Creating, practicing, and maintaining a successful Business Continuity Management (BCM) program requires detailed documentation, diligence, and discipline. It is an involved process that will only succeed when you have the right buy-in, and the right resources working together to develop, implement, and audit it.
“Business Continuity Planning can be described as a three-legged stool,” says Jeff Fulton, a fractional Chief Information Officer (fCIO) at Safety Net. Jeff has decades of experience with BCP for large corporations like American Express and Time, Inc., and he is a Certified Business Continuity Professional (CBCP).
3 Legs of the BCP Stool
- Business Continuity Planning (yes, the first leg is the same as the concept itself) – All about the people, places, and processes. During an event, where do people go? What do they need to do to keep the business running? And what’s the plan for each department within an organization?
- Crisis Management – This is physical safety, employee protection, and related communications. For example, communicating with your staff during a severe weather alert, or relaying information to the fire department or law enforcement during a fire or active shooter situation.
- Disaster Recovery (DR) – The “things” part of a BCM program. How will you recover from a server failure? A network outage? A crypto virus? Do you have backups or workarounds in place? What is the priority for systems recovery in the event of a disaster?
10 Professional Process Steps
There are ten professional practice steps to a successful BCM program. Working through the steps is time consuming, but the benefits are immeasurable. Without a thorough plan in place, many organizations fail to recover from a disaster. Investing the resources to develop, practice, and revisit a BCP will put you in a position to navigate unexpected outages, natural disasters, or dangerous workplace events.
- Program Initiation and Management
Establish the need for a BCM Program and identify the program components from understanding risks and vulnerabilities through development of resilience strategies, and response, restoration, and recovery plans. The objectives of this professional practice are to obtain leadership’s support and funding, and to build the organizational framework to develop the BCM program.
- Risk Evaluation and Control
Identify the risks/threats and vulnerabilities that are both inherent and acquired which can adversely affect the organization and its resources or impact the organization’s image. Once identified, threats and vulnerabilities will be assessed as to the likelihood that they would occur and the potential level of impact that would result. The organization can then focus on high probability and high impact events to identify where controls, mitigations, or management processes are non-existent, weak, or ineffective. This evaluation results in recommendations from the BCM Program for additional controls, mitigations, or processes to be implemented to increase resiliency from the most commonly occurring and/or highest impact events.
- Business Impact Analysis (BIA)
During this step, the organization identifies the likely and potential impacts from events on the organization or its processes, and the criteria that will be used to quantify and qualify such impacts. The criteria to measure and assess the financial, operational, customer, regulatory and/or reputational impacts must be defined and accepted and then used consistently to define the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for each of the organization’s processes. The result of this analysis is to identify time sensitive processes and the requirements to recover them in an acceptable timeframe.
- Business Continuity Strategies
The data that was collected during Risk Evaluation and BIA is used to identify available continuity and recovery strategies for the organization’s operations and technology. Recommended strategies must be approved and funded and must meet both the recovery time (RTO) and recovery point objectives (RPO) identified in the BIA. A cost benefit analysis is performed on the recommended strategies to align the cost of implementing the strategy against the assets at risk.
- Emergency Preparedness and Response
Define the requirements to develop and implement the organization’s plan for response to emergency situations that may impact safety of employees, visitors, or other assets. The emergency response plan documents how the organization will respond to emergencies in a coordinated, timely, and effective manner to address life safety and stabilization of emergency situations until the arrival of trained or external first responders.
- Business Continuity Plan Development and Implementation
The Business Continuity Plan is a set of documented processes and procedures which will enable the organization to continue or recover time-sensitive processes to the minimum acceptable level within the timeframe acceptable to the organization. In this phase of the Business Continuity Management Program, the relevant teams design, develop, and implement the approved continuity strategies and document the recovery plans to be used in response to an incident or event.
- Awareness and Training Programs
A program is developed and implemented to establish and maintain awareness about the Business Continuity Management (BCM) Program and to train the organization’s staff so that they are prepared to respond during an event.
- Business Continuity Plan Exercise, Audit, and Maintenance
Establish an exercise, testing, maintenance, and audit program. To continue to be effective, a Business Continuity Management (BCM) Program must implement a regular exercise schedule to establish confidence in a predictable and repeatable performance of recovery activities throughout the organization. As part of the change management program, the tracking and documentation of these activities provides an evaluation of the on-going state of readiness and allows for continuous improvement to recovery capabilities and ensure that plans remain current and relevant. Establishing an audit process will validate the plans are complete and accurate and in compliance with organizational goals and industry standards as appropriate.
- Crisis Communications
Define the framework to identify, develop, communicate, and exercise a crisis communications plan to address how communications will be handled by the entity before, during and after an event. The crisis communications plan is developed collaboratively with the organization’s public information and internal information resources where they exist to ensure consistency of communication. The plan will address the need for effective and timely communication between the organization and all the stakeholders impacted by an event or involved during the response and recovery efforts.
- Coordinating with External Agencies
Establish policies and procedures to coordinate response, continuity, and recovery activities with external agencies at the local, regional, and, if necessary, national levels while ensuring compliance with applicable statutes and regulations.
Diving into the process of business continuity planning is best guided by experienced professionals who are familiar with the intricacies of these ten steps. There are courses and certifications available through Disaster Recovery Institute International (DRI). Because the initial creation of a BCM program is a one-time thing for most organizations, it can be more cost-effective and a better use of internal resources to work with a third-party. Safety Net provides managed service clients with a “Disaster Recovery Lite” plan. It is a document that contains critical operation details and a plan for getting them back online after an event. More extensive planning is available on a project basis.
There’s no question that 2020 changed the business world forever. While COVID-19 gave us all a taste of the drastic measures required to adjust to an unexpected crisis, many organizations still do not recognize the need for a BCM program. Your services, your products, your colleagues, and your success are valuable and deserve the investment!
August 30, 2023 in Blog
August 23, 2023 in Blog, Security