Implementing a Business Continuity Management Program
In order for the BCM program itself to be resilient, we must tangibly justify and validate the BCM effort. It is often that this part of the BCM program is neglected.
Before even attempting to define the BCM goals, does your organization have defined Strategic Goals?
For example:
Then, determine the appropriate BCM Goals which have direct traceability back to the organization’s Strategic Goals:
BCM Goals and Metrics should be developed and aligned back to Strategic Goals, then documented as part of the BCM Policy.
Does your organization have defined Strategic Goals that can serve as the imperative for specific and tangible BCM Program goals?
For more information about how to better prepare your organization with an effective Business Continuity Management System and development of BCM Strategic Goals, please contact us via:
The contact form using the link at the top of this page
Cybersecurity is a critical part of business continuity management because it helps protect an organization’s information and systems from security threats. A breach of cybersecurity can have significant consequences for an organization, such as the loss of sensitive data, monetary loss, and damage to the organization’s reputation. To prevent these types of disruptions, organizations must incorporate robust cybersecurity measures into their business continuity management plan.
There are several organizations and institutions that offer recommendations and best practices for information and cyber security. Some of the main ones include the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), the Center for Internet Security (CIS), and the SANS Institute.
Here are some examples of recommendations and best practices for information security and cyber security from NIST, ISO, CIS, and SANS:
NIST recommends implementing strong password policies, regularly patching and updating software and security systems, and using encryption to protect sensitive data.
ISO recommends implementing a robust risk management program, including regular risk assessments and implementing controls to mitigate identified risks.
CIS recommends implementing a multi-layered approach to security, including both technical controls (such as firewalls and intrusion detection systems) and non-technical controls (such as employee training and incident response plans).
SANS recommends implementing a defense-in-depth strategy, which involves protecting the network and individual devices at multiple levels to reduce the likelihood and impact of a security breach.
The specific laws that require businesses to keep a degree of cyber security or resilience vary by country and jurisdiction. In the United States, for example, some of the main laws that address this issue include the Federal Information Security Management Act (FISMA), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS).
Here are some examples of what businesses need to do to comply with FISMA, HIPAA, and PCI DSS on cyber and information security:
FISMA requires that federal agencies implement a range of security controls to protect their information and systems, including regular risk assessments, training for employees, and incident response plans.
HIPAA requires that covered entities, such as healthcare providers and insurers, implement technical, physical, and administrative safeguards to protect patient health information. This includes implementing access controls, regular risk assessments, and training for employees.
PCI DSS requires that businesses that accept credit card payments implement a range of security controls to protect cardholder data, such as using encryption, implementing firewalls, and regularly testing security systems.
In general, however, most businesses are expected to take reasonable steps to protect their sensitive data and systems from cyber threats, such as implementing strong password policies, regularly updating software and security systems, and training employees on how to identify and report potential security threats. It’s also important for businesses to have a plan for responding to and recovering from a security breach, to minimize the damage and disruption caused by such an incident.
All-in-all, there are many organizations and institutions that offer recommendations and best practices for information security and cyber security, and there are also various laws and regulations that require businesses to keep a given level of security to protect sensitive data and systems. It’s important for businesses to be aware of these requirements and recommendations, and to implement controls and measures to protect themselves against cyber threats. By following cybersecurity recommendations and best practices, organizations can reduce the risk of a cybersecurity breach and ensure the ongoing availability of their systems and data. This will help organizations keep their overall resilience and ensure their ability to continue working in the face of potential disruptions.
For more information about how to better prepare your organization against cyber-related threats with an effective Business Continuity Management System, please contact us via:
The contact form using the link at the top of this page
The purpose of Business Continuity Management (BCM) is to attain comprehensive operational continuity (ability to continue critical operations during a disruption) and resilience (planning, preparedness and protection over the long-term.)
In today’s current environment, the global economy is shifting and evolving more now than ever. Geo-political events are disrupting supply chains. Staffing levels and unique staffing approaches are being tested from the COVID-19 pandemic. Infrastructure is becoming more vulnerable with ransomware and other exploits. IT requirements are evolving with the progression of cloud-based systems and the advent of 5G. It will be important that organizations big and small protect themselves from a variety of potential disasters, which will enable them to not only grow but to become sustainable.
What are the drivers for implementation of a BCM program?
The impetus for BCM can stem from external forces such as regulatory requirements (FFIEC or NCUA for financial institutions, etc.) and legal and fiduciary considerations (Sarbanes-Oxley.) Just as well, the drivers for BCM can come from internal factors and stakeholder requirements regarding preservation of the general sustainability and growth of the organization.
Where to begin?
– Establish the BCM Ownership.
To establish ownership and drive the BCM principles throughout the organization, a BCM strategy must be created and approved by the governing board. Ownership must reside at this level as the board owns the overall resilience of the organization, where the CEO and CFO must personally attest to the validity of the data being reported. The BCM Ownership must drive and define the BCM policy in a top-down approach. BCM is difficult to impossible to implement at the grass-roots level.
The BCM Leadership Team will typically include:
– The Business Continuity Steering Committee (BCSC) will be responsible to establish the BCM Policy. The BCSC will provide the appropriate level of authority on those areas of the organization that will most likely be involved with Business Continuity execution.
> At least one Executive, one Senior Management representative, and then what ever level of management is deemed appropriate to represent the full operational components of the organization.
– The Business Continuity Team (BCT) will be responsible to develop and maintain the Business Continuity Plans consistent with the BCM Policy.
> Line-of-Business Leaders, Site Leaders, Program Owners.
Per the ISO BCM standard, persons in top management and other relevant management roles throughout the organization shall demonstrate leadership with respect to the BCMS via demonstration of the following activities:
> Ensuring that policies and objectives are established and communicated for the business continuity management system, which are compatible with the strategic direction of the organization, promote continual improvement, and ensure that the BCMS achieves its intended outcome(s).
> Ensuring the integration of the business continuity management system requirements into the organization’s business processes with: allocation of resources needed for the business continuity management system, communication of the BCMS requirements to organizational staff and stakeholders, directing and supporting persons to contribute to the effectiveness of the BCMS, establishing roles, responsibilities, and competencies for business continuity management, and appointing one or more persons to be responsible for the BCMS with the appropriate authority/competencies to be accountable for the implementation and maintenance of the BCMS as well as supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility.
Top management shall ensure the parameters and support for the BCMS are communicated within the organization by creating or updating the BCM Policy Document to include:
> Documentation of the Process and Methodology approaches for conducting the organizational BIA and Risk Assessment,
> Documentation of the Process and Methodology approaches for selection of business continuity strategies to protect the critical functions, assets and stakeholders to the organization.
> Defining the criteria for accepting risks and the acceptable levels of risk,
> Actively engaging in exercising and testing,
> Ensuring that internal audits of the BCMS are conducted,
> Conducting management reviews of the BCMS, and
> Demonstrating its commitment to continual improvement.
For more information about how to better prepare your organization with an effective Business Continuity Management System, please contact us via:
The contact form using the link at the top of this page
5G is the next generation of mobile broadband service, and it will bring an exponential leap in capability, much more than in previous generations. Ultra-reliable and extreme real-time communications will help to support the growth of the Internet of Things (IoT) down to wearable devices and a massive distribution of sensor networks that will impact the efficiency of our everyday lives.
Currently, the first 5G services are available to about 12% of the mobile broadband users in the US. Within 3 years, 5G coverage availability is expected to be at 25% or greater. 100% coverage availability is expected within four to five years.
The success of 5G will require caching and storing massive amounts of data to support applications and other functions that run on these devices. The advent of smart homes, smart industry and smart cities will require moving a large portion of the computing power down from the cloud to the device level, or closer to the device level.
Edge computing and near-edge computing will be the architecture that is required to support the new mobile broadband ecosystem. Street-level IoT devices and connections, along with micro data centers will fuel the throughput and capacity that is required to enable the middle layer low latency fiber and wireless connections between the core systems that remain in the centralized cloud, and the edge level computing being performed via devices within industry, homes and cities.
5G and Edge computing infrastructure will bring with it many advancements, but also many challenges. Protection of user data and privacy will be paramount. The end user and business consumers will demand increasing capability, capacity, storage and uncompromised security.
While 5G and Edge computing may not dramatically affect your day-to-day consumer functions and business operations today, it most certainly will within a few years to come.
Businesses should be prepared to assess their existing critical functions, data flows, dependencies, and technologies with a view towards the ever-evolving use cases for how users and consumers will interface with your organization, and how your internal BC/DR plans will need to be proactively managed and transformed to meet the needs of the new 5G/Edge computing universe.
Is your Business Impact Analysis (BIA) up-to-date? Does your latest threat assessment include technology and data security hazards? Is your data center and cloud services infrastructure and Disaster Recovery Plan ready to handle the challenges of 5G and Edge computing?
For more information about how to better prepare your organization with effective BC/DR Planning tools, or to schedule a tabletop exercise with our Certified Business Continuity Professionals, please contact us via:
The contact form using the link at the top of this page
The following news article provides an excellent introduction to the basic facts about coronavirus. Below are some important activities to consider when building your pandemic response plan.
From CBC News: Information about the coronavirus outbreak is spreading fast, but what do we actually know about the illness? CBC News medical contributor and family physician Dr. Peter Lin breaks down the facts about what it is, where it came from, how it spreads and what you can do to protect yourself. To read more: https://www.cbc.ca/1.5433625
How does the organization get started? While this is not an exhaustive listing, a basic Pandemic response plan should at least include the following considerations:
Containment Activities
Reducing risk of infected persons entering the workplace
Social Distancing
Environmental cleaning
Management Activities
Managing Fear
Communicate Sick Leave policy
Prevent Travel to infected areas
Maintain Essential Business Activities
Identification of core people and skills
Business Planning for absence
Contingencies for remote work
Alternate staffing and alternate work locations
For more detailed information about how to better prepare your organization with effective BC/DR Planning tools, or to schedule a tabletop exercise with our Certified Business Continuity Professionals, please contact us via:
The contact form using the link at the top of this page
We at Paradigm Solutions International encourage you to sign up early and attend the DRJ Spring 2019 conference. The venue is located in Orlando, FL at the Disney Coronado Springs Resort from March 24th-27th, 2019.
The DRJ conference is a great opportunity to hear valuable presentations from keynote speakers, network with other organizations, attend workshops and view exhibits from the vendors.