Business Continuity Management (BCM) program
“The success of an organization lies in the pre-planning for an emergency”.
We notice that the Business Continuity Management (BCM) program has recently been adopted in certain companies and organizations that aspire to be ranked among the global companies. Not only that, we rather see that such program has been further adopted by governments too. Why do such entities give great importance for this system enforcement? Before answering this question, I would like to set out the definition of the Business Continuity Management program:
It is an administrative system which aims at raising the performance level of the organizations and companies, in case their tasks are subject to standstill, hence suspension of the vital functions of such organizations. The question that may come up in the minds of some people is: How can this system be put into force.
Definition:
Business Continuity Management Program: a holistic management process that identifies the potential threats to an organization and their impact on the main operations of such organization which provides a business plan for building up the organization resilience and raising the capability for an effective response that safeguards the interest of the organization’s key stakeholders, reputation and brand.
Step 1: In BCM program it starts with the obligation of the senior management of an organization to achieve the key elements of the program and provide complete support to the BCM project manager who is previously selected in such system. It is conditional that a BMC manger would be bound to implement the program terms and conditions and develop an executable program, in the event of an emergency occurring to such organization or company, God Forbid. Accordingly, the program scope would be determined. The program may be limited to a specific department or may include all departments and sections of an organization.
Sept 2: the program manager would identify the program vitality by implementing one of the most important elements in the program namely: the Business Impact Analysis (BIA). By this analysis, the program manager can be aware of the Recovery Time Objective (RTO) and can further realize the Maximum Allowable Outage (MAO).
Step 3: Subsequent to BIA completion, the program manager would assess the risks that may affect such organization vital functions. The probability of a risk and its impact on the organization would be determined. Then, the program manger would enter into a process for addressing the risks, including a risk radical addressing, shortening the outage, transforming a risk or accepting a risk as it is.
Furthermore, financial consequences may be incurred by the organization, in the event of a risk that must be totally addressed. For instance, if an organization has one major server and by the BIA and the risk assessment, which was previously made, it is evident that there is a p[atrial/full reliance, on electronic systems hosted on such servers, it would put the organization in a position in which it must invest in building up a reserve server, if the main server is broken down or completely interrupted. This instance may be simple; however, it might be taken into account depending on the nature of the organization or the services provided thereby.
Step 4 (Recovery Strategy): it is pre-determined, pre tested procedures and approved by the management so that they can be activated during an emergency. Therefore, each organization should look at the highly important vital functions from which it intends to recover, taking into consideration the following resources:
- Human Resources;
- Information and data;
- Buildings and work environment;
- Service utilities;
- Informatics and Communication Technology (IT)
- Transport;
- Financial resources;
- Partners and suppliers.
An organization should select and approve an appropriate recovery strategy. It may depend on several elements, including:
- Maximum Allowable Outage;
- The financial consequences arising from the adoption of this strategy(s)
- The consequences of default in action.
Step 5: (Incident Response Plan) and (Business Continuity Plan):
Preparation of an Incident Response Plan: an organization must coordinate the activities of the respondents to the incident, carry out an initial assessment of the damage, organize the management team to be in charge of identifying the requested procedures, coordinate the activities of the teams participating in the response and approve contact with internal and external stakeholders.
An incident Response Plan includes:
- An activation of the Crisis Management Team; and
- Role & Responsibilities.
A Business Continuity Plan would contain several actions by which the activation of the sub-plans for business continuity would be organized. There may be other nomenclatures of the plans, but they would have such characteristics:
- Activation Criteria;
- Crisis Management Team;
- Media Response Plan;
- Disaster Recovery Plans (DR Plans);
- Continuity of Operation Plan;
- Contingency Plan;
- Pandemic Plan; and
- Service Continuity Plan.
A Business Continuity Plan has been designed to be accomplished under psychological pressure which is to be taken into account so that such instrument would be based on the event specialized and easy to use. A Business Continuity Plan has main characteristics, including:
- Controlled: plans must be clear to ensure easy application .
- Variable: it must conform to a wide range of incident types;
- Briefed: It shall utilize the information, guidance and tools that are likely to be utilized while any confusion or aimless element should be excluded .
- Relevant: the available information must be updated and applicable with respect to the teams that would use them.
An organization must observe that the incident recovery phase would be documented to be used as learning chapters for the continuous development process.
Step 6: Education and Training: an organization must be keen to periodically feed the employees with the culture of business continuity so that such culture would be well established in the minds of the employees who are at the end the ones responsible for applying the contents of the business continuity program. An employee education program includes:
- Laying down foundations for the evaluation of the program effectiveness;
- Spreading the culture of the ability for business continuity;
- Ensuring continued development; and
- Ensuring that the personnel are familiar with their roles and responsibilities in the BCM program.
Moreover, subsequent to the spread of the culture of the BCM program, BMC- related periodic trainings must be conducted. It is advisable that a training schedule would be distributed all the year round at the different job levels so that we ensure that benefit would be efficiently and effectively made from the training. A program manager must record all the training courses which are approved and conducted during the year.
Step 7: Exercises and Tests:
An organization must perform periodical and regular exercises to ensure the effectiveness of the approved plans. We may face through tests that there are unexpected and sudden depressions. Therefore, we must record what is called the learned chapters so that there would be periodic exercises of which the concerned entities and individuals would be notified to avoid downtime in the organization because of the exercises. In this part of the program, exercises must be taken seriously.
In some organizations there is whole or partial reliance on an infrastructure or devices related to the provided services. Without them an organization cannot provide its services. In addition, we must not cause an accident or a disaster to occur because of a test.
The foregoing explanation of a BCM program addresses the seven main steps which must be implemented. In the next topics, each step is to be detailed separately.