February 25th, 2025 by ParadigmSI
Implementing a Business Continuity Management Program
1. Establish the BCM Ownership.
2. Align BCM Program to organizational Strategic Goals.
3. Develop the BCM Policy.
4. Determine the BCM Strategy.
5. Determine the BCM Implementation Approach.
6. Initiate the BCM Program
7. Business Impact Analysis
8. Risk Analysis
The Risk Analysis identifies the events that can adversely affect the organization, the damage each such event can cause, and the controls needed to prevent or minimize the resulting loss. Each risk is quantified by determining the potential threat, its probability, its impact and the organization's vulnerability to it.
The Risk Analysis will:
– Identify potential threats,
– Understand the size of each threat's impact,
– Determine mitigation techniques for each threat,
– Perform a cost/benefit analysis for each mitigation technique,
– Prioritize and summarize the viable and effective mitigation strategies,
– Implement the selected strategies using one of four treatments: avoidance (eliminate the risk), reduction (mitigate it), transference (outsource or insure it), or retention (accept it and budget for the loss).
Risk Assessment Strategies will focus on:
– Preemptive/preventative measures that reduce the likelihood or the impact of a risk event,
– Approaches to continuing or resuming key business process activities during a crisis (e.g., executing key processes remotely, utilizing additional working shifts).
The developed strategies will be quantified in terms of cost/benefit, with the final selection of strategies for implementation made by the Risk Management Committee.
For each risk, develop strategies that enhance the business continuity of the affected process. Each strategy will outline an approach to either:
– Increase the level of control associated with the process, and/or
– Decrease the business impact associated with a disruption of the process.
Where not already covered, develop strategies to secure the availability of “Mission Critical Resources”. Develop a timeline to implement the selected strategies and submit it to management for approval.
For more detailed information about how to perform a Risk Analysis, better prepare your organization with effective BC/DR Planning tools, or to schedule a tabletop exercise with our Certified Business Continuity Professionals, please contact us via:
The contact form using the link at the top of this page
Email at PSISales@ParadigmSI.com
For more information, call us at 800-558-9568 ext. 300
To speak with a Sales Representative about Business Continuity Planning Consulting or Business Continuity Software, please call: 814-330-2560
Next up in Part 9: Plan Development
May 23rd, 2023 by ParadigmSI
Implementing a Business Continuity Management Program
1. Establish the BCM Ownership.
2. Align BCM Program to organizational Strategic Goals.
3. Develop the BCM Policy.
4. Determine the BCM Strategy.
5. Determine the BCM Implementation Approach.
6. Initiate the BCM Program
First, determine the BCM Program Injection Point
Not every organization is the same, and not every organization is starting at the same place. BCM is a lifecycle, and you can enter it at the point that fits your current state. If you are starting from scratch, the Business Impact Analysis (BIA) is a good starting point within the BCM lifecycle. If your organization has recently performed a BIA/RA, it may be better suited to begin with Plan Development, using the Maximum Acceptable Outage (MAO) values, dependencies and technology requirements from the recent BIA/RA results as the basis for the planning strategy.

Next, determine the scope of the Planning effort
Conduct a review of current Business Continuity Plans. The three main plan types can be described as:
Agency/Business Recovery – Plan development and documentation to resume/recover critical business activities.
Crisis Management/Emergency Response – Contingency planning for executive decision-making, communications and high-level pre-planning activities.
Disaster Recovery – IT contingency planning for applications and related infrastructure components (systems, servers, network, databases, etc.).
Your organization may have some or all of these plan types in place already. You may choose to focus on Crisis Management/Emergency Response first, to ensure that effective crisis communications are in place along with contingencies for the safety of people and the protection of critical assets during a disruption. Some organizations may choose to prioritize the resiliency and recovery capabilities of the infrastructure and IT resources with Disaster Recovery planning. Others may need to prioritize the development of operational/business recovery plans for sustaining the critical business functions identified during the BIA effort.
All business units, related activities, and associated IT applications and infrastructure must be identified for plan development.
The business units rated as most critical during the Impact Analysis should be the plans documented first by the Business Unit Recovery Teams.
The IT applications rated as most critical during the Impact Analysis should be the plans documented first by the IT Disaster Recovery Teams.
Designate team members that have responsibility for coordinating plan development and documentation.
Next up in Part 7: Business Impact Analysis
March 1st, 2023 by ParadigmSI
Implementing a Business Continuity Management Program
1. Establish the BCM Ownership.
2. Align BCM Program to organizational Strategic Goals.
3. Develop the BCM Policy.
4. Determine the BCM Strategy.
The purpose of the BCM Strategy is to settle the strategy decisions that cannot practically be made at the level of an individual organizational unit.

1. Business Continuity Process: The lifecycle of an event:
– COOP-related Procedures (Threat-based SOPs: if fire, dial x###, etc.)
– Crisis Management (ER/IM: protect people and assets)
– Business/Disaster Recovery (BRP/COOP: sustain critical functions and IT)
– Resumption (component of BRP/COOP: return to normal operations)
2. Business Continuity Strategy: Based on the type of asset lost:
– Facilities Strategy (hotsite, AWA (alternate work area), etc.)
– Personnel Strategy (remote work, backups, contractors, etc.)
– IT/Systems Strategy (redundancy/failover, UPS/generator, etc.)
– Data/Records Strategy (backups, offsite storage, access, etc.)
– Supply Chain Strategy
Both the process lifecycle and the per-asset-type strategies should be documented in the BCM Policy.
The all-hazards planning approach performs a detailed risk assessment of every potential hazard that could affect the organization, and then develops mitigations and planning strategies, and performs testing exercises, based on these prioritized hazards. Potential hazards are grouped into categories such as Natural Disasters, Human-caused Events, or Technical Disruptions. Each potential hazard is then rated on the following risk factors:
– Probability of Occurrence (likelihood that the threat will materialize)
– Loss Impact (direct impact due to the loss of the function)
– Consequence (downstream losses as a result of the realized threat)
– Exposure (the passive, inherent factors contributing to vulnerability)
– Level of Control (the active, controllable variables that offset vulnerability, e.g., the fire suppression system)
To make this assessment complete, it is also important to consider the other side of the all-hazards approach: identifying and addressing all the “asset-types” in the organization that these hazards can affect. What are the organization's key assets, and how can each potential hazard affect each asset type? Typically the asset types are Facilities, Personnel, IT/Infrastructure, and Data/Records. You can then, for example, develop planning strategies that cover every “loss of facility” scenario, whatever the cause: fire, flooding, tornado, earthquake, train derailment, or other.
In summary, a comprehensive Enterprise Risk Management strategy will identify all the potential Hazards that can affect the organization, then rank and prioritize these for the different Asset Types that are identified for the organization, and finally employ mitigation strategies, effective planning approaches and testing/exercising to bring the organization into even greater resilience.
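To make the five rating factors above concrete, here is an added worked example (not code from the original ParadigmSI post, and not a formula the post prescribes). It applies the Part 4 all-hazards rating to a hazard-by-asset-type register and then carries out the Part 8 cost/benefit ranking and treatment selection (avoid, reduce, transfer, retain). It combines the factors as an annual loss expectancy, ALE = ARO x SLE scaled by a net vulnerability in which Exposure is offset by Level of Control; the hazards, ratings, dollar figures, candidate mitigations and the 25,000 risk appetite are all constructed for illustration.

```python
"""Hazard-by-asset risk register with cost/benefit ranking of mitigations.

Added example, not code from the original post. Hazards, ratings, dollar
figures and mitigations are constructed for illustration; the scoring rule
(ALE = ARO x SLE x net vulnerability) is one common way to combine the five
factors the post lists, not a formula the post itself prescribes.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Hazard:
    name: str
    asset_type: str      # Facilities, Personnel, IT/Infrastructure, Data/Records
    aro: float           # Probability of Occurrence as an annualized rate (events/year)
    loss_impact: float   # Loss Impact: direct loss per event, in dollars
    consequence: float   # Consequence: downstream loss per event, in dollars
    exposure: int        # Exposure rating, 1 (low) .. 5 (high): passive, inherent
    control: int         # Level of Control rating, 1 (weak) .. 5 (strong): active


@dataclass(frozen=True)
class Mitigation:
    name: str
    hazard: str                          # Hazard.name this treats
    annual_cost: float                   # implement + maintain, per year
    aro_factor: float = 1.0              # multiplier on ARO once in place (0..1)
    sle_factor: float = 1.0              # multiplier on per-event loss once in place (0..1)
    control_after: Optional[int] = None  # new Level of Control rating, if it changes


def vulnerability(exposure: int, control: int) -> float:
    """Net vulnerability in [0.1, 0.9]: exposure raises it, level of control lowers it."""
    if not (1 <= exposure <= 5 and 1 <= control <= 5):
        raise ValueError("exposure and control ratings must be 1..5")
    return (exposure - control + 5) / 10


def single_loss_expectancy(h: Hazard) -> float:
    return h.loss_impact + h.consequence


def annual_loss_expectancy(h: Hazard) -> float:
    """ALE = ARO x SLE x net vulnerability, in dollars per year."""
    return h.aro * single_loss_expectancy(h) * vulnerability(h.exposure, h.control)


def with_mitigation(h: Hazard, m: Mitigation) -> Hazard:
    """The same hazard as it would be rated with the mitigation in place."""
    return Hazard(h.name, h.asset_type, h.aro * m.aro_factor,
                  h.loss_impact * m.sle_factor, h.consequence * m.sle_factor,
                  h.exposure, h.control if m.control_after is None else m.control_after)


def net_benefit(h: Hazard, m: Mitigation) -> float:
    """Cost/benefit of one mitigation: annual risk reduction minus its annual cost."""
    return annual_loss_expectancy(h) - annual_loss_expectancy(with_mitigation(h, m)) - m.annual_cost


def recommend(h: Hazard, mitigations: list, risk_appetite: float) -> tuple:
    """Choose a treatment: reduce (best mitigation with positive net benefit), retain
    (ALE within appetite), or escalate to the committee as a transfer/avoid decision."""
    options = [m for m in mitigations if m.hazard == h.name]
    best = max(options, key=lambda m: net_benefit(h, m), default=None)
    if best is not None and net_benefit(h, best) > 0:
        return ("reduce", best.name, round(net_benefit(h, best), 2))
    if annual_loss_expectancy(h) <= risk_appetite:
        return ("retain", None, 0.0)
    return ("transfer-or-avoid", None, 0.0)


def ale_by_asset_type(hazards: list) -> list:
    """All-hazards view collapsed by asset type: total ALE per asset type, highest first."""
    totals = {}
    for h in hazards:
        totals[h.asset_type] = totals.get(h.asset_type, 0.0) + annual_loss_expectancy(h)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


# Constructed register: each hazard rated on the post's five factors.
HAZARDS = [
    Hazard("Fire", "Facilities", 0.05, 400_000, 600_000, exposure=3, control=4),
    Hazard("Flood", "Facilities", 0.10, 250_000, 250_000, exposure=4, control=1),
    Hazard("Ransomware", "IT/Infrastructure", 0.50, 200_000, 300_000, exposure=5, control=2),
    Hazard("Pandemic absenteeism", "Personnel", 0.20, 50_000, 100_000, exposure=3, control=3),
    Hazard("Backup media loss", "Data/Records", 0.10, 100_000, 100_000, exposure=2, control=4),
]

# Constructed candidate mitigations with assumed annual costs and effects.
MITIGATIONS = [
    Mitigation("Offline immutable backups + tested restores", "Ransomware", 40_000, sle_factor=0.2, control_after=4),
    Mitigation("Endpoint hardening and EDR", "Ransomware", 60_000, aro_factor=0.4, control_after=3),
    Mitigation("Flood barriers and sump pumps", "Flood", 30_000, aro_factor=0.5, control_after=3),
]

RISK_APPETITE = 25_000  # assumed: the largest per-hazard ALE the organization will retain


def risk_register(hazards=HAZARDS, mitigations=MITIGATIONS, appetite=RISK_APPETITE) -> list:
    """Prioritized register: (hazard, asset type, ALE, treatment), highest ALE first."""
    rows = [(h.name, h.asset_type, round(annual_loss_expectancy(h), 2),
             recommend(h, mitigations, appetite)) for h in hazards]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for asset, total in ale_by_asset_type(HAZARDS):
        print(f"{asset:18s} ALE ${total:>10,.0f}")
    for name, asset, ale, (treatment, via, benefit) in risk_register():
        extra = f" via {via} (net +${benefit:,.0f}/yr)" if via else ""
        print(f"{name:22s} {asset:18s} ${ale:>10,.0f}  {treatment}{extra}")
```

Running the module prints the ALE per asset type and the prioritized register with a recommended treatment per hazard. A mitigation is recommended only when its annual risk reduction exceeds its annual cost (here the backup control beats EDR for ransomware because it cuts the per-event loss and raises the level of control), and a hazard whose ALE exceeds the appetite with no cost-effective reduction (the flood, where the barriers cost more than they save) is escalated to the Risk Management Committee as a transfer (insure) or avoid decision rather than silently retained.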
Next up in Part 5: Determine the BCM Implementation Approach
February 1st, 2023 by ParadigmSI
Implementing a Business Continuity Management Program
1. Establish the BCM Ownership.
2. Align BCM Program to organizational Strategic Goals.
3. Develop the BCM Policy – Standards & Guidelines
In many cases the BCM policy and approach are driven by standardization bodies together with local, regional and industry-imposed requirements. Codes of practice and specifications are defined by the relevant international standards, such as ISO 27001 (the specification for an Information Security Management System, ISMS) and ISO 22301 (Societal security – Business continuity management systems – Requirements).
ISO 22301 is the international standard for Business Continuity Management systems.
The focus of ISO 22301 is to ensure the continued delivery of products and services after the occurrence of disruptive events (e.g., natural disasters, man-made disasters, etc.). This is done by identifying business continuity priorities (through the business impact analysis) and the potentially disruptive events that can affect business operations (through the risk assessment), defining what must be done to prevent such events from happening, and then defining how to recover minimum and then normal operations in the shortest possible time (i.e., risk mitigation or risk treatment). The main philosophy of ISO 22301 is therefore based on analyzing impacts and managing risks: find out which activities are most important and which risks can affect them, and then systematically treat those risks. [1]
Said another way, BCM is a holistic management process that identifies the potential impacts that threaten an organization and the associated risks, and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. [2]
As such, the basis for building an effective business continuity management program consists of an understanding of the following primary elements:

> Potential Impacts are developed from the Business Impact Analysis (BIA).
> Threats are developed from the Risk Assessment (RA) by identifying the potential hazards with the highest probability, impact and vulnerability.
> The BCM view of the Organization, as distinct named Critical Functions with their locations, dependencies and technology requirements, is determined from the Business Impact Analysis (BIA).
> An Effective Response is developed by focusing on recovery strategies for each of the organization’s critical functions, with a recovery plan that attains the defined Maximum Acceptable Outage (MAO) value for each.
Your organization may require adherence to several industry standards. Select the BCM and industry-specific standards and guidelines to be included in scope of your BCM program and policy. The BCM process will need to address each of the above elements in order to implement an effective Business Continuity Management program.
– NFPA 1600/1660 https://www.nfpa.org/codes-and-standards/all-codes-and-standards/list-of-codes-and-standards/detail?code=1600; https://www.nfpa.org/codes-and-standards/all-codes-and-standards/list-of-codes-and-standards/detail?code=1660
– NIMS https://www.fema.gov/emergency-managers/nims
– ISO 22301 https://www.nqa.com/medialibraries/NQA/NQA-Media-Library/PDFs/NQA-ISO-22301-Implementation-Guide.pdf
– FFIEC https://ithandbook.ffiec.gov/it-booklets/business-continuity-management.aspx
– NCUA https://ncua.gov/regulation-supervision/letters-credit-unions-other-guidance/ffiec-release-updated-business-continuity-planning-examination-handbook
Next up in Part 4: Determine the BCM Strategy
[2] BS 25999-2:2007, 2.4
January 3rd, 2023 by ParadigmSI
Implementing a Business Continuity Management Program

For the BCM program itself to be resilient, the BCM effort must be tangibly justified and validated. This part of the BCM program is often neglected.
Before even attempting to define the BCM goals, does your organization have defined Strategic Goals?
For example: [the sample Strategic Goals shown in the original post are not reproduced here]
Then, determine the appropriate BCM Goals, each with direct traceability back to an organizational Strategic Goal: [the sample BCM Goals shown in the original post are not reproduced here]
BCM Goals and Metrics should be developed and aligned back to Strategic Goals, then documented as part of the BCM Policy.
Does your organization have defined Strategic Goals that can serve as the imperative for specific and tangible BCM Program goals?
Coming next month in Part 3: Develop the BCM Policy – Standards & Guidelines
December 19th, 2022 by ParadigmSI
Cybersecurity is a critical part of business continuity management because it helps protect an organization’s information and systems from security threats. A breach of cybersecurity can have significant consequences for an organization, such as the loss of sensitive data, monetary loss, and damage to the organization’s reputation. To prevent these types of disruptions, organizations must incorporate robust cybersecurity measures into their business continuity management plan.
There are several organizations and institutions that offer recommendations and best practices for information and cyber security. Some of the main ones include the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO), the Center for Internet Security (CIS), and the SANS Institute.
Here are some examples of recommendations and best practices for information security and cyber security from NIST, ISO, CIS, and SANS:
NIST recommends implementing sound password policies (its current guidance in SP 800-63B favors long passphrases and screening against breached-password lists over forced complexity rules and periodic rotation), regularly patching and updating software and security systems, and using encryption to protect sensitive data.
ISO recommends implementing a robust risk management program, including regular risk assessments and implementing controls to mitigate identified risks.
CIS recommends implementing a multi-layered approach to security, including both technical controls (such as firewalls and intrusion detection systems) and non-technical controls (such as employee training and incident response plans).
SANS recommends implementing a defense-in-depth strategy, which involves protecting the network and individual devices at multiple levels to reduce the likelihood and impact of a security breach.
The specific laws that require businesses to maintain a degree of cyber security or resilience vary by country and jurisdiction. In the United States, for example, the main requirements of this kind include the Federal Information Security Management Act (FISMA), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI DSS); note that PCI DSS is not a law but an industry standard that the card brands impose through merchant and acquirer contracts.
Here are some examples of what businesses need to do to comply with FISMA, HIPAA, and PCI DSS on cyber and information security:
FISMA requires that federal agencies implement a range of security controls to protect their information and systems, including regular risk assessments, training for employees, and incident response plans.
HIPAA requires that covered entities, such as healthcare providers and insurers, implement technical, physical, and administrative safeguards to protect patient health information. This includes implementing access controls, regular risk assessments, and training for employees.
PCI DSS requires that businesses that accept credit card payments implement a range of security controls to protect cardholder data, such as using encryption, implementing firewalls, and regularly testing security systems.
In general, however, most businesses are expected to take reasonable steps to protect their sensitive data and systems from cyber threats, such as implementing strong password policies, regularly updating software and security systems, and training employees on how to identify and report potential security threats. It’s also important for businesses to have a plan for responding to and recovering from a security breach, to minimize the damage and disruption caused by such an incident.
All in all, many organizations and institutions offer recommendations and best practices for information and cyber security, and various laws and regulations require businesses to maintain a given level of security to protect sensitive data and systems. Businesses must be aware of these requirements and recommendations and implement controls and measures to protect themselves against cyber threats. Following them reduces the risk of a cybersecurity breach, helps keep systems and data available, and so supports the organization’s overall resilience and its ability to keep operating in the face of potential disruptions.