Content for Training & Awareness
Areas of Concentration
There is a need to distinguish BCP awareness and training programs from other organizational awareness and training programs.
- Importance of the BCP to the business, organization and employees
- Key components of the BC Plan
- Organizational structures and key members of the BC teams
- Activation criteria for the BC Plan process
- Expectations and roles of the management and employees before, during and after the activation of the BC Plan
- Availability of BC Plan information to anyone who needs to refer to one
Content of Training Program
The BC training program should focus on the following areas:
Components of BC Plan
Educating the Executive Management and employees of the organization to understand the importance and fundamental need for a BCP will significantly enhance the effectiveness and efficiency of performing the business recovery activities, thereby reducing the potential loss to the organization.
Contextualizing the detailed technical and business aspects of the BC Plan into layman's terms for different levels of employees in the organization through awareness and training programs will enable the organization to achieve the following key advantages:
- Minimize the degree of misinterpreting documented objectives, terms, processes and procedures. This makes the BC Plan readable to the employees appointed with BC responsibilities so that they can execute the processes and procedures quickly. It also makes the BC Plan readable so that the general employees can appreciate the need to support the smooth execution of the BC Plan to ensure the survival of the organization in the event of a disaster.
- Reduce the decision-making activities to a minimum, as key confusion areas, doubts, and “blind spots” will be questioned and cleared by the employees during the training and awareness sessions.
- Minimize the total business recovery time, as well-informed and well-trained employees are equipped with the necessary skillsets and familiarity to carry out the business recovery activities quickly, as documented.
- Reduce the overall BC Plan expenses, as only necessary resources are required; well-equipped employees will be able to perform the recovery process efficiently and shorten every aspect of the recovery time to have the business back in operation as soon as possible.
Why is a BC Plan Important?
For the BC Plan to be successfully executed, a list of key components needs to be communicated to and understood by the BC teams, management, and employees. So, effort should not be spared in planning, preparing, and disseminating these key components of the BCP to everyone in the organization.
The key components of the BC Plan include:
- Overview of how the BC recovery activities are interlinked to ensure the continued availability of business activities regardless of the operational status of the resources and environments
- BC Plan activation criteria
- Emergency response procedures
- BC organizations, contacts and roles and responsibilities of the BC team members
- Business operation risk analysis and assessments
- Critical business function identification through a proper Business Impact Analysis process
- Vital resources, including equipment, software, people and records identification and management
- Recovery processes and procedures for critical business functions
- Returning to regular business operation after a disaster
What is the Role of Business Unit BCM Coordinators?
Knowing the BC teams, the individuals in each team, their corresponding roles and responsibilities, and the interfaces between BC teams will enable each team member to understand his/her role during a disaster.
The general employees should also get to know the BC team members so that information can flow to the correct persons and a BC decision can be made quickly to prevent the situation from worsening.
Where can BC Plan Information be Found?
Executive Management and general employees must know their roles and responsibilities in a disaster event that occurs during regular business operating hours and after the activation of the BCP. This is important for the organization's survival.
Some of the formal mechanisms include:
- Providing induction briefing by working with the Human Resource department to explain to all the new staff members their roles and responsibilities in layman's terms
- Including BC formal write-ups as part of the employment handbooks
- Conducting regular emergency response and BC exercises
- Formalizing mandatory refresher courses with the Training department for employees to attend after a standard period of, say, 24 months
Some of the informal mechanisms include:
- Regularly putting up posters in familiar and accessible areas to remind everyone of their roles and responsibilities
- Broadcasting messages periodically over the organization’s Intranet or having messages appear regularly on the network login
- Highlighting general information on the organization’s notepads or folders
When is the BC Plan Invoked?
Every employee must know the what, the when, the who, and the how when activating the BC Plan processes. This will help reduce the recovery time for critical business operations during a disaster and remove all unproductive false alarms.
We need to clearly understand the key triggers and the appropriate decisions that must be made to activate the BC Plan processes. It is recommended that practice-based training or an exercise be carried out to ensure all the key players in the BC teams have an opportunity to experience every step stated in the BC Plan to verify, experiment with, and justify the activation of the BC planning process.
How is the BC Plan Invoked?
The first step is to provide every employee with a systematic means of locating the BC Plan information, which will familiarize them with the business recovery processes. The organization will also need to ensure that the BC Plan’s sensitive business processes cannot be accessed by unauthorized personnel.
Creating the correct level of awareness and educating the employees on the proper way of accessing the critical BC Plan information are mandatory tasks of the Organization's BCM Coordinator.
The Organization BCM Coordinator should ensure that the following key objectives are achieved:
- Information security, control and management
- Information storage, dissemination and availability
Information Security, Control and Management
The control and right to access the BC Plan and its related documents should be carefully considered. The BC Manager should:
- Ensure that the classification of the BC Plan documents, like any other strategic business information, is according to the organization’s information security standard
- Design and post BC Plan information at different levels of detail, depending on whether the areas are accessible, semi-secured (where access is through IDs and passwords), or secured (where only special rights to access the document are given)
- Secure access to the BC Plan documents on a “need to know” basis where the depth of information that an employee may access depends on his/her role and responsibility
- Provide audit logging mechanisms to track which employee accessed the BC Plan documents (with information on when, what, why, and how) and whether the employee was given a copy of the BC Plan documents based on BC Plan document dissemination criteria.
- Ensure all changes to the BC Plan documents are adequately justified, vetted and approved by the relevant authority and documented as history tracks in the documentation.
Information Storage, Dissemination and Availability
The storage, dissemination, and availability of BC-related media must be evaluated carefully.
Availability
Information Storage
Employees need to know where the BC Plan information is stored and understand that some critical information must still be printed in hard copy.
Dissemination
Contents of Awareness Programs
A good awareness program must include the following in its content:
- Access to basic documentation
- Basic employee BC activities
- Liaison with external agencies
Access to Basic Documentation
The fundamental BC information that all employees within the organization are required to know is:
- The organization’s BC Policy Statement
- Definitions of standard BC terms so that everyone in the organization speaks the same language
- BC organization chart with the photograph and role of each BC team member
- Emergency response procedure
- Resources committed to the development and maintenance of the BC Plan
- Locations and channels to obtain BC information
All employees must be aware that competitors may capitalize on the chaotic situation to steal crucial information, which, if leaked, may endanger the organisation's survivability. They must, therefore, know the additional security procedures that are put in place at the disaster area, alternate site and recovery site during such a situation:
- Protocols for reporting any suspicious persons or suspicious activities being carried out there
- Checks on people who request sensitive information
- Security patrols that are conducted
Basic Employee BC Activities
The fundamental BC information that every employee must be aware of includes:
- What to do before, during and after an event?
- Who to contact?
- Who will contact you?
- Where to go?
- Where to assemble?
- How to deal with the media?
- What are the immediate steps to be taken during and after office hours?
Liaison with External Agencies
These are external legal entities that could assist the employees in obtaining information regarding the disasters:
- Police
- Building security management team
- Fire department
- Civil defense
- Non-government organizations (NGOs)
- Emergency management offices
- Hospitals
Checklist on Training & Awareness
A checklist should be developed to ensure that all grounds have been covered and that pertinent legal and compliance issues related to BCM have been addressed adequately so that the organization is not liable for negligence in the face of the law. Evidence relating to these key issues must also be documented, such as attendance records of senior managers at exercises.
Key issues and concerns include:
| Key Areas | Self Assessment |
|---|---|
| Risk Analysis and Review (RAR) | Have the Executive Management and Organization BCM Coordinator considered the effects of a significant disruption on services? |
| | Have countermeasures to minimize risk been identified, including measures to combat potential information loss? |
| Business Impact Analysis (BIA) | Have all business units assessed the potential for disruption by a structured process such as a BIA that identifies risks and their potential impact on services, critical activities and dependencies? |
| Business Continuity Strategy (BCS) | Is there a short-term recovery strategy for every major service/business unit? |
| | Do contingency arrangements cover alternative premises and communications arrangements? |
| | Does the Steering Committee have quality assurance arrangements for the continuity of contracted services? |
| Tests & Exercise (TE) | Are emergency management arrangements for any business disruption set out and tested through exercises? |
| | Are BC Plans reviewed and updated regularly, considering lessons learnt from exercises, incidents, and research? |
| | Are BC Plans and procedures validated through regular tests and exercises, including those for out-of-hours emergencies? |
| Security | Is the security of critical information reviewed, whether this information is held electronically or on paper? |
| | Are steps taken to minimize the danger of losing the information or losing access to it during an emergency? |
| Roles & Responsibilities | Who is responsible for ensuring that each business unit or site has a BC Plan in the face of serious disruption? |
| Emergency Planning | Are there procedures to ensure responsible staff members know what to do in an emergency? |
| | Do you have an emergency planning specialist responsible for zonal-wide disasters? |
| | Do you have a standard format/template and terminology where there are separate business unit or site-based emergency plans? |
| | Are BC Plans integrated with emergency plans? |
| Documentation | Are quality checks conducted on written BC Plans? |
| | Is the BC Plan written in its local language? |
| | Are copies of BC Plans and essential equipment/documents (in electronic or hard copy) kept easily available but off-site? |
| | Are there adequate records of test and exercise results? |
| | Are there recovery procedures for version control? |
| Consistency | Are there arrangements to ensure consistency and integration between sites and business units and between BC and emergency plans? |
| | Are there procedures to check consistency between BC Plans? |
| External Vendor | Is there occasional external involvement and challenge in your review arrangements? |
| | Does the procurement policy or contracts cover risk management and BC arrangements? |
| | What is the quality assurance arrangement with contractors to cover emergency response? |
| Priority | Does your BC Plan(s) prioritize between business units’ processes and activities? |
| | Are prioritized response plans unambiguous, clear and easy to use? |
| Special Needs | Do your BC Plans cover the special needs of those who are likely to be most vulnerable, such as due to age or disability? |
Reference
Goh, M. H. (2021). Managing & Sustaining Your Business Continuity Management Program. Business Continuity Management Planning Series (3rd ed.). Singapore: GMH Pte Ltd.
Extracted from "Chapter 14: Content for Training & Awareness"