Business Continuity Management | BCM

PgM 5: Stage 2 - Change Control Procedures

Written by Moh Heng Goh | Mar 26, 2021 6:07:34 AM

Change Management and Control Procedures

Change Management and Control are essential to the proper functioning of the BC Plan maintenance process. It dictates the degree of involvement of the Organization BCM Coordinators in the organization management planning stages, the areas to study for impacts, the means to carry the impact mitigations, performing changes to the BC Plan and distribution of the updated BC Plan.

In addition, change management is critical in establishing the organizational security practices to safeguard the BC Plan distribution, circulation and access.

Step 1 - Review Corporate & Business Plans

A corporate BC Plan provides a ‘road map’ for the organization that addresses the:

  • Business mission, goals and objectives
  • Details of business strategies to achieve the business objectives
  • Key Performance Indicators and Strengths, Weaknesses, Opportunities and Threats Analysis (S.W.O.T.) for the business operations

The Organization BCM Coordinator should get involved in the development of the corporate and business unit BC Plans, so that any impact to the Organizational BC Plan can not only be addressed at both macro (strategic) and micro (tactical) levels, but also together with business decisions.

The Organization BCM Coordinator’s involvement in the corporate BC Plan development will also provide the management with another pair of eyes, to identify the risk and quantify the exposure that planned strategies will have on the organization’s current and future BC program.

Some of the potential changes in the business strategies that will impact the current BC program and the maintenance of the BC Plan in the future include:

  • Change in its IT environment
  • Change in hardware and/or software platforms
  • Outsourcing of part or whole of its IT business operations
  • Change in communication networks
  • Relocation of organization or business units to another city or state
  • Decentralization of its business operations

Organization BCM Coordinators are expected to contribute extensively to the corporate planning activities, especially in the following areas:
  • Documenting the planned changes (including organizational structure, staffing and strategies) which are being considered and approved by the Executive Management
  • Identifying the specific areas where the BCM will be impacted
  • Evaluating the impact on the current BCM
  • Developing new BC strategies and procedures to address the potential impacts that may be identified
  • Determining the cost of developing and implementing new BC strategies and procedures
  • Obtaining the Executive Management’s approval and funding for the implementation of the new BC strategies and procedures
  • Developing an implementation plan for the new BC strategies and procedures
  • Implementing the new strategies and procedures

Step 2 - Develop Procedures to Monitor Organizational & Operational Changes

The objective of maintaining the BC Plan in a “state of readiness” is to:

• Reduce the possibility of making inappropriate decisions due to lack of updated information
• Decrease the level of stress on BC Recovery Teams in the event of a disaster

The Organization BCM Coordinator should collaborate with Business Unit Coordinators to:

  • Maintain the timeliness of all changes that will affect the BCP and address them in the BC Plan as soon as possible
  • Be empowered by the BC Sponsor to ensure that any changes in the organization, no matter how small, are updated promptly

Although BC Plan testing is always used as a starting point to maintain the BC Plan, it should not be the only “impetus” to update the BC Plan. Organizational change should be considered seriously and usually is the primary driver to activate a revision of BC Plan.

Some of the areas of potential changes that will impact on the timeliness of the BC Plan updates include the following areas:
  • Management
  • Operational

Management Aspect

From a management perspective, these are the changes that will affect the BCM Program:
  • Changes in market dynamics such as cost-cutting measures and re-engineering
  • Mergers & Acquisitions
  • Establishment of new business sectors
  • Re-focusing of non-core businesses
  • Organizational structure changes
  • Personnel changes
  • Outsourcing of certain business functions

Operational Aspect

 
It is crucial for the following changes to the business and IT operations to be monitored closely:
  • Procedural changes
  • Physical changes such as facilities
  • Technology changes relating to facility:
    • Air-conditioning systems
    • Fire detection and prevention systems
    • Security systems
    • Electrical systems including lightning rods
    • Water systems
  • IT adoptions and implementations
  • Recovery requirement changes
  • Testing issues

In order to keep abreast of the above organization changes, the Organization BCM Coordinator must have access to the most updated Corporate and Business Unit BC Plans on a regular basis and develop change control procedures to monitor any planned or unplanned changes to the BC Plans.


Challenges to Organization BCM Coordinators are changes which are carried out outside of the change process and therefore not addressed in the BC Plan. Some of the following events, carried out without the knowledge of the Organization BCM Coordinators, will have a direct impact to the overall BCM Program of the organization:
  • Decentralization of the organization where each business unit operates autonomously and reports to the corporate business entity on operational performance only
  • Implementation of changes by the business unit to its operations, which may directly or indirectly affect the business unit or corporate BC Plan

Strong communication should be developed to help the Organization BCM Coordinator maintain a close relationship with all business owners and external partners such as customers and suppliers, so that he/she is promptly informed of the changes via direct and indirect channels. Organization BCM Coordinators will be able to make use of this information to carry out impact analysis on BC Plan, revise the BC Plan to address the impacts and communicate the changes to update all the parties and personnel on the revision of the BC Plan.

Step 3 – Manage Plan Version Control

The BC Plans, both corporate and business unit level, are distributed to authorized personnel for assistance in defining and understanding the responsibilities and procedures related to a business disruption caused by a physical disastrous event.

Upon any business unit’s change of employment status, it is each individual's responsibility to return his assigned copy and all duplicates and duplicate parts thereof, to their respective management. No one outside of the organization will be permitted to read, review, copy or audit the BC Plan without prior written approval from the BCM Steering Committee.
If not managed properly, the version control, distribution and collection of BC Plans become a potential single point of failure for the entire execution of the BC process.

The main task for managing a good version control on BC Plan is as follows:

  • Issue a policy (Appendix 6: BC Plan Maintenance Policy)
  • Develop version control standards and procedures for the edition, re-issue, distribution and collection of the BC Plan updates
  • Maintain a master record that keeps track of the location and the personnel who are given copies of the BC Plan
  • Establish a centrally coordinated process to ensure that distributed BC Plans are updated and old “versions” are collected and destroyed
  • Ensure that standard documents that need to be distributed to the recipients include:
    • Cover Memorandum giving instructions for inserting and removing pages
    • Maintenance History to show the recipients what have been updated 
      • See Maintenance Schedule & Log
      • See Maintenance Sheet
  • Establish a documentation standard for all BC Plan to enhance the version control process. The major items that should be there include:
    • Copy number
    • Date issued
    • Last updated
    • Version number
  • Obtain confirmation note from all BC Plan recipients who have received the current version

The BC Plan is a confidential document. Only personnel who really need to have a copy of BC Plan due to the operational requirement should be given one. The people who need a copy may include the following:

  • Organization BCM Coordinator
  • Business Unit BCM Coordinator(s)
  • Business Unit Team Manager(s)
  • Key Team Manager(s)
  • Executive Management
  • Security Personnel
  • Facilities Personnel
  • Legal Personnel
  • Personnel of affected business units

A lot of sensitive and confidential information such as the critical business processes, critical resources, major customers, suppliers and management’s contacts are documented in the BC Plan and program documentation. Therefore, it is essential that adequate security is maintained over the BC Plan to prevent:

  • Accidental or unintentional information leakages
  • Unauthorized disclosure
  • Misuse of information
  • Misplacement of BC Plan documents

Hence, the Organization BCM Coordinator should periodically review and perform internal audits on the BC recovery teams to ensure that all BC Plan manuals are maintained, kept up-to-date and secured against unauthorized access. Organization BCM Coordinator should at least review the following information on an annual basis:
  • Correct version of BC Plan is distributed to all recipients
  • Copies are issued only to authorized personnel
  • All versions of BC Plan are approved versions
  • BC Plans are collected back from personnel not performing BC planning activities due to re-appointment or resignations
  • All outdated copies of BC Plan documents are properly destroyed
  • All BC Plans are kept in easily accessible yet secured locations

Reference

Goh, M. H. (2021). Managing & Sustaining Your Business Continuity Management Program. Business Continuity Management Planning Series (3rd ed.). Singapore: GMH Pte Ltd.

Extracted from "Chapter 5: Stage 2 - Change Control Procedures"

More Information About Blended Learning BCM-5000 [BL-B-5]

To know more about our blended learning program and when the next course is scheduled, feel free to contact our friendly course consultant colleagues via sales.ap@bcm-institute.org.  They are the BL-B-3 Blended Learning BCM-300 ISO22301 BCMS Implementer and the BL-B-5 Blended Learning BCM-5000 ISO22301 BCMS Expert Implementer.

 

Please feel free to send us a note if you have any of these questions to sales.ap@bcm-institute.org