WHAT IS BCM?

A BCMS emphasizes the importance of understanding the organization's needs and the necessity for establishing business continuity management policy and objectives, implementing and operating controls and measures for managing an organization's overall capability to manage disruptive incidents, monitoring and reviewing the performance and effectiveness of the BCMS, and continual improvement based on objective measurement.

A BCMS, like any other management system, has the following key components: a policy; people with defined responsibilities; management processes relating to policy, planning, implementation and operation, performance assessment, management review, and improvement; documentation providing auditable evidence; and any business continuity management processes relevant to the organization. Business continuity contributes to a more resilient society. The wider community and the impact of the organization's environment on the organization and therefore other organizations may need to be involved in the recovery process.

WHY IS BCM IMPORTANT?

BCM-readiness provides reassurance to your internal and external stakeholders that your operations are able to meet the needs of the contingency and you are prepared for the 'worst case scenario' situations. As a robust BCM system also requires the collaboration of your key suppliers, the upgrading of your key suppliers' BCM plans will improve your entire supply chain. The ability to weather adversity will give your company an edge against your competitors. In summary, BCM is more than just insurance for your business. A BCM-ready organization is able to:

  • Be recognized as a reliable and sustainable business partner
  • Enhance business reputation and consumer confidence
  • Protect assets and the business infrastructure
  • Maintain operations and minimize financial impact during crisis

Increasing the resilience of businesses in Singapore will further boost Singapore's status as a trusted business hub. This will help to attract more business opportunities and fuel the growth of your company. Your preparedness for crisis will collectively enhance the nation's resilience to crisis.

Professional Practices

Introduction

Business Continuity Management (BCM) is a management process that identifies risk, threats and vulnerabilities that could impact an entity's continued operations and provides a framework for building organizational resilience and the capability for an effective response.

The Professional Practices are a body of knowledge designed to assist the entity in the development and implementation of a BCM program. Use of the Professional Practice framework can increase the likelihood that no significant gaps will be present in your program as well as increase the likelihood that the various parts of the program will work cohesively in an actual event.

These Professional Practices are intended to serve as both a guide for BCM Program development, implementation and maintenance and as a tool for conducting audits of an existing program. Using the Professional Practices to audit a program can identify program gaps or deficiencies so they may be corrected before an event occurs.

The Professional Practices have been developed and maintained by experienced Business Continuity professionals to provide a consistent framework for the industry, to assist others who wish to enter this field with the body of knowledge to develop the skills needed and to assist organizations in benchmarking their program against accepted and proven practices.

The sections within these practices are not presented in any particular order of importance, as it may be necessary to undertake or implement sections in parallel during the development of the BCM Program.


Professional Practice Subject Area Overview

1. Program Initiation and Management

Establish the need for a Business Continuity Management Program within the entity and identify the program components from understanding the entity's risks and vulnerabilities through development of resilience strategies and response, restoration and recovery plans. The objectives of this professional practice are to obtain the entity's support and funding and to build the organizational framework to develop the BCM program.

2. Risk Evaluation and Control

The objective of this professional practice is to identify the risks/threats and vulnerabilities that are both inherent and acquired which can adversely affect the entity and its resources, or impact the entity's image. Once identified, threats and vulnerabilities will be assessed as to the likelihood that they would occur and the potential level of impact that would result. The entity can then focus on high probability and high impact events to identify where controls, mitigations or management processes are non-existent, weak or ineffective. This evaluation results in recommendations from the BCM Program for additional controls, mitigations or processes to be implemented to increase the entity's resiliency from the most commonly occurring and/or highest impact events.

3. Business Impact Analysis

During the activities of this professional practice, the entity identifies the likely and potential impacts from events on the entity or its processes and the criteria that will be used to quantify and qualify such impacts. The criteria to measure and assess the financial, customer, regulatory and/or reputational impacts must be defined and accepted and then used consistently throughout the entity to define the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for each of the entity's processes. The result of this analysis is to identify time sensitive processes and the requirements to recover them in the timeframe that is acceptable to the entity.

4. Business Continuity Strategies

The data that was collected during the BIA and Risk Evaluation is used in this professional practice to identify available continuity and recovery strategies for the entity's operations and technology. Recommended strategies must be approved and funded and must meet both the recovery time and recovery point objectives identified in the BIA. A cost benefit analysis is performed on the recommended strategies to align the cost of implementing the strategy against the assets at risk.

5. Emergency Response and Operations

This professional practice defines the requirements to develop and implement the entity's plan for response to emergency situations that may impact safety of the entity's employees, visitors or other assets. The emergency response plan documents how the entity will respond to emergencies in a coordinated, timely and effective manner to address life safety and stabilization of emergency situations until the arrival of trained or external first responders.

6. Plan Implementation and Documentation

The Business Continuity Plan is a set of documented processes and procedures which will enable the entity to continue or recover time sensitive processes to the minimum acceptable level within the timeframe acceptable to the entity. In this phase of the Business Continuity Management Program, the relevant teams design, develop, and implement the continuity strategies approved by the entity and document the recovery plans to be used in response to an incident or event.

7. Awareness and Training Programs

In this professional practice, a program is developed and implemented to establish and maintain corporate awareness about Business Continuity Management (BCM) and to train the entity's staff so that they are prepared to respond during an event.

8. Business Continuity Plan Exercise, Audit and Maintenance

The goal of this professional practice is to establish an exercise, testing, maintenance and audit program. To continue to be effective, a BCM Program must implement a regular exercise schedule to establish confidence in a predictable and repeatable performance of recovery activities throughout the organization. As part of the change management program, the tracking and documentation of these activities provides an evaluation of the on-going state of readiness, allows for continuous improvement of recovery capabilities and ensures that plans remain current and relevant. Establishing an audit process will validate that the plans are complete, accurate and in compliance with organizational goals and industry standards as appropriate.

9. Crisis Communications

This professional practice provides the framework to identify, develop, communicate, and exercise a crisis communications plan. A Crisis Communications plan addresses the need for effective and timely communication between the entity and all the stakeholders impacted or involved during the response and recovery efforts.

10. Coordination with External Agencies

This professional practice defines the need to establish policies and procedures to coordinate response, continuity and recovery activities with external agencies at the local, regional and national levels while ensuring compliance with applicable statutes and regulations.