GPG 2010 Edited Highlights


BCI Good Practice Guidelines 2010 | GLOBAL EDITION

Contents

BCM Management Professional Practices

BCM Lifecycle
01 Policy and Programme Management
02 Embedding BCM in the Organization's Culture

BCM Technical Professional Practices

03 Understanding the Organization
04 Determining Business Continuity Strategy
05 Developing and Implementing a BCM Response
06 Exercising, Maintaining and Reviewing BCM

Copyright the Business Continuity Institute. Any reproduction or distribution of the Good Practice Guidelines is prohibited without the express written permission of the Business Continuity Institute. All content, unless otherwise indicated, is that of the Business Continuity Institute. All references to the Good Practice Guidelines must credit the Business Continuity Institute.


Introduction

This publication contains edited highlights from the Good Practice Guidelines (GPG) 2010. The full (100+ page) version of the GPG is available for purchase from www.thebci.org and is the official textbook for those studying for the BCI Certificate examination.

Who Should Read the Guide?

The GPG is not only for those BCM practitioners looking for professional certification. As a body of knowledge, the GPG is used to inform BCI training courses and awareness briefings for colleagues needing to understand BCM better. These colleagues may include PR and crisis management professionals, supply chain practitioners, and human resources personnel.

BCM is not restricted to any particular industry sector; indeed, applying Standard Industrial Classification codes to the organizations represented among the BCI membership reveals representation in all categories. Likewise, use of the term business does not mean that BCM only refers to commercially-driven organizations: all sectors can readily benefit from adopting BCM practice, including voluntary and not-for-profit organizations. While BCM can demonstrate ready adoption among medium-sized and larger organizations, there is a recognized gap in adoption among smaller businesses. There is nothing inherently corporate about BCM; however, the BCI recognizes that few small business owners have the time or resources to follow the GPG completely, so simpler alternative materials, grounded in the GPG, have been produced to assist them.

What has Changed from the Earlier Version?

The main components remain the same but there have been some refinements to the language and more emphasis on global trends and usage. There are no longer any cross references to BS25999 and no simple direct correlation between the GPG 2010 and BS25999, other than as expressed by the Lifecycle model.

The Good Practice Guidelines 2010 still covers the six phases of the BCM Lifecycle but now links them more directly to what are now defined as Professional Practices (PP). The six PPs are sub-divided into two Management Practices and four Technical Practices.

Management Practices:
Policy and Programme Management
Embedding BCM in the Organization's Culture

Technical Practices:
Understanding the Organization
Determining BCM Strategy
Developing and Implementing a BCM Response
Exercising, Maintaining and Reviewing

What is Business Continuity Management?

The definition used in previous editions of the GPG is unchanged and consistent with British Standard BS25999. Business Continuity Management (BCM) is a holistic process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause. It provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of key stakeholders, reputation, brand and value-creating activities.

The BCI Professional Practices (BCM Lifecycle diagram). Elements shown: Policy and Programme Management; Embedding BCM in the Organization's Culture; Understanding the Organization; Determining BCM Strategy; Developing and Implementing a BCM Response; Exercising, Maintaining and Reviewing.

    BCM | Management Professional Practices


    Policy and Programme Management

Introduction

The BCM policy is the key document that sets out the scope and governance of the BCM programme, and reflects the reasons why BCM is being implemented. It provides the context in which the required capabilities will be implemented, and identifies the principles to which the organization aspires and against which its performance can be audited.

When an organization embarks on a BCM programme it is unlikely to have a BCM policy in place or to understand the decisions it needs to make to produce one. The key steps are:

To develop the BCM Policy
To align the BCM Policy with the organization's strategy, objectives and culture
To decide upon the scope of the BCM programme

Once a BCM policy has been agreed, a project or series of projects should be initiated to enable the organization to undertake the activities required to implement it.

In many organizations, a high level assessment of the threats to achieving the organization's strategic and operational objectives will have been undertaken as part of the business planning process. The output of this exercise can provide a useful input when setting the overall context for the BCM programme. In some regulated environments a formal risk assessment is a mandated activity.

Aligning BCM Policy to Organizational Culture

A BCM programme needs to reflect the organization's strategy, objectives and culture to ensure that the programme is relevant, effective and appropriate.

BCM Programme Scope and Determining Choices

The purpose of setting the scope is to ensure clarity of what areas of the organization are included within the BCM programme, defined by identifying which products and services fall within it. This focuses on the key success criteria of most organizations: the delivery of products or services. An understanding of the organization's strategy, objectives and culture is required before the scope of the BCM programme can be determined and choices selected.

Developing the BCM Policy

The BCM Policy of an organization provides the framework around which the BCM capability is designed and built. The organization, governance and management of the implementation of BCM are prerequisites for developing a successful BCM programme. These are set out in the BCM Policy, which is owned by Top Management.

Outsourced Activities

It is important that the BCM Policy also covers outsourced activities. The organization's delivery of products and services should not be disrupted by a failure of a third party supplier of goods or services which are provided either to the organization or direct to the customer on the organization's behalf. If part or all of a product or service delivery is outsourced, the responsibility for its continuity remains with the organization. Stakeholders will assume the organization to have made an informed choice about its partners and taken appropriate measures to assure delivery. Statutory and regulatory requirements usually emphasise that ultimate responsibility for outsourced services remains with the organization.

BCM Programme Management Overview

BCM is an iterative process, and needs to be actively managed. The initial aim of this stage will be to successfully complete an implementation of the BCM Lifecycle, but the long term goal of BCM programme management is to improve the organization's BCM capability, and hence its operational resilience, with successive iterations of the BCM Lifecycle.


Assigning Responsibilities

A successful BCM programme is dependent upon the early identification of clearly defined roles, responsibilities and authorities to manage the BCM programme and process throughout the organization. These will have been established in the BCM Policy.

Implementing BCM in the Organization

Implementing a BCM programme involves managing a number of related projects, and the coordination of activities that balance:

Awareness-raising: events which maintain the enthusiasm for undertaking a BCM programme
Data collection: to determine the choice of continuity options to support the organization's objectives
Planning: the development of plans to respond to incidents that might not occur
Mitigation measures: the implementation of measures to mitigate the impact of an incident should it occur as the programme is being developed
Exercising: exercising contingency plans

Project Management

When undertaking an initial implementation of a BCM programme in an organization, project management disciplines should be adopted. The project management method selected should be appropriate to the size and complexity of the organization and its implementation of BCM.

Ongoing Business Continuity Management

Once implemented, the BCM programme needs to be managed in a continuous cycle of improvement if it is to be effective. This will involve the participation of various managerial, operational, administrative and technical disciplines that need to be coordinated as outlined in the Guidelines.

BCM Documentation

An important part of the BCM process is to manage the BCM documentation. This needs to be carried out in a manner that is consistent, easy to understand and provides both operational and audit/review support. The level and type of documentation should be appropriate to the type and size of the organization.


Embedding BCM in the Organization's Culture

Introduction

The successful establishment of BCM within the organization's culture is dependent upon its integration with the organization's strategic and day-to-day management as well as its alignment with business priorities.

Assessing the Level of BCM Awareness and Training

The BCM Policy provides the framework which supports the need for cultural change. Before planning and designing the components of an awareness campaign, it is important to understand what level of awareness currently exists, and what level is desired. It is also important to identify how the desired level of awareness will be measured and what changes will be manifested in the new BCM culture.

BCM competence and capability must be appropriate to the nature, scale and complexity of an organization, thus reflecting its culture and support of the business objectives.

The organization's level of awareness will be constantly changing as personnel join and leave. Internal and external events may also lead to a sudden increase in awareness and knowledge of BCM issues. As these can arise quickly, the BCM programme should be ready to seize on and develop such opportunities when they arise.

Consideration should be given to extending the scope of the BCM awareness programme to the organization's suppliers, customers, contractors and other stakeholders.

Developing BCM within the Organization's Culture

The BCM Policy provides the framework for supporting the requirement for cultural change. Within the BCM culture and awareness activity, the design and delivery of education, training and awareness must be derived from a justifiable Training Gap Analysis. The responsibilities of individuals within the BCM programme need to be assigned before the programme is designed. The purpose of this activity is to define the BCM messages to be assimilated by staff, and select the most effective means to deliver those messages.

Monitoring Cultural Change

The purpose of education, training and awareness monitoring is to maintain the quality and effectiveness of the campaign, ensure currency with corporate, industry and other pertinent BCM issues, and ensure that the required level of BCM awareness is achieved.

Clearly, both the overall achievement of the campaign and the success or otherwise of specific components must be reviewed in order to continuously improve the relevance and effectiveness of the work done.

Furthermore, the awareness campaign should be viewed as an ongoing task, and periodic reviews made to check awareness and identify any effort required to maintain it at an acceptable level.

Achieving Cultural Change Through Management Systems Standards

Although the implementation of a formal Business Continuity Management System (BCMS) does not in itself result in cultural change, it does provide some of the pre-requisites for success. These are:

Top Management commitment
A formal process for performance measurement
The need to demonstrate how well BCM has been embedded
Assurance of the quality and accuracy of documentation
Assurance of mandatory processes and procedures
The involvement of a wide range of individuals at all levels
Training needs and appropriate budgets to be established


    BCM | Technical Professional Practices

Understanding the Organization

Introduction

Understanding the Organization is the professional practice within the BCM Lifecycle that reviews an organization in terms of what its objectives are, how it works functionally and the constraints of the environment in which it operates. The information collected makes it possible to determine how best to prepare an organization to be able to manage disruptions which might otherwise seriously or fatally damage it.

The tools for understanding your business for Business Continuity purposes are:

Business Impact Analysis (BIA): for evaluating the impact over time of a disruption to an organization's ability to operate
Continuity Requirements Analysis (CRA): to estimate the resources, facilities and external services that each activity will require at both resumption and return to normal after a disruption
Evaluating Threats through Risk Assessment: to estimate the likelihood and impact on specific functions from known threats

Business Impact Analysis

The Business Impact Analysis (BIA) is the foundation on which the whole BCM process is built. It identifies, quantifies and qualifies the business impacts of a loss, interruption or disruption of business activities on an organization and provides the data from which appropriate continuity strategies can be determined.

A BIA can be used to identify the timescale and extent of the impact of a disruption at several levels in an organization. For example, to examine the effect of:

Strategic: The loss of the ability to deliver each product or service, to assist in deciding the scope of the BCM programme
Tactical: An interruption to the internal and external activities that would disrupt the delivery of products and services, to provide the information for selection of continuity options and their resource requirements
Operational: A disruption of a business area's activities, to assist the preparation of a detailed plan for the department

It is necessary to obtain the full support of Top Management before a Business Impact Analysis is attempted. It is unlikely that managers will be prepared to dedicate time to this exercise unless this top tier support is demonstrated. A decision about which products and services are within the scope of the BCM programme may have been made before a BIA is undertaken, and will be documented within the Business Continuity Management (BCM) Policy. Alternatively the BIA method can be used to understand the impact of the failure to deliver the product or service, which can be used to decide the scope of the BCM programme.


Continuity Requirements Analysis

The Continuity Requirements Analysis (CRA) collects information on the resources required to resume and continue the business activities that support the organization's objectives and obligations. This step is usually undertaken at the same time as the BIA information is being gathered.

Its purpose is to:

Provide the resource information from which an appropriate recovery strategy can be determined/recommended
Identify resource requirements resulting from activity dependencies that exist both internally and externally

Evaluating Threats Through Risk Assessment

The purpose of evaluating threats is to identify measures that can be put in place to reduce the likelihood of interruption to the organization's most urgent activities and the impact, should the risk be realised.

A BIA should be completed in advance, to identify the organization's most urgent activities.

Evaluating Threats through Risk Assessment helps in identifying potential causes of interruption to an organization, the probability of occurrence and the impact of the threat occurring. Measures can then be identified that attempt to reduce the probability of occurrence or reduce the impact of an incident arising from these specific threats. Within the BCM programme, this stage should focus on the inherent threats to the business activities identified as most urgent in the BIA results rather than on all threats to the organization.


Determining Business Continuity Strategy

Introduction

Determining Business Continuity Strategy is the professional practice within the BCM Lifecycle that determines which BCM strategies will meet the BCM Policy and organizational requirements and selects tactical responses from available options.

Identifying and Selecting Strategies

The organization needs to select BCM strategies that will enable it to protect the continued delivery of its products and services. This section covers the identification and selection of these strategies.

A number of previously established parameters will be used as aids in the identification and selection of appropriate strategies.

The MTPD (Maximum Tolerable Period of Disruption) is the duration after which an organization's viability will be irreparably damaged if a product or service delivery cannot be resumed. The target time for resuming the delivery of a product or service following its disruption is known as its Recovery Time Objective (RTO). The Maximum Tolerable Data Loss (MTDL) is the loss of currency of data (electronic and other) from which an organization would be unable to recover its operational capability. The age or value of the lost data could make resumed operations impossible. The target time for the worst case data loss in planning terms is known as its Recovery Point Objective (RPO). It follows from these definitions that an RTO must be shorter than the MTPD and an RPO no longer than the MTDL; otherwise the target itself permits the damage the parameter is meant to rule out.

An up to date BIA and CRA will provide the MTPD and MTDL for each product and service in the scope of the BCM programme. It will also quantify the recovery requirements for the activities that support the delivery of the products and services. The RTO and RPO parameters for each product and service are determined in this section. This leads to the selection of the most appropriate BCM strategies.


Identifying and Selecting Tactical Responses

The purpose of this step is to select appropriate tactical continuity options for each activity that supports the delivery of the organization's products and services, and to identify what needs to be done to implement the selected options. These tactics will be based on the BCM strategies selected for each product or service.

Appropriate tactics for each activity will need to be selected to cover the requirements in the relevant areas of:

People (skills and knowledge)
Premises (buildings and facilities)
Resources:
> Information technology (IT)
> Telecommunications
> Non electronic (paper) information
> Equipment
Suppliers (products and services supplied by third parties)

For manufacturing organizations, particular attention will also need to be given to:
> Production processes
> Materials, logistics and inventory
> Power and utilities

In order to undertake this stage, both RTO and RPO parameters must be available with an up to date CRA that identifies the recovery requirement. The agreed BCM strategies for each product and service must also be available.

Consolidating Resource Levels

The purpose of consolidating resource levels is to:

Ensure that the selected tactics are consistent across the organization
Ensure that the selected tactics do not conflict with one another (e.g. that different activities are not planning to use the same internal resource for recovery)
Determine how best to source external requirements (e.g. third party recovery sites)
Assist in determining the number and structure of the Business Continuity Plans

Having selected appropriate tactical continuity options for each important and urgent activity, the resource requirements of the tactics need to be consolidated.
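The parameter definitions (MTPD, MTDL, RTO, RPO) and the consolidation step above reduce to two mechanical checks that are worth scripting once a CRA covers more than a handful of activities. The following Python is an added example, not code from the BCI or from the Guidelines; the product and activity names, the resource figures, the capacity numbers and the dataclass layout are all constructed assumptions. It flags targets that are looser than their tolerable limits (an RTO beyond the MTPD, an RPO beyond the MTDL, an activity that would resume later than the product it supports), then sums the resource demand of every tactic and hands out scarce internal resources to the most urgent activities first, so that competing claims on the same resource surface before a plan relies on them.

```python
"""Recovery-parameter checks and resource consolidation for a BCM programme.

Added worked example; it is not part of the BCI Good Practice Guidelines.
All products, activities, demands and capacities below are constructed
sample data, and the dataclass and field names are this example's own.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Product:
    name: str
    mtpd_h: float  # Maximum Tolerable Period of Disruption, hours (from the BIA)
    mtdl_h: float  # Maximum Tolerable Data Loss, hours of data (from the BIA)
    rto_h: float   # Recovery Time Objective chosen for this product
    rpo_h: float   # Recovery Point Objective chosen for this product


@dataclass
class Activity:
    name: str
    product: str                # product or service this activity supports
    rto_h: float                # when the activity must be running again
    demands: dict = field(default_factory=dict)  # resource -> units needed at recovery


def check_objectives(products, activities):
    """Return findings where a target is looser than its tolerable limit.

    An RTO later than the MTPD, or an RPO larger than the MTDL, means the
    plan's own target already permits irreparable damage. An activity whose
    RTO is later than its product's RTO cannot support that product's target.
    """
    findings = []
    by_name = {p.name: p for p in products}
    for p in products:
        if p.rto_h > p.mtpd_h:
            findings.append(f"{p.name}: RTO {p.rto_h}h exceeds MTPD {p.mtpd_h}h")
        if p.rpo_h > p.mtdl_h:
            findings.append(f"{p.name}: RPO {p.rpo_h}h exceeds MTDL {p.mtdl_h}h")
    for a in activities:
        prod = by_name.get(a.product)
        if prod is None:
            findings.append(f"{a.name}: supports unknown product {a.product!r}")
        elif a.rto_h > prod.rto_h:
            findings.append(f"{a.name}: activity RTO {a.rto_h}h later than "
                            f"{prod.name} RTO {prod.rto_h}h")
    return findings


def consolidate(activities, capacity):
    """Sum resource demand across all tactics and allocate it by urgency.

    Returns (total_demand, shortfalls, unmet): the units each resource is
    asked for in total, the resources where demand exceeds capacity, and the
    activities that cannot be satisfied when capacity is handed out to the
    most urgent (lowest RTO) activities first, as a tactical plan would.
    """
    total = defaultdict(float)
    for a in activities:
        for res, units in a.demands.items():
            total[res] += units
    shortfalls = {res: units - capacity.get(res, 0.0)
                  for res, units in total.items() if units > capacity.get(res, 0.0)}
    remaining = dict(capacity)
    unmet = []
    for a in sorted(activities, key=lambda x: x.rto_h):
        if all(remaining.get(r, 0.0) >= u for r, u in a.demands.items()):
            for r, u in a.demands.items():
                remaining[r] -= u
        else:
            unmet.append(a.name)
    return dict(total), shortfalls, unmet


# Constructed sample data (not taken from the Guidelines).
PRODUCTS = [
    Product("Online ordering", mtpd_h=24, mtdl_h=1, rto_h=8, rpo_h=0.25),
    Product("Payroll", mtpd_h=72, mtdl_h=24, rto_h=48, rpo_h=24),
    Product("Customer support", mtpd_h=8, mtdl_h=4, rto_h=12, rpo_h=2),  # RTO > MTPD
]
ACTIVITIES = [
    Activity("Web front end", "Online ordering", 4, {"virtual servers": 10}),
    Activity("Order processing", "Online ordering", 10,  # later than product RTO
             {"recovery desks": 20, "virtual servers": 6}),
    Activity("Support helpdesk", "Customer support", 12, {"recovery desks": 30}),
    Activity("Payroll run", "Payroll", 48, {"recovery desks": 5, "virtual servers": 2}),
]
CAPACITY = {"recovery desks": 40, "virtual servers": 16}  # internal recovery resources

if __name__ == "__main__":
    for line in check_objectives(PRODUCTS, ACTIVITIES):
        print("FINDING:", line)
    total, short, unmet = consolidate(ACTIVITIES, CAPACITY)
    print("total demand:", total)
    print("shortfall against capacity:", short)
    print("cannot be met internally:", unmet)
```

With the sample figures the script reports two findings (Customer support's RTO of 12h exceeds its 8h MTPD, and Order processing would resume two hours after the product it supports) and shows that 55 recovery desks and 18 virtual servers are being claimed against 40 and 16 available; allocating by urgency leaves Support helpdesk and Payroll run without internal capacity, which is exactly the kind of conflict that has to be resolved by re-sequencing the tactics or sourcing a third party recovery site before the plans are written.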


Developing and Implementing a BCM Response

Introduction

Developing and Implementing a BCM Response is the professional practice within the BCM Lifecycle that implements agreed strategies through the process of developing a set of Business Continuity Plans.

The aim of the various plan(s) covered in this stage is to identify, as far as possible, the actions and the resources which are needed to enable the organization to manage an interruption, whatever its cause, back to a position where normal business processes can resume.

The key requirements for an effective response are:

A clear procedure for the escalation and control of an incident (incident response structure)
Communication with stakeholders
Plans to resume interrupted activities

These outcomes can be achieved by various means and structures, and whatever structure is adopted, it is important that it fits well with the culture of the organization. The actions found in plans are not intended to cover every eventuality as, by their nature, all incidents are different.

Procedures may need to be adapted to the specific event that has occurred and the opportunities it may have opened up.

Incident Response Structure

Regardless of the cause of the incident which causes a business interruption or impact, there must be a documented and fully understood incident response structure in place. This structure will cover three types or levels of management activities:

1 Strategic
2 Tactical
3 Operational

The response structure adopted by an organization needs to address all these levels, and for each plan that is developed and implemented as part of the structure, a response team with clear procedures for escalation and control needs to be established.

Incident Management Plan (IMP)

Although this is part of the Business Continuity Planning process, it is often considered as a unique BCP in its own right. It has some special characteristics which differentiate it from the tactical and operational plans which form the bulk of the BCP portfolio. It is defined as:

A documented plan of action for use at the time of an incident, covering key personnel, resources, services and actions needed to implement the incident management process.

This is a strategic level BCP that defines how strategic issues resulting from a major incident would be addressed and managed by Top Management.

Tactical Level Plans

Tactical level plans often form the bulk of an organization's portfolio of BCPs. These plans address business disruption, interruption or loss from the initial response to the point at which business operations are recovered, and are based upon the agreed Business Continuity Strategies. A tactical level plan coordinates the recovery, ensuring that the operations covered by the plan work together to a common purpose, and that, where resources are scarce, they are allocated to the most urgent activities.


Operational Level Plans

Operational level plans provide for the resumption of the business functions covered by the plan from the beginning of the incident through the recovery phase back to business as usual. They are based upon the agreed recovery requirements and Business Continuity tactics, and provide procedures and processes for recovering activities to the agreed level of operation.

Developing and Managing Plans

The incident response structure selected, the BCM strategy, and the size and diversity of the business will determine the number and type of plans to be put in place.

Ideally, tactical and operational plans will not be developed until the organization's Strategy has been determined and agreed, although for organizations with no arrangements in place, a strategic level response (typically an IMP) may be implemented beforehand to provide some protection in the meantime.

Each plan should always contain assumptions about the maximum scale of the incident in terms of extent, duration or staff impact.

Strategic Plans

Although the basic principles and approach to producing BCPs are similar in all situations, different degrees of emphasis are needed for different levels of plan. The need to involve Top Management in the development and implementation of BCPs is essential both to immediate successful response and to ongoing Business Continuity. Case studies of major incidents suggest that effective and rapid management of a crisis is the significant factor in protecting an organization's brand from financial and reputation damage.

Tactical Plans

Tactical level plans are the most common form of BCP. They pull together the response of the whole organization to a disruptive incident by facilitating the resumption of business activities. Those using the plans should be able to analyze information from the response teams concerning the impact of the incident, select and deploy appropriate strategies from those available in the plans, direct the resumption of business units according to agreed priorities and pass progress information to the strategic level response team.

Operational Plans

Tactical level plans will rapidly become unwieldy if all recovery procedures are included in a single document. When this becomes the case, the response and recovery plans of each business unit should be made into one or more separate operational plans that become the responsibility of the business unit to which they relate.

Operational level plans cover the response by each department or business unit to the incident. Examples of operational plans are:

A business department plan to resume its functions within a predefined timescale
Procedures to assist an incident response team, usually led by a Facilities department, that deals with the specific incident and its physical impact
A Human Resources response to welfare issues during an incident
An IT department's logistical response to the loss and subsequent resumption of IT services to the business


Exercising, Maintaining and Reviewing BCM

Introduction

Exercising, Maintaining and Reviewing BCM is the professional practice within the BCM Lifecycle that seeks to ensure continuous improvement is achieved through ongoing and scheduled actions. The activities undertaken in this section will be underpinned by the BCM Policy.

General Principles

Most organizations exist in a dynamic environment and are subject to changes in people, processes, market, risk, environment, geography and business strategy. To ensure that their BCM capability continues to reflect the nature, scale and complexity of the organization it supports, it must be current, accurate, complete, exercised and understood by all stakeholders and participants.

Developing an Exercise Programme

The purpose of the Exercise Programme is to ensure that over a period of time:

All information in plans is verified
All plans are rehearsed
All relevant personnel (including deputies) are exercised

Business Continuity Management (BCM) capability cannot be considered reliable until it has been exercised. An Exercise Programme should focus on maximizing business benefits while minimizing business disruption. A planned Exercise Programme is required to ensure that all aspects of the plans and personnel have been exercised over a period of time, avoiding disruption to the whole business.

Exercising can take various forms, including technical tests, desktop walkthroughs and full live rehearsals. No matter how well designed a BCM Strategy or Business Continuity Plan (BCP) is, a series of robust and realistic exercises will identify issues and assumptions that require attention.

Time and resources spent exercising BCPs are a crucial part of the overall process as they develop competence, instil confidence and impart knowledge that are essential in times of crisis.

Validating technical recovery capabilities is an important part of an exercise programme but an equally key element is the role of people. The programme should ensure that their skill levels, knowledge of their role, management capability and decision-making are exercised in a safe environment.

While a service may be outsourced, the accountability for Business Continuity cannot. The organization outsourcing the service must ensure that the suppliers can cope with disruption. Ideally, BCM will form a part of the outsourced contract and will include a shared exercise programme relevant to the recovery objectives of the customer.

The BCM Policy should outline the responsibilities for the Exercise Programme.


Exercising BCM Arrangements

Exercising is a generic phrase used here to describe the exercising of Business Continuity Plans, rehearsing team members and staff, and testing technology and procedures. Three terms are in general use:

1 Desktop: Theoretically try out the capability without any actual physical actions being taken. An example is a scenario based event in which decision-making abilities during a major incident are examined
2 Rehearsal: The practice of a specific set of procedures or technologies that require physical actions. This is achieved by following a script to impart knowledge and familiarity. An example is a fire drill
3 Test: A check to see if a procedure or technology works, where the result can be either a pass or fail (for the procedure or technology, not an individual). It is usually used when the procedure or technology is being tried, often against a target timescale. An example is the rebuilding of a server from back-up tapes within a set number of hours

Maintaining BCM Arrangements

The BCM Maintenance Programme ensures that the organization remains ready to manage incidents despite the constant changes that all organizations experience. To be effective, the BCM Maintenance Programme should be embedded within the organization's normal management processes rather than be a separate structure that can be ignored or forgotten.

An effective change management process is a prerequisite of maintenance of the BCM programme. Many of the issues that show up in tests and exercises are the result of internal changes within the organization: staff, locations or technology.

Reviewing and Auditing BCM Arrangements

There are several ways to review a BCM programme, which include self-assessment (first party), internal audit (second party) and external audit (third party). A formal BCM Audit process ensures that an organization has an effective Business Continuity programme. BCM Audit has five key functions:

1 To validate compliance with the organization's BCM policies and standards
2 To review the organization's BCM solutions
3 To validate the organization's range of BCM plans
4 To verify that appropriate exercise and maintenance activities are taking place
5 To highlight deficiencies and issues, and ensure their resolution

Auditing is designed to verify that the process has been followed correctly, not that the solutions adopted are necessarily correct.


Business Continuity Institute
10 Southview Park
Marsack Street
Caversham
Berkshire RG4 5AF
United Kingdom

T: +44 (0)118 947 8215
W: www.thebci.org
E: [email protected]
