The Business Continuity Institute
19
BCI Good Practice Guidelines 2018 Edition
Process 2.
A clear definition
of the authority and
accountabilities relating to
Establishing
1. business continuity:
An understanding
governance for
of the organizational • Top management oversight and
business continuity
structure, requirements, roles responsibilities.
requires the
and responsibilities, and • Ownership of business
following:
reporting lines to support the continuity management.
implementation and ongoing
management of the business
continuity policy
and programme.
6.
Alignment of the 3.
governance of the Identification of
business continuity key performance indicators for
programme with the validation of the business continuity
overall governance programme.
framework of the Examples of high-level metrics are:
organization.
4. • Annual organization-wide exercising as part
Definition of the types of the organization’s exercise programme.
of decisions, risks, events, • Annual reviews of the business continuity
investments, and other plans.
5. significant business
An outline • An annual management review
continuity management
of the type and (validation of the business continuity
related matters that
frequency of reporting programme is covered
should be reported to top
and communication in PP6).
management.
to top management
required.
20
© Copyright 2017 The Business Continuity Institute
Top management should ensure that the business continuity • Act to address any areas of weakness or gaps in the business
policy states what measurement is required to ensure an continuity programme objectives.
effective business continuity programme. The appropriate
• Monitor the effectiveness of the programme.
methods are part of the Validation stage of the business
continuity management lifecycle and are included in the • Ensure that the relevant information is retained as evidence of
business continuity programme. the results.
The organization’s top management should agree: Governance of the business continuity policy and programme
should be regularly reviewed at pre-agreed intervals or following
• What needs to be measured and monitored. significant change as defined within the business continuity
policy.
• How this should be achieved.
21
BCI Good Practice Guidelines 2018 Edition
Process 1.
A business
Additional individuals
continuity steering
A competent individual should be or teams may be 2.
group to give advice,
identified and appointed to manage assigned to assist Teams that will
guidance, and
the implementation of the business with the ongoing respond to an
oversight.
management and incident and that can
continuity policy and programme.
delivery of the business contribute towards
Depending on the size of the
continuity programme. developing the
organization, this may be a full or part These could include:
time role. incident response
plans.
The following table defines the skills and competencies required within the roles identified as part of the business continuity
programme:
Table 1.
Role Responsibility
Top management Provide leadership, commitment, and resources as part of governance.
Oversee, advise, and manage the business continuity programme, making recommendations, and
Steering group
reporting to top management.
Ensure that the business continuity plan adequately reflects the organization’s business continuity
Business continuity plan owner
capability.
Develop and deliver an effective business continuity programme. This includes facilitation and
Business continuity professional
coordination of plans throughout the organization.
Communicate the implications of departmental changes that may impact the business continuity
programme.
Departmental representative Collect information for the BIA.
Develop, implement, and maintain departmental plans on behalf of the plan owner.
Conduct and participate in exercises.
Interested parties Act where relevant within the business continuity programme or in response to an incident.
22
© Copyright 2017 The Business Continuity Institute
PP6
VA LI DAT ION
General Principles In a small or medium sized organization,
management of the business continuity
The business continuity programme is an ongoing process, which programme may be given to one individual as part of their
adapts in response to the changing nature of an organization’s job role. PP5
IMPLEMENTATION
internal and external operating environment.
Implementing a programme for the first time should involve Other relevant policies and programmes within the organization
undertaking all activities detailed in the business continuity should be identified and opportunities for collaboration PP4
D E SIGN
management lifecycle, however revisions to the programme will should be considered and coordinated. For example, the
be likely to involve less activity if there is no significant change in human resources department may have policies for internal
the organization’s requirements. communications and the corporate communications
department may have predetermined agreements for external PP3
During the initial implementation, sufficient time should be A NA LYS IS
communication due to a regulatory or customer requirement.
allocated to undertake the activities in each stage of the business
These should be identified and incorporated within the business
continuity management lifecycle. PP2
continuity programme.
E m b e dd ing
A flexible and comprehensive programme that is actively B u sine ss
The documentation in a business continuity programme has C ontin uity
managed should be in place to ensure the organization maintains
three purposes:
its business continuity capability and continues to develop and
PP1
enhance organizational resilience. • To help manage the business continuity programme effectively. P OLIC Y &
P ROGR A M M E
MANAGEMENT
• To demonstrate effective management of the programme.
GLOSSARY
23
BCI Good Practice Guidelines 2018 Edition
Process 3.
Coordinate the
appropriate activities
Implementing and managing the programme involves managing many within the organization
interrelated tasks to achieve the objectives stated in the policy. (adjusting projects
within the programme
as necessary). 4.
Manage change
The business 2. and coordinate
continuity Identify the with other areas of
professional or team, appropriate activities the organization as
in consultation with for the programme appropriate.
1. based on each stage of
top management
Develop the the business continuity
should:
business continuity management
management lifecycle.
programme. 5.
Promote the
benefits of the programme
through communication
6. and create awareness both
9.
Manage the inside and outside of the
Report to top
programme organization. Creating
management on 7. budget. awareness is covered
a regular basis, 8. Maintain and in PP2.
highlighting any Ensure manage all
issues the relevant legal programme
identified. and regulatory documentation.
requirements identified
in the policy have
been taken into
consideration.
Project management methodology is a useful approach when • Legal and regulatory advice.
implementing the business continuity programme. Effective project
management should increase the chances of successful delivery of • Internal and external audits (where appropriate).
the overall programme, within the agreed time frames and budgets. • Reviews and change management requirements.
Examples of projects as part of the business continuity Business continuity software options can be considered a useful
programme are as follows: tool to support the business continuity programme. Specialist
• Developing and managing an exercise programme. software may offer some advantages when managing large volumes
of documents and projects. It is important to consider that this and
• Developing and delivering training and awareness activities. any other technology selected as part of the programme may incur
ongoing licence, maintenance, and training costs.
• Selecting suppliers to deliver a defined product or service.
24
© Copyright 2017 The Business Continuity Institute
The outcome of managing and implementing a business • Training and awareness activities.
continuity programme is to maintain business continuity
• BIA questionnaires and information.
capability to build and improve organizational resilience using
an adaptable and comprehensive approach.
• Risk assessment.
A business continuity management programme consists of
• Papers supporting the choice of business continuity solutions.
the following:
• Response structure.
• A business continuity policy.
PP4
• Project management documentation. D E SIGN
PP2
E m b e dd ing
B u sine ss
C ontin uity
PP1
P OLIC Y &
P ROGR A M M E
MANAGEMENT
CONTENTS
GLOSSARY
25
BCI Good Practice Guidelines 2018 Edition
ANALYSI
S
N
TIO
VALIDA
EMBEDDING
DESIG
N
PL
IM
EN
EM
ENT
PO
EM
IC ATION
AG
L
Y AN
D PR A N
OGRAMME M
26
© 2017 The Business Continuity Institute
PP2
Embedding Business Continuity
Embedding business continuity is the Professional Practice that defines how to integrate
business continuity awareness and practice into business as usual activities and
P P 2 - E m be dd i n g B usi n e ss C on ti n u it y
organizational culture. Embedding business continuity should be a collaborative approach
between related management disciplines to improve overall organizational resilience.
PP6
VA LI DAT ION
PP5
IMPLEMENTATION
PP4
D E SIGN
PP3
A NA LYS IS
PP2
E m b e dd ing
B u sine ss
C ontin uity
PP1
P OLIC Y &
P ROGR A M M E
MANAGEMENT
CONTENTS
GLOSSARY
27
BCI Good Practice Guidelines 2018 Edition
Introduction
Embedding business continuity includes: •E
nsuring required competencies and skills are in place.
•R
aising awareness about business continuity through •E
nsuring appropriate training and learning opportunities are
communication. provided.
•E
ncouraging buy-in from interested parties.
Understanding
and Influencing
Organizational Culture
The following general principles should be considered when Although difficult to observe and measure, culture plays an important
developing or revising the approach to embed business continuity role in the effectiveness of embedding the business continuity
into the organization’s culture. programme and the overall level of organizational resilience.
The goal of embedding business continuity is to ensure that it An existing programme would require a review of the embedding
becomes part of business as usual across the organization. activities already in place. For example, a change in ownership,
acquisition, or top management of an organization can result in
Embedding business continuity activities should be aligned with changes to its culture as well as its strategic objectives and business
the organization’s strategic goals and culture. operations.
Business continuity should also be considered and integrated into Embedding activities are not unique to business continuity; other
project and change management practices where appropriate. management disciplines are also embedded in a similar way. For
example, health and safety, information security, and data protection
The skills and competencies required to implement the
practices are often part of personnel inductions.
business continuity policy and programme include both general
management and technical skills.
28
© Copyright 2017 The Business Continuity Institute
The following 2.
steps are required Determine how best
when understanding 1. to engage with these
and influencing Identify the interested parties by
organizational culture interested parties understanding their
to ensure successful within the key interests and
embedding of business organization who priorities.
continuity: require
engagement.
3.
Engage and
communicate with
the interested parties
identified using the
most appropriate
channels.
4.
Use existing events
and communication
channels where possible
to communicate the
benefits and return on PP6
VA LI DAT ION
investment for business
continuity within the
organization.
PP5
IMPLEMENTATION
PP4
D E SIGN
PP3
A NA LYS IS
PP2
E m b e dd ing
Build a network of influential individuals in the B u sine ss
C ontin uity
organization who understand the benefits of business
continuity and building organizational resilience. These individuals
PP1
can act as advocates or ‘champions’ who make a significant P OLIC Y &
contribution to successful embedding of business continuity. P ROGR A M M E
MANAGEMENT
In organizations where such representatives exist in related
management disciplines, there may also be opportunities to
collaborate.
CONTENTS
GLOSSARY
29
BCI Good Practice Guidelines 2018 Edition
30
© Copyright 2017 The Business Continuity Institute
The table below shows the specific core competencies and general management skills required of the business continuity
professional:
Table 2.
Professional Practices Core Competencies Management Skills
Management Practice
Project management skills and an understanding of the PP6
PP1 – Policy and
importance of continual improvement. VA LI DAT ION
Programme Management An understanding of the context
of the organization and the
environment in which it operates,
An understanding of the organizational culture and how to PP5
Management Practice as well as its approach to
influence it. IMPLEMENTATION
PP2 – Embedding business managing risk.
continuity Knowledge of the business continuity competencies and skills
required and training and awareness raising capabilities. The ability to form an
organization-wide view. PP4
D E SIGN
Analytical skills relating to the BIA, including the ability to An ability to understand and
Technical Practice analyse information, identify problems, and develop workable collaborate with personnel in
PP3 - Analysis solutions. related management disciplines.
An understanding of risk assessment and mitigation measures. PP3
A NA LYS IS
Effective communication and
interpersonal skills.
Technical Practice The ability to design and select appropriate continuity PP2
PP4 - Design solutions for the organization. Negotiating and influencing skills E m b e dd ing
B u sine ss
to gain and keep top management C ontin uity
buy-in and commitment.
An understanding of incident and crisis management, PP1
Technical Practice including knowledge of emergency response. Facilitation skills to guide and P OLIC Y &
PP5 - Implementation direct workshops, planning P ROGR A M M E
The ability to develop, implement and manage plans. MANAGEMENT
sessions, meetings, training, and
exercises to achieve productive
The ability to develop, manage, coordinate, and deliver an outcomes.
Technical Practice exercise programme. CONTENTS
PP6 - Validation Evaluation skills to validate the effectiveness of the business
continuity programme.
GLOSSARY
31
BCI Good Practice Guidelines 2018 Edition
When responding to an incident, there are additional skills that Concepts and Assumptions
may be required in an organization that might be considered
outside of the core competencies and skills required of a Top management should provide appropriate resources to cover
business continuity professional, these include: all current and ongoing training and awareness activities to ensure
the relevant skills and competencies are maintained. For example,
• Emergency evacuation direction. annual licence fees for online training, maintenance of professional
credentials, and continuing professional development for relevant
• Security.
personnel.
• Welfare and first-aid.
The organization’s approach to determining and measuring
• Crisis management and leadership. competencies and skills should be used to define the professional
development of those with business continuity roles and
• Information and communication technology (ICT) service responsibilities. For example, an individual may be required to
continuity and disaster recovery. undertake specific training as part of their role, to hold a specific
academic qualification, or to hold and maintain a professional
• Damage management, asset salvage and equipment restoration.
credential.
• External and internal communications to include public relations,
The organization may have existing competency requirements such
brand, and reputation management.
as a list of skills in a job description. It should also carry out training
The assessment of competencies and skills should extend to all needs analysis and have learning and development activities in
contractors who work at the organization’s site or who provide place as part of the human resources or learning and development
incident related services. department. If no such process is in place, the organization should
determine the most appropriate methods for ensuring that the
Awareness of the business continuity programme among an business continuity skills and competencies of relevant personnel can
organization’s suppliers, customers, contractors, and other be developed, measured, and documented.
interested parties can generate confidence and reassurance and
help build reputation. However, as some business continuity
information may be sensitive or confidential, the business
continuity professional and top management should consider and
agree the type of information and level of detail that is appropriate
to share with interested parties.
2.
Process Determine the training
and awareness needs with
learning outcomes for all
1. individuals involved in
Define the the business continuity
competencies and skills programme (this should involve
To ensure for all individuals involved establishing the current level
that the appropriate in the business continuity of awareness or
level of awareness, programme using new competence).
education and training is or existing requirements
established for successful appropriate to the
embedding, the organization.
following steps should 3.
be taken: Design and
deliver the
appropriate level
4. of training and
Evaluate and report awareness
on the effectiveness and activities.
continual improvement as part
of overall reporting, covered
in the Validation stage
of the business continuity
management lifecycle.
32
© Copyright 2017 The Business Continuity Institute
It may be appropriate to carry out a training needs analysis or • No training or awareness activities are required.
gap analysis specifically for the business continuity programme.
Alternatively, this could be incorporated into an existing activity • Some training or awareness is needed.
as part of a wider learning and development programme in the
• Extensive training and awareness is required.
organization.
• Recruitment of an experienced person is required.
Training and awareness
• Specific skills are required for a short time only and can be
For each role involved in the business continuity programme,
provided by an outsourced service provider.
the required skills and competencies should be identified. The
individuals in these roles can then be assessed based on their
current level of competence and any additional training and Training and awareness activities should be arranged or
awareness requirements can be identified. Requirements should revised as appropriate based on the findings of the gap
be relevant to the individual’s role in the business continuity analysis. Types of activities may include:
programme and their position in the organization.
• Internal training and awareness activities (including exercises
where appropriate).
Some organizations use intranet based modular
• Self-study options.
training, meaning personnel only need to complete
the sections relevant to them. • External training or awareness sessions.
PP2
E m b e dd ing
B u sine ss
C ontin uity
PP1
P OLIC Y &
P ROGR A M M E
MANAGEMENT
CONTENTS
GLOSSARY
33
BCI Good Practice Guidelines 2018 Edition
Competence reviews following training and awareness Examples of information resources for training and awareness
activities can be assessed using the following: campaigns include:
• Verbal or written tests. • Business continuity and resilience related websites, blogs, and social
media groups.
• Self-evaluation.
• Books, journals, and other industry publications.
• Observation of the individuals or teams.
• Conferences, workshops, webinars, and seminars.
• Assessment during continued coaching or mentoring.
• Regional forums and working groups.
• Participation in exercises designed to evaluate competence.
• Industry sector working groups.
• Group coaching.
The content and delivery of any communications aimed at raising
• Recognition of academic qualifications. the levels of awareness of the business continuity programme should
be carefully considered. Coordination and collaboration with other
• Recognition of professional credentials and continuing
departments and disciplines is recommended to ensure a consistent
professional development activities, for example, the BCI’s CPD
message is delivered and resources are not wasted. For example, a
programme.
combined security, business continuity, and health and safety briefing
may be more informative and effective than separate briefings.
Examples of competence records include:
Communication should be brief and relevant but should provide
• Personnel training records, including attendance at courses, information on how to access further guidance.
seminars, and conferences.
Suitable topics for awareness raising communications include:
• Education and academic qualifications.
• A report based on a recent exercise which outlines the scenario and
• Previous relevant experience. learning points.
• Skills or competencies demonstrated during the initial interview. • An ICT recovery test at alternate facilities which might include a
photograph and participants’ comments.
• Professional qualifications.
• A commentary on a recent incident which affected the organization.
• Personnel appraisals.
• Examples of real-life incidents that are relevant to business
continuity.
34
© Copyright 2017 The Business Continuity Institute
PP6
VA LI DAT ION
PP5
IMPLEMENTATION
PP4
D E SIGN
PP3
A NA LYS IS
PP2
E m b e dd ing
B u sine ss
C ontin uity
PP1
P OLIC Y &
P ROGR A M M E
MANAGEMENT
CONTENTS
GLOSSARY
35
BCI Good Practice Guidelines 2018 Edition
ANALYS
IS
N
TIO
VALIDA
EMBEDDING
DESIG
N
PL
IM
EN
EM
ENT
PO
EM
IC ATION
AG
L
Y AN
D PR A N
OGRAMME M
36
© 2017 The Business Continuity Institute
PP3
Analysis
P P 2 - E m be dd i n g B usi n e ss C on ti n u it y
Analysis is the Professional Practice within the business continuity management lifecycle
that reviews and assesses an organization to identify its objectives, how it functions and
the constraints of its operating environment.
PP6
VA LI DAT ION
PP5
IMPLEMENTATION
PP4
D E SIGN
PP3
A NA LYS IS
PP2
E m b e dd ing
B u sine ss
C ontin uity
PP1
P OLIC Y &
P ROGR A M M E
MANAGEMENT
CONTENTS
GLOSSARY
37
BCI Good Practice Guidelines 2018 Edition
Introduction
The main technique used for the analysis of an organization impact over time caused by any potential or actual disruption
for business continuity purposes is the business impact to this activity on the delivery of products and services.
analysis (BIA). The business continuity professional uses
Business continuity requirements can be defined as the time
the BIA to determine the organization’s business continuity
frames, resources, and capabilities necessary to continue
requirements. There are four types of BIA:
to deliver the prioritised products, services, processes, and
• An initial BIA. activities following a disruption.
• A product and service BIA. A risk assessment should be undertaken at this stage so that
mitigation measures can then be identified in the Design
• A process BIA.
stage of the business continuity management lifecycle.
• An activity BIA.
A thorough understanding of the organization, using these
There are many approaches to undertaking a BIA. analysis techniques can often highlight inefficiencies and
Organizations do not have to undertake all four BIA types. A areas for improvement to top management. This may provide
combination of the above is sometimes the most appropriate opportunities for collaboration between related management
approach depending on the size, complexity, and type of disciplines to contribute to, and build resilience. It is therefore
the organization, and the scope of the business continuity important to identify and invite the most appropriate
programme. individuals to provide input into the BIAs, which may not
be limited to individuals directly involved in the process or
The BIA identifies business continuity requirements, providing activities themselves.
information to determine the most appropriate business
continuity solutions. The BIA identifies the urgency of each
activity undertaken by the organization by assessing the
Depending on its size, complexity and type, an organization may choose to combine these different types of BIAs.
38
© Copyright 2017 The Business Continuity Institute
P P 3 - A N A LYSIS
The BIA can be used to ask top management questions which reputational, legal, or regulatory nature, or may relate to a failure
relate to the organization’s objectives and priorities, relating to of the organization to meet its strategic objectives.
products and services.
The ‘recovery time objective’ is defined as “the period of time
The BIA considers both the products and services that an following an incident within which a product or service must
organization delivers as well as the processes, activities and be resumed, or activity must be resumed, or resources must be
dependencies that ensure the delivery of these products and recovered.” (Source: ISO 22301:2012)
services.
The terminology used in the BIA by an organization is not as
• Products and services are defined as “beneficial outcomes important as understanding when the disruption will result in
provided by an organization to its customers, recipients and unacceptable consequences. The words ‘critical’, ‘mission critical’
interested parties.” (Source: ISO 22301:2012) and ‘key’ are often used to describe the products and services,
processes, activities, and resources required following an incident.
• A process is described as “a set of interrelated or interacting These words are often understood as meaning ‘important’,
activities which transforms inputs to outputs.” (Source: ISO however this can lead to misunderstandings and exaggerations
22301:2012) A process may be divided into a number of when collecting information for the BIA. It could also result in an
activities. For example, a process could be manufacturing (from incorrect assumption that plans are not required for ‘non-critical’
goods receipt to delivery), managing investment, or collecting activities or ‘non-key’ personnel. It is therefore recommended
waste. that these terms are replaced with ‘prioritised activities’, which is
defined as “activities to which priority must be given following an
• An activity is defined as one or more tasks undertaken by, or incident in order to mitigate impacts.” (Source ISO 22301:2012)
for an organization, that produces or supports the delivery of
one or more products and services. For example, performing Everyone involved in performing an activity (personnel,
quality control, undertaking home care visits, raising invoices, contractors, volunteers, etc.) is important at some point, however PP6
and answering calls through a help desk. the focus should be on the personnel whose absence would cause VA LI DAT ION
immediate or rapid unacceptable impacts.
The level of detail to which activities need to be analysed
may depend on their complexity and whether their maximum It is possible that in some organizations, information will be PP5
tolerable period of disruption (MTPD), maximum acceptable market or industry sensitive and should not be visible to the IMPLEMENTATION
outage (MAO), and recovery time objectives (RTOs) can be business continuity professional. Not having this information
identified. Similar activities can be grouped together. should not stop the BIA being undertaken but could affect the
accuracy of the end results and therefore should be noted in the PP4
The terms ‘maximum tolerable period of disruption’ or ‘maximum conclusions. D E SIGN
acceptable outage’ are used to describe “the time it would
take for adverse impacts, which might arise as a result of not
providing a product/service or performing an activity, to become
PP3
unacceptable.” (Source: ISO 22301:2012) A NA LYS IS
PP2
E m b e dd ing
B u sine ss
C ontin uity
PP1
P OLIC Y &
P ROGR A M M E
MANAGEMENT
CONTENTS
GLOSSARY
39
BCI Good Practice Guidelines 2018 Edition
Process
1.
Prioritise the 2.
organization’s Prioritise the
products and services process or processes
by determining the required to deliver the
MTPD for each. organization’s most urgent
products and services,
The BIA process
including identification of
can be summarised
the activities that make up
as follows:
those processes,
if required.
3.
Prioritise the
activities that deliver
the most urgent products
and services, and determine
the resources required for the
continuity of these activities
following an incident, as
well as their
interdependencies.
4.
5. Perform a final
Seek top analysis or consolidation
management of analyses which should
approval of BIA lead to the determination
results. of business continuity
requirements.
When conducting a BIA, the following points should be • The method used should be robust enough to ensure that the
considered: information is collected consistently and impartially. This ensures
that individuals do not over or under estimate the urgency of their
• The scope of the business continuity programme can be clarified, activities.
or may need to be modified following the initial BIA findings.
• Only relevant information to be used in the analysis should be
• Determining impacts over time should demonstrate to top collected.
management how quickly the organization needs to respond to a
disruption. • Impacts do not need to be precisely determined and can be
estimated.
• A consistent approach to performing the BIA should be used
throughout the organization.
40
© Copyright 2017 The Business Continuity Institute
Methods used to perform the business impact analysis vary from Examples of documents to review as part of the BIA include:
one industry sector to another, as well as from one organization
to another. • Existing BIA information, where relevant.
Depending on its size, complexity and type, an organization • The organization’s strategic plan.
may choose to combine the different types of BIAs. • Annual reports.
Examples of these combinations include:
P P 3 - A N A LYS IS
• Departmental or business unit plans.
• Combining product and service, and process BIAs.
• Legal or regulatory requirements.
• Conducting separate product and service, and process BIAs.
• Service level agreements.
• Conducting only a process BIA.
• Risk assessments or risk registers.
Whichever approach is taken, the information is identified and
recorded in the same way. There are a variety of software products available which
are designed to assist with the BIA that may be useful but
are not essential. The key benefits of using a software tool
Combining the different types of analysis can be a include:
more efficient way to achieve an organization-wide
view of key products, services, and processes. However, a • Ease of collating results.
combined approach can make the BIA process complex and
• Storage of information.
challenging, therefore it is important to identify the most
appropriate BIA approach for the organization. • Automated reporting of results.
• Workshops.
Evaluating impacts to determine the MTPD
• Questionnaires. and RTO PP6
VA LI DAT ION
• Interviews. The BIA information collected will include identification of
all products and services, processes, and activities, which are
Workshops can be used to collect information from individuals
prioritised by determining the maximum tolerable period of PP5
and teams in person, and provide an opportunity to raise
disruption (MTPD). IMPLEMENTATION
awareness and embed business continuity. Interdependencies can
be identified, issues can be raised and solutions explored. This The MTPD has been reached when acceptable levels of damage
method can provide information in a shorter time frame than have been exceeded and the failure of the organization is
other methods. imminent. PP4
D E SIGN
41
BCI Good Practice Guidelines 2018 Edition
• Failure to meet the strategic objectives of the organization. The duration or lead time of the process or activity delivering the
product or service may be a significant consideration in the MTPD
In the BIA, no attempt is made to quantify the impacts to interested estimate. For processes or activities that take significant time,
parties caused by the disruption. Instead, it assesses the impact assumptions may have to be made when setting the MTPD. The
that could be imposed on the organization in response, for example organization should consider at what point during the activity the
financial penalties or bad publicity. disruption occurs, and how much of the process or activity needs to
be repeated.
It is important to consider the time frame when determining
the impact of a disruption on product and service delivery. Top For example, a laboratory experiment may need to be restarted from
management should decide what is unacceptable to the organization scratch if disrupted, however a manufacturing process may be able to
based on the impact over time. resume at several different points.
• Financial impacts, for example, loss of sales income or cash flow The MTPD is usually expressed in terms of minutes,
problems caused by delayed payments, resulting in penalties from hours, days, weeks, and months.
contractual breaches.
Changes in demand for products and services may affect the MTPD
and therefore make it difficult to determine. In such instances, the BIA
should focus on a product or service disruption during vulnerable time
frames. For example, fluctuation to delivery times due to seasonal
change in demand, changes to regulatory requirements, or limited
resource availability.
42
© Copyright 2017 The Business Continuity Institute
P P 3 - A N A LYSIS
continuity policy.
The RTO should always be less than the MTPD. The RTO for a
specific resource for example a software system, is the shortest
RTO of the various activities that require that resource, unless
an alternate process or manual workaround is viable without
the resource. The BIA establishes the RTO as part of the business
continuity requirements, however the most appropriate solution
needed to achieve the RTO is determined in the Design stage of
the business continuity management lifecycle. As a result, the
RTO may need to be revised based on the agreed solution and
the resources available to the organization.
The minimum level defined may be less than, the same as,
or higher than business as usual levels, and the product or
service may be delivered using a different approach. The MBCO PP3
A NA LYS IS
should be achieved at a specific time after a disruption. It
may be appropriate to set several MBCOs for different times
after a disruption, and for each product group. Where MBCOs PP2
rely on outsourced service providers, the objectives should E m b e dd ing
B u sine ss
consider service level agreements and any legal or regulatory C ontin uity
requirements.
PP1
P OLIC Y &
P ROGR A M M E
MANAGEMENT
CONTENTS
GLOSSARY
43
BCI Good Practice Guidelines 2018 Edition
• Any non-standard or unique activities which are difficult to • A breakdown of internal and external activity dependencies.
recover and could unexpectedly affect the continuity of the
process. • A list of products, services, processes, and activities that have been
excluded, along with the justification for the exclusion.
44
© Copyright 2017 The Business Continuity Institute
P P 3 - A N A LYSI S
and service BIA This includes reviewing any
terms of products and services. process should exclusions and considering
A product and service BIA can be used to determine the impact include: the inclusion of new
of a disruption before implementing a significant organizational products or
change. services.
7. PP4
Estimating the D E SIGN
MTPD for each
product or
service group. Outcomes and Review PP3
A NA LYS IS
9. CONTENTS
Proceeding
to the process
BIA.
GLOSSARY
45
BCI Good Practice Guidelines 2018 Edition
5.
6. Collect
Identify how the information
Use the MTPD of 7. disruption to the necessary to
the product group Define the time process could result perform the
as a guide. frame within which in disruption to the process BIA.
the disruption to each delivery of the
process would become products and
unacceptable and cause services.
failure to deliver
products and
services. 12.
Publish
8. the results of
Define any impacts the process
not considered by top BIA.
management, such 10. 11.
as backlogs and Obtain Obtain
capacity issues. confirmation from support from top
9. the process owner management for the
Consider the concerning the accuracy conclusions of the
duration or lead of the information in process BIA.
time of the the process BIA.
process.
46
© Copyright 2017 The Business Continuity Institute
The outcomes of the process BIA are: • The MTPD, RTO, and RPO where appropriate for each process.
• A list of processes that contribute to the delivery of the • Identification of any processes that have been outsourced
P P 3 - A N A LYSI S
organization’s prioritised products and services within the scope by the organization and therefore present an increased risk.
of the business continuity programme. Service level agreements and more frequent reviews should be
considered for these processes.
• Identification of the interdependencies of the processes.
PP6
VA LI DAT ION
PP5
IMPLEMENTATION
PP4
D E SIGN
PP3
A NA LYS IS
PP2
E m b e dd ing
B u sine ss
C ontin uity
PP1
P OLIC Y &
P ROGR A M M E
MANAGEMENT
CONTENTS
GLOSSARY
47
BCI Good Practice Guidelines 2018 Edition
• “People.
• ICT systems.
• Transportation.
• Finance.
48
© Copyright 2017 The Business Continuity Institute
P P 3 - A N A LYSIS
that deliver the
prioritised products
and services.
2.
Collect the information
necessary to perform the
activity BIA, including:
3.
Consider any
• An understanding of activity details additional activities
and interdependency information. that may be created
• An understanding of activity specific during a disruption,
RTOs. including the need to
• A breakdown of the resources required clear backlogs.
to maintain the activities at an
agreed level and within the
MTPD and RTO. 4.
Obtain approval
by the activity
owner to confirm
the accuracy of
the information.
5. PP6
VA LI DAT ION
Obtain
the support of
top management
for the PP5
IMPLEMENTATION
conclusions.
PP4
D E SIGN
PP3
A NA LYS IS
49
BCI Good Practice Guidelines 2018 Edition
General Principles Risk assessment methods can be effective when analysing known and
anticipated risks, however, the business continuity professional should
During the Analysis stage, the BIA is typically conducted first so that
be aware of some limitations to risk assessment techniques when
the risk and threat assessment and mitigation measures can focus
they are being used to evaluate threats and the causes of disruptions.
on the organization’s prioritised activities and supporting resources.
This can maximise the benefit of any investment, and reduce the Significant disruptions typically occur infrequently, meaning
frequency or impact of disruptions. estimations based on the probability of a threat occurring are based
A risk is defined as “an effect of uncertainty on objectives” (Source: on limited data sets and historic information, and the time frame
ISO Guide 73). under consideration.
50
© Copyright 2017 The Business Continuity Institute
Process
P P 3 - A N A LYSI S
assessment.
threat assessment as
The business continuity professional will benefit from a general part of the business
understanding of risk management, and should use their continuity programme 1.
are as follows: List the known
knowledge of the organization and its operating environment
and anticipated
to decide how much time to spend on the risk and threat internal and
assessment, and the level of detail that is appropriate for the external threats.
organization.
2.
The business continuity professional should Estimate the
have access to information contained in the impact of each
organization’s risk register. They should collaborate with threat on the
organization. 3.
the risk management professional or department as
appropriate. Determine the
probability of
disruption for
Many organizations carry out horizon scanning at pre-agreed each threat.
intervals. Horizon scanning is an activity used to monitor and
identify potential threats to an organization and considers longer 4.
term change and underlying trends. Information provided by the Calculate a risk
horizon scan is useful when undertaking a risk assessment as part score of each threat
of the business continuity programme. by combining the
scores for impact and PP6
probability. VA LI DAT ION
The organization can consider the use of a
monitoring service or system, news websites and
social media as part of its horizon scanning activities. PP5
IMPLEMENTATION
5.
Prioritise the threats
PP4
based on the D E SIGN
risk score for the
6. prioritised
Identify activities.
unacceptable areas PP3
of risk, which may A NA LYS IS
include single
points of failure.
PP2
8. E m b e dd ing
Use the information B u sine ss
resulting from the risk and C ontin uity
threat assessment to identify
options for mitigation 7. PP1
Share the P OLIC Y &
measures in the Design stage P ROGR A M M E
of the business continuity outcomes with the MANAGEMENT
management lifecycle. relevant interested
parties.
CONTENTS
51
BCI Good Practice Guidelines 2018 Edition
The tables below are examples of a simple 3x3 risk assessment matrix. Many organizations use more detailed matrices
(4x4 or 5x5), which may produce different risk score results, for example, Extreme, High, Medium, Low.
Table 3.
Impact of Disruption Duration Financial Reputation Health and Safety
Note - The impact categories and examples should be specific and relevant to the organization.
3-Major More than 5 days Over $1 M cost/lost National damage to Potential for
revenue reputation/customer irreversible injuries/
or community fatalities
support
1-Minor Up to 1 day Less than $100k Local damage to Potential for minor
cost/ lost revenue reputation/customer injuries (time off
or community work)
support
Table 4.
Probability of Disruption 3 - Likely 2 - Possible 1 - Unlikely
Combining the probability and impact scores for each threat produces a risk score (High/Medium/Low)
If an organization has an established risk management Organizations may find the following sources provide
function, consider collaborating with the risk professionals useful information to carry out a risk assessment:
to adapt the pre-existing risk assessment methods for the
• Risks and threats identified during the BIA process.
business continuity programme.
• Risks and threats identified during previous exercises.
52
© Copyright 2017 The Business Continuity Institute
The outcomes from the risk and threat assessment as part • Identification of potential options for measures to reduce the
of the business continuity programme are: frequency or scale of impact of the prioritised threats.
• An awareness of the range of potential threats that could The risk and threat assessment process can be ongoing,
disrupt the organization’s activities. depending on the size, complexity, and type of the organization.
However, the methods used should be regularly reviewed at
• A prioritised list of the threats based on the risk of disruption pre-agreed intervals or following significant change as defined
P P 3 - A N A LYS IS
to the organization’s activities. within the business continuity policy.
• Identification of any unacceptable risks and single points of
failure.
53
BCI Good Practice Guidelines 2018 Edition
ANALYSI
S
N
TIO
VALIDA
EMBEDDING
DESIG
N
PL
IM
EN
EM
ENT
PO
EM
IC ATION
AG
L
Y AN
D PR A N
OGRAMME M
54
© 2017 The Business Continuity Institute
PP4
Design
P P 2 - E m be dd i n g B usi n e ss C on ti n u it y
Design is the Professional Practice within the business continuity management lifecycle
that identifies and selects appropriate solutions to determine how continuity can be
achieved in the event of an incident. The Analysis stage identifies the business continuity
requirements and the Design stage determines the solutions that should then be
implemented to best achieve these requirements.
PP6
VA LI DAT ION
PP5
IMPLEMENTATION
PP4
D E SIGN
PP3
A NA LYS IS
PP2
E m b e dd ing
B u sine ss
C ontin uity
PP1
P OLIC Y &
P ROGR A M M E
MANAGEMENT
CONTENTS
GLOSSARY
55
BCI Good Practice Guidelines 2018 Edition
Introduction
At this stage in the business continuity management lifecycle, For organizations implementing a business continuity
the business continuity professional should design solutions programme for the first time, the Design stage identifies
that enable the organization to respond to an incident, and and selects solutions that deliver the business continuity
continue to provide its prioritised activities. requirements identified during the Analysis stage.
The requirements that support the implementation for each For existing programmes, the Design stage should consider
proposed business continuity solution are determined, and the the following:
most appropriate ones are selected in consultation with top
• Reviewing existing solutions to ensure that the most
management. Some solutions will be dependent on suppliers,
appropriate and cost effective options are in place.
their supply chains, and outsourced service providers.
• Identifying and selecting solutions that are required to adapt
An important part of this stage of the business continuity
to changes in the prioritised activities or the impacts over
management lifecycle is to consolidate the selected
time as identified during the Analysis stage. For example,
solutions to ensure that opportunities for organization-wide
a legal or regulatory change in requirements that the
collaboration are considered prior to progressing to the
organization must meet.
implementation stage.
• Maintaining or improving capability.
Proactive mitigation measures are designed to address the
risks and threats identified in the Analysis stage. Mitigation
measures can be implemented to protect the organization and
reduce the impact of disruption to the prioritised activities.
Designing Business
Continuity Solutions
Designing solutions for how an organization is going to continue Concepts and Assumptions
operating following a disruption is based on the business continuity
requirements identified in the BIA, and the outcomes from the risk Organizations that already have a business continuity programme in
and threat assessment. place may have solutions that have been designed and implemented
but are no longer relevant due to changing threats.
For any solution being designed, it is not only the business continuity
General Principles requirements which should be met, but consideration should be given
to any interdependencies identified, particularly when the solutions
The business continuity requirements and the outcomes of the rely on suppliers and their supply chains.
risk and threat assessment are reviewed and appropriate business
continuity solutions designed. For example, a supplier whose machinery becomes unavailable may
no longer be able to meet the existing RTO or provide the service.
Once the solutions are designed, top management should agree
Without a service level agreement in place, this unavailability may
the most appropriate solutions, and projects should be initiated to
not be discovered until the business continuity plan is invoked.
implement these solutions.
Price versus performance, and cost versus benefit are often used
to guide top management when agreeing the most appropriate Service level agreements can be put in place with
solutions. suppliers to support the selected solutions. Such
agreements can offer some assurance that the organization
will be notified of any changes in the supply chain to avoid
The selection of solutions can also be influenced by
undesirable consequences.
legal or regulatory requirements or a commercial
decision to gain competitive advantage.
56
© Copyright 2017 The Business Continuity Institute
Organizations that have an existing business continuity departmental representatives. This process should involve
programme and those implementing a programme for the first reviewing lessons learned from any disruption or significant
time will probably have some level of continuity capability changes in the organization, industry sector or locations that are
already in place. Designing or redesigning business continuity in scope.
solutions is required where current continuity capabilities do not
meet the requirements identified in the Analysis stage of the When additional information is required to support decision
business continuity management lifecycle. making, a cost benefit analysis can be used. A cost benefit
analysis identifies in detail the costs of implementing and
P P 4 - D E S IGN
The difference between current capability and business maintaining the solution and compares these to the benefits.
continuity requirements indicates either:
PP6
VA LI DAT ION
PP5
IMPLEMENTATION
PP4
D E SIGN
PP3
A NA LYS IS
PP2
E m b e dd ing
B u sine ss
C ontin uity
PP1
P OLIC Y &
P ROGR A M M E
MANAGEMENT
CONTENTS
GLOSSARY
57
BCI Good Practice Guidelines 2018 Edition
Process
1.
Identify and
document the 2.
organization’s existing Identify suitable solutions
The solution
continuity capability that enable each RTO, RPO
design process
(if this has not yet and MBCO to be achieved.
should include
the following been done). This may include:
steps: a. Identifying new solutions that close
the gap and meet the business continuity
requirements.
6.
5. Consolidate the selected
Provide top solutions by resource type.
management with an
evaluation of the range Consolidation
of solutions and obtain requires the following steps:
management approval a. Combine the continuity requirements
on those selected. from the selected solutions.
b. Review the requirements for the selected
solutions to check that they:
• Are consistent across the organization.
• Do not conflict with one another or with corporate policies.
• Are achievable.
c. Review the requirements for the
selected solutions to:
• Identify opportunities for optimising resources.
• Identify opportunities for improving the
procurement of resources and the
7. logistics for their delivery during
Provide top a disruption.
management with
an evaluation of the
consolidated requirements
and budgetary
requirements for
procurement.
8.
Obtain agreement
from top management
to provide the financial 9.
and resource provisions Establish the
for the implementation projects required
of the agreed to implement
solutions. the agreed
solutions.
58
© Copyright 2017 The Business Continuity Institute
There are many well established business continuity solutions Post-incident acquisition: When prioritised activities have RTOs
that can be used within an organization. that are measured in days or weeks, organizations can consider
a business continuity solution where the required resources are
These solutions include: acquired after the disruption occurs. This solution relies on the
organization having a predefined and prioritised list of resource
Diversification: Separating activities and resources and running
requirements. It also depends on suppliers’ ability to provide the
live activities at two or more locations so that in the event of
resources in suitable quality and quantity within acceptable time
disruption at one location, the activities can continue at the
frames. This would not be an appropriate continuity solution
alternate location. This solution can be costly and may not
P P 4 - D E S IGN
where there is a requirement for specialised resources, for
protect an organization if the disruption is not confined to a
example, equipment, facilities, supplies, or skills, that might be
single location or area. Consideration should be given when
difficult to obtain or which have long lead times that exceed the
designing this solution, so that in the event of disruption at one
identified RTOs.
location, the alternate location can cope with any extra workload
that has been displaced from the disrupted site. This may involve Do nothing: This solution involves waiting until after the
the suspension of non-essential operations at the alternate incident to decide what to do. This may be an appropriate
location until the disrupted location can recover. This solution solution where the RTO is measured in weeks or months, or
may be appropriate where the RTO is measured in seconds, where it is impossible, too difficult, or too expensive to provide
minutes, or hours, rather than days. alternate facilities or resources before an incident occurs.
Replication: Duplicating resources to enable activities to be The business continuity professional should always document
recovered quickly is a variation on diversification. The replicated the reasons why doing nothing is the selected solution, to avoid
site is maintained at a high state of readiness with all required disputes or conflicts should an incident occur.
resources in place. It does not become operational until it is
required to take over any disrupted activities displaced from the
site of the incident.
Organizations will usually find the best
outcome is in combining business continuity
An alternate location solution that is pre- solutions, so that the solutions reflect the priority and
equipped and can be activated in a very short RTOs of the processes and activities. This combined
time frame can also be referred to as a ‘hot site’. However, approach also allows limited resources to be allocated
this can be an expensive solution as it means having in advance to the continuity solutions that support the
PP6
resources in place but unused until they are required for highest priority activities, while providing low, or no up VA LI DAT ION
business continuity purposes. front cost solutions for lower priority activities.
PP5
This business continuity solution may be suitable where the RTO IMPLEMENTATION
ranges from a few hours to a few days, as long as personnel can Solutions and their implementation might require technical
be moved to the alternate location within their activity RTOs. skills beyond those of a business continuity professional.
However, it relies on personnel being both able and willing to Technical advice might need to be sought from experts in other PP4
work away from their primary location for an unknown time management disciplines or departments in these instances. D E SIGN
frame. For example, specialists in ICT, procurement/purchasing and
supply, inventory management, and capacity planning may be
Standby: Where the RTO allows for a longer response time,
required to identify and implement solutions. PP3
measured in days rather than hours, an appropriate solution A NA LYS IS
may be to have a standby facility available that can be made
operational within the RTO. This solution can be referred to as
PP2
a ‘warm site’ and is particularly suitable where an organization E m b e dd ing
has access to a facility that has been temporarily shut down, but B u sine ss
C ontin uity
can be reactivated and become operational at short notice. This
solution relies on personnel being both able and willing to work
PP1
away from their primary location for an unknown time frame. P OLIC Y &
P ROGR A M M E
MANAGEMENT
GLOSSARY
59
BCI Good Practice Guidelines 2018 Edition
Suitable premises can be acquired which may or Remote working is generally not ready but can
Post-incident acquisition may not already have the facilities required to be made ready through the acquisition of office
undertake an activity. equipment and ICT.
People Table 6.
Diversification People in separate locations that are concurrently undertaking the same activity.
People in another location that are experienced and able to undertake the same activity, but not yet doing
Replication
so.
Individuals in another location that have been trained to do the same activity, but are not yet experienced
Standby
and will require guidance.
External people skilled in undertaking an activity that can be hired, or internal personnel that can be
Post-incident acquisition
trained to undertake an activity.
Diversification Two copies of a system and its data in separate locations that are kept synchronised and live.
An operational copy of a system and its data held in a separate location that is periodically synchronised
Replication
with the live version and needs switching to be made live.
An operational copy of the system held in a separate location and a backup of its data that needs to be
Standby
loaded and tested with manual switching to be made live.
Backup copies of the system and its data that need to be installed on equipment acquired after the
Post-incident acquisition
incident.
60
© Copyright 2017 The Business Continuity Institute
Equipment Table 8.
Duplicated operational equipment held in a separate location, with an automatic transfer from one to
Diversification
the other.
An exact non-operational copy of the equipment held in a separate location that can be rapidly made
P P 4 - D E S IGN
Replication
live.
Standby Replacement equipment held in a separate location that needs to be made operational.
Consumables Table 9.
Diversification Duplicated items held in separate locations with stock being supplied from both locations.
Replication Duplicated items held in a separate location that is not currently being used.
Standby Replacement items held in a separate location that could be used with modification.
Diversification Separate suppliers that are currently providing the same product or service.
PP5
An alternate supplier that has already been contracted to provide the same product or service as an IMPLEMENTATION
Replication
existing supplier, but is not currently doing so.
A pre-agreed supplier that can provide the same product or service as an existing supplier and has
Standby
agreed to do so when required, but there is currently no contract in place. PP4
D E SIGN
PP3
Business continuity solutions for other types of resources will usually fit into one or a combination of the examples above. A NA LYS IS
PP2
E m b e dd ing
B u sine ss
C ontin uity
PP1
P OLIC Y &
P ROGR A M M E
MANAGEMENT
CONTENTS
GLOSSARY
61
BCI Good Practice Guidelines 2018 Edition
Further considerations
Remote working: Many organizations have adopted policies and Finance: It is essential to plan for short and long term funding
technologies that enable personnel to work away from their primary of personnel and the organization in the event of an incident.
place of work. This may be a regular or temporary arrangement and Agreements should be drawn up with banks and easily accessible
is a variation on the standby solution. Where remote working is assets should be identified that can fund an organization during
possible, it provides organizations with further options to include in a disruption. The organization should also agree and document
the combination of business continuity solutions. the terms for payments to non-essential personnel that are not
actively employed during an extended disruption. This should include
Key requirements to support remote working at any location are consideration of any legal, regulatory, or duty of care responsibilities.
stable electric power and other utilities, adequate ICT facilities,
appropriate data security, and a suitable work space to conduct Insurance: Insurance can provide financial compensation for loss of
business activities. The organization should also have the ability to assets, increased costs, recovery, and protection for associated legal
cope with larger than usual requirements for remote ICT access. liabilities. However, it is unlikely to provide cover for the full expense
of a disruption, including intangible impacts such as the loss of
customers, personnel, or reputation. There can also be a long period
Working remotely has the benefit of isolation of time between a disruption and insurance payments being agreed.
during a pandemic based incident or crisis. It is also Therefore, it is important that those responsible for developing the
effective when being at work or commuting to work is no longer business continuity solutions are aware of the organization’s level of
reliable or safe, for example, during industrial action, terrorist insurance.
attack, or severe weather.
Business interruption insurance is most closely associated with
business continuity. It is not a complete solution unless RTOs are
measured in months, and specialist equipment, facilities, or skills are
If selected and implemented as part of the business continuity plan, easy to obtain.
remote working is a solution that should be tested as part of the
exercise programme. It is important to note that business interruption insurance typically
covers loss of business revenues (gross margins) and additional costs
Partial failures: Although solutions are sometimes discussed in of working which are related to other insurable losses (such as loss of
terms of total site or facility failure, depending on the scope of the premises). More recently, some insurers have started providing cover
business continuity programme, it is often necessary for the solution for a wider range of disruptions, for example, supplier failure due
to be flexible to cover isolated failures, for example, the loss of only to socio-economic or geo-political changes, however these broader
one ICT system, a single production line, or partial loss of a large scope policies can be expensive.
building.
62
© Copyright 2017 The Business Continuity Institute
Safe separation distance: Many incidents, for example, Service levels: Many organizations will have identified only
earthquakes, wild fires, or major floods and other natural the minimum level of service that is acceptable to achieve its
disasters, can result in the loss of access to a wide geographic immediate business obligations during a disruption. This has been
area, so the organization should consider the need for adequate defined in the Analysis stage as the minimum business continuity
separation distance between the original and duplicate resources objective (MBCO). Other organizations will have identified a
that form the basis of the business continuity solution. phased level of resources required to enable service levels to
be increased over a specific time frame from the minimum
The following should be considered: acceptable level to a normal level.
P P 4 - D E S IGN
• Keep duplicate copies of vital resources in a remote location. Where alternate sites or facilities are involved in the business
continuity solution, it is recommended to have service level
• Use multiple suppliers.
agreements (SLAs) to formalise the commitments of the
• Replicate operations in different locations or designated alternate facility provider during an incident.
recovery sites.
Design detail: The extent and detail to which business continuity
The selection of a safe separation distance will define solutions need to be designed should depend on the urgency
the maximum geographic extent of an incident that the with which they are required and the complexity of the product
organization’s business continuity solutions can effectively or service, process, or activity being recovered.
respond to. That selection should consider the following
A detailed business continuity solution is required for processes
factors:
and activities with short RTOs. Less detail is needed when the
• The organization’s strategy, objectives, and culture. RTO is in weeks or months, unless deemed necessary by the
organization.
• The organization’s target market.
Classification schemes: Some organizations may choose to
• How far personnel are able or willing to travel to a relocation classify activity and resource RTOs. For example, an A/B/C/D
site. classification scheme may be used where category ‘A’ delivers
the prioritised activities and resources, based on metrics such
• RTOs and RPOs.
as the RTO and RPO. Category A will use the most advanced or
• The organization’s geographic environment and it’s susceptibility sophisticated solutions compared to Category D whose activities
to natural disasters. and resources require less urgent and less sophisticated solutions.
PP6
• How the spread of a natural disaster is likely to affect the Interested parties: There may be many individuals and groups VA LI DAT ION
organization. For example, a hurricane can have a diameter affected by a disruption. For example, in a fire, contractors may
of hundreds of kilometres whereas floods are generally more be injured, residents evacuated from their homes, and local
localised. businesses experience reduced trade. PP5
IMPLEMENTATION
• Any existing legal or regulatory requirements relating to safe The organization’s level of responsibility in such situations should
separation distance. be clearly understood.
PP4
Geographical separation usually decreases the likelihood of two The organization should ensure that the needs of various D E SIGN
sites being affected by the same incident. However, this may not interested parties are identified, prioritised, and agreed when
provide protection for threats that are not location specific, for designing business continuity solutions.
example, outbreaks of disease, or cyber attacks. PP3
A NA LYS IS
PP2
E m b e dd ing
B u sine ss
C ontin uity
PP1
P OLIC Y &
P ROGR A M M E
MANAGEMENT
CONTENTS
GLOSSARY
63
BCI Good Practice Guidelines 2018 Edition
Emergency responders: The organization should be familiar with Subcontracting during incidents: Outsourced service providers
the procedures of the local emergency responders and may benefit can provide a product or service, provide process infrastructure, and
from contacting these groups in advance. They may provide useful takeover disrupted activities. Subcontracting can be particularly
information relating to the Design stage of business continuity suitable for manufacturing, where the added cost of having alternate
solutions. For example, law enforcement agencies may have identified sites replicated or on standby is too expensive. However, in some
exclusion zones that result in denial of building access which lasts situations, the only option for subcontracting may be to use another
longer than the RTO. organization operating in the same market, which could be a
competitor. Collaboration with competitors should be considered,
Supply chain: In the Analysis stage, key suppliers of products, services where appropriate.
or activities are identified. Solutions for the loss of these suppliers
and the disruption to the products, services, and activities need to be Reliability: When the business continuity solutions being considered
identified in the Design stage to enable their RTOs to be achieved. involve an outsourced service provider, there is often a need for
compromise between the cost and reliability of the outsourced
The organization should consider that the required products and provider. Arrangements may vary from verbal agreements through to
services may not be commercially available. For example, there may a service level agreement. The shorter the RTO, the more important
be commercial competition restrictions or environmental, legal, the reliability of the delivery becomes.
quality, security, or ethical constraints.
Similarly, where the outsourced supplies or services have been
Outsourced service providers may be best placed to perform duties prioritised by the organization, care should be taken to determine the
which are commonly available, for example, cleaning, security reliability of the supplier and to have a suitable solution in place to
services, and transportation. address supplier failure.
64
© Copyright 2017 The Business Continuity Institute
Consolidation
There is usually an opportunity to combine certain elements of the design process to remove duplication and ultimately make the
design more efficient. The following examples highlight the concept of consolidation:
P P 4 - D E S IGN
Purchasing leverage: If the total Logistics: The logistics for the phased Conflict: Two or more areas of the
requirement for recovery resources is delivery and acceptance of consolidated organization may be planning to use the
known, then the organization is more likely resources across multiple departments same resource as part of their continuity
to obtain better terms from its supplier can also be streamlined through solution and would therefore be in
than if each individual requirement is consolidated procurement and delivery. conflict during an incident, for example,
separately negotiated. This consolidated meeting rooms in another office.
approach should be undertaken by
personnel who are experienced in
procurement and contract negotiation.
Optimisation: Two or more activities may Consistency: The approach to Capability: When applied throughout
require a resource, for example, a printer, continuity solutions may be inconsistent the organization, a continuity solution,
photocopier, or projector, but may be able within the organization, for example, for example, remote working, may
to share its use with others. Consolidation the implementation of information not be achievable using the existing
can optimise the use of resources by security. Consolidation can highlight the infrastructure. This may work when only PP6
VA LI DAT ION
identifying opportunities for sharing. additional resources needed to ensure a few individuals work remotely, but not
consistency. when everyone in the organization with
the capability tries to do so at the same
PP5
time. Consolidation may identify further IMPLEMENTATION
resource requirements to support such
Care should be taken to ensure consolidated solutions do not conflict
situations.
with other common or unique individual solutions, organizational
policies, supplier accreditation, or legal and regulatory constraints. PP4
D E SIGN
PP3
A NA LYS IS
65
BCI Good Practice Guidelines 2018 Edition
5.
Obtain agreement 3.
and sign-off from top
4. Determine
Analyse the which risks and
management for the
mitigation threats can be mitigated
recommended mitigation
measures for by having a business
measures, including acceptance
effectiveness continuity
of any identified risks and
and cost. plan in place.
confirmation that financial and
resource provisions
will be available.
6.
Establish and
implement projects
for each of the
agreed mitigation
measures.
66
© Copyright 2017 The Business Continuity Institute
P P 4 - D E S IGN
measure with the likely benefit to be gained. When undertaking organizations also publish good practice guidance regarding
a cost benefit analysis, the time frame in which the solution risk management and mitigation measures in their specific
or measure should be effective and the likelihood of the threat areas of expertise.
being realised in that time frame need to be determined.
For measures that reduce the likelihood, the benefit is calculated Managing supply chain risk: The threat of disruption to the
by estimating the reduction in likelihood of the threat being organization’s products and services caused by failure in suppliers
realised after the mitigation measure has been put in place, and and their supply chains can be reduced by ensuring that suppliers
multiplying it by the impact on the organization if the threat was have effective and adequate business continuity arrangements in
realised, in terms of cost. place. This can be achieved by:
For measures that reduce the impact, the benefit is calculated • Including business continuity requirements in supply contracts.
by estimating the reduction in the impact of the threat to the
• Seeking evidence of compliance with a recognised business
organization in terms of cost, after the mitigation measure has
continuity standard.
been put in place and multiplying it by the likelihood of the
threat occurring. • Reviewing each supplier’s business continuity programme to
ensure that it is effective and adequate.
Examples of specific measures that can be implemented are
as follows: • Undertaking joint exercises with suppliers.
• Agreeing realistic service levels for supply disruption.
• Physical security to prevent theft and unauthorised entry.
PP2
E m b e dd ing
B u sine ss
C ontin uity
PP1
Outcomes and Review P OLIC Y &
P ROGR A M M E
MANAGEMENT
The main outcomes when designing risk and threat mitigation The mitigation measures should be regularly reviewed at pre-
measures are projects for implementing the agreed measures agreed intervals or following significant change as defined within
to reduce the likelihood or impact of a disruption to the the business continuity policy. CONTENTS
organization’s prioritised activities.
GLOSSARY
67
BCI Good Practice Guidelines 2018 Edition
ANALYSI
S
N
TIO
VALIDA
EMBEDDING
DESIG
N
PL
T
IM
EM
EN
ENT
PO
EM
IC ATION
AG
L
Y AN
D PR A N
OGRAMME M
68
© 2017 The Business Continuity Institute
PP5
Implementation
P P 2 - E m be dd i n g B usi n e ss C on ti n u it y
Implementation is the Professional Practice within the business continuity management
lifecycle that implements the solutions agreed in the Design stage. Implementation is
achieved by developing business continuity plans to meet the organization’s agreed
business continuity requirements and solutions identified in the Analysis and Design stage
of the lifecycle. The Implementation stage also includes the development of a response
structure that defines the necessary roles, authority and skills required to manage an
incident.
The aim is to identify and document the priorities, procedures, responsibilities, and
resources that will support the organization when managing an incident. This should
achieve continuity of the prioritised activities and ensure recovery of disrupted activities
to a predefined level of service (the minimum business continuity objective) within the
PP6
planned time frames. VA LI DAT ION
PP5
IMPLEMENTATION
PP4
D E SIGN
PP3
A NA LYS IS
PP2
E m b e dd ing
B u sine ss
C ontin uity
PP1
P OLIC Y &
P ROGR A M M E
MANAGEMENT
CONTENTS
GLOSSARY
69
BCI Good Practice Guidelines 2018 Edition
Introduction
The term ‘business continuity plan’ (BCP) suggests a single The business continuity plans are not intended to cover every
document. However, a variety of plans can exist at any eventuality as all incidents are different. The plans need to be
organizational level. The BCP may in fact comprise several flexible enough to be adapted to the specific incident that has
documents. It can cover a complete organization or part of occurred and the opportunities it may have created. However,
an organization and can be structured according to the size, in some circumstances, incident specific plans are appropriate
complexity, and type, for example, by products, services, to address a significant threat or risk, for example, a pandemic
locations, divisions, or departments. plan, or a product recall plan.
Response Structure
The purpose of establishing a response structure is to ensure that General Principles
the organization has a clearly documented and well understood
The response structure identifies:
mechanism for responding to an incident, regardless of its cause. The
response structure establishes command, control, and communication • The individuals and teams responsible for response activities.
systems to help the organization manage the incident and minimise
the impact of the disruption. • The roles and responsibilities of the individuals and teams.
70
© Copyright 2017 The Business Continuity Institute
Business continuity can become embedded in an An incident, while unexpected, creates a level
organization more easily if the response structure of disruption that falls within anticipated
makes use of familiar organization terms that are already conditions and limits, and so can be managed using plans
P P5 - I M P L E M E N TATI O N
part of business as usual, for example team names, titles, that were developed with those parameters in mind. For
and roles. example, a business continuity plan may be designed to
address operational disruption in a particular building, or
an ICT service continuity plan that may be designed to
An effective response structure includes mechanisms that enable deal with the loss of a specific cluster of servers.
information to be communicated quickly and accurately to
A crisis involves a severe level of disruption that exceeds
relevant individuals and teams throughout the organization. It
the anticipated conditions and limits, or may be a
should also recognise and include external suppliers related to
situation that an organization had not forecast during the
prioritised activities.
planning process. For example, a regional power outage
may simultaneously disrupt multiple buildings and sites
operated by an organization. A major cyber attack could
impact numerous suppliers at the same time causing
significant and unpredicted disruption to an organization’s
Concepts and Assumptions supply chain.
An organization’s response structure should be flexible and
capable of dealing with many types of disruption. There are two
main types of disruption:
Disruptions can be immediate and obvious, but can also develop
• An incident, defined as “a situation that might be, or could lead slowly over time. The response structure should include a
to, a disruption, loss, emergency or crisis.” mechanism for individuals and teams to promptly identify an
(Source: ISO 22300:2012) incident, so that the situation can be assessed by experienced
and authorised personnel and the appropriate response taken.
• A crisis, defined as “a situation with a high level of
uncertainty that disrupts the core activities and/or credibility The key requirements for an effective response structure are:
of an organization and requires urgent action.” (Source: ISO
• The ability to recognise and assess threats when they occur.
22300:2012) PP6
VA LI DAT ION
• Clear procedures for escalation when a disruption has occurred
Incidents and crises are linked, but are distinctly different from
or may soon occur.
each other and so require a different level of response.
• Individuals and teams with the authority and capability to PP5
An organization’s management of an incident is likely to be IMPLEMENTATION
develop and select an appropriate response to an incident.
addressed using established plans and procedures.
• Clearly understood procedures in place for the activation and
A crisis is an unpredictable situation which exceeds anticipated
control of the response to an incident or crisis.
limits and requires a flexible, creative, and strategic level PP4
D E SIGN
response. The existing response structure, information, and • Responsible personnel with the authority and capability to
procedures in the business continuity plan should be built on and implement the agreed business continuity solutions as defined
adapted when responding to a crisis where relevant. within the organization’s plans.
PP3
• An ability to communicate effectively with internal and external A NA LYS IS
interested parties.
PP2
• Access to sufficient resources to support the implementation of E m b e dd ing
the continuity solution. B u sine ss
C ontin uity
• An ability to recognise when key external suppliers should be
notified and included in the implementation of the continuity PP1
P OLIC Y &
solution. P ROGR A M M E
MANAGEMENT
• An agreed budget for supporting the response structure.
CONTENTS
GLOSSARY
71
BCI Good Practice Guidelines 2018 Edition
There can be many different types and levels of response teams in an organization’s response structure. Response teams should address the
strategic, tactical, and operational levels which are appropriate to the organization. Therefore, the number of individuals or teams, and the plans
that support them, are determined by the size, complexity, and type of organization.
In some organizations, it may be appropriate to have up to three levels of teams in the response structure. The strategic, tactical, and
operational teams in a response structure undertake different activities as follows:
The strategic team focuses on strategic issues that impact the organization’s core objectives, and products and
services and is usually led by top management. The strategic team is often called a crisis management team
and has primary responsibility for addressing any crisis impacting the organization. As these are unpredictable
events that have a high level of uncertainty, they require a flexible and creative response by experienced
managers with the authority to apply the organization’s full resources to the response. This includes crises that
may not disrupt the organization’s ability to deliver products and services, such as events that can damage an
organization’s reputation. For this reason, strategic plans commonly include communication plans and media
response plans.
The strategic team may also provide command and control guidance during less severe incidents and provide
communications support to tactical and operational teams.
CONTROL
ESCALATION
The tactical teams manage and coordinate the continuity of the processes required to deliver the impacted
products and services, and ensure that the resources are allocated appropriately. Tactical teams are often
responsible for the assessment and management of the medium and short term effects of an incident. Tactical
level plans provide a framework to coordinate strategic goals and decisions with the operational response
teams.
The operational teams focus on the continuity of the activities that contribute to the process or processes
that deliver the prioritised products and services. Operational teams deal with the immediate effects of an
incident by containing it where possible and managing the direct consequences. An operational response
establishes the necessary capability required to continue to deliver prioritised products and services.
In some organizations, one or more of the levels may be combined into a single team, for example a combined tactical and operational team.
72
© Copyright 2017 The Business Continuity Institute
Process
Each organization
P P5 - I M P L E M E N TATI O N
should develop a response
structure that meets the
requirements of the business
continuity policy and supports
the agreed continuity
solutions. The key steps when
establishing a response structure
are as follows: 1. 2.
Identify, Identify the
understand, and responsible
work within the individuals and
organization’s existing roles in any existing
management and response teams or
leadership plans.
structure.
3.
Understand the
requirements and
4. scope of the
Consider the business continuity
continuity solutions programme.
6. agreed in the Design
Present the 5. stage of the business
response structure Develop a continuity
to top management draft response management
and seek structure. lifecycle.
feedback.
PP6
VA LI DAT ION
7.
Update the PP5
response structure 9. IMPLEMENTATION
based on top Document
management and publish the
approved
feedback. 8. PP4
response
Obtain top D E SIGN
structure. 10.
management
approval for the Implement the
updated response approved response
structure. structure in any PP3
A NA LYS IS
existing business
continuity plans.
PP2
E m b e dd ing
B u sine ss
11. C ontin uity
Rehearse the
In some organizations, response plans may have been response structure PP1
P OLIC Y &
developed and implemented before the introduction of as part of business P ROGR A M M E
business continuity. In this case, the teams and roles that are continuity MANAGEMENT
exercising.
responsible for implementing the existing plans should be
incorporated into the response structure.
CONTENTS
GLOSSARY
73
BCI Good Practice Guidelines 2018 Edition
The response structure needs to include all teams and individuals • Procedure escalation.
that are identified in the organization’s business continuity policy
and programme. These teams and individuals should cover all aspects • Plan activation.
of emergency response, business continuity management, and crisis
• Command and control.
management. The response structure should consider which of these
teams and individuals are competent to undertake the strategic, • Resource allocation.
tactical, and operational roles.
• Cost management.
The following should be considered:
• Personnel welfare.
• The existing management structure.
• Interested party communication.
• The skills, competencies, and authorities of response teams and
individuals. • Incident monitoring and assessment.
• The communication channels and escalation process. • Changing priorities as the situation evolves.
• The organization’s size, complexity, and type, as well as process The required competencies and skills should be identified and the
infrastructure. appropriate training and awareness provided for those individuals
with roles and responsibilities.
• The agreed continuity solutions.
The strategic, tactical, and operational response levels provide a
general model for all organizations, but need to be implemented in a
The responsibilities of the individuals and teams identified in the way that fits the organization’s size, complexity, and type. The table
response structure should be documented and include: below shows how the levels might be implemented in different types
of organization:
• Team mobilisation.
Table 11.
Large organization
In a large organization, the levels of response might be implemented as follows:
74
© Copyright 2017 The Business Continuity Institute
P P5 - I M P L E M E N TATI O N
A global crisis management plan,
with a response team consisting
Each region or country could have
of top management with global Each department or location covered
several plans, each covering a major
responsibilities, and an incident by the business continuity plan may
division, product, or service, with its
management plan for each territory, have its own detailed operational plan,
own response team consisting of the
with a response team consisting of top with its own response team consisting
functional leaders or divisions, or
management from those territories. of the operational managers of the
product or service heads responsible for
Multinational organizations may also department or location.
the areas covered by the plan.
have another level of strategic plan
focused on regions.
Business continuity professionals should apply a combination of general business experience, knowledge of the organization, and
business continuity expertise to find the most suitable response structure for their organization. Feedback from various plan users
and analysis of exercise results can also assist in further improving the response structure as part of the ongoing validation process, as
described in PP6.
The outcome from establishing a response structure is an The response structure is necessary to support the development
organization that has the capability to implement an effective of the detailed response plans which should document how to
response to a disruption. The response structure should define: implement the organization’s continuity solutions. PP6
VA LI DAT ION
• The required number and type of individuals or teams. The response structure should be regularly reviewed at pre-
agreed intervals or following significant change as defined within
• The relationships between the individuals and teams. the business continuity policy. PP5
IMPLEMENTATION
• The roles and responsibilities of the individuals and teams.
PP3
A NA LYS IS
PP2
E m b e dd ing
B u sine ss
C ontin uity
PP1
P OLIC Y &
P ROGR A M M E
MANAGEMENT
CONTENTS
GLOSSARY
75
BCI Good Practice Guidelines 2018 Edition
By contrast, the strategic level plan does not usually contain such
detailed procedural information. As a result, they can be implemented
Concepts and Assumptions at the start of the business continuity process to provide an initial
response capability before the other plans are developed.
Plans at all levels should contain the following:
Whichever type of plan is being developed, it should not be done in
• Purpose and scope. isolation. To achieve a successful outcome, it is essential to involve
users of the plans, including top management, in the development
• Objectives and assumptions.
and implementation process.
• The response structure which is specific to the organization.
76
© Copyright 2017 The Business Continuity Institute
Process
P P 5 - I M P L E M E N TATI O N
The key steps when 2.
developing and Define the
managing a plan 1. objectives and
should include the Appoint an scope of 3.
following: owner or the plan. Create a plan
sponsor development
of the plan. process and budget,
and obtain
approval.
4.
Create a
6. planning team
Establish the 5. (if appropriate).
response team Agree the
with the relevant responsibilities of the
authorities and response team and their
competencies. relationship with other
7. plans and response teams
Define the (at a strategic, tactical
structure, format, and operational level if
components, and appropriate).
contents of the
plan.
8. PP6
Gather VA LI DAT ION
information to
populate
the plan. PP5
10. IMPLEMENTATION
9. Circulate 11.
Draft the draft plan for Gather
the plan. consultation and feedback from the
review. PP4
consultation and D E SIGN
review stage.
15. PP3
Agree a A NA LYS IS
maintenance schedule 12.
for the plan to ensure Amend the
it remains current 13. plan as PP2
and response team 14. Agree and appropriate, E m b e dd ing
B u sine ss
information remains Develop, formally based on C ontin uity
up to date. implement, and plan the approve feedback.
exercise programme to the plan. PP1
regularly rehearse team P OLIC Y &
P ROGR A M M E
response capabilities and MANAGEMENT
validate the plan
content.
CONTENTS
GLOSSARY
77
BCI Good Practice Guidelines 2018 Edition
78
© Copyright 2017 The Business Continuity Institute
People Welfare
Organizations have a responsibility to safeguard the health, At least two locations or options should be predefined. One
safety and welfare of their personnel, contractors, visitors, and should be on-site or close to the site where the response team is
customers (this is a legal requirement in some industry sectors). based with the other being at a more remote off-site location.
The business continuity plan should address personnel and
welfare issues. The organization’s personnel are more likely to The off-site physical location does not
P P5 - I M P L E M E N TATI O N
support the extra demands placed on them in an incident if their have to be owned by the organization. By prior
welfare needs are met. arrangement, a location that provides secure, 24-hour
The issues listed below should be included in a dedicated welfare access, such as a hotel or serviced office may provide the
plan, or be incorporated in the body of a more general business required resources.
continuity plan.
During an incident, and where relevant, one or more team
For large scale incidents or multisite organizations, a virtual
members should be assigned responsibility for:
incident response team with a virtual command centre may be
• Verifying the results of site evacuation. more appropriate. An effective virtual command centre requires
• Accounting for the organization’s personnel and visitors. reliable communications capability and real time access to
information by all team members.
• Communicating with personnel and others on site.
• Communicating with emergency services.
Consideration should be given to how the following will be
• Setting up communications systems, for example, a help line or
facilitated:
intranet pages.
• Incoming and outgoing communication.
• Contacting next of kin.
• Recording of incident events, team decisions, actions, and issues.
• Arranging transport assistance.
• Monitoring public information about the incident.
Subsequently there may be additional needs to consider, • Physical and information security.
including: The availability of the following resources should also be
• Dealing with issues relating to casualties, in consultation with considered when setting up a meeting room:
the emergency services and in accordance with local regulations • A continuously available and stable power supply.
and customs.
• An appropriate number of landline telephones, as well as
• Counselling and rehabilitation services (which may be provided teleconference equipment and voice recording facilities. PP6
as part of existing personnel benefits). VA LI DAT ION
• A computer and printer.
• Liaison with specialist services when dealing with next of kin.
• Cell phones and mobile communicators with chargers.
• Family support (especially where families have been affected by PP5
• Secure access to email, internet, and fax. IMPLEMENTATION
the incident).
• Printed copies of relevant plans and urgently required
• Temporary accommodation.
information.
• Translation services. PP4
• A supply of log sheet templates.
D E SIGN
• Access to emergency cash or facilities.
• Whiteboard/flip charts and pens for recording incident details
• Welfare needs at alternate locations: along with actions taken and decisions made by the team.
- Personal safety and security. • Access to: PP3
A NA LYS IS
- Special needs. - Stationery.
- Transport and accessibility. - Television and radio equipment.
PP2
- Appropriate training on replacement equipment. - Refreshments. E m b e dd ing
B u sine ss
- Toilet and washing facilities. - Transport. C ontin uity
79
BCI Good Practice Guidelines 2018 Edition
Strategic Plans
A strategic level, or crisis management plan is a high level plan that • Devising short, medium, and long-term strategies, depending on the
defines how strategic issues resulting from a crisis or incident should type of crisis or incident.
be addressed and managed by top management. It has some special
• Managing communications with all involved interested parties,
characteristics which differentiate the document from the tactical
including the media.
and operational plans.
• Approving external statements before they are issued and
Some crises or incidents do not involve physical disruption to monitoring and adjusting the communications strategy, as
the organization and may not require invocation of a business necessary.
continuity plan, however, they still require a strategic level response,
for example, fraud or negative media exposure that threatens the • Monitoring the overall response to the crisis or incident.
organization’s reputation. • Resolving implementation issues or resource conflicts during the
response.
This type of incident may result in the mobilisation of the teams with
responsibility for managing the area of the business affected and the • Ensuring the response and recovery is in line with the long term
potential reputational damage. In these situations, it is almost always objectives of the organization and meets the organization’s legal
necessary to involve the strategic level team, if only to make them and regulatory requirements.
aware of the situation in case it escalates.
• Identifying and maximising opportunities or advantages arising
from the crisis or incident.
The strategic level plan should also address the need to communicate
with, and control activity between, all involved, or impacted Communication and Media Liaison
interested parties. The content of a strategic level plan should be The communication response during a crisis or incident is usually
relevant to the size, complexity, and type of organization. guided by top management, working with specialist communication
The strategic plan should be designed as a high level, generic plan. teams within the organization.
It should contain summary information on different parts of the Depending on the organization’s response structure, there may be
organization and generic organization-wide response procedures. a separate communication plan or it may be included as part of the
The aim is not to encourage micro-management of an incident but strategic plan.
to provide the strategic team with summary information to assist
assessment and decision making. The communication plan should:
80
© Copyright 2017 The Business Continuity Institute
• Include a selection of communication methods and channels, so The volume, type, and urgency of communications after an
that the team can guarantee availability of at least one method incident can vary significantly. The communications plan can
or channel. accelerate the response if it includes pre-formatted messages or
pre-written statements. The communication plan can:
P P 5 - I M P L E M E N TATI O N
• Identify the group or individual in the organization who has
the responsibility, authority, and technical knowledge to • Anticipate much of the information required by known
deliver communications via each of the available methods and interested parties, for example personnel, customers, and
channels. Where possible, existing methods should be used to shareholders.
communicate with interested parties.
• Contain pre-written statements for these anticipated
• Decide in advance who the organization’s spokesperson should communications, allowing messages to be adapted to individual
be and then ensure that: requirements.
- The spokesperson has been trained in their role and is • Contain answers to general questions that are applicable in most
available at the location or can get there at short notice incidents or crises.
during an incident or crisis.
• Contain a general background statement about the organization
- The process to create and issue media statements which can be distributed in public statements.
is known, including how they should be approved
• Include development of a website or web pages which can be
internally prior to release.
activated during an incident or crisis and be used as a focus point
- There are individuals available to brief the media at a to communicate specific and relevant information.
central location as well as representatives who can be
on-site of a local incident or crisis.
Media Liaison
- There is a designated technology proficient
The strategic level plan should address how the organization
spokesperson if appropriate.
manages communication with the media. The strategic plan
• Assign responsibility for monitoring and reviewing the interested should ensure that only appropriately trained personnel liaise with
party response to communications to assess and adjust as the media and communicate with interested parties.
required.
All plans should include instructions for personnel on what they
The organization may choose to work with specialists such as should do if approached by the media during an incident or crisis.
PP6
public relations organizations to develop the media response. VA LI DAT ION
Plans should also contain information on what actions the
Some organizations may also benefit from developing
organization’s personnel should take if they are involved in an
relationships with key media organizations.
incident which has, or is likely to attract media attention, and who
PP5
they should escalate media attention to. IMPLEMENTATION
PP4
D E SIGN
CONTENTS
GLOSSARY
81
BCI Good Practice Guidelines 2018 Edition
Tactical Plans
Tactical level plans focus on coordinating the response to an incident • Amending the agreed priorities and response actions to take
and facilitating the continuity of prioritised activities. Tactical plans into account the current situation, business conditions or based
should provide guidelines to help the tactical team analyse the on direction from the strategic level team.
impact of the incident, implement the appropriate solutions from
those available in the plans, ensure the continuity of prioritised • Requesting or receiving progress updates and other information
activities, and provide progress updates to the strategic team. from the operational teams.
• Personnel.
Where there are multiple operational level • Welfare services.
plans, one of the roles of the tactical response
team is to prioritise response activities to ensure that the • Alternate locations.
response remains focused and is coordinated. The tactical • Security services.
response team may alter the agreed priorities and business
continuity solutions if directed by top management. • Technology, communications, and data.
82
© Copyright 2017 The Business Continuity Institute
Other details to be included in the tactical plan might If a proposed solution relies on access to resources from an
include: outsourced service provider, it is important that a service
• Organization contact information. level agreement is in place for the arrangement and that the
P P5 - I M P L E M E N TATI O N
arrangement is reviewed and validated in line with the tactical
• Key interested party information and contact details, including plan review process. It is important that such arrangements are
customers, clients, and service providers. included the exercise programme.
• Secure location of legal documents, for example, contracts,
service level agreements and insurance policies.
Emergency services liaison
• Details of contracted work area recovery space, and how and
when it will be made available to response teams. If the organization is responsible for its own site or premises,
• Procedures for obtaining emergency funds. personnel with an appropriate level of capability and authority
should be appointed to liaise with emergency services
throughout the incident or crisis. As the tactical team has a
Suppliers and business partners central coordinating role, this emergency services liaison role is
often assigned to this team.
Tactical plans should consider aspects of the business continuity
solution that may involve prioritised activities and resources During an incident, the emergency services will require
available outside the organization. The plan should consider key information on the location of any casualties, the current status
suppliers to the organization’s supply chain and other business of the incident or crisis, and any known hazards they may
partners who are able to support the continuity solution and encounter. They may also need access to a dedicated contact
response activities. person from the organization to update and obtain further
information from.
PP6
VA LI DAT ION
PP5
IMPLEMENTATION
PP4
D E SIGN
PP3
A NA LYS IS
PP2
Outcomes and Review E m b e dd ing
B u sine ss
C ontin uity
The outcomes of developing the tactical level business • Guidelines for coordinating continuity solutions and response
PP1
continuity plan include: activities with interested parties. P OLIC Y &
P ROGR A M M E
• Documented business continuity plans to support tactical The tactical level business continuity plan should be regularly MANAGEMENT
teams during an incident or crisis. reviewed in line with the strategic and operational-level plan
reviews at pre-agreed intervals or following significant change as
• A framework for coordination of response activities and defined within the business continuity policy. CONTENTS
resource allocation between the strategic and operational
teams.
GLOSSARY
83
BCI Good Practice Guidelines 2018 Edition
Operational Plans
Operational level plans determine the individual departments or Examples of operational level plans include:
business units involved in the incident response. Lower level plans
are likely to become complicated if all continuity procedures for an • A department or business unit plan.
organization are included in a single document. When this is the case,
the response procedures of each business unit may be separated into • Specific procedures implemented in response to an incident, such as
one or more plans that each become the responsibility of the related equipment salvage and document restoration.
business unit. • An ICT department’s response to the loss and subsequent recovery
of ICT applications and services.
84
© Copyright 2017 The Business Continuity Institute
P P 5 - I M P L E M E N TATI O N
• Special or non-standard procedures.
• Human resources and people's welfare.
• Redeployment of personnel and visitors.
• Access to, and use of facilities.
• Personnel contact numbers.
• Departmental activities (listed in order of priority).
• Other key interested party contacts.
• Liaison with ICT service continuity teams.
• Communications with personnel following plan activation.
• Mobilisation of teams and allocation of resources.
• Space, seating, and resource requirements.
• External support.
• A list of ICT equipment and software required.
• Building evacuation and shelter-in-place procedures.
• Details of off-site data with document storage and access
• Location and layout of evacuation points. instructions.
• Security. • Restoration instructions that a technical person unfamiliar with
the system(s) can use.
• Accounting for personnel.
• Salvage arrangements and contracted assistance.
• Health and safety.
• Stand down procedures.
• Escalation procedures to advise top management about
unexpected issues. • Counselling and rehabilitation resources.
PP6
VA LI DAT ION
PP1
P OLIC Y &
P ROGR A M M E
MANAGEMENT
CONTENTS
GLOSSARY
85
BCI Good Practice Guidelines 2018 Edition
ANALYSI
S
N
TIO
VALIDA
EMBEDDING
DESIG
N
PL
IM
EN
EM
ENT
PO
EM
IC ATION
AG
L
Y AN
D PR A N
OGRAMME M
86
© 2017 The Business Continuity Institute
PP6
Validation
P P 2 - E m be dd i n g B usi n e ss C on ti n u it y
Validation is the Professional Practice within the business continuity management lifecycle
that confirms that the business continuity programme meets the objectives set in the
policy and that the plans and procedures in place are effective.
The purpose of Validation is to ensure that the business continuity solutions and response
structure reflects the size, complexity, and type of the organization and that the plans are
current, accurate, effective, and complete. There should be a process in place to continually
improve the overall level of organizational resilience.
PP6
VA LI DAT ION
PP5
IMPLEMENTATION
PP4
D E SIGN
PP3
A NA LYS IS
PP2
E m b e dd ing
B u sine ss
C ontin uity
PP1
P OLIC Y &
P ROGR A M M E
MANAGEMENT
CONTENTS
GLOSSARY
87
BCI Good Practice Guidelines 2018 Edition
Introduction
Validation is achieved through a combination of the • Maintenance: A process to ensure that the organization’s
following three activities: business continuity arrangements and plans are kept relevant,
up-to-date, and operationally ready to respond.
• Exercising: A process to train for, test, assess, practise,
and improve the business continuity capability of the • Review: A process for assessing the suitability, adequacy,
organization. and effectiveness of the business continuity programme and
identifying opportunities for improvement.
• Validating the business continuity solutions and the assumptions on • Logical: Do the procedures work together in a logical manner?
which they are based. • Timeliness: Can the procedures achieve the required recovery
time objective for each activity?
• Verifying that the documented procedures in the business continuity
plan are relevant, complete, and current. • Administrative: Are the procedures manageable?
• Verifying the adequacy and practicality of resources that support • Personnel: Are the most suitable individuals involved and do
the continuity solutions. they have the required competencies, skills, authority, and
experience? Does everyone know their role and responsibility?
• Identifying areas for improvement or missing information.
• Resources: Are the right resources identified in appropriate
• Validating competency and building confidence in personnel with quantities from known and reliable sources?
relevant roles and responsibilities.
• Information: Is all necessary information available to implement
• Developing team work. the plan?
• Raising awareness of business continuity throughout the The frequency of exercising is determined by the exercise schedule
organization as described in PP2. in the business continuity programme and may be influenced by
the size, complexity, and type of organization.
Prioritised products and services, processes and activities, and
every member of the organization’s incident response teams
should be involved in exercises in line with the planned exercise
schedule.
88
© Copyright 2017 The Business Continuity Institute
Concepts and Assumptions Where the delivery of a product or service has been outsourced,
the responsibility for exercising remains with the organization
The organization’s business continuity policy and programme that owns the product or service. The organization should make
establishes how the exercise programme is to be planned and sure, through exercising, that the outsourced company can
managed, as well as any training to be undertaken and necessary continue to meet its obligations in the event of a disruption.
resources to be identified. It may be appropriate to consider joint exercise arrangements
P P 6 - VALIDATI ON
with outsourced service providers and key suppliers. In addition,
An exercise is defined as “a process to train for, assess, practice, if other suppliers of prioritised products and services, processes,
and improve performance in an organization.” (Source: ISO and activities have been identified in the Analysis stage of the
22301:2012) business continuity management lifecycle, they should be asked
to demonstrate their own business continuity capability through
their own exercises.
Process
The following
should be
considered in the
exercising 1.
process: Define the 2.
exercise Review past
programme goals, exercises (plans,
3.
objectives, and resources, and
Discuss with top
scope. activities) to identify
management any
areas excluded from
perceived areas
previous
of weakness and
exercises.
exercising
priorities.
PP6
VA LI DAT ION
7.
Check the PP5
availability of 4. IMPLEMENTATION
required personnel, Review
facilities, and other 6. 5. and assess
Decide on current risks
resources. Determine
the types of and threats. PP4
a budget for
exercise to be D E SIGN
the exercise
undertaken.
programme.
PP3
8. A NA LYS IS
Create an
exercise schedule that
includes validating the PP2
E m b e dd ing
business continuity
B u sine ss
arrangements of C ontin uity
relevant interested
parties. 9. PP1
Submit to 10. P OLIC Y &
P ROGR A M M E
top management Identify any MANAGEMENT
for approval. training requirements for
exercise participants or
planners, and integrate CONTENTS
them into the exercise
programme.
GLOSSARY
89
BCI Good Practice Guidelines 2018 Edition
Types of Exercise The exercise participants are asked to deal with the updates or
requests for information as if it were a real incident, and develop and
There are many names given to different types of exercises, but
implement a suitable response to the unfolding scenario. Simulation
in principle they fall into the following five categories. These
exercises also allow the participants to rehearse relevant procedures
exercise types have common features, and organizations may find it
in detail, for example, notification and escalation, decision making,
appropriate to combine elements from different exercise categories to
communication, media response and team coordination, in addition
achieve their exercise objectives.
to testing command centre equipment and other resources required
to support the team.
• Discussion-based exercises
These exercises are the simplest to organize and to facilitate and the • Live exercises
least time consuming of the exercise types. They are structured events
where participants can explore relevant issues and walk through plans Live exercises can range from a small-scale rehearsal of one part of
in a low pressure environment. This type of exercise can focus on a a response, for example, an evacuation, to a full-scale rehearsal of
specific identified area for improvement with the aim of finding a the whole organization, potentially involving interested parties in
preferred solution. real time. Live exercises are designed to include everyone likely to be
involved in that part of the response.
• Scenario exercises Live exercises are particularly useful where there are legal or
regulatory requirements or where a high risk to an organization has
A scenario exercise is a commonly used discussion based activity, been identified and the response plans need to be fully evaluated.
using a relevant scenario with a time frame. The exercise may either They are the most realistic way to train individuals and exercise the
run in real time or include time ‘jumps’ to allow different phases of plans. However, there are several challenges that may mean a live
the scenario to be exercised. A scenario exercise is usually conducted exercise is not the most appropriate exercise format. For example,
in a table top environment. Participants are expected to have the resources required can be significant and there may be financial
some familiarity with the plans being exercised and are required implications. Care should be taken to avoid disruption to the
to demonstrate their understanding of how the plans work as the organization’s business as usual tasks and any reputational impacts
scenario unfolds. They can involve some practical rehearsal of relevant should be considered.
response activities, such as completing assessment checklists or use
of log sheets.
• Test
Scenario exercises can be a realistic, cost effective and efficient A test is defined as “a unique type of exercise, which incorporates an
method. This type of exercise can be enhanced using media and expectation of a pass or fail element within the goal or objectives of
other injects which can make a scenario more realistic. Practical the exercise being planned.” (Source: ISO 22301:2012) It is usually
outputs such as media releases or employee communications may be applied to equipment, recovery procedures or technology, rather than
produced by the response teams during the exercise. teams or individuals. For example, the rebuilding of a server from
back-up tapes within a predefined time frame.
• Simulation exercises
90
© Copyright 2017 The Business Continuity Institute
The outcomes of developing an exercise programme are as The organization’s exercise programme should be regularly
follows: reviewed at pre-agreed intervals or following significant change
as defined within the business continuity policy, to ensure that it
• A complete exercise programme which defines:
is validating the effectiveness of the overall business continuity
- The objectives to be achieved. programme.
P P 6 - VALIDAT IO N
- The methods required to achieve the objectives.
Developing an Exercise
General Principles
Every exercise within the exercise programme needs to be
carefully planned to justify the use of resources required when The introduction of technology or external party
developing and delivering it. The exercise development process injects can add an air of uncertainty and generate
should be approached like a project, using the appropriate greater interest in the exercise. However, the addition
planning steps and controls associated with good practice in of technology or external parties should not become a
project management. distraction from the agreed objectives of the exercise. PP6
VA LI DAT ION
GLOSSARY
91
BCI Good Practice Guidelines 2018 Edition
Exercise objectives
The first step when preparing an exercise is to determine the Participants: Those involved in exercises may include:
objectives and outcomes. Criteria should be defined for measuring
• Facilitators.
the effectiveness of the exercise.
• Umpires.
• Observers.
Measures can be both qualitative (assessing the
quality of outcomes) or quantitative (achieving a • Safety officers.
specific measurable outcome).
• Role players.
• Strategic, tactical, and operational level incident response teams.
Examples of measures that can be used during an exercise are as
follows: • Departmental representatives.
• Suppliers of resources and services involved in the exercise.
• Can the appropriate personnel initiate the alert, invocation, and
escalation process? • Emergency services.
• Can the on-duty manager activate the callout procedure? • Emergency managers.
• Relevant subject matter experts.
• Is the incident manager able to call an initial management meeting?
• Auditors.
• Have response team members demonstrated effective decision-
making capabilities?
• Have key personnel established and maintained an incident log? External support and participation
As the organization’s exercise experience and business continuity
• Can a priority system be recovered and restored within the expected
management capability increases, it may be appropriate to consider
recovery time objective?
involving a wider range of interested parties in the exercises. For
• Can a department resume services from the alternate site using the example, customers, suppliers, regulators, statutory and professional
resources available? bodies, agencies, emergency services, and the voluntary sector.
• Was the response structure established as defined within the The continuity capability of suppliers and outsourced activities that
business continuity plan? have been prioritised should be considered an important part of
validating the organization’s business continuity plan. Including them
• Were roles and responsibilities allocated as per the business in the exercise programme is not only part of ongoing relationship
continuity plan? management with interested parties, but could form part of the legal,
regulatory, or contractual arrangement.
• Were lines of communication established with interested parties?
Inviting observers and external visitors to participate in an exercise
Preparation: The scope and complexity of the exercise should
requires careful consideration. The advantages and disadvantages of
determine the competencies needed by the team designing and
allowing visitors to observe the exercise should be discussed with top
running the exercise. Members of the team should ideally have good
management. The organization should consider any operational or
project management skills, possess skills in exercise design and
reputational risks involved with external participation together with
delivery, and know the organization or have experience within the
any health and safety implications.
industry sector being exercised.
Although it is sometimes necessary to conduct an unannounced
Although it is often appropriate for existing personnel to develop
exercise, for example, an ‘out of hours’ call-out cascade, it is more
and run exercises, there are other options which can involve the
common for exercises to be pre-announced to key participants to
engagement of external parties. For example, the emergency services
minimise the risk of the exercise causing unintended disruption. The
may be willing to be involved in some types of exercises such as an
warning time and the number of pre-warned participants may reduce
evacuation drill or where the exercise scenario may have broader
as the organization becomes more confident in its business continuity
community impacts.
capability.
Whether internally or externally facilitated, an individual or team
should be nominated to run the exercise. This individual or team
should manage the exercise in accordance with the exercise plan and
schedule, initiating and controlling the various stages as the exercise
progresses.
92
© Copyright 2017 The Business Continuity Institute
Process
1.
Although a Agree the scope,
range of different exercises aims, objectives and 2.
are undertaken in the expected outcomes Identify the
P P 6 - VALIDATIO N
Validation stage of the business of the exercise. exercise planning
continuity management team and team
lifecycle, the following roles.
process can be applied to any
individual exercise:
3.
Plan and
design the exercise,
including setting a budget
and time frame as well as
4. conducting a risk assessment
Conduct to identify the risks of impact
the on business as usual tasks,
5. where appropriate.
Assess and report the exercise.
outcome and lessons
learned, including
a debrief with the
participants
immediately after
the exercise. 6.
Follow up
to address any issues
raised by the exercise
and take corrective
action as
required. PP6
VA LI DAT ION
that demonstrates how the exercise elements come together. the business continuity plan, where relevant.
This should be a chronological sequence of the steps that show
Prior to the exercise starting: All participants should be aware
when and how each event, action, or procedure should occur. The PP4
of what is required of them before, during and after the exercise. D E SIGN
schedule can also list the anticipated participant response to an
Participants can be informed via written communication in
event, especially if this is defined in the business continuity plan.
advance of the exercise and a briefing at the start of the exercise.
The individuals coordinating or facilitating the exercise use the
It is essential the briefing does not reveal information that may
schedule to ensure the exercise runs as planned and to prompt PP3
adversely affect the intended aim of the exercise. A NA LYS IS
participants to refer to specific business continuity plan content
or procedures so that they can be validated. Topics for the pre-exercise briefing may include:
PP2
Individual scheduled exercise events are commonly known as • Exercise aims and objectives. E m b e dd ing
B u sine ss
‘injects’ which can be delivered by the facilitator or role players.
C ontin uity
• Roles and responsibilities during the exercise.
Each inject should consider the following information:
PP1
• Information, communication tools, and technology to be used. P OLIC Y &
• Exercise objective. P ROGR A M M E
• Action in the event of unforeseen circumstances. MANAGEMENT
• Designated event time frame.
• Post-exercise activities.
• Event description. CONTENTS
To prevent misunderstanding or unintended organizational
• Delivery method of the inject. disruption, it is essential that participants and the wider
organization are aware of when and where an exercise is taking
• Participants or teams who should receive the inject.
place and that the incident is part of an exercise. GLOSSARY
93
BCI Good Practice Guidelines 2018 Edition
If the exercise requires that there is no notice or there is limited carried out to promote organizational learning and encourage open
notice given, participants should be briefed as soon as possible after and honest feedback.
the exercise starts.
Debriefing should:
Starting the exercise: The start of the exercise should be clearly
communicated to all participants and may involve the use of an • Respect the rights of the individuals.
announcement or an inject.
• Value all participants equally.
During the exercise: Exercise events and injects should occur in a
• Acknowledge identified issues but focus on opportunities for
predefined way as outlined in the exercise plan and schedule.
enhancement.
Communication injects such as telephone calls, emails etc. should
• Follow-up individual, group or organizational understanding and
include an obvious warning or code word such as ’Exercise Only’ to
learning.
ensure the information is not mistaken for a real message.
There are several ways of obtaining information for the debrief:
Suspending the exercise: It may be necessary to pause or stop
an exercise. Participants need to understand how this may occur. • Hot debrief: This is held immediately after an exercise, prior to
One way is to use a distinctive code word which should prompt personnel leaving the exercise location. It gives the participants the
an immediate suspension. This should be a word not usually used opportunity to highlight a variety of immediate issues and concerns.
within the work environment. The exercise may have to be stopped
if participant safety is, or could be compromised, or where an actual • Formal debrief: This should be held within one week of the exercise
incident or crisis has occurred. taking place and may address wider organizational issues rather
than individual or group concerns. It should look for strengths and
For complex exercises, the individual or team responsible for weaknesses as well as ideas for future learning.
planning and managing the exercise should ensure that there are
agreed stop and go points at key stages throughout the exercise. • Surveys: These can be issued to obtain feedback from participants.
These points can be applied if the team is making decisions that The surveys could contain a rating system that allows respondents
would not be appropriate in the given scenario, or to re-focus if the to score the effectiveness of the exercise. Surveys are particularly
exercise participants have become distracted from the main exercise helpful for participants who prefer to respond in writing, or if
objectives. Taking time out can also be a useful learning opportunity an exercise group is spread over many locations. It also provides
to discuss exercise decisions or concerns, or to address a significant opportunities for reflective responses. A scoring system, if used, can
deviation from an expected participant action which could, if not allow for future benchmarking and performance review.
rectified, affect the progress and successful outcome of the exercise.
• Interviews: These should be held within one week of the exercise.
Following a suspension, the exercise should be restarted or in extreme The interview could be conducted one to one or with a small group
cases, terminated. of participants.
Ending the exercise: The decision to end the exercise should rest • Post-exercise report: The results of the debriefing should be used
with the individual or team managing the exercise. Consideration to prepare a post-exercise report including recommendations for
should be given as to whether the objectives have been achieved improvement.
within the allocated time frame for the exercise.
To ensure any lessons identified are accepted and addressed by the
Sufficient time should be allowed at the end of the exercise for an organization, the post-exercise report should be distributed to all
immediate debrief to take place. exercise participants, other relevant personnel and interested parties.
Debriefing: The aim of exercise debriefing is for participants to It is essential that there is a management process to ensure that the
share their experiences of the exercise, and the scenario if used, so findings of the post-exercise report are included in the organization’s
that lessons can be identified, agreed, and incorporated into the review and considered in the business continuity programme update.
business continuity programme. Plans, procedures, training, and The organization should create and seek top management approval
awareness activities can then be modified to reflect lessons learned, for action plans to implement the recommendations, as they may
and therefore improve the organization’s ability to respond to future involve changes to the wider business continuity programme.
incidents. This style of debrief should not be confused with a detailed
investigation that may be used following a real incident. If significant issues have been identified in an exercise, the
organization should consider repeating the exercise, after corrective
As part of the debrief, the exercise should be evaluated against the actions have been put in place.
objectives defined when the exercise was planned.
94
© Copyright 2017 The Business Continuity Institute
The outcomes of the exercise development and delivery • Validation of suitability of the continuity infrastructure
process are: (command centres, work areas, technology, and
telecommunications resources).
• An exercise plan or brief which outlines the objectives, scope,
roles and responsibilities, and approach of how the exercise • Confirmation of the availability of personnel and processes for
should be conducted. relocation.
P P 6 - VALIDAT IO N
• Exercise delivery materials and resources required to conduct • Enhanced awareness of business continuity, crisis management,
the exercise. and emergency response procedures.
• One or more completed exercises. • An increased awareness of the significance of business
continuity.
• A post-exercise report, with recommendations for corrective
actions. • Ideas for further exercises and scenarios relevant to the
organization.
The outcomes that exercises should seek to achieve include:
The exercise development process should be regularly reviewed
• Confirmation that personnel are familiar with their roles, at pre-agreed intervals or following significant change as defined
responsibilities, and authority in response to an incident. within the business continuity policy.
• Validation of the technical, logistical, and administrative aspects
of the business continuity plan.
Maintenance
Maintenance of the business continuity programme keeps the Requirements for maintenance activities can be identified
organization’s business continuity arrangements up to date. This using the following: PP6
VA LI DAT ION
ensures that the organization remains ready to respond to, and
manage the impacts from incidents effectively, despite periodic • Lessons learned through exercising.
organizational change. PP5
• Changes to the organization’s structure, products and services,
IMPLEMENTATION
infrastructure, processes, or activities.
CONTENTS
GLOSSARY
95
BCI Good Practice Guidelines 2018 Edition
Process
A formal process for maintaining the business continuity For example, the plans containing contact details may need to be
programme needs to be established. The process should be maintained monthly or quarterly, whereas maintenance of the
undertaken at planned intervals and embedded into the business continuity policy should be scheduled once a year.
organization’s change management process. The frequency at
which maintenance is carried out will depend on the nature and
expected pace of change in the activity being maintained.
Responsibility
for undertaking
the planned
maintenance process 2.
should be given to an Analyse the 4.
individual or team impacts of any Make the
who should: changes. agreed changes
3.
Agree the as required.
1.
Review changes to be
what has changed made to specific
since the last elements of the
business continuity 5.
update. Identify and
programme.
advise interested
parties of any changes
that have an impact
on them.
6.
Assess additional
requirements to
8. 7. training, awareness
If plans and and communications,
Provide training,
documents have based on
awareness, and
changed, distribute changes.
communications
the new versions as
as required.
appropriate.
9.
Identify the
date for undertaking
the next planned
maintenance,
and schedule the
maintenance.
96
© Copyright 2017 The Business Continuity Institute
P P 6 - VALIDATI ON
• Determining the adequacy and availability of external services
that might be required, such as asset restoration, recovery sites
and subcontracts.
PP6
VA LI DAT ION
97
BCI Good Practice Guidelines 2018 Edition
Review
The purpose of a review is to evaluate the business continuity policy • Quality Assurance (QA): A process that ensures that the various
and programme for continuing suitability, adequacy, and effectiveness. outputs from the business continuity programme meet the defined
requirements.
Methods and Techniques • The alignment and integration of the business continuity
programme in relation to other organizational response procedures
which may include:
The following criteria can be considered for assessment to
support the review of the organization’s business continuity - Emergency management procedures.
programme:
- Health and Safety procedures.
• Whether the programme is up to date and aligned to the
organization’s: - Security procedures.
- Governance structure and strategic objectives. - ICT recovery plans and processes.
- Culture and operating environment. • The frequency and effectiveness of training and awareness sessions
and whether these enhance the overall level of awareness and
- Technology systems (primarily ICT specific business understanding of business continuity.
applications and critical operating systems).
• An assessment of the competency of the individuals assigned roles
- Other prioritised resource dependencies (non-ICT specific). in the business continuity programme (including alternates).
- Business continuity policy. • The frequency and effectiveness of exercising and whether it is used
to validate the effectiveness of the business continuity programme.
• The effective use of resources and procedures, for example, systems,
tools, and response and recovery procedures etc. within the business • The performance of the personnel who are directly accountable for
continuity programme. management of the business continuity programme.
98
© Copyright 2017 The Business Continuity Institute
Audit
Auditing is designed to verify that the business continuity An audit assumes that if the process is undertaken correctly and
process has been followed correctly, not that the solutions properly applied, then the outcome should provide evidence
adopted are necessarily correct. of an effective programme. It also assumes that the method
adopted by the organization is effective and provides a suitable
P P 6 - VALIDAT IO N
The purpose of a business continuity management audit is to
framework for audit.
analyse an organization’s existing business continuity programme
and verify it against predefined standards and criteria to deliver a The assessment method adopted by the organization should have
structured audit report. been defined in its business continuity policy document.
Audits should be conducted at planned intervals to confirm that The person carrying out the audit should have the relevant
the organization is conforming with its own business continuity competencies and skills to perform this task.
policy or the organization’s audit and governance policies where
relevant.
Process 5.
4. Compiling
Reviewing
and summarising
The business continuity management audit is a detailed information
interview notes,
process and requires interaction with a wide range of gathered by the
questionnaires and
managerial and operational roles from both business and audit activities.
other information.
technical perspectives.
3.
2. Defining
Defining the audit 6.
The audit
1. approach.
Developing the audit Identifying
process should scope. gaps in content and
an audit PP6
include: level of information
plan. VA LI DAT ION
gathered then
7. conducting follow-
Obtaining and up interviews as
8. comparing relevant PP5
appropriate. IMPLEMENTATION
Reference documentation
to secondary sources, relating to the
for example, standards, business continuity
9. regulations, and programme. PP4
legislation to validate D E SIGN
Finalising a draft
audit report that preliminary
reflects both the interests findings.
of the audit sponsor and PP3
the measurements set 12. A NA LYS IS
by external sources, for Finalising a
example, regulatory, monitoring process PP2
legal, and industry to ensure that the E m b e dd ing
standards. audit action plan is B u sine ss
C ontin uity
implemented within
11. the agreed time
10. Finalising frame.
PP1
P OLIC Y &
Presenting the
an agreed remedial P ROGR A M M E
draft audit report for MANAGEMENT
action plan including time
discussion and approval
frames to implement the
with key interested
agreed recommendations of
parties, incorporating CONTENTS
the audit report. This should
recommendations as well
also form a key element
as audited responses where
of the business continuity
differences of opinion
programme.
persist. GLOSSARY
99
BCI Good Practice Guidelines 2018 Edition
The methods used for auditing should be determined by those The definition of the audit scope should include:
undertaking the audit and should comply with the organization’s
• Corporate governance, compliance, or other issues to be audited.
business continuity policy, as well as the organization’s established
auditing procedures where relevant. • Area, department, or site of the organization to be audited.
• The audit objectives, which in part should be driven and governed, • The auditing activities that should be undertaken, for example,
or restricted by, legal or regulatory requirements. This includes key questionnaires, face to face interviews, document reviews, and
issues of high priority. solution reviews.
• A standard audit framework (where appropriate) which is to be used. • An activity timetable and due dates.
The audit framework should be governed or restricted by legal or • Identification of the audit evaluation criteria.
regulatory requirements.
• Any requirements for specific subject expertise or outsourced service
provider assistance to conduct the audit.
100
© Copyright 2017 The Business Continuity Institute
Self-Assessment
P P 6 - VALIDAT ION
Self-assessment can be carried out between audits to identify
progress against audit recommendations.
PP5
IMPLEMENTATION
GLOSSARY
101
BCI Good Practice Guidelines 2018 Edition
Quality Assurance
Quality Assurance is the process of determining whether the outputs Quality Assurance is an ongoing process throughout the business
from the business continuity programme meet the organization’s continuity management lifecycle. It assumes that the requirements
requirements and expectations, which may or may not have been for the outputs of the business continuity programme have been
formally defined. identified.
2.
Comparing
3. the output to the 1.
4. Identifying requirements or Identifying
Acting to any shortfall in expectations. requirements or
remedy any requirements or expectations.
shortfall. expectations.
Requirements can be identified by reviewing the business The outcome of Quality Assurance should be:
continuity programme, however identifying expectations involves
interviewing personnel and interested parties. • An improvement in the way the outputs from the business
continuity programme meet the organization’s requirements
The organization can use the following questions when and expectations.
comparing business continuity programme outputs to the
requirements or expectations and identifying shortfalls: The Quality Assurance process should be regularly reviewed at
pre-agreed intervals or following significant change as defined
• Does a document conform to the document control standards?
within the business continuity policy.
• Has the plan been verified by its owner?
• Does a BIA identify the MTPDs of all prioritised activities?
• Have the appropriate details (quantity, time frame, and source)
of required resources for continuity and recovery of an activity
been identified?
• Have the recommended continuity and recovery solutions been
agreed by top management?
• Does the business continuity plan have an agreed scope signed
off by top management?
• Have any previous quality assurance reports been reviewed and
actions or recommendations addressed?
102
© Copyright 2017 The Business Continuity Institute
Performance Appraisal
Roles and responsibilities for the business continuity programme An organization’s performance appraisal process assumes that
should have been defined as part of business continuity policy. the roles and responsibilities for business continuity positions
Performance appraisals should be used to check how well those have been defined.
roles and responsibilities are being undertaken.
P P 6 - VALIDAT IO N
4.
Incorporating
Process measures in
annual
3. appraisals.
The performance appraisal process can be undertaken as part of Defining
a regular personnel appraisal process, or to review an individual’s success
performance of their responsibilities in the business continuity factors.
programme specifically.
5.
Evaluating
1. 2. and reviewing
Defining performance
Confirming
appropriate measures against
the individual’s role
for the role, for measures.
and responsibilities
example, objectives,
The process in the business
measurement targets
involves: continuity
and standards.
programme.
6.
Producing
performance
scores.
7.
Providing a PP6
remedial action VA LI DAT ION
plan to remedy
any shortfall in
performance. PP5
IMPLEMENTATION
PP4
D E SIGN
GLOSSARY
103
BCI Good Practice Guidelines 2018 Edition
Supplier Performance
The review process of the business continuity programme of any Supplier performance should be reviewed against contractual
supplier on which the organization depends should be similar to the service level agreements (SLAs), which in the case of key suppliers
process employed for reviewing the organization’s own programme. should relate to their business continuity programme.
Increased supplier performance and capability can be achieved by
including and assessing their exercise activities.
The process for reviewing key suppliers’ business continuity • An action plan for improving supplier performance.
programmes and reviewing suppliers of recovery services should be
defined in their contracts. The business continuity programme of key • Increased readiness and assurance of prioritised supplier
suppliers should be reviewed as if they were part of the organization activities.
itself. This is in the same way that the business continuity
The performance of the supplier’s business continuity
arrangements of any internal department, location, or outsourced
programme should be regularly reviewed at pre-agreed intervals
service provider that provides products and services would be
or following significant change as defined within the business
reviewed.
continuity policy.
104
© Copyright 2017 The Business Continuity Institute
Management Review
A management review provides opportunities for top A management review should include information
management to understand the performance of the business relating to the following:
continuity programme. It should be aligned to organizational
• The status of actions from previous management reviews.
objectives, and their adequacy to address governance and the
P P 6 - VALIDAT ION
overall approach to managing risk should be understood. • Changes to the internal and external environment,
if relevant to the organization’s business continuity
programme.
• Results of exercising.
PP3
A NA LYS IS
PP2
E m b e dd ing
B u sine ss
C ontin uity
PP1
P OLIC Y &
P ROGR A M M E
MANAGEMENT
CONTENTS
GLOSSARY
105
BCI Good Practice Guidelines 2018 Edition
Thought
Membership
Leadership
Corporate Global
Partnership Community
106
BCI Membership Grades
FBCI
AFBCI
MBCI
AMBCI
DBCI
CBCI PP6
VA LI DAT ION
PP5
Affiliate IMPLEMENTATION
Student
PP4
D E SIGN
PP3
A NA LYS IS
PP2
E m b e dd ing
B u sine ss
C ontin uity
PP1
P OLIC Y &
P ROGR A M M E
MANAGEMENT
CONTENTS
GLOSSARY
Good Practice
Guidelines
2018 Edition
The global guide to good
practice in business continuity.
Berkshire education@thebci.org
RG4 5AF, UK advertising@thebci.org
Correct at November 17