Business Continuity Management | BCM

Step 5: Manage the BCP Process

Written by Moh Heng Goh | Mar 16, 2021 1:59:01 PM

 

BCM Planning Process

A BCP project plan should be established to manage the tasks, deadlines, and deliverables. The major phases of the typical BCP project are as shown below. The description of each phase will be further elaborated.

Project Management

The aim of the Project Management phase is to start the BCP project in your organization. It is primarily used to educate your Executive Management about the purpose, process, and importance of BCP.

The first step in implementing BC is to set up the required BC management structure to support the implementation process, seek Heads of Business units and their staff members‟ commitment and resources, and involve these BU BCM Coordinators in the BCM planning process.

The Organization BCM Coordinator will develop the implementation framework, confirm the business units and functions to be included in the BCP project, and the roles and responsibilities of each BU BCM Coordinator for the entire project to ensure its timely completion. The Organization BCM Coordinator will also draw up a BCP project initiation proposal to the Executive Management elaborating on the mission, scope, assumptions, limitations, the composition of the BC teams, roles and responsibilities, and project schedule.

This book is specifically written for the Project Management phase.

Risk Analysis and Review

A risk analysis identifies the type of threats/risks that an organization or a specific location is likely to encounter. It examines the physical infrastructure within the building and within a specific surrounding.

A relative weightage is assigned to each category of disaster with an estimate of duration. A statement of risk is completed and this, in turn, determines what areas should be examined further so that countermeasures may be deployed to mitigate the risks.

In this BCM Planning Series, the content for this phase is provided in the “Analyzing & Reviewing the Risks for Business Continuity Planning” book.

 Business Impact Analysis (BIA)

After the Risk Analysis and Review phase has been performed, a BIA is undertaken. It determines the cost of not being able to continue to transact business. The information is usually not straightforward as the input can be fairly abstract. On many occasions, the Heads of the Business Unit will have to estimate the loss but an exact answer is not crucial.

The purpose is to identify the complete list of critical business functions that is critical to keep the organization in business. Overprotecting by identifying more business functions than is actually needed will cost more while under-protecting will give the organization a false sense of security.

Assessment of the effects of a business interruption on your organization is developed in the BIA. The BIA provides your Executive Management with the information required to make sound decisions about what business functions are critical and need to be recovered, how quickly, and how much to spend to recover them. It identifies very specifically the minimum resources that would be required to continue your operations following any disaster declaration.

The BIA also suggests for each business function, the tolerable downtime before it incurs financial or legal penalties. These are questions answered by managers in interviews, with the Organization BCM Coordinator's advice and help.

Some business functions of your organization will require immediate recovery and resumption of operations, while others may be able to recover gradually, in stages. Through workshops, questionnaires, and interviews with Heads of Business units and staff members, the Organization BCM Coordinator identifies the loss impact, which could result from a disruption. In addition, any weaknesses or inefficiencies identified will be reviewed and alternative practices or policies may be suggested. This step provides essential information for decisions that must be made in the Recovery Strategy phrase.

In this BCM Book Series, the content for this phase is provided in the “Conducting Your Impact Analysis for Business Continuity Planning” book.

 Business Continuity Strategy

During business continuity strategy development, the Organization BCM Coordinator in consultation with the business units will develop possible recovery strategies or alternatives to maintain the continuity of critical business functions.

Throughout the entire development process, the worst-case Key Disaster Scenario is assumed, that is, all critical business functions are rendered incapable of performing their operations at the most critical timing.

 The Organization BCM Coordinator assumes that the organization will need one or more alternative locations from which to continue business operations after a disaster declaration. A determination of the type of recovery or alternate work site or sites required will be made based on decisions by the Executive Management after reviewing the BIA and cost-benefit justifications of the BCP project team. If the organization already owns premises that can serve as recovery sites, it should examine this option first. If a suitable internal facility does not exist, procurement or rental of the alternative facility may be recommended.

Whichever alternatives or options the organization chooses, the alternative recovery location must be suitably equipped and the recovery team personnel be made familiar with the location and equipment. The recovery teams must test the relocating to the alternative site to ensure that all the BCP assumptions have been correctly made. Testing occurs in a later stage of the BCM planning process.

Finally, the report on the integrated enterprise-wide recovery strategy will have to be presented to the Executive Management for approval. In this BCM Book Series, the content for this phase is provided in the “Developing Recovery Strategy for Your Business Continuity Plan” book.

Plan Development

The recovery procedures document is prepared at this phase. The business units create plans to make preparations before a disaster occurs. These preparations will enable the business units to respond to incidents, recover, resume and restore the business in a disaster.

This document lists the tasks to be performed, notifications required, personnel involved and resources needed, in a timetable that identifies which activity must be completed in order to ensure optimal recovery. Each business unit has its own written BC plan with a corporate-wide BC plan being developed by the BCP project team. Written plans for the business units combined together comprise the BC plan for the organization.

The organization is divided into business unit recovery teams and support unit recovery teams. Business unit recovery teams are to develop and execute recovery procedures for immediate, short-term, and long-term recovery of business operations while support unit recovery teams, for example, for administration and information technology, are to develop and execute procedures to support the business unit recovery teams.

The documentation of the BC plan can take several forms. Most organizations use PC-based word processors.

Once the decision to have a PC-based word processing or a BCP specialized software has been made, the BC plan template will be completed by the respective recovery teams to write the BC plan. This plan will be printed and used as a guide when a disaster is declared.

These recovery actions are listed starting with the critical actions to be taken immediately after a disaster declaration. In this BCM Planning Series, the content for this phase is provided in the “Implementing Your Business Continuity Plan” book.

Testing & Exercising

Once the procedures are written, testing (or exercising) is the most vital part of every successful BC plan. The primary goals of the testing phase are to:

  • Verify that the recovery time scale and priority can be met
  • Verify that the BC plan is visible and practical
  • Rehearse and train all personnel involved in recovery
  • Eliminate errors and omissions in the plan
  • Update the BC plan in light of the results of the test

Plan testing prepares the recovery teams to function at the alternate site and verifies the adequacy of the site. Plan testing will ensure that appropriate procedures have been written to handle all likely situations.

Tests can be performed on all aspects of a plan, such as operating at alternative locations, switching over of the IT system activity, the notification call trees, and evacuation. These types of tests will be discussed with the organization's staff to determine the most appropriate approach and the test schedule. Testing should identify vulnerabilities as well as changes to the organizational environment, which require updates. Variations of tests will be designed so as to uncover BC plan weaknesses.

In order to ensure that the BC plan will work when you need it, the BC plan needs to be tested and updated periodically. The Organization BCM Coordinator recommends that each member of a recovery team be involved in some form of test each year. A testing policy and an overall test schedule (for the next few years) to upgrade the readiness of disaster plans will be provided. In this BCM Book Series,

the content for this phase is provided in the “Testing & Exercising Your Business Continuity Plan” book.

Program Management

 By this stage, the BC plan has been completed and is in place. It is, however, vital that the BC plan will work when the need arises. To ensure this, the BC plan must be updated and maintained. In so doing, the BC project becomes an ongoing program. The Program Management phase includes the following:

  • Identify sources of changes in the environment
  • Establish a change management and maintenance policy
  • Define maintenance procedures
  • Evaluate the adequacy of the maintenance process
  • Provide audit and assurance to the readiness of the plan
  • Embed culture within the organization
  • Audit and review BC plan readiness

 In this BCM Planning Series, the content for this phase is provided in the “Managing &Sustaining Your Business Continuity Management Program” book.

 

BCM Project Management Steps

Click to find out more about the detailed requirement for each steps

Back To 1 2 3 4 5
6 7 8 9 10 11

Reference

Goh, M. H. (2021). Managing Your Business Continuity Planning Project. Business Continuity Management Planning Series (3rd ed.). Singapore: GMH Pte Ltd.

Extracted from "Chapter 2: What is Project Management"

More Information About Blended Learning BCM-5000 [BL-B-5]

To know more about our blended learning program and when the next course is scheduled, feel free to contact our friendly course consultant colleagues via sales.ap@bcm-institute.org.  They are the BL-B-3 Blended Learning BCM-300 ISO22301 BCMS Implementer and the BL-B-5 Blended Learning BCM-5000 ISO22301 BCMS Expert Implementer.

 

 

 

Please feel free to send us a note if you have any of these questions to sales.ap@bcm-institute.org