
Introduction to Business Continuity Management


Background

Business Continuity is receiving increasing attention world-wide as the frequency of incidents increases in an interdependent world, and with it the need to counter threats to the organisation that could have a severe impact on business operations.

Business Continuity Management (BCM) is a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

The main purpose is to prevent any significant impact on the brand, image and reputation of the enterprise, whilst ensuring business continuance. This requires the implementation of a Business Continuity Programme that is an enabling mechanism for information sharing, delivering improvements to the protection of assets and people, and the implementation of plans for major incidents.

This plan should therefore be able to respond to:

“Any unwanted significant incident that threatens personnel, buildings and/or the operational effectiveness of an organisation, which requires special measures to be taken to restore the business back to normal”.
(Source: Home Office, How Resilient is your Business to a Disaster)

For the programme to be effective, the ongoing management and governance process should be supported by senior management and resourced sufficiently to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and plans, and ensure continuity of products/services through thorough training, testing and exercising.

The Business Continuity Institute (BCI) Good Practice Guidelines 2008 provide a management guide to implementing global good practice in BCM, and can be found at
http://www.thebcicertificate.org/bci_gpg.htm. The next step is BS 25999.



The Business Continuity Institute


The Business Continuity Institute (BCI) was established in 1994 to enable individual members to obtain guidance and support from fellow business continuity practitioners. The BCI currently has over 4000 members in 85+ countries.

Membership of the BCI is open to business continuity practitioners at all levels of experience, and provides internationally recognised status as this valued certification demonstrates the members’ competence to carry out Business Continuity Management (BCM) to a consistent high standard.

Historically, the skills required to achieve certification and ultimately professional membership of the Business Continuity Institute have been presented as a list of 10 required subject areas. To maintain consistency with the continuous nature of business continuity management as illustrated by the BCM Lifecycle, the BCI has mapped these fundamental skills against the stages of the Lifecycle, presenting the mandatory requirements in 6 distinct sections as detailed below. The Business Continuity Institute's Good Practice Guidelines are published in 6 chapters which correspond to these sections.

The BCI Professional Recognition Programme provides an international structure for the Certification of business continuity practitioners. It has created a benchmark for the assessment of best practice and encouraged the enhancement and further development of related skills. The Certification is based on a set of standards known as the Certification Standards for Business Continuity professionals, which have been accepted internationally and were developed and published in co-operation with the Disaster Recovery Institute International of the USA. Each element links with the other elements to form the continuum of business continuity management.

Professional Grades of FBCI, MBCI, SBCI and AMBCI are certified grades and members within these grades have undergone a rigorous application process.

Following the introduction of the BCI Certificate in 2007, a non-membership credential was launched in April 2008: the CBCI. Holders of the CBCI have passed the BCI Certificate, demonstrating a thorough knowledge and understanding of the BCI's Good Practice Guidelines. Holders of the CBCI may proceed to professional membership of the BCI if they can also prove practical experience of BCM to supplement their knowledge and understanding:
http://www.thebcicertificate.org/

2007 saw the launch of the BCI Partnership enabling organisations to work more closely with the Business Continuity Institute to deliver the overall BCI mission of:

Promoting the art and science of business continuity management worldwide

The wider role of the BCI and the BCI Partnership is to promote the highest standards of professional competence and commercial ethics in the provision and maintenance of business continuity planning and services.



BS25999


This Standard provides a comprehensive set of controls based on BCM best practice and covers the whole BCM lifecycle. It is intended for use by anyone with responsibility for business operations, from board directors and chief executives through all levels of the organization; from those with a single site to those with a global presence; from sole traders and SMEs to organizations employing thousands of people.

BS25999 Part one

This Standard establishes the process, principles and terminology of business continuity management (BCM), providing a basis for understanding, developing and implementing business continuity within an organisation and to provide confidence in business-to-business and business-to-customer dealings.

BS25999 Part two

BS 25999-2 specifies requirements for establishing, implementing, operating, monitoring, reviewing, exercising, maintaining and improving a documented Business Continuity Management System (BCMS) within the context of managing an organization’s overall business risks.

The requirements specified in BS 25999-2 are generic and intended to be applicable to all organizations (or parts thereof), regardless of type, size and nature of business. The extent of application of these requirements depends on the organization's operating environment and complexity.

Therefore the design and implementation of a BCMS to meet the requirements of this standard will be influenced by regulatory, customer and business requirements, the products and services, the processes employed, and the size and structure of the organization. It is not the intent of this British Standard to imply uniformity in the structure of a BCMS; rather, an organization should design a BCMS that is appropriate to its needs and meets its stakeholders' requirements.

BS 25999-2 can be used by internal and external parties, including certification bodies, to assess an organization’s ability to meet its own business continuity needs, as well as any customer, legal or regulatory needs.

This standard is not intended as a beginner’s guide to business continuity management:
http://www.bsi-global.com/en/Shop/Publication-Detail/?pid=000000000030157563



Standards and guidelines


UK: Turnbull. The Combined Code for corporate governance, requiring all significant risks to be addressed in statements and annual accounts (following the Cadbury, Hampel and Greenbury reports). http://www.frc.org.uk/corporate/internalcontrol.cfm

UK: Data Protection Act 1998. Organisations must be able to recover and control information security and personal data, and use personal data only for its specific and intended purpose; companies that store personal data must be registered. http://www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_1

UK: ISO 27002 (replaces ISO 17799/BS 7799). Information security standard; Section 14 refers to Business Continuity. http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=39612

UK: FSA Good Practice Guide. Guidance on Business Continuity for financial services. http://www.fsa.gov.uk/pubs/other/bcm_guide.pdf

UK: BCI Good Practice Guide 2008. Guidance on measures of Business Continuity. http://www.thebci.org/GPG2008V1%20Section4.pdf

UK: BS 25999-1:2006 British Standard (replaces PAS 56:2003). A code of practice that takes the form of guidance and recommendations. It establishes the process, principles and terminology of business continuity management (BCM), providing a basis for understanding, developing and implementing business continuity within an organization and providing confidence in business-to-business and business-to-customer dealings. http://www.bsi-global.com/en/Assessment-and-certification-services/management-systems/Standards-and-Schemes/BS-25999/

UK: Unlawful killing / corporate manslaughter. Directors may be prosecuted if the 'corporate mind' is found negligent in contributing to a death through lack of policy, systems or procedures, or through inadequate training and supervision. http://www.cps.gov.uk/legal/section5/chapter_b.html

UK: ITIL. The IT Infrastructure Library's Service Management Practices, designed to ensure that IT services are provided and remain as intended.

UK: Civil Contingencies Act. The Act received Royal Assent on 18th November 2004 and is split into two parts: Part 1 addresses local arrangements for civil protection and Part 2 concerns the conditions and scope of the necessary emergency powers. A comprehensive history of related press releases, letters from the Civil Contingencies Secretariat and further information can be found on the UK Resilience website.

UK, Australia, Israel, Japan, USA: ISO/PAS 22399:2007. ISO has published the first internationally ratified benchmark document addressing incident preparedness and continuity management for organizations in both the public and private sectors. The Publicly Available Specification ISO/PAS 22399:2007, Societal security – Guideline for incident preparedness and operational continuity management, is based on best practice from five national standards. http://www.thebci.org/ISOTC223_N067_ISO.pdf

USA: NFPA 1600. American National Standard on Disaster/Emergency Management and Business Continuity Programmes, 2007.

USA: Disaster Recovery Institute International (DRII). Professional Practices for Business Continuity Professionals.

USA: Disaster Recovery Journal (DRJ). Generally Accepted Business Continuity Practices.

Australia: HB 221:2004. Definition and process for business continuity management, with a workbook that may be used by organisations to assist in implementation.

Australia: HB 292/293:2006. Consists of HB 292, A Practitioner's Guide to Business Continuity Management, and HB 293, Executive Guide to Business Continuity Management.

Singapore: TR19:2005. Specifies the requirements for organisations intending to build competence, capacity, resilience and readiness to respond to and recover from events which threaten to disrupt normal business operations and activities.



The Business Continuity Management Function


Business Continuity Management

Business continuity management (BCM) is a process that helps manage risks to the smooth running of an organisation or delivery of a service, ensuring continuity of critical functions in the event of a disruption, and effective recovery afterwards.

Good BCM helps organisations identify their key products and services and the threats to these. Planning and exercising minimise the impact of potential disruption. They also aid the prompt resumption of service, helping to protect market share, brand, image and reputation. In order to be successful, BCM must be regarded as an integral part of an organisation's normal ongoing management processes. To achieve this, top-level buy-in is vital, as it disseminates the importance of BCM throughout the organisation. Engaging senior staff is crucial to the success of any major programme because of the influence they have over resource allocation and the culture of an organisation.

Business Continuity under the Civil Contingencies Act

The Civil Contingencies Act requires Category 1 responders to maintain plans to ensure that they can continue to exercise their functions in the event of an emergency so far as is reasonably practicable.

The BCM duty in the Act relates to all the functions of a Category 1 responder, not just its civil protection functions. Hence the legislation requires Category 1 responders to maintain plans to deal with emergencies (see the Emergency planning section) and put in place arrangements to warn and inform the public in the event of an emergency (see the Warning and informing the public section). But it also requires them to make provision for ensuring that their ordinary functions can be continued to the extent required. The Regulations also require Category 1 responders to put in place a training programme for those directly involved in the execution of the BCP should it be invoked.

The risk assessment duty for Category 1 responders under the Act should inform the development of appropriate continuity strategies (see the Risk section for further detail on risk assessment).

The Act also requires local authorities to provide advice and assistance to businesses and voluntary organisations in relation to business continuity management. This duty is an integral part of the Act's wider contribution to building the UK's resilience to disruptive challenges. It should not be seen as a stand-alone duty, but rather in many ways is a logical extension of the work already undertaken to fulfil other duties under the act (e.g. working with commercial and voluntary organisations in the development and exercising of emergency plans).



Employee competences

The six subject areas listed below cover the competencies required by a professional practitioner in order to deliver effective Business Continuity Management, and the framework for BS25999:

Subject Title and Description
1 BCM Programme Management
a) Establishing the need for a Business Continuity Management (BCM) Process, including: resilience strategies, recovery objectives, business continuity and incident management plans, obtaining management support for such a process.
b) Organising and managing the formulation of the function or process either in collaboration with, or as a key component of an integrated risk management initiative.
c) Developing, co-ordinating, evaluating and creating plans and procedures to communicate with external stakeholders, including the media, during incidents.
2 Understanding the Organisation
a) Business impact analysis (BIA):
Identifying the impacts resulting from disruptions and disaster scenarios that can affect the organisation and developing techniques that can be used to quantify and qualify such impacts.
Establishing critical functions, their recovery priorities and inter-dependencies so that recovery time objectives can be set.
b) Risk evaluation and control:
Determining the events and environmental surroundings that can adversely affect the organisation and its facilities with disruption and/or disaster and understanding the damage such events can cause.
Establishing the controls needed to prevent or minimise the effects of potential loss.
Providing cost-benefit analysis to justify investment in controls to mitigate risks.
3 Determining BCM Strategy
a) Determining and guiding the selection of alternative business recovery operating strategies for continuation of business within recovery time and/or recovery point objectives, while maintaining the organisation’s critical functions.
b) Delivering solutions for continuation of business within the recovery time and/or recovery point objectives, whilst maintaining the organisation’s critical functions.
c) Developing, coordinating, evaluating and creating plans and procedures to communicate with internal stakeholders during incidents.
d) The provision of post-incident support and guidance for employees and their families.
4 Developing and Implementing BCM Response
a) Developing and implementing emergency response procedures for responding to and stabilising the situation following an incident or event.
b) Establishing and managing an Emergency Operations Centre to be used as a command centre during the emergency.
c) Practical experience in handling incidents/emergencies.
d) Designing, developing and implementing business continuity and incident management plans that provide continuity within recovery time and/or recovery point objectives.
5 Exercising, Maintaining and Reviewing
a) Pre-planning and coordinating plan walkthroughs/exercises.
b) Evaluating, updating, improving and documenting the results of exercises.
c) Developing processes to maintain the currency of continuity capabilities, business continuity and incident management plans in accordance with the organisation’s strategic direction.
d) Establishing appropriate policies and procedures for coordinating incidents, continuity and restoration activities with external agencies whilst ensuring compliance with applicable statutes and/or regulations.
e) Practical experience in dealing with external agencies.
6 Embedding BCM in the Organisation’s Culture
a) Preparing a programme to create and maintain corporate awareness and enhance the skills required to develop and implement the business continuity management programme or process and its supporting activities.
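As an added worked example (not from this page, the BCI or BS 25999), the business impact analysis step of subject area 2 and the strategy selection of subject area 3 in Python: each function's tolerance threshold and critical data point from a constructed BIA are propagated along its dependencies to give recovery time and recovery point objectives, the functions are ranked into recovery priorities, and the cheapest standby option (hot, warm or cold site, or a reciprocal agreement, with assumed recovery times and costs) that meets both objectives is chosen. All function names, figures and the rule that a supporting function inherits its dependents' tightest objective are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Function:
    """A business function as captured in a BIA interview (constructed data)."""
    name: str
    tolerance_hours: float   # tolerance threshold: max time the business can do without it
    data_loss_hours: float   # critical data point: max age of data acceptable on recovery
    depends_on: List[str] = field(default_factory=list)


@dataclass
class Strategy:
    """A candidate recovery strategy with its assumed performance and cost."""
    name: str
    recovery_hours: float       # time to have the function running at the standby facility
    data_currency_hours: float  # age of the data available there (backup/replication interval)
    annual_cost: float


def derive_objectives(functions: List[Function]) -> Dict[str, Tuple[float, float]]:
    """Return {function: (RTO, RPO)} after propagating dependents' needs.

    Assumed rule: a supporting function cannot be allowed a longer recovery
    time, or older data, than the tightest of the functions that depend on it,
    so each objective is the minimum over the function itself and everything
    that depends on it, directly or transitively.
    """
    by_name = {f.name: f for f in functions}
    rto = {f.name: f.tolerance_hours for f in functions}
    rpo = {f.name: f.data_loss_hours for f in functions}
    changed = True
    while changed:  # fixed point: values only ever decrease, so this terminates
        changed = False
        for f in functions:
            for dep in f.depends_on:
                if dep not in by_name:
                    raise KeyError(f"{f.name} depends on unknown function {dep!r}")
                if rto[f.name] < rto[dep]:
                    rto[dep], changed = rto[f.name], True
                if rpo[f.name] < rpo[dep]:
                    rpo[dep], changed = rpo[f.name], True
    return {n: (rto[n], rpo[n]) for n in by_name}


def recovery_priorities(objectives: Dict[str, Tuple[float, float]]) -> List[str]:
    """Order functions for recovery: shortest RTO first, then shortest RPO, then name."""
    return sorted(objectives, key=lambda n: (objectives[n][0], objectives[n][1], n))


def select_strategy(rto: float, rpo: float, strategies: List[Strategy]) -> Optional[Strategy]:
    """Cheapest strategy that recovers within the RTO and loses no more data than the RPO."""
    fits = [s for s in strategies
            if s.recovery_hours <= rto and s.data_currency_hours <= rpo]
    return min(fits, key=lambda s: s.annual_cost) if fits else None


def strategy_plan(functions: List[Function], strategies: List[Strategy]) -> Dict[str, Optional[str]]:
    """Map each function to the chosen strategy name, or None if nothing meets its objectives."""
    plan = {}
    for name, (rto, rpo) in derive_objectives(functions).items():
        chosen = select_strategy(rto, rpo, strategies)
        plan[name] = chosen.name if chosen else None
    return plan


# Constructed sample BIA data; the figures are illustrative, not from any real organisation.
FUNCTIONS = [
    Function("Customer payments", tolerance_hours=4, data_loss_hours=1,
             depends_on=["Core banking platform", "Network"]),
    Function("Core banking platform", tolerance_hours=24, data_loss_hours=8,
             depends_on=["Network"]),
    Function("Payroll", tolerance_hours=72, data_loss_hours=24,
             depends_on=["HR database", "Network"]),
    Function("HR database", tolerance_hours=120, data_loss_hours=24),
    Function("Network", tolerance_hours=48, data_loss_hours=168),
]

# Assumed recovery performance and cost of each standby option.
STRATEGIES = [
    Strategy("Hot site", recovery_hours=2, data_currency_hours=0.25, annual_cost=500_000),
    Strategy("Warm site", recovery_hours=24, data_currency_hours=8, annual_cost=120_000),
    Strategy("Cold site", recovery_hours=120, data_currency_hours=24, annual_cost=30_000),
    Strategy("Reciprocal agreement", recovery_hours=48, data_currency_hours=24, annual_cost=10_000),
]

if __name__ == "__main__":
    objectives = derive_objectives(FUNCTIONS)
    plan = strategy_plan(FUNCTIONS, STRATEGIES)
    by_name = {f.name: f for f in FUNCTIONS}
    for name in recovery_priorities(objectives):
        rto, rpo = objectives[name]
        # Contrast with the strategy the function would get if assessed in isolation.
        alone = select_strategy(by_name[name].tolerance_hours, by_name[name].data_loss_hours, STRATEGIES)
        print(f"{name:22} RTO {rto:>4}h RPO {rpo:>4}h -> {plan[name] or 'NO STRATEGY MEETS OBJECTIVES'}"
              f"  (assessed alone: {alone.name if alone else 'none'})")
```

Run stand-alone, the listing shows why the BIA must capture inter-dependencies: the network and core platform would be assigned a reciprocal agreement or warm site on their own figures, but inherit the 4-hour, 1-hour objectives of customer payments and therefore need hot-site cover.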



Glossary of business continuity terms


Activation
The implementation of recovery procedures, activities and plans in response to an emergency or disaster declaration.

Alternative site
An alternative operating location for the usual business functions (i.e. support departments, information systems and manufacturing operations) when the primary facilities are inaccessible. (Associated term: back up site)

Alert
A formal notification that an incident has occurred which may develop into a disaster.

Backlog trap
The effect on the business of a backlog of work that develops when a system or process is unavailable for a long period, and which may take a considerable length of time to reduce.

Building denial
Any damage, failure or other condition which causes denial of access to the building or the working area within the building; e.g. fire, flood, contamination, loss of services, air conditioning failure, forensics.

Business continuity
A proactive process which identifies the key functions of an organisation and the likely threats to those functions; from this information, plans and procedures can be developed which ensure that key functions can continue whatever the circumstances.

Business continuity co-ordinator
A member of the recovery management team who is assigned overall responsibility for co-ordination of the recovery planning programme, ensuring team member training, testing and maintenance of recovery plans. (Associated terms: business recovery planner, disaster recovery planner, business recovery co-ordinator, disaster recovery administrator)

Business continuity plan
A collection of procedures and information which is developed, compiled and maintained in readiness for use in the event of an emergency or disaster. (Associated terms: business recovery plan, disaster recovery plan, recovery plan)

Business continuity management
Those management disciplines, processes and techniques which seek to provide the means for continuous operation of the essential business functions under all circumstances.

Business continuity planning
The advance planning and preparations which are necessary to identify the impact of potential losses; to formulate and implement viable recovery strategies; to develop recovery plan(s) which ensure continuity of organisational services in the event of an emergency or disaster; and to administer a comprehensive training, testing & exercising and maintenance programme.

Business continuity programme
An ongoing process supported by senior management and funded to ensure that the necessary steps are taken to identify the impact of potential losses, maintain viable recovery strategies and recovery plans, and ensure continuity services through personnel training, plan testing and maintenance. (Associated terms: disaster recovery programme, business recovery programme, contingency planning programme)

Business critical point
The latest moment at which the business can afford to be without a critical function or process.

Business impact analysis (BIA)
A management level analysis which identifies the impacts of losing company resources. The BIA measures the effect of resource loss and escalating losses over time in order to provide senior management with reliable data upon which to base decisions on risk mitigation and continuity planning. (Associated terms: business impact assessment, business impact analysis assessment)

Cold site
One or more data centres or office space facilities equipped with sufficient pre-qualified environmental conditioning, electrical connectivity, communications access, configurable space and access to accommodate the installation and operation of equipment by critical staff required to resume business operations.

Contingency fund
An operating expense that exists as a result of an interruption or disaster which seriously affects the financial position of the organisation. (Associated term: extraordinary expense)

Contingency plan (a general non-specific point)
A plan of action to be followed in the event of a disaster or emergency occurring which threatens to disrupt or destroy the continuity of normal business activities and which seeks to restore operational capabilities.

Crisis
An abnormal situation, or perception, which threatens the operations, staff, customers or reputation of an enterprise.

Crisis management team (CMT)
A group of executives who direct the recovery operations whilst taking responsibility for the survival and the image of the enterprise.

Crisis plan or Crisis management plan
A plan of action designed to support the crisis management team when dealing with a specific emergency situation which might threaten the operations, staff, customers or reputation of an enterprise.

Critical service
Any service which is essential to support the survival of the enterprise.

Critical data point
The point to which data must be restored in order to achieve recovery objectives.

Decision point
The latest moment at which the decision to invoke emergency procedures has to be taken in order to ensure the continued viability of the enterprise.

Declaration (of disaster)
A formal statement that a state of disaster exists.

Disaster
Any accidental, natural or malicious event which threatens or disrupts normal operations, or services, for sufficient time to affect significantly, or to cause failure of, the enterprise.

Disaster recovery plan (DRP) or Recovery plan
A plan to resume, or recover, a specific essential operation, function or process of an enterprise.

Disaster recovery (DR)
The process of returning a business function to a state of normal operations either at an interim minimal survival level and/or re-establishing full scale operations.

Emergency data services
Remote capture and storage of electronic data, such as journalling, electronic vaulting and database shadowing.

Emergency
An actual or impending situation that may cause injury, loss of life, destruction of property or interfere with normal business operations to such an extent to pose a threat of disaster.

Emergency control centre
The location from which disaster recovery is directed and tracked; it may also serve as a reporting point for deliveries, services, press and all external contacts.

Emergency management team
The group of staff who command the resources needed to recover the enterprise's operations.

Emergency management plan
A plan which supports the emergency management team by providing them with information and guidelines.

Enterprise
An organisation, a corporate entity; a firm, an establishment, a public or government body, department or agency; a business or a charity.

Enterprise (large scale or super)
An enterprise that is large and complex, in the sense that it could absorb the impact of losing a complete location or business unit. The normal terminology, and perspective, needs to be scaled down by regarding individual locations or business units as self-sustaining entities.

Financial impact
An operating expense that continues following an interruption or disaster, which as a result of the event cannot be offset by income and directly affects the financial position of the organisation.

Hot site
A data centre facility or office facility with sufficient hardware, communications interfaces and environmentally controlled space capable of providing relatively immediate backup data processing support. (Associated terms: warm site, cold site)

Human Resource Disaster Recovery (HRDR)
A specific strategy for dealing with risk assessment, prevention, control and business recovery for critical (key) personnel.

Immediate recovery team
The team with responsibility for implementing the business continuity plan and formulating the organisation's initial recovery strategy.

Impact
Impact is the cost to the enterprise, which may or may not be measured in purely financial terms.

Incident
Any event which may be, or may lead to, a disaster.

Invocation
A formal notification to a service provider that its services will be required.

Information security
The securing or safeguarding of all sensitive information, electronic or otherwise, which is owned by an organisation.

Logistics/Transportation team
A team comprised of various members of departments associated with supply acquisition and material transportation, responsible for ensuring the most effective acquisition and mobilisation of hardware, supplies and support materials.

Mobile standby
A transportable operating environment, usually complete with accommodation and equipment, which can be transported to and set up at a suitable site at short notice.

Mobilisation
The activation of the recovery organisation in response to an emergency or disaster declaration.

Off-site location
A storage facility at a safe distance from the primary facility which is used for housing recovery supplies, equipment, vital records etc.

Operational impact
An impact which is not quantifiable in financial terms but its effects may be among the most severe in determining the survival of an organisation following a disaster.

Outage
The interruption of automated processing systems, support services or essential business operations which may result in the organisation's inability to provide service for some period of time.

Period of tolerance
The period of time in which an incident can escalate to a potential disaster.

Pre-positional resource
Material (i.e. equipment, forms and supplies) stored at an off-site location to be used in business resumption and recovery operations. (Associated term: pre-positioned inventory)

Reciprocal agreement
An agreement in which two parties agree to allow the other to use their site, resources or facilities during a disaster.

Recovery
See system recovery.

Recovery exercise
An announced or unannounced execution of business continuity plans intended to implement existing plans and/or highlight the need for additional plan development. (Associated terms: disaster recovery test, disaster recovery exercise, recovery test, recovery exercise)

Recovery management team
A team of people, assembled in an emergency, who are charged with recovering an aspect of the enterprise, or obtaining the resources required for the recovery.

Recovery plan
A plan to resume a specific essential operation, function or process of an enterprise. Traditionally referred to as a disaster recovery plan (DRP).

Recovery site
A designated site for the recovery of computer or other operations, which are critical to the enterprise.

Recovery strategy
A pre-defined, pre-tested, management approved course of action to be employed in response to a business disruption, interruption or disaster.

Recovery team
A group of individuals given responsibility for the co-ordination and response to an emergency or recovering a process or function in the event of a disaster.

Recovery Window
The time scale within which time-sensitive functions or business units must be restored, usually determined by means of a business impact analysis.

Resilience
The ability of a system or process to absorb the impact of component failure and continue to provide an acceptable level of service.

Response
The reaction to an incident or emergency in order to assess the level of containment and control activity required.

Restart
The procedure or procedures that return applications and data to a known start point. Application restart is dependent upon having an operable system.

Restoration
The process of planning for and implementing full scale business operations which allow the organisation to return to a normal service level.

Resumption
The process of planning for and/or implementing the recovery of critical business operations immediately following an interruption or disaster.

Risk assessment & management
The identification and evaluation of operational risks that particularly affect the enterprise's ability to function and addressing the consequences.

Risk reduction or mitigation
The implementation of the preventative measures which risk assessment has identified.

Scenario
A pre-defined set of events and conditions which describe an interruption, disruption or disaster related to some aspect(s) of an organisation's business for purposes of exercising a recovery plan(s).

Security review
A periodic review of the security of tangible and intangible assets which should cover security policy, effectiveness of policy implementation, restriction of access to the assets, accountability for access and basic safety.

Service level agreement (SLA)
An agreement between a service provider and service user as to the nature, quality, availability and scope of the service to be provided.

Site access denial
Any disturbance or activity within the area surrounding the site which renders the site unavailable, e.g. fire, flood, riot, strike, loss of services, forensics. The site itself may be undamaged.

Social impact
Any incident or happening that affects the well-being of a population and which is often not financially quantifiable.

Standby service
The provision of the relevant recovery facilities, such as cold site, warm site, hot site and mobile standby.

Stand down
Formal notification that the alert may be called off or that the state of disaster is over.

Structured walk-through
An exercise in which team members verbally review each step of a plan to assess its effectiveness, identify enhancements, constraints and deficiencies. (Associated term: bench test)

System denial
A failure of the computer system for a protracted period, which may impact an enterprise's ability to sustain its normal business activities.

System recovery
The procedures for rebuilding a computer system to the condition where it is ready to accept data and applications. System recovery depends on having access to suitable hardware.

System restore
The procedures that are necessary to get a system into an operable condition where it is possible to run the application software against the available data. System restore depends upon having a live system available.

Table top exercise
The exercising and testing of a BCP, using a range of scenarios, whilst not affecting the enterprise's normal operation.

Tolerance threshold
The maximum period of time which the business can afford to be without a critical function or process.

Vendor
An individual or company providing a service to a department or the organisation as a whole. (Associated terms: supplier, third party vendor)

Vital record
A record that is essential for preserving, continuing or reconstructing the operations of the organisation and protecting the rights of the organisation, its employees, its customers and its stockholders.

Warm site
A data centre or office facility which is partially equipped with hardware, communications interfaces, electricity and environmental conditioning capable of providing backup operating support. (Associated terms: hot site, cold site)

Work area standby
A permanent or transportable office environment, complete with appropriate office infrastructure.


This Glossary of Terms is drawn from information supplied by Jim Burtles, FBCI, and Steve Yates, FBCI, and from the glossary contained in Business Continuity Demystified, an EPS publication.

This glossary can be reproduced under the following conditions:
a) The Business Continuity Institute is informed of the intention to reproduce
b) The Glossary is reproduced in its entirety
c) The source of the material is accredited to the Business Continuity Institute
