PlanB has considerable experience in delivering the full business continuity lifecycle for a large number of different industries and in different countries. This has varied from financial services to housing associations and from building material supplies to the manufacturing of security products. We do not believe that there is an industry we can’t develop business continuity for. Many of our plans developed during a full lifecycle roll-out have been tested during an incident and so you can be assured that any business continuity full lifecycle rolled out by PlanB Consulting will be tried and tested.
Although every client is different and their requirements may also be different, PlanB Consulting follows the Business Continuity Institute’s BCM Lifecycle for the delivery of Business Continuity. The above diagram gives an overview of the different elements of the approach. How each item is delivered depends on the requirements of the project.
The diagram shows how all the activities for the delivery of full-lifecycle Business Continuity fit together and complement each other. The timeline for the Business Continuity project moves from left to right. All the phases of the diagram follow the standard Business Continuity Lifecycle as laid out in the Business Continuity Institute’s Good Practice Guidelines and ISO 22301.
Full BCM Lifecycle Development
Gap Analysis (optional)
When developing Business Continuity, organisations will want to take into account work already carried out. PlanB Consulting will always use as much of the existing plan as possible and incorporate it into the project to avoid unnecessary duplication. A gap analysis will identify the scope of the work and the cost of the project enabling the client to obtain the necessary budget and identify those who are going to help develop and support the project.
PlanB Consulting Deliverable – Gap Analysis Report
Business Continuity Programme Set-Up and ‘Kick off Meeting’
The first stage of any project is to set up a robust project management structure to ensure that the business continuity programme is managed and that business buy-in is achieved. Like all projects, the more work that goes into the set-up of the project the easier the project will be to carry out. This will involve the identification of a project board, developing the project plan and the writing of a Project Initiation Document (PID). Those involved with the project will also be identified and will meet with a PlanB consultant to discuss the project. It is also likely that a senior manager ‘kick off’ meeting will take place so that they can be briefed on the details of the project and can discuss their roles within the project. Key to this part of the project is identifying who will support the project once it is completed. This person will work alongside our consultants to ensure that once the project is completed they are able to update and manage the programme on an ongoing basis.
PlanB Consulting Deliverable – Project Initiation Document and Project Plan
Business Continuity Programme Management & BCMS Development
This activity is the ongoing project management that takes place throughout the project. Quality assurance should take place as the Business Continuity Management System (BCMS) is developed. Quality assurance is key throughout the project as each step builds on the next and workbooks and products developed by your staff will always be quality assured before being written into the relevant document. Poor quality data at the beginning of the project can lead to the conclusion of the project not actually satisfying the requirements of the organisation. A key part of the BCMS development is a Policy Statement tailored to the organisation which details their commitment to business continuity. Alongside the policy statement, PlanB Consulting will develop an ‘Operational Manual’. The manual will contain information on how business continuity will be managed on an ongoing basis, a governance structure, roles and responsibilities and a set of internal organisation standards which details items such as how often plans will be updated and how often exercises will take place.
PlanB Consulting Deliverable – Policy statement and Operational Manual
Analysis – BIA and Risk & Threat Assessment
This is about ensuring that Business Continuity takes into account the aspirations, direction and nature of the organisation. Is this an organisation which needs to provide a constant service regardless of the situation, such as a hospital or a large bank where reputation is key or an Internet retailer where any down time will cost it money? All organisations have different drivers to the way they conduct their business and what is important to them. It is very important that business continuity planning reflects this. The BIA looks at the organisation and ascertains the impact of the loss of the organisation’s activities. If an activity is not carried out could it cause loss of life, such as the 999 emergency service in the UK, or could it be an activity such as public relations and marketing which could be delayed for a month with no major impact on the organisation? Looking at the impacts of the loss of these activities the BIA will help identify the time criticality of the activities of the organisation. During the BIA stage, the minimum requirements to operate the activity will also be recorded. The risk and threat assessment looks at the resources required to operate the activities of the organisation. A resource could be a building, an IT system, a supplier or a production line. All the resources which underpin the organisation’s activities are recorded and then the risks to the resources and the vulnerabilities of the resources are recorded.
PlanB Consulting Deliverable – BIA and Risk and Threat Assessment Report
Design – Development of Solutions
During the BIA the time criticality of the organisation’s activities will be identified in addition to the minimum requirements to operate the activity. The resources to operate the activity will also be identified. This stage is about devising a solution for the recovery of the most time-critical activities. This could be agreeing on solutions that decrease the likelihood of an incident occurring or will enable the organisation to recover more quickly. At this stage it may require high-level decision making to agree on the strategies as a number of different strategies may be considered, giving different levels of recovery and different levels of cost. There may be risks identified which require further investigation in order to gain an in-depth understanding of the impact of them materialising. These will be identified in the BIA and Risk and Threat Assessment Report.
PlanB Consulting Deliverable – BIA and Risk and Threat Assessment Report containing suggested solutions or identified risk.
Implementation – Strategic, Tactical and Operational Plans
Once the strategy is agreed then plans need to be written up on how to carry out the strategy and how the coordination of the recovery will take place. PlanB Consulting will develop plans appropriate to the size and complexity of the organisation. They will also develop an incident management hierarchy appropriate to the organisation.
The strategic plan is concerned with looking both inward and outward. A strategic level plan ensures that the recovery is being coordinated in line with the organisation’s objectives, ensuring that the recovery is sufficient to determine the survival of the organisation. The plan includes an external viewpoint to coordinate the message going outside the organisation and checking that the needs of external stakeholders are being satisfied. The organisation’s media strategy is usually coordinated at the strategic level and the team will consist of senior managers.
Tactical plans are concerned with the coordination of a number of operational recovery plans. These plans may also be concerned with the coordination of centrally provided resources such as IT, telecoms and property. They provide an overview of the recovery and make sure that the plans are being implemented, resolve any conflicts between recovering parts of the organisation and ensure that the whole of the recovery is coordinated.
Operational plans are concerned with the recovery of individual business units.
Functional plans include disaster recovery (DR), facilities management (FM) or Human Resources (HR) plans or plans for specific threats such as pandemic flu or a fuel crisis.
When developing plans, PlanB Consulting believes that large, unwieldy plans will not be used in an incident and will gather dust on a shelf. We are great believers in developing user-friendly, easy-to-use plans which only contain the key information required to be used during an incident.
PlanB Consulting Deliverable – Plan(s) appropriate to the requirements of the organisation.
Exercises & Incident Management Training
Exercising the newly written plan is vitally important to ensure that the plan is fit for purpose and that any flaws or gaps within it are identified, so that it would actually work if implemented. PlanB Consulting also believes passionately that incident management training is vital to ensuring that those allocated a role on an incident team know how to implement the plan and are taught tools and techniques for successfully managing an incident. This stage of the project will consist of training on the plan and then an exercise to ensure that it is fit for purpose.
Management reviews are meetings which have a number of purposes in the ongoing management of business continuity. During the meeting, any changes or new threats within the organisation are identified so that amendments can be made to the BCMS. Incidents and near misses are reviewed and actions are identified, and owners designated. Actions from the previous incident, exercises, audits and reviews are discussed and updated. The yearly programme and objectives are reviewed, and progress checked. Management reviews will be conducted throughout the project and the template will be handed over to the organisation for ongoing management.
PlanB Consulting Deliverable – Management review template and a series of meetings will be conducted.
Strategic Decision-Making and Risk Mitigation
Senior managers need to be involved throughout the project to make decisions on behalf of the organisation. This could involve deciding on the scope of the project at the start through to subsequently making major strategic decisions on such matters as the movement of key IT systems to the cloud or the splitting of a business unit across two sites to make them more resilient. They will also have a role in making sure that the business continuity solutions delivered meet the requirements of the organisation. They will be asked to ‘sign off’ the organisation’s Recovery Time Objectives (RTO) for all the organisation’s activities and will ensure that the suggested solutions meet the requirements of the organisation. The risk assessment is likely to identify a number of risks to the organisation. These risks are then reviewed, and appropriate mitigation measures are identified. These measures may be minor and can be implemented at a low level within the organisation. More major risks may require strategic decision making and it may then take a period of time to implement them.
Embedding Business Continuity in the Organisation’s Culture
Throughout the project, activities need to be carried out which embed business continuity within the organisation. This could include seminars and presentations to staff. It could also include making sure that Business Continuity is part of the decision-making process so that, for example, if a new building is purchased or a new part of the organisation is added, business continuity is taken into account as part of the process. For new starters, an element of business continuity should be incorporated in the organisation’s induction process.
PlanB Consulting Deliverable – Induction training documents and embedding training
Exercises & Incident Management Training
Exercising the newly written plan is vitally important to identify any flaws or gaps and to ensure that it is fit for purpose. PlanB Consulting also believes passionately that incident management training is vital to ensuring that those allocated a role on an incident team know how to implement the plan and are given tools and techniques for successfully managing an incident. This stage of the project will consist of training on the plan and then conducting an exercise to ensure that it is fit for purpose. For all exercises, an exercise instruction sheet containing all the information for running the exercise, as well as a post-exercise report, is written.
PlanB Consulting Deliverables – ‘Exercise Instruction and Post Exercise Report’ for each exercise.
To ensure the continued viability of the business continuity plans, and to ensure they are practical, the plans have to be kept up to date and regularly exercised. If major changes take place within the organisation then the whole BCM Lifecycle should be reviewed to see if the existing plans can incorporate the changes or whether a new Business Continuity programme is required to ensure that the business continuity response is still valid. All plans need to be regularly exercised, maintained, reviewed and audited.
PlanB Philosophy for the implementation of BC during this project
PlanB Consulting manages business continuity on an ongoing basis for a number of clients and a number of our staff have had internal business continuity roles. We understand the issues of ongoing management, updating documents and keeping the BCMS up to date. Too often we have seen beautifully written and constructed BC documents developed by consultants which have been handed over to part-time business continuity coordinators. These coordinators are not then given sufficient training, leading to insufficient reviewing procedures being implemented. This in turn can mean that three or four years of work and investment is lost and the organisation needs to start again. In delivering this project, we will prevent this happening by not delivering an over-complex and over-engineered business continuity management solution.
PlanB Consulting will be guided in the delivery of this project by the following principles:
- We will always be aware that the BC solution will be managed on an ongoing basis mainly by non-BC professionals who will often have little BC knowledge; they want a simple, easy-to-update solution.
- The BIA will only contain the information necessary to inform the part of the organisation’s strategy or BC Plan.
- Wherever possible BIA planning will be done centrally, particularly in the development of Maximum Tolerable Periods of Disruption (MTPDs) and Recovery Time Objectives (RTOs), so that they are consistent across the organisation. This will ensure that parts of the organisation carrying out the same activities have a consistent RTO. It will also reduce the size of individual site BIAs and hence the updating burden.
- Plans will be action-orientated and contain only the information needed on the day of an incident. Half the plan will be concerned with the process of managing an incident and how the plan fits and integrates with the tactical and crisis plans.
- The second part of the plan will be very bespoke to the location and will detail how staff will respond to a number of scenarios. Depending on the risk assessment findings they will likely include the following scenarios:
  - Loss of building
  - Operating without IT or telephony
  - Loss of staff
- Training will be given in incident management so that staff know how to use the plan in responding to an incident.
- Clear written instructions will be given to each BC Champion with the requirements on them for updating their plan, BIA, reporting and exercising.
- All solutions implemented, even if pared-back, must meet the requirements of GPG 2018 and ISO 22301 and must be credible if audited by a third party.
A methodology for implementing business continuity
Train Support Assure™
PlanB Consulting has developed a methodology, Train – Support – Assure™, for developing Business Continuity across a number of business areas simultaneously. This methodology allows for a high level of embedding of Business Continuity knowledge with the organisation’s staff and is cost-effective. The methodology is tried and tested, having been used successfully by TNT, East Ayrshire Council, NCFE, Shetland Islands Council and a number of Ministry of Defence sites.
The methodology is very simple: all business units within scope designate a Business Continuity Coordinator (BCC). Each BCC attends three 7-hour workshops with a two to three-week gap between each workshop. The workshops consist of basic Business Continuity knowledge followed by training on how to develop the pre-prepared templates for each stage of the business continuity process. As much as possible of the business continuity development work is done in the classroom. BCCs are then sent away with their ‘homework’. This has to be completed before the next workshop. Telephone and e-mail support is offered after each workshop if required. Once a BCC has compiled his/her homework it is sent to PlanB Consulting, who quality assures it and sends it back to the BCC with any comments. This ensures that before the next workshop all BCCs are at a similar stage, their work is checked and that throughout the whole process their work is quality assured.
This approach has huge benefits for the organisation as it facilitates maximum business continuity skills and knowledge transfer to the BCCs. It also promotes ‘buy in’ to Business Continuity, embeds business continuity within the client and is very cost-effective. The methodology ensures that plans are developed by those who understand the organisation best and that the quality of plans and their look and feel are standard across the client’s organisation.
PlanB Consulting believes that plans produced using this methodology are as good as, or better than, plans written by an external business continuity consultant. PlanB Consulting has recently been carrying out workshops for an East Ayrshire organisation, whose BCCs began their Train – Support – Assure™ process some three years ago. They still update their plans, talk knowledgeably on the subject and are still enthusiastic about Business Continuity.