PgM 2: What is BCM Program Management?

Once the BC project is completed, the next challenge is to keep the BCM Program effort alive. It is therefore essential to continuously emphasize that, in the event of a disaster, BCM is the key to ensuring the safety of all people in the organization as well as the survivability of the organization.

Objective

The objective of the program management phase is to establish an on-going system to ensure the validity of critical business functions, recovery strategy and documented recovery procedures. The ultimate goal is the recoverability of the business processes in the organization.

Tasks

The tasks that have to be completed under the program management phase include:

Ensuring that the BC Plan is consistent with the most current business operational setup
Ensuring the availability, accessibility and distribution of the BC Plan
Ensuring that the BC Plan is maintained to an acceptable standard, efficiency and effectiveness
Keeping the BC planning effort going to ensure prompt and correct response of the staff in a disaster
Ensuring consistency with international standards

What Does Program Management Encompass?

It is important that the BC Plan be continually maintained and updated and kept effective. The major considerations in this process include:

Maintenance
Training & Awareness
Advanced Testing & Exercising Program
Audit
BCM Mindset & Culture

The expected deliverables at each stage of a typical program management phase are further elaborated in the respective chapters of this book.

1. Maintenance

IC_Morepost_PgM_BCM Plan Maintenance Key elements in the organization’s BCM Program should be reviewed on a periodic and systematic basis. These key BCM elements include:

Change control and review of BC Plan such as BCM objectives, roles and responsibilities of respective committees and teams, and its operating environment
Formalization of the BC Plan maintenance process to control the availability, access, editing and distribution of the BC Plan
Maintain standard, efficiency and effectiveness of BC Plan

1.1 Change Control

The BCM Steering Committee should conduct BC reviews on a systematic and periodic basis or when there are significant changes to the business operations and/or environment.

For example, reviews should be conducted when the organization relocates to a new premise or if there is a major re-structuring of the organization. These reviews should include the following:

Environmental and operational risks
Risk acceptance
Risks and their impact on critical business functions
BC recovery strategies

1.2 Review of BC Plan

The BC Plan should be reviewed in its entirety and approved once a year by the BCM Steering Committee or equivalent. The frequency is determined by the BCM policy. Personnel with the relevant expertise should be assigned to review appropriate segments of the organization’s BC Plan.

External consultants should be engaged if such expertise cannot be found within the organization. However, the responsibility and decision making should rest with the BCM Steering Committee.

The review should cover the content and currency of the BC Plan.

1.3 Review on Roles & Responsibilities

The roles and responsibilities of the following should be reviewed on a periodic and systematic basis:

BCM Steering Committee
Crisis Management Team
Organization BCM Coordinator
Business Unit BCM Coordinator
Disaster Declaration Officer
Teams involved in executing the BC Plan

1.4 Content

The BC Plan should:

Contain a set of well defined and sequenced procedures to guide various recovery activities so that the number of decisions that need to be made are minimized, for example the steps to determine and declare a disaster
Specify the resources needed to carry out the activities in each procedure
Specify the tasks to be accomplished by each designated team
Highlight the critical data to be recovered at each phase of the recovery

1.5 Currency

In order to maintain the currency of the BC Plan, it should be:

Related to the most recent organization’s structure to ensure that it supports the BCM needs of different business units
Tested and maintained on a predefined basis

Independence should be maintained for each review. For example, staff member from another functional area should be appointed to review the specified area; the results of each review should be appraised by another independent party.

1.6 Plan Documentation Automation

Whenever possible, the documentation of the BC Plan should be maintained using automated means. This helps to reduce errors and ensure consistency and quality of the BC Plan. For example, an automated piece of BC Plan software which supports inputs from various BCM teams and consolidation into the final BC Plan document may be employed.

1.7 Review of Vendors Contracts

Appropriate BCM requirement clauses should be incorporated in contracts with vendors providing goods and services that support Critical Business Functions (CBFs). Examples are contracts with vendors providing outsourcing services, telecommunications, power supply and utilities.

The Organization BCM Coordinator should review contracts with vendors providing such services on a periodic and systematic basis with a view to adding or changing the BCM requirements.

1.8 BCM Budget

The budget for BCM will be submitted by the Organizational BCM Coordinator to the BCM Steering Committee for its review and approval of any new budget request.
The budget could include the following:

Maintenance contract for specialized BC software
Attendance of external BC training courses
Annual payment for contract for alternate sites
Engagement of consultant to assist in the testing and the review of the BC plan
Payment for renewal of BCM organizational certification e.g. TR19:2005 or BS25999

1.9 Management Reporting

All reviews and findings of reviews should be adequately documented and reported to the BCM Steering Committee.

Keep the BC Plan up-to-date and in line with the most current business operational setup.

2. Training & Awareness

IC_Morepost_PgM_BCM Training and Awareness

Training and awareness form a crucial component to support and maintain the developed BC Plan and keep BCM vibrant in the organization.

Appropriate resources should be allocated specifically for BC training and awareness programs on a yearly basis. These can form part of yearly training budget and used for engagement of external help.

BC training and awareness programs should be conducted on a periodic and systematic basis. For example, refresher awareness program for all employees should be conducted annually.

2.1 Levels

The training and awareness needs for BC in the organization should be identified and drawn up. The programs should cater to the following levels of staff:

Basic

New staff members to the organization

Management

Executive Management, managers and supervisors

Specialized

Staff members assigned with BC responsibilities

All existing staff members should undergo BCM training and awareness programs. All new staff members should be scheduled to attend such training and awareness programs at the earliest possible opportunity. Appendix 8: Comprehensive List of Training Courses contains the types and levels of training courses and awareness program.

2.2 Assessments

Assessment of BC training and awareness programs should be carried out at two levels:

Program Level

The programs are drawn up meet the needs of business units supporting CBFs

People Level

Participants are assessed after each program to check that training received meets the objectives set forth

2.3 BCM Appointment Holders

Staff members holding key BCM responsibilities, for example the Organization BCM Coordinator, should be adequately trained and qualified. These appointment holders should:

Attend BCM planning conferences and seminars
Participate in BCM user groups and associations
Peruse BCM publications
Enroll in formal BCM courses that are internationally recognized and accredited

2.4 Entire Organization

Training should be conducted for all staff members on a periodic and systematic basis to ensure that they remain constantly alert and are able to respond to stipulated activities including the following:

Activation of alarm
Evacuation and assembly
Emergency response
Reporting to the appropriate authority to handle the emergency situation

2.5 Specific BCM Staff Members

Staff members directly involved in the recovery operations should be identified, assigned recovery tasks and given appropriate training.

Relevant external parties, for example, suppliers providing equipment and services during recovery should be trained in the appropriate procedures so that they can synchronize with the organization’s recovery efforts.

In addition, specific staff members should be trained in the handling of hazardous materials which are used or encountered during incidents, emergencies or disaster situations.

2.6 Internal Update & Awareness

Internal staff members in the organization should be updated periodically on the latest BCM trends and developments in the industry. This can take one or more of the following forms:

Publishing periodic newsletter on Intranet
Organizing internal seminars or conferences
Providing Executive Management with BCM update

3. Advanced Testing & Exercising Program

IC_Morepost_PgM_Advanced Exercising and Testing

Upon completion of the BC project, some initial (elementary) testing and exercising are usually carried out. These tests and exercises include notification call tree and walk-through exercises.

The end of the BC project also marks the start of the BC Program. At this stage, the organization will embark on its advanced level tests and exercises with the following considerations:

Awareness of regulators’ and authorities’ expectations
Zone transaction testing with critical third parties
Positive testing outcomes imperative
Lessons learnt BUT, proof of concept outcomes critical
Management of work effort and costs
Practical cross business testing policy and program
Meeting all stake holder requirements
Making best use of test window – planning critical
Raising the bar
Considering processing loads e.g. 30-day window cross functional capability
Business, audit and client input
Manageable incremental testing improvements

4. Audit

4.1 BCM Audit Plan

IC_Morepost_PgM_BCM Audit There should be regular BCM audit based on an established BCM audit plan. The BCM audit plan should specify and document:

The audit cycle, frequency and program
The external parties whom the organization is dependent upon for the business and supporting the CBFs

A BCM audit should be conducted when there are significant changes to the business operations and/or environment. The BCM Steering Committee should review the results of BCM audits.

Once the result of the audit is reported, such as, in a separate section on BCM, it should be included in the organization’s annual audit report. There should be procedures established to ensure that deficiencies identified in BCM audit are rectified.

Effort must be made to ensure that the auditors conducting BCM audit are competent in undertaking the task. These auditors should be sent for training on BCM so that they acquire the necessary skills and knowledge to conduct BCM audit.

BCM audit also helps the organization fulfill the following:

BCM and Corporate governance
Compliance requirement
BCM standards and related guidelines

4.2 BCM & Corporate Governance

Corporate governance, in short, is the responsibility of a corporation to its stakeholders. Of particular relevance to BC concept is the evaluation of the vulnerability of the corporation against its capability to safeguard tangible and intangible assets (for example, cash reserves and branding respectively).

4.3 Compliance Requirement

The compliance with legal requirements such as Sarbanes-Oxley Act and Basel II Accord reaps a host of benefits:

Reduced risk exposure
Increased stakeholder confidence
Increased efficiency by having a proactive policy towards compliance
Ability to build internal operational efficiencies caused by compliance constraints and controls
Increased value to possible partners by showing compliance
High availability plus protection from site loss

5. BCM Mindset & Culture

The correct understanding of crucial terms and terminology is necessary to inspire BCM buy-in. A common language within the organisation also helps to instill, and subsequently enhance, a BCM culture. For example:

BCM Versus BCP
Program Versus Project

In order to maintain a healthy BCM mindset and culture, there is a need to:

Benchmark against BCM best practices
Assess the level of BCM maturity
Identify changes in BCM reality
Update on BCM trends

5.1 BCM Versus BCP

It is incorrect to use the terms BCM and BCP interchangeably. BCP involves the planning of continuity measures while BCM involves the control and management of these continuity measures. Therefore, BCP always precedes BCM.

5.2 Program Versus Project

Following from the above explanation, it can be seen that BCP is a one-off project while BCM is an on-going program that needs to be reviewed at least once annually. Therefore, the completion of the BCP project marks the start of the BCM program.

5.3 Benchmark

Benchmarking the BCM Program against similar industry or international BCM related standards and guidelines in general will create effective discussion and even debate among the organizations. It usually provides meaningful comparisons for internal and external analysis. The process should consist of simple scoring and metrics and the end result is improved confidence of being able to continue during a disruption.

5.4 Assess BCM Maturity

Whilst it is impossible to implement all stages of BCM at one go, a forward-looking, vigilant organization should take one step at a time to ensure that the BCM processes gradually mature over a two- to three-year period. For instance, a full re-location exercise may be conducted a year after a partial simulation exercise. This would ensure that the organization has honed its capability to safeguard the interests of its key stakeholders, reputation, brand and value creating activities.

5.5 Change to Reflect New Views

In our dynamic world, what is considered critical or not do change over time. Not so long ago, some organizations did not consider their website and electronic mail (or email) worth protecting as these were seen to be not mission-critical.

Now, with the advent of e-commerce, email is deemed to be a viable and trusted medium for taking orders, giving approvals, formalizing contracts, and discussing sensitive human resource issues. In fact, e-mail is admissible in courts as paper-based records.

It is thus “worth protecting” as emails carry an increasing amount of strategic information than ever before. As the perception of criticality changes, so should BCM objectives change to reflect contemporary developments despite the invariable underlying methodology.

5.6 Update BCM Trends

It is critical for the Organization BCM Coordinator and BCM Steering Committee to keep abreast of the BCM trends. Only with such continuous update will management be in a position to implement short and long term BC strategies.

For example, with the heavy reliance on e-commerce and the rising expectations of customers, BCM must be geared towards providing solutions which guarantee recovery of huge volumes of data within a relatively short period of time (one to two hours).

Besides constantly monitoring, evaluating and assessing threats to businesses, organizations should also consider new threats resulting from new initiatives from terrorism and evolving infectious diseases.

Reference

Goh, M. H. (2021). Managing & Sustaining Your Business Continuity Management Program. Business Continuity Management Planning Series (3rd ed.). Singapore: GMH Pte Ltd.

Extracted from "Chapter 2: What is Program Management?"

More Information About Blended Learning BCM-5000 [BL-B-5]

To know more about our blended learning program and when the next course is scheduled, feel free to contact our friendly course consultant colleagues via sales.ap@bcm-institute.org. They are the BL-B-3 Blended Learning BCM-300 ISO22301 BCMS Implementer and the BL-B-5 Blended Learning BCM-5000 ISO22301 BCMS Expert Implementer.