ABC Bcms Policy Strategy Draft


8/12/2019 ABC Bcms Policy Strategy Draft

http://slidepdf.com/reader/full/abc-bcms-policy-strategy-draft 1/21


Business Continuity Management System (BCMS)

Policy & Strategy Framework

**ABC**

Version 1.2 DRAFT

INTERNAL USE ONLY

Objective: The purpose of the BCMS is to provide a clearly defined and documented policy, framework and operational direction to ensure the resilience and continuance of the business critical activities.

Scope: **ABC** (**ABC**) business activities within **Location1**, **Location2**.

Audience: All officers, senior personnel and staff of the organisation who are involved in the provision of the Incident and Business Continuity capability of the organisation.


Table of Contents

1 Overview
  1.3 Best Practice
  1.4 Purpose
  1.5 Objectives
2 Policy and Organisation
  2.3 Executive Management - Policy Statement
  2.4 Incident Response & Business Continuity Structure
  2.5 Roles & Responsibilities
3 Understanding The Business
  3.3 Business Impact Analysis
  3.4 Risk Assessment & Risk Register
4 Determining BCM Strategies
  4.3 BCM Strategy Models
  4.4 Process Level BCM Strategies
  4.5 Resource Recovery BCM Strategies
5 Developing & Implementing BCM Response Plans
  5.3 Business Continuity Plans
  5.4 Incident Response & Management Planning
6 Embedding BCM in the Culture
  6.3 Awareness, Training and Culture
7 Exercising, Maintenance & Review
  7.3 Exercising
  7.4 Maintenance
  7.5 Audit & Review


DATA STATEMENT

The information and data provided herein shall not be duplicated, disclosed or disseminated by the recipient in whole or in part for any purpose whatsoever without the prior written permission from **ABC**.

REVISION HISTORY

| Version/Revision | Release Date | Originator | Reason(s) for Change |
|---|---|---|---|
| 1.0 | **Date** | **Person1** | First draft |
| 1.1 | **Date** | **Person1** | **ABC** Feedback |

DISTRIBUTION LIST

| Recipient | Role |
|---|---|
| **Person1** | BCM Project Documentation |
| BCM Repository | **ABC** Network |


1 OVERVIEW

This document provides an overview of the framework for Incident and Business Continuity Management within **ABC**. It is intended to be a ‘top down’ living document which provides vision, direction and unification of business continuity related activities.

Its outline approach is based on best practice in order to develop an effective business continuity management capability through an established and robust process.

1.3 Best Practice

The approach taken is based on best practice and uses the business continuity lifecycle as per ISO 22301 – Business Continuity Management standard. Figure 1 illustrates the core components as per the standard.

The approach also follows the PDCA methodology as laid out by the BSI (Figure 2), focussing on successful planning, doing, checking and acting. The aim is to ensure that **ABC**’s BCM provision is both holistic and supports the strategy and business need.

Figure 1: Business Continuity Lifecycle – ISO 22301

Adopting the PDCA - ‘Plan Do Check Act’ approach also ensures alignment with other quality and management systems such as ISO 9001 and 27001 for Information Security Management.

Plan – Establish (Policies, objectives, processes, controls etc)

Do – Implement & Operate (as above)

Check – Monitor & Review (Against policy & objectives)

Act – Maintain & Improve (Through preventative & corrective actions)

Figure 2 – PDCA

BCM (Business Continuity Management) requires planning across many parts of the business, which is demonstrated in this policy and strategy document, which in turn becomes a key focus and of vital importance to all **ABC** management and staff in recognising the links between business activities, facilities, IT/Telephony and people resourcing.

1.4 Purpose

The purpose of the BCMS Policy & Strategy Framework document is to provide **ABC** with an effective, fit for purpose, predefined and documented framework and process, in conjunction with best practice.

1.5 Objectives

• To provide a consistently clear view of the approach to be taken regarding Incident Response & Management and Business Continuity Management (BCM) within **ABC**
• To develop a BCM capability in line with best practice
• To ultimately recover and protect the business critical activities of **ABC**, thereby reducing any subsequent financial impact to the organisation
• To protect the **ABC** brand and minimise any adverse impact to it
• To be able to continually service the best interests of customers & stakeholders in terms of delivering the core objectives of the business, without compromise


2 POLICY AND ORGANISATION

2.3 Executive Management - Policy Statement

Unwanted events such as floods, fire, terrorism or even system failures and data loss, all have the potential to cause severe disruption to the continuity of any organisation and its operations.

The potential impact to **ABC** could have very real consequences, affecting employee health and safety, revenue, public reputation, stakeholder, customer confidence and above all our operating efficiency. Clearly this is undesirable and we must take appropriate measures as a business to ensure that we are prepared to respond in order to maintain both our operational capability and customer service focus.

On this basis, the Executive Management Team and the Board have decided to incorporate Business Continuity Management (BCM) as part of its overall risk management strategy and corporate governance. It also demonstrates that we are a responsible and trustworthy organisation, capable of providing services to our customers.

As a result of this challenge, the quality and completeness of our business continuity processes, strategies and plans are vital, as these could be crucial following an incident by underpinning the success of our recovery effort.

This is not a one-off exercise and will remain as an ongoing programme for the organisation and it is the duty of us all to ensure that we protect our future as we embark on new challenges to continue demonstrating the highest possible standards in all aspects of what we do.

**Person2**
Chief Executive - **ABC**


2.4 Incident Response & Business Continuity Structure

The Incident Response Team (IRT) consists of a group of nominated individuals (differs by Incident type and area) who make up the initial IRT. The IRT is the group of key senior management that commands and controls the resources needed to respond to a situation which could impact **ABC** business operations.

As the nature of an incident can be unpredictable, it is not possible or indeed wise to provide strict roles for the team members. Ultimately it is for the Incident Response Team Leader and the team members to organise themselves in an optimal manner, calling on any additional resource it requires. The following roles provide guidance of key areas of responsibility and potential activities.

The Incident & Business Continuity structure is made up of Strategic, Tactical and Operational levels (often referred to as Gold, Silver and Bronze). The ‘Strategic’ level is represented by the Incident Response or Management Team, with ‘Tactical’ forming the Business Continuity response. The ‘Operational’ layer consists predominantly of business as usual activities; hence the roles will already be present or well defined within the existing structure at **ABC**.


2.5 Roles & Responsibilities

INCIDENT RESPONSE

| Role | Responsibilities |
|---|---|
| Incident Response Team (IRT) Leader | From the initial Incident notification, the IRT Leader has overall responsibility for declaring and dealing with the situation and for co-ordinating the strategic response. |
| Communications | To provide internal communications and liaise with the outside world including; ultimately ensuring that everyone is kept fully informed and briefed on any actions they need to take |
| IT | To ensure the IT systems, applications, data and communications infrastructure is recovered in a timely manner as per the business recovery profile |
| HR | To ensure the safety and well being of all **ABC** Staff |
| Corporate Services | To maintain the building environment and associated support services |
| Finance | To safeguard the financial security and stability of the organisation |
| Core Functions/Depts | Depending on the incident and functions which are impacted – decide which of the ‘Core Functions’ are required as part of the IRT. |

BUSINESS CONTINUITY

| Role | Responsibilities |
|---|---|
| Business Continuity Manager/Sponsor | Overall ‘fitness for purpose’ of Business Continuity capability/BCMS, including management of contracts with 3rd parties such as work area recovery and IT resilience, exercising, testing and maintenance. |
| Business Continuity Co-ordinators/Plan Owners | Co-ordinators are responsible for the ongoing maintenance of their functions in line with the schedule set out by the BC Manager and are also responsible for co-ordination of the head office and primary location plan activities during execution, including resourcing and recovery. This includes all levels of content, including Business Critical Activities, Recovery Timeframe Objectives, strategies, resourcing, IT requirements, as well as all supporting documentation and appendices. They should also ensure that any dependencies are documented and verified, as being in place. |


2.5.1 EMT (Sub BCM Steering Committee or Working Group)

The BCM Steering Committee or Working Group should consist of a group of high-level stakeholders who are responsible for providing guidance on overall strategic direction on business continuity related matters.

They do not take the place of a BCM Sponsor, but help to spread the strategic input and buy-in to a larger portion of the organisation. The meeting is most likely to be chaired by the Business Continuity Manager or natural stakeholder, with representatives from IT, Facilities, 3rd party suppliers, project managers and selected business/directorate leaders where appropriate.

The committee or group should look to meet on a predetermined but regular basis (every quarter as a minimum) in order to review potentially relevant matters, such as IT infrastructure changes, strategic/business change or personnel amendments.

It may also be appropriate for business continuity to form a part of the Executive Management meeting as a regular agenda item.


3 UNDERSTANDING THE BUSINESS

3.3 Business Impact Analysis

Understanding the business and what we do is pivotal to the foundations and success of the **ABC** Business Continuity Programme.

Defining the Mission or Business Critical Activities within the organisation is a key and primary activity and is based largely on two key metrics, namely:

• RTO (Recovery Time Objective) – Timescale in which mission, business critical activities must be recovered
• RPO (Recovery Point Objective) – Point in time to which work should be restored following a business continuity incident that interrupts or disrupts the organisation

Understanding the risks, threats and impacts that surround these key activities will enable **ABC** to quantify and qualify the risk to the business and therefore take appropriate action to protect and recover the required operations.

Once this exercise has been conducted, the EMT/BCM Steering Committee will be better placed to form a view or setting of their ‘risk appetite’, which defines the level of risk that it is willing to accept.

Other key outcomes from conducting the Business Impact Analysis include:

• Financial and non-Financial impacts, (Tangible and Intangible)
• A minimum level of resources required, phased over time, such as personnel, IT Applications, Systems, Data and Vital Records. This will form the Resource Recovery Profile for the Strategy Development.
• A defined Recovery Profile built on verified and signed off RTO’s and RPO’s.
• Any additional constraints, such as legal, contractual and regulatory.

3.4 Risk Assessment & Risk Register

Reducing risk is a key activity for the business. Not only does it enable us to understand the potential likelihood (frequency and probability) of something affecting us, but it also assists the business in developing its risk appetite.

The purpose of the risk assessment and register is to effectively identify, define and evaluate the risks potentially faced by the Business Critical Activities and to put in place a set of controls or countermeasures to manage or reduce the risk.

Key outcomes include:


• Vulnerability and exposure or likelihood of occurrence to **ABC** from a specific type of incident
• Risk concentration – where a number of risks are located within the same function, activity or building
• Overall risk appetite view of BIA information and the associated risks
• Prioritised list of risks and their controls, which may be put forward to the existing risk register for monitoring and review


4 DETERMINING BCM STRATEGIES

Business continuity strategy models involve the identification and selection of alternative methods of operating the primary ‘Business Critical Activities’ following an incident, to the minimum acceptable level required.

There are a number of generic strategies to mitigate the impact of a disruption or reduce the probability of a threat event. Each strategy has parameters of speed of resumption, reliability of availability and cost which will be appropriate to different parts of the business so an organisation may require several elements to form an appropriate solution, depending upon the individual business functions.

4.3 BCM Strategy Models

There are four basic strategic BCM Models to bear in mind:

1. Active/back up model – this involves having an ‘active’ backup site for the rapid resumption of the Business Critical Activities (BCA). This relies on the relocation of staff from the active site to the backup location with access to IT.

2. Active/active (split operations) – This model relies upon two or more geographically split ‘active’ operational or production sites for BCA. There is likely to be reciprocal backup and work/load balancing between sites.

3. Alternative site model – The use of an ‘active’ operating or production site with a corresponding backup site that occasionally functions as the primary site

4. Contingency Model – alternative ways of delivering services to cater for the loss of normal operational processes and components, such as the loss of a critical IT system which requires the use of manual processing or workarounds

4.3.1 Functional relocation measures

• A ‘do nothing’ strategy may be acceptable for certain non-urgent functions identified in the BIA. Purchasing buildings and installing utilities may take several months

• Budge up makes use of existing in-organisation accommodation such as a training facility or canteen to provide recovery space or increasing the office density. This will require careful planning and some technical preparation.

• Displacement involves displacing staff performing less urgent business processes with staff performing a higher priority activity. Care must be taken when using this option that backlogs of the less urgent work suspended do not become unmanageable.

• Remote Working includes the concept of “working from home” and working from other non-corporate locations e.g. hotels (Internet Cafes should not be considered). Working from home can be a very effective solution but care must be taken to ensure Health and Safety issues are addressed and sufficient bandwidth capacity is available.

• Third party alternative site arrangements from a commercial or service organisation, (Easy Continuity Ltd), or **Location1** may be an option for consideration if these can ensure the organisation’s recovery time objectives (RTO) are achieved.
  o Dedicated space (Work Area Recovery) provides guaranteed and immediate availability but is more expensive than syndicated space.
  o Syndicated space (Work Area Recovery) usually provides access within 4 hours and enables ‘warm to hot’ recovery of key functions, telephony and back office in order to continue supporting the business

• ‘Ship in’ Contracts includes generators, IT equipment such as PCs, servers and printers and specialist hardware and equipment such as telephony systems. This may be an appropriate strategy if an unprepared building is to be equipped to provide an appropriate working environment. Most ship-in contracts permit the delivery location to be nominated at invocation, allowing a more flexible response to a specific incident compared to a fixed site recovery capability. Contract terms vary from ‘best efforts’ to guaranteed delivery.

• Insurance; combined with other BCM measures would provide a potentially good level of ‘risk portfolio’ protection for the business

4.4 Process Level BCM Strategies

Process level strategies should be developed for every mission or Business Critical Activity (BCA) that has been identified in order to provide a clear view on how **ABC** will provide protection for its most critical activities. Once defined, this will enable the development of an organisation Resource Recovery Strategy so that a complete BCM capability exists for that activity.

Outcomes for process level strategies include:

• An effective BCP for each critical activity, location or directorate.
• Any principles relating to the development of the strategy for the activity, including the level of risk or appetite that is acceptable
• Any linkages to the Incident Management and response team


4.5 Resource Recovery BCM Strategies

A resource recovery strategy involves the deployment of appropriate resources as part of the continuity planning, in other words, what the requirements of the business are as defined in the BC plans.

For example, if Work Area Recovery (WAR) is necessary, then the strategy should evaluate the specific requirements for syndicated work area, location and syndication ratios.

Therefore the overall purpose of the resource recovery strategy is to provide a predetermined level of resources available to the business to enable the successful recovery of the process level strategies and options.

Outcomes for resource recovery level strategies include:

• The identification of effective and fit for purpose solutions to enable the restoration of business critical activities
• A clear framework of the time criticalities or specified timeframes, resources and actions to achieve prioritised recovery of activities, their dependencies and single points of failure


5 DEVELOPING & IMPLEMENTING BCM RESPONSE PLANS

5.3 Business Continuity Plans

Each plan owner, leader or co-ordinator is responsible for the development of their own plan or component part thereof, in order to cover their department, key functions, processes and activities.

To assist in this development, there are two key resources available for guidance:

• Business Continuity Plan Template - This template will provide the basis and initial high level headings that should be included, such as:
  o Plan Administration (title, purpose, role, scope, objective, version, owner)
  o Introduction (Overview, Purpose, Objectives, Assumptions)
  o Initial Response and Assembly Tasks, Ongoing Activities.
  o Critical Activities and IT Needs (RTO’s & RPO’s)
  o Resource Requirements & Strategies
  o Procedures and Tasks
  o Appendices Reference (Team Contact Details, Overall Structure, logs, pro formas)

• Plan Development Guidance – Provided in conjunction with the template, this guidance aims to reinforce the necessary actions required at the plan development stage.

The plan should not contain unnecessary information which is likely to distract away from the primary objective which is to aid the recovery of the relevant business area

The business continuity plan is only as good as the team around it and the information within it; therefore it is paramount that any solutions, strategies, procedures etc are fully implemented and operational.


5.4 Incident Response & Management Planning

A clear, strong Incident Management Response, team and plan is a vital capability for **ABC**. The ability to co-ordinate, command and communicate is paramount if the business is to minimise impact and initiate an effective recovery. Failure to develop and maintain an Incident capability could lead to significant exposure to **ABC** brand and reputation.

Outcomes for the Incident Management Planning include:

• A fit for purpose framework which interacts with and complements the Business Continuity (Tactical) response.
• Clear and defined ownership for Incident Management
• An established Incident Response Team
• An effective and rehearsed Incident Response plan
• Clear, defined and fit for purpose response procedures and tasks, including emergency evacuation, emergency services liaison, and internal and external communication strategies.


6 EMBEDDING BCM IN THE CULTURE

6.3 Awareness, Training and Culture

Creating a BCM culture can be a challenging exercise; however, embedding such a process and ensuring the success of BCM will be enhanced with the following:

• Visible support from the Executive Management & Board
  o Making our BCM Policy known to all in the business

• BCM becoming part of **ABC** strategic and day to day thinking
  o Effecting changes in our thinking where required e.g. business change and new projects which require resilience or contingency as part of the business case and project delivery
  o Conducting regular exercises and training across Incident Response, Business Continuity and IT Continuity or Disaster Recovery.

• Appropriate levels of ownership, responsibility and accountability
  o Building BCM into the role of each employee within the organisation that has a particular focus regarding overall risk approach and capability
  o Recognising and developing performance or appraisal systems to acknowledge contribution towards BCM responsibilities

• Using appropriate methods of culture delivery
  o Intranet site development including a policy statement
  o Downloadable pdf & overview presentation
  o Briefing content for new employees in key areas, with defined BC responsibilities
  o BCM awareness aide-memoires; e.g. trifolds, wallet cards,


7 EXERCISING, MAINTENANCE & REVIEW

7.3 Exercising

Continued exercising and evaluation will ensure that **ABC** continues to have a fit for purpose Business Continuity capability. The following table illustrates the various types, methods and approaches available depending on frequency and level of complexity.

| Type | Process | Who |
|---|---|---|
| Desktop | Review and challenge the contents of the plan | Plan Author; Independent Reviewer |
| Walkthrough (Plan and or Infrastructure) | Extended to desktop to check interaction and roles of participants | Plan Author; Main participants |
| Simulation | Incorporates Associated Plans: Business; Site/Buildings; Communication; Public Relations; ITDR; BCM Resource Recovery Suppliers (WAR) | Main Participants; Facilitator; Observers; Coordinators; Umpires |
| Functions | Move to and recreates one or a number of business functions at an alternative pre-planned site | Employees and staff in specific business areas; Facilitator; Observers; Coordinators; BC Providers |
| Full Plan | Close down of building and relocation of work | As above |

Techniques: Audit; Validation; Verification; Scenario; Free play; Controlled; Time lapse; Unannounced; Live; Tabletop; Individual Components; Integrated Components

Frequency: High (top of table) to Low (bottom of table)

Complexity: Low (top of table) to High (bottom of table)


7.3.1 Schedule

Below is an outline exercising schedule based on suggested best practice; however, each business function or directorate should agree its own exercising schedule and scope with the business continuity manager or body responsible for programme oversight.

| Area | Who | Frequency | Notes |
|---|---|---|---|
| Desktop/Walkthrough: Business Continuity Plan Review | Plan Author; Independent Reviewer | Monthly/Quarterly | These tests can be conducted ad hoc and require very little preparation. These tests can also be passed around the team as a means of reducing complacency. |
| Non-Critical Business Areas (Non-BCA’s) | Plan Team; All interacting elements | Bi Annual/Annually | Whilst Non-BCA’s are unlikely to change significantly in terms of their plans, requirements and strategies, they should still be tested to the minimum required level |
| Business Critical Areas (BCA) | Plan Team; All Interacting elements | Bi-Annually | Due to their very nature and potential business impact, BCA’s should be tested more regularly than Non-BCA’s. Those which are subject to continual or more frequent change may require testing on a more regular quarterly basis. |
| Technology/DR | Technical Teams; Selected Business Users | Bi Annually | As new technologies or recovery providers are brought online or operational, a test of the capability should also take place. |
| Incident Response Team (IRT) | Incident Team; Scenario dependent ‘guests’ | Bi Annually | The Incident Response Team needs to maintain a high level of preparedness in the event of an incident or Incident. |
| Full Scale Test (one or more sites) | Incident Team; All Recovery & Business Continuity Teams; All recovery & strategy providers | Min. Annually | This exercise should be conducted at least annually. Due to the time and resource investment in organising an exercise of this type, |


7.3.2 Scenario Based Event Profiles

Scenario based event profiles can be used for generating specific responses to particular events or scenarios, for an additional level of preparedness over a standard response set. Understanding these events, scenarios and profiles may also benefit the production of more meaningful exercises, which can be targeted.

| Area | Who |
|---|---|
| Business & Strategic | Functions – standalone, inward facing, isolated; Process – straddles functions, higher degree of organisation; Activities, Contact Centre etc |
| Facilities | **Location1** (Head Office); Fire; Flood; Bomb Alert; Power Loss; Denial of Access (Temporary/Prolonged) |
| Technical | Recovery Strategies, Backups & Restore, Testing Days; Backup and Restore testing; Major component failure (Single Points of Failure): IT, Telecoms |
| Recovery Solution | Work area recovery - 3rd Party (As provided by Easy Continuity); Remote/Home |
| People | Flu Pandemic; Fuel Incident – Shortage; Strike/Industrial Action/Walkout |
