Business Continuity Management | BCM

PgM 2: What is BCM Program Management?

Written by Moh Heng Goh | Mar 29, 2021 2:54:43 PM

Once the BC project is completed, the next challenge is to keep the BCM Program effort alive. It is therefore essential to continuously emphasize that, in the event of a disaster, BCM is the key to ensuring the safety of all people in the organization as well as the survivability of the organization.

Objective

The objective of the program management phase is to establish an on-going system to ensure the validity of critical business functions, recovery strategy and documented recovery procedures. The ultimate goal is the recoverability of the business processes in the organization.

Tasks

The tasks that have to be completed under the program management phase include:

  • Ensuring that the BC Plan is consistent with the most current business operational setup
  • Ensuring the availability, accessibility and distribution of the BC Plan
  • Ensuring that the BC Plan is maintained to an acceptable standard, efficiency and effectiveness
  • Keeping the BC planning effort going to ensure prompt and correct response of the staff in a disaster
  • Ensuring consistency with international standards

What Does Program Management Encompass?

It is important that the BC Plan be continually maintained, updated and kept effective. The major considerations in this process include:

  1. Maintenance
  2. Training & Awareness
  3. Advanced Testing & Exercising Program
  4. Audit
  5. BCM Mindset & Culture


The expected deliverables at each stage of a typical program management phase are further elaborated in the respective chapters of this book.

1. Maintenance

Key elements in the organization’s BCM Program should be reviewed on a periodic and systematic basis. These key BCM elements include:

  • Change control and review of BC Plan such as BCM objectives, roles and responsibilities of respective committees and teams, and its operating environment
  • Formalization of the BC Plan maintenance process to control the availability, access, editing and distribution of the BC Plan
  • Maintenance of the standard, efficiency and effectiveness of the BC Plan

1.1 Change Control

The BCM Steering Committee should conduct BC reviews on a systematic and periodic basis or when there are significant changes to the business operations and/or environment.
 
For example, reviews should be conducted when the organization relocates to new premises or if there is a major restructuring of the organization. These reviews should include the following:
  • Environmental and operational risks
  • Risk acceptance
  • Risks and their impact on critical business functions
  • BC recovery strategies

1.2 Review of BC Plan

The BC Plan should be reviewed in its entirety and approved once a year by the BCM Steering Committee or equivalent. The frequency is determined by the BCM policy. Personnel with the relevant expertise should be assigned to review appropriate segments of the organization’s BC Plan.
 
External consultants should be engaged if such expertise cannot be found within the organization. However, the responsibility and decision making should rest with the BCM Steering Committee.

The review should cover the content and currency of the BC Plan.

1.3 Review on Roles & Responsibilities

The roles and responsibilities of the following should be reviewed on a periodic and systematic basis:
  • BCM Steering Committee
  • Crisis Management Team
  • Organization BCM Coordinator
  • Business Unit BCM Coordinator
  • Disaster Declaration Officer
  • Teams involved in executing the BC Plan

1.4 Content
 
The BC Plan should:
  • Contain a set of well-defined and sequenced procedures to guide the various recovery activities so that the number of decisions that need to be made is minimized, for example the steps to determine and declare a disaster
  • Specify the resources needed to carry out the activities in each procedure
  • Specify the tasks to be accomplished by each designated team
  • Highlight the critical data to be recovered at each phase of the recovery

1.5 Currency
 
In order to maintain the currency of the BC Plan, it should be:
  • Related to the organization’s most recent structure to ensure that it supports the BCM needs of different business units
  • Tested and maintained on a predefined basis

Independence should be maintained for each review. For example, a staff member from another functional area should be appointed to review the specified area, and the results of each review should be appraised by another independent party.

1.6 Plan Documentation Automation

Whenever possible, the documentation of the BC Plan should be maintained using automated means. This helps to reduce errors and ensure consistency and quality of the BC Plan. For example, an automated piece of BC Plan software which supports inputs from various BCM teams and consolidation into the final BC Plan document may be employed.

1.7 Review of Vendors Contracts

Appropriate BCM requirement clauses should be incorporated in contracts with vendors providing goods and services that support Critical Business Functions (CBFs). Examples are contracts with vendors providing outsourcing services, telecommunications, power supply and utilities.

The Organization BCM Coordinator should review contracts with vendors providing such services on a periodic and systematic basis with a view to adding or changing the BCM requirements.

1.8 BCM Budget

The budget for BCM will be submitted by the Organizational BCM Coordinator to the BCM Steering Committee for its review and approval of any new budget request.
The budget could include the following:
  • Maintenance contract for specialized BC software
  • Attendance of external BC training courses
  • Annual payment for contract for alternate sites
  • Engagement of consultant to assist in the testing and the review of the BC plan
  • Payment for renewal of BCM organizational certification e.g. TR19:2005 or BS25999

1.9 Management Reporting

All reviews and findings of reviews should be adequately documented and reported to the BCM Steering Committee.

Keep the BC Plan up-to-date and in line with the most current business operational setup.

2. Training & Awareness

 
Training and awareness form a crucial component to support and maintain the developed BC Plan and keep BCM vibrant in the organization.
 
Appropriate resources should be allocated specifically for BC training and awareness programs on a yearly basis. These can form part of the yearly training budget and be used for the engagement of external help.

BC training and awareness programs should be conducted on a periodic and systematic basis. For example, a refresher awareness program for all employees should be conducted annually.

2.1 Levels

The training and awareness needs for BC in the organization should be identified and drawn up. The programs should cater to the following levels of staff:
Basic
  • New staff members to the organization
Management
  • Executive Management, managers and supervisors
Specialized
  • Staff members assigned with BC responsibilities

All existing staff members should undergo BCM training and awareness programs. All new staff members should be scheduled to attend such training and awareness programs at the earliest possible opportunity. Appendix 8: Comprehensive List of Training Courses contains the types and levels of training courses and awareness programs.

2.2 Assessments
 
Assessment of BC training and awareness programs should be carried out at two levels:
Program Level
  • The programs drawn up meet the needs of business units supporting CBFs
People Level
  • Participants are assessed after each program to check that the training received meets the objectives set forth

2.3 BCM Appointment Holders
 
Staff members holding key BCM responsibilities, for example the Organization BCM Coordinator, should be adequately trained and qualified. These appointment holders should:
  • Attend BCM planning conferences and seminars
  • Participate in BCM user groups and associations
  • Peruse BCM publications
  • Enroll in formal BCM courses that are internationally recognized and accredited

2.4 Entire Organization

Training should be conducted for all staff members on a periodic and systematic basis to ensure that they remain constantly alert and are able to respond to stipulated activities including the following:
  • Activation of alarm
  • Evacuation and assembly
  • Emergency response
  • Reporting to the appropriate authority to handle the emergency situation

2.5 Specific BCM Staff Members
 
Staff members directly involved in the recovery operations should be identified, assigned recovery tasks and given appropriate training.

Relevant external parties, for example suppliers providing equipment and services during recovery, should be trained in the appropriate procedures so that they can synchronize with the organization’s recovery efforts.

In addition, specific staff members should be trained in the handling of hazardous materials which are used or encountered during incidents, emergencies or disaster situations.

2.6 Internal Update & Awareness
 
Internal staff members in the organization should be updated periodically on the latest BCM trends and developments in the industry. This can take one or more of the following forms:
  • Publishing periodic newsletter on Intranet
  • Organizing internal seminars or conferences
  • Providing Executive Management with BCM update

3. Advanced Testing & Exercising Program

 
Upon completion of the BC project, some initial (elementary) testing and exercising are usually carried out. These tests and exercises include notification call tree and walk-through exercises.

The end of the BC project also marks the start of the BC Program. At this stage, the organization will embark on its advanced level tests and exercises with the following considerations:
  • Awareness of regulators’ and authorities’ expectations
  • Zone transaction testing with critical third parties
  • Positive testing outcomes imperative
  • Lessons learnt, but proof-of-concept outcomes critical
  • Management of work effort and costs
  • Practical cross business testing policy and program
  • Meeting all stakeholder requirements
  • Making best use of test window – planning critical
  • Raising the bar
  • Considering processing loads e.g. 30-day window cross functional capability
  • Business, audit and client input
  • Manageable incremental testing improvements

4. Audit

4.1 BCM Audit Plan

There should be regular BCM audits based on an established BCM audit plan. The BCM audit plan should specify and document:

  • The audit cycle, frequency and program
  • The external parties whom the organization is dependent upon for the business and supporting the CBFs

A BCM audit should be conducted when there are significant changes to the business operations and/or environment. The BCM Steering Committee should review the results of BCM audits.

Once the result of the audit is reported, for example in a separate section on BCM, it should be included in the organization’s annual audit report. Procedures should be established to ensure that deficiencies identified in the BCM audit are rectified.

Effort must be made to ensure that the auditors conducting the BCM audit are competent to undertake the task. These auditors should be sent for training on BCM so that they acquire the necessary skills and knowledge to conduct BCM audits.

BCM audit also helps the organization fulfill the following:
  • BCM and Corporate governance
  • Compliance requirement
  • BCM standards and related guidelines

4.2 BCM & Corporate Governance
 
Corporate governance, in short, is the responsibility of a corporation to its stakeholders. Of particular relevance to the BC concept is the evaluation of the vulnerability of the corporation against its capability to safeguard tangible and intangible assets (for example, cash reserves and branding respectively).

4.3 Compliance Requirement

Compliance with legal requirements such as the Sarbanes-Oxley Act and the Basel II Accord reaps a host of benefits:
  • Reduced risk exposure
  • Increased stakeholder confidence
  • Increased efficiency by having a proactive policy towards compliance
  • Ability to build internal operational efficiencies caused by compliance constraints and controls
  • Increased value to possible partners by showing compliance
  • High availability plus protection from site loss

5. BCM Mindset & Culture

 
The correct understanding of crucial terms and terminology is necessary to inspire BCM buy-in. A common language within the organisation also helps to instill, and subsequently enhance, a BCM culture. For example:
  • BCM Versus BCP
  • Program Versus Project

In order to maintain a healthy BCM mindset and culture, there is a need to:
  • Benchmark against BCM best practices
  • Assess the level of BCM maturity
  • Identify changes in BCM reality
  • Update on BCM trends

5.1 BCM Versus BCP
 
It is incorrect to use the terms BCM and BCP interchangeably. BCP involves the planning of continuity measures while BCM involves the control and management of these continuity measures. Therefore, BCP always precedes BCM.

5.2 Program Versus Project
 
Following from the above explanation, it can be seen that BCP is a one-off project while BCM is an on-going program that needs to be reviewed at least once annually. Therefore, the completion of the BCP project marks the start of the BCM program.

5.3 Benchmark

Benchmarking the BCM Program against similar industry or international BCM-related standards and guidelines in general will create effective discussion and even debate among the organizations. It usually provides meaningful comparisons for internal and external analysis. The process should consist of simple scoring and metrics, and the end result is improved confidence of being able to continue during a disruption.

5.4 Assess BCM Maturity
 
Whilst it is impossible to implement all stages of BCM at one go, a forward-looking, vigilant organization should take one step at a time to ensure that the BCM processes gradually mature over a two- to three-year period. For instance, a full re-location exercise may be conducted a year after a partial simulation exercise. This would ensure that the organization has honed its capability to safeguard the interests of its key stakeholders, reputation, brand and value creating activities.

5.5 Change to Reflect New Views

In our dynamic world, what is considered critical does change over time. Not so long ago, some organizations did not consider their website and electronic mail (or email) worth protecting as these were not seen as mission-critical.

Now, with the advent of e-commerce, email is deemed to be a viable and trusted medium for taking orders, giving approvals, formalizing contracts, and discussing sensitive human resource issues. In fact, email is admissible in courts, as paper-based records are.
 
It is thus “worth protecting” as emails carry more strategic information than ever before. As the perception of criticality changes, so should BCM objectives change to reflect contemporary developments, despite the invariable underlying methodology.

5.6 Update BCM Trends

It is critical for the Organization BCM Coordinator and BCM Steering Committee to keep abreast of BCM trends. Only with such continuous updates will management be in a position to implement short- and long-term BC strategies.

For example, with the heavy reliance on e-commerce and the rising expectations of customers, BCM must be geared towards providing solutions which guarantee recovery of huge volumes of data within a relatively short period of time (one to two hours).

Besides constantly monitoring, evaluating and assessing threats to businesses, organizations should also consider new threats arising from new terrorist initiatives and from evolving infectious diseases.

Reference

Goh, M. H. (2021). Managing & Sustaining Your Business Continuity Management Program. Business Continuity Management Planning Series (3rd ed.). Singapore: GMH Pte Ltd.

Extracted from "Chapter 2: What is Program Management?"
