Full BCM Lifecycle Development
Although every client is different and their requirements may also be different, PlanB Consulting tends to follow the Business Continuity Institute's BCM Lifecycle for the delivery of Business Continuity. The above diagram gives an overview of our approach. How each item is delivered depends on the requirements of the project. Elements such as the Business Impact Analysis and the development of plans may be carried out using the Train – Support – Assure™ methodology or may be developed by PlanB Consulting’s consultants.
The diagram shows how all the activities for the delivery of full-lifecycle Business Continuity fit together and complement each other. The timeline for the Business Continuity project moves from left to right. All the phases of the diagram follow the standard Business Continuity Lifecycle as laid out in the Business Continuity Institute’s Good Practice Guidelines and BS25999.
1. Gap Analysis (optional)
When developing Business Continuity, some organisations may already have elements of business continuity in place, so they may want to look at how much work is required to develop Business Continuity, taking into account existing work carried out. PlanB Consulting will always try to use as many existing elements of Business Continuity work as possible and incorporate them within the project, as we do not want to carry out unnecessary work. Other clients may want a gap analysis undertaken in order to look at the scope, the work involved and the cost of the Business Continuity project. This enables them to obtain the necessary budget, identify internally those people who are going to help in the development and obtain internal support before embarking on the project.
2. Business Continuity Programme Set-Up
The first stage of any project is to set up a robust project management structure to ensure that the business continuity programme is managed and that business buy-in is achieved. Like all projects, the more work that goes into the set-up of the project the easier the project will be to carry out. This will involve the identification of a project board, developing the project plan and the writing of a Project Initiation Document (PID). Those involved with the project will also be identified and will meet with a PlanB consultant to discuss the project. It is also likely that a senior manager ‘kick off’ meeting will take place so that they can be briefed on the details of the project and can discuss their roles within the project.
3. Business Continuity Programme Management, Quality Assurance and Development of the Business Continuity Management System
This activity is the ongoing project management which takes place throughout the project. Quality assurance should take place as the Business Continuity Management System (BCMS) is developed. Quality assurance is key throughout the project as each step builds on the one before it. Poor-quality data at the beginning of the project can result in the finished project not actually satisfying the requirements of the organisation.
4. Strategic Decision-Making
Senior managers need to be involved throughout the project to make decisions on behalf of the organisation. This could involve deciding on the scope of the project at the start through to subsequently making major strategic decisions on such matters as the building of a second data centre or the splitting of a business unit across two sites to make them more resilient.
5. Embedding Business Continuity Management in the Organisation’s Culture
Throughout the project, activities need to be carried out which embed business continuity within the organisation. This could include seminars and presentations to staff. It could also include making sure that Business Continuity is part of the decision making process so that, for example, if a new building is purchased or a new part of the organisation is added, business continuity is taken into account as part of the process.
6. Organisational Understanding
This is about ensuring that Business Continuity takes into account the aspirations, direction and nature of the organisation. Is this an organisation which needs to provide a constant service regardless of the situation, such as a hospital, or a large bank where reputation is key, or an Internet retailer where any downtime will cost it money? All organisations have different drivers for the way they conduct their business and for what is important to them. It is very important that business continuity planning reflects this.
7. Business Impact Analysis (BIA)
The BIA looks at the organisation and ascertains the impact of the loss of the organisation’s activities. If an activity is not carried out, could it cause loss of life, such as the 999 emergency service in the UK, or could it be an activity such as public relations and marketing, which could be delayed for a month with no major impact on the organisation? By looking at the impacts of the loss of these activities, the BIA will help identify the time criticality of the activities of the organisation. During the BIA stage the minimum requirements to operate the activity will also be recorded.
8. Risk Assessment and Continuity Recovery Requirements
The risk assessment looks at the resources required to operate the activities of the organisation. A resource could be a building, an IT system, a supplier or a production line. All the resources which underpin the organisation’s activities are recorded and then the risks to the resources and the vulnerabilities of the resources are recorded.
9. Risk Mitigation Measures Implementation
The risk assessment is likely to identify a number of risks to the organisation. These risks are then reviewed and appropriate mitigation measures are identified. These measures may be minor and can be implemented at a low level within the organisation. More major risks may require strategic decision making and it may then take a period of time to implement the measures, which could last beyond the period of the Business Continuity project.
10. IT Disaster Recovery
For most organisations IT is a single point of failure and major loss of IT will quickly render the organisation unable to work. Most organisations will have some IT recovery capability even if this is just backing up the data on tapes. Often, the business continuity project will identify that the present level of IT recovery is insufficient or needs to be changed. Alongside the risk mitigation measures implementation there may be a programme to improve the resilience and recovery time of the organisation’s IT.
11. Business Continuity Strategies
During the BIA the time criticality of the organisation’s activities will be identified in addition to the minimum requirements to operate the activity. The resources to operate the activity will also be identified. This stage is about devising a strategy for the recovery of the most time critical activities. At this stage it may require high-level decision making to agree the strategies as a number of different strategies may be considered, giving different levels of recovery and different levels of cost.
12. Operational Recovery Plans
Once the strategy is agreed then plans need to be written up on how to carry out the strategy and how the coordination of the recovery will take place.
The strategic plan is concerned with looking both inward and outward. A strategic-level plan ensures that the recovery is being coordinated in line with the organisation’s objectives and that the recovery is sufficient to ensure the survival of the organisation. The plan includes an external viewpoint to coordinate the message going outside the organisation and to check that the needs of external stakeholders are being satisfied. The organisation’s media strategy is usually coordinated at the strategic level and the team will consist of senior managers.
Tactical plans are concerned with the coordination of a number of operational recovery plans. These plans may also be concerned with the coordination of centrally provided resources such as IT, telecoms and property. They provide an overview of the recovery and make sure that the plans are being implemented, resolve any conflicts between recovering parts of the organisation and ensure that the whole of the recovery is coordinated.
Operational plans are concerned with the recovery of individual business units.
Functional plans include disaster recovery (DR), facilities management (FM) or Human Resources (HR) plans or plans for specific threats such as pandemic flu or a fuel crisis.
Exercising the newly written plan is vitally important to ensure that the plan is fit for purpose, that any flaws or gaps within it are identified and that it would actually work if implemented. This step may consist of a series of exercises, each one growing in complexity to ensure the plan will work. Exercising plans will also ensure that the staff know how to implement the plan and are conversant with their roles.
14. Ongoing Management
To ensure the continued viability of the business continuity plans, and to ensure they are practical, the plans have to be kept up to date and regularly exercised. If major changes take place within the organisation then the whole BCM Lifecycle should be reviewed to see if the existing plans can incorporate the changes or whether a new Business Continuity programme is required to ensure that the business continuity response is still valid. All plans need to be regularly exercised, maintained, reviewed and audited.