Full BCM Lifecycle Development
PlanB has considerable experience delivering the full business continuity lifecycle for a large number of different industries and in different countries. This has varied from financial services to housing associations and from building material supplies to the manufacturing of security products. We do not believe that there is an industry which we couldn’t develop business continuity for. Many of our plans developed during a full lifecycle roll out have been tested during incidents and so you can be assured that any business continuity full lifecycle rolled out by PlanB Consulting will be tried and tested.
Although every client is different and their requirements may also be different, PlanB Consulting follows the Business Continuity Institute's BCM Lifecycle for the delivery of Business Continuity. The above diagram gives an overview of the different elements of the approach. How each item is delivered depends on the requirements of the project.
The diagram shows how all the activities for the delivery of full-lifecycle Business Continuity fit together and complement each other. The timeline for the Business Continuity project moves from left to right. All the phases of the diagram follow the standard Business Continuity Lifecycle as laid out in the Business Continuity Institute’s Good Practice Guidelines and ISO 22301.
1. Gap Analysis (optional)
When developing Business Continuity some organisations may already have elements of business continuity in place so they may want to look at how much work is required to develop Business Continuity, taking into account existing work carried out. PlanB Consulting will always try to use as many existing elements of Business Continuity work as possible and incorporate them within the project as we do not want to carry out unnecessary work. Other clients may want a gap analysis undertaken in order to look at the scope, the work involved and the cost of the Business Continuity project. This enables them to obtain the necessary budget, identify internally those people who are going to help in the development and obtain internal support for embarking on the project.
PlanB Consulting Deliverable - Gap Analysis Report
2. Business Continuity Programme Set-Up and ‘Kick off Meeting’
The first stage of any project is to set up a robust project management structure to ensure that the business continuity programme is managed and that business buy-in is achieved. Like all projects, the more work that goes into the set-up of the project the easier the project will be to carry out. This will involve the identification of a project board, developing the project plan and the writing of a Project Initiation Document (PID). Those involved with the project will also be identified and will meet with a PlanB consultant to discuss the project. It is also likely that a senior manager ‘kick off’ meeting will take place so that they can be briefed on the details of the project and can discuss their roles within the project. A key part of this stage of the project is identifying who will support the project once it is completed. This is to ensure that they can work alongside our consultants so that once the project is completed you are able to update and manage the programme on an ongoing basis.
PlanB Consulting Deliverable - Project Initiation Document and Project Plan
3. Business Continuity Programme Management & BCMS development
This activity is the ongoing project management that takes place throughout the project. Quality assurance should take place as the Business Continuity Management System (BCMS) is developed. Quality assurance is key throughout the project as each step builds on the next and workbooks and products developed by your staff will always be quality assured before being put into the relevant document. Poor quality data at the beginning of the project can lead to the conclusion of the project not actually satisfying the requirements of the organisation. A key part of the BCMS development is a Policy Statement tailored to the organisation which details their commitment to business continuity. Alongside the policy statement, PlanB Consulting will develop an ‘Operational Manual’. The manual contains information on how business continuity will be managed on an ongoing basis, a governance structure, roles and responsibilities and a set of internal organisation standards which detail items such as how often plans will be updated and how often exercises will take place.
PlanB Consulting Deliverable – Policy statement and Operational Manual
4. Analysis - BIA and Risk & Threat Assessment
This is about ensuring that Business Continuity takes into account the aspirations, direction and nature of the organisation. Is this an organisation which needs to provide a constant service regardless of the situation, such as a hospital or a large bank where reputation is key or an Internet retailer where any down time will cost it money? All organisations have different drivers to the way they conduct their business and what is important to them. It is very important that business continuity planning reflects this. The BIA looks at the organisation and ascertains the impact of the loss of the organisation’s activities. If an activity is not carried out could it cause loss of life, such as the 999 emergency service in the UK, or could it be an activity such as public relations and marketing which could be delayed for a month with no major impact on the organisation? Looking at the impacts of the loss of these activities the BIA will help identify the time criticality of the activities of the organisation. During the BIA stage, the minimum requirements to operate the activity will also be recorded. The risk and threat assessment looks at the resources required to operate the activities of the organisation. A resource could be a building, an IT system, a supplier or a production line. All the resources which underpin the organisation’s activities are recorded and then the risks to the resources and the vulnerabilities of the resources are recorded.
PlanB Consulting Deliverable – BIA and Risk and Threat Assessment Report
5. Design – Development of solutions
During the BIA the time criticality of the organisation’s activities will be identified in addition to the minimum requirements to operate the activity. The resources to operate the activity will also be identified. This stage is about devising a solution for the recovery of the most time-critical activities. This could be agreeing on solutions that decrease the likelihood of an incident occurring or will enable the organisation to recover more quickly. At this stage it may require high-level decision making to agree on the strategies as a number of different strategies may be considered, giving different levels of recovery and different levels of cost. There may be risks identified which require further investigation to understand in depth the impact of them materialising. These will be identified in the BIA and Risk and Threat Assessment Report.
PlanB Consulting Deliverable – BIA and Risk and Threat Assessment Report containing suggested solutions or identified risk.
6. Implementation – Strategic, Tactical and Operational Plans
Once the strategy is agreed then plans need to be written up on how to carry out the strategy and how the coordination of the recovery will take place. PlanB Consulting will develop plans appropriate to the size and complexity of the organisation. They will also develop an incident management hierarchy appropriate to the organisation.
The strategic plan is concerned with looking both inward and outward. A strategic level plan ensures that the recovery is being coordinated in line with the organisation’s objectives, ensuring that the recovery is sufficient to determine the survival of the organisation. The plan includes an external viewpoint to coordinate the message going outside the organisation and checking that the needs of external stakeholders are being satisfied. The organisation’s media strategy is usually coordinated at the strategic level and the team will consist of senior managers.
Tactical plans are concerned with the coordination of a number of operational recovery plans. These plans may also be concerned with the coordination of centrally provided resources such as IT, telecoms and property. They provide an overview of the recovery and make sure that the plans are being implemented, resolve any conflicts between recovering parts of the organisation and ensure that the whole of the recovery is coordinated.
Operational plans are concerned with the recovery of individual business units.
Functional plans include disaster recovery (DR), facilities management (FM) or Human Resources (HR) plans or plans for specific threats such as pandemic flu or a fuel crisis.
When developing plans PlanB Consulting believe that large, unwieldy plans will not be used in an incident and will gather dust on a shelf. We are great believers in developing user friendly, easy to use plans which only contain the key information required to be used during an incident.
PlanB Consulting Deliverable - Plan(s) Appropriate to the requirements of the organisation.
7. Exercises & Incident Management Training
Exercising the newly written plan is vitally important to ensure that the plan is fit for purpose, any flaws or gaps within it are identified and that it would actually work if implemented. PlanB Consulting also believes passionately that incident management training is vital to ensuring that those allocated a role on an incident team know how to implement the plan and are taught tools and techniques for successfully managing an incident. This stage of the project will consist of training on the plan and then an exercise to ensure that it is fit for purpose.
8. Management review
Management reviews are meetings which have a number of purposes in the ongoing management of business continuity. During the meeting, any changes within the organisation or new threats are identified so that changes can be made to the BCMS to incorporate them. Incidents and near misses are reviewed, actions are identified and owners designated. Actions from previous incidents, exercises, audits and reviews are discussed and updated. The yearly programme and objectives are reviewed, and progress checked. Management reviews will be conducted throughout the project and then the template for running them will be handed over to the organisation for ongoing management.
PlanB Consulting Deliverable – Management review template and a series of meetings will be conducted.
9. Strategic Decision-Making and risk mitigation
Senior managers need to be involved throughout the project to make decisions on behalf of the organisation. This could involve deciding on the scope of the project at the start through to subsequently making major strategic decisions on such matters as the movement of key IT systems to the cloud or the splitting of a business unit across two sites to make them more resilient. They will also have a role in making sure that the business continuity solutions delivered meet the requirements of the organisation. They will be asked to ‘sign off’ the organisation's Recovery Time Objectives (RTO) for all the organisation's activities and will ensure that the suggested solutions meet the requirements of the organisation. The risk assessment is likely to identify a number of risks to the organisation. These risks are then reviewed, and appropriate mitigation measures are identified. These measures may be minor and can be implemented at a low level within the organisation. More major risks may require strategic decision making and it may then take a period of time to implement them, which could last
10. Embedding Business Continuity in the Organisation’s Culture
Throughout the project, activities need to be carried out which embed business continuity within the organisation. This could include seminars and presentations to staff. It could also include making sure that Business Continuity is part of the decision-making process so that, for example, if a new building is purchased or a new part of the organisation is added, business continuity is taken into account as part of the process. For new starters, an element of business continuity should be incorporated in the organisation's induction process.
PlanB Consulting Deliverable – Induction training documents and embedding training
11. Exercises & Incident Management Training
Exercising the newly written plan is vitally important to ensure that the plan is fit for purpose, any flaws or gaps within it are identified and that it would actually work if implemented. PlanB Consulting also believes passionately that incident management training is vital to ensuring that those allocated a role on an incident team know how to implement the plan and are taught tools and techniques for successfully managing an incident. This stage of the project will consist of training on the plan and then an exercise to ensure that it is fit for purpose. For all exercises, an exercise instruction, containing all the information for running the exercise, and a post-exercise report are written.
PlanB Consulting Deliverables – ‘Exercise Instruction and Post Exercise Report’ for each exercise.
12. Ongoing Management
To ensure the continued viability of the business continuity plans, and to ensure they are practical, the plans have to be kept up to date and regularly exercised. If major changes take place within the organisation then the whole BCM Lifecycle should be reviewed to see if the existing plans can incorporate the changes or whether a new Business Continuity programme is required to ensure that the business continuity response is still valid. All plans need to be regularly exercised, maintained, reviewed and audited.
PlanB Philosophy for the implementation of BC during this project
PlanB Consulting manages business continuity on an ongoing basis for a number of clients and a number of our staff have had internal business continuity roles. We understand the issues of ongoing management, updating documents and keeping the BCMS up to date. Too often we have seen beautifully written and constructed BC documents developed by consultants which have been handed over to part-time business continuity coordinators. These coordinators are not then given sufficient training, leading to insufficient reviewing procedures being implemented. This in turn can mean that three or four years of work and investment is lost and the organisation needs to start again. In delivering this project, we will prevent this happening by not delivering an over-complex and over-engineered business continuity management solution.
PlanB Consulting will be guided in the delivery of this project by the following principles:
- We will always be aware that the BC solution will be managed on an ongoing basis mainly by non-BC professionals who will often have little BC knowledge; they want a simple, easy-to-update solution.
- The BIA will only contain the information necessary to inform the part of the organisation’s strategy or BC Plan.
- Wherever possible BIA planning will be done centrally, particularly in the development of Maximum Tolerable Periods of Disruption (MTPDs) and Recovery Time Objectives (RTOs), so that they are consistent across the organisation. This will ensure that parts of the organisation carrying out the same activities have a consistent RTO. It will also reduce the size of individual site BIAs and hence the updating burden.
- Plans will be action-orientated and contain only the information needed on the day of an incident. Half the plan will be concerned with the process of managing an incident and how the plan fits and integrates with the tactical and crisis plans.
- The second part of the plan will be very bespoke to the location and will detail how staff will respond to a number of scenarios. Depending on the risk assessment findings they will likely include the following scenarios:
  - Loss of building
  - Operating without IT or telephony
  - Loss of staff
- Training will be given in incident management so that staff know how to use the plan in responding to an incident.
- Clear written instructions will be given to each BC Champion with the requirements on them for updating their plan, BIA, reporting and exercising.
- All solutions implemented, even if pared-back, must meet the requirements of GPG 2018 and ISO 22301 and must be credible if audited by a third party.
A methodology for implementing business continuity
Train Support Assure™
PlanB Consulting has developed a methodology, Train – Support – Assure™, for developing Business Continuity across a number of business areas simultaneously. This methodology allows for a high level of embedding of Business Continuity knowledge with the organisation’s staff and is cost-effective. The methodology is tried and tested, having been used successfully by TNT, East Ayrshire Council, NCFE, Shetland Islands Council and a number of Ministry of Defence sites.
The methodology is very simple: all business units within scope designate a Business Continuity Coordinator (BCC). Each BCC attends three 7-hour workshops with a two to three-week gap between each workshop. The workshops consist of basic Business Continuity knowledge followed by training on how to develop the pre-prepared templates for each stage of the business continuity process. As much as possible of the business continuity development work is done in the classroom. BCCs are then sent away with their ‘homework’. This has to be completed before the next workshop. Telephone and e-mail support is offered after each workshop if required. Once a BCC has compiled his/her homework it is sent to PlanB Consulting, who quality assures it and sends it back to the BCC with any comments. This ensures that before the next workshop all BCCs are at a similar stage, their work is checked and that throughout the whole process their work is quality assured.
This approach has huge benefits for the organisation as it facilitates maximum business continuity skills and knowledge transfer to the BCCs. It also promotes ‘buy in’ to Business Continuity, embeds business continuity within the client and is very cost-effective. The methodology ensures that plans are developed by those who understand the organisation best and that the quality of plans and their look and feel are standard across the client’s organisation.
PlanB Consulting believes that plans produced using this methodology are as good as, or better than, plans written by an external business continuity consultant. PlanB Consulting has recently been carrying out workshops for an East Ayrshire organisation, whose BCCs began their Train – Support – Assure™ process some three years ago. They still update their plans, talk knowledgeably on the subject and are still enthusiastic about Business Continuity.