The purpose of Business Continuity Management (BCM) is to attain comprehensive operational continuity (the ability to continue critical operations during a disruption) and resilience (planning, preparedness and protection over the long term).
In today’s environment, the global economy is shifting and evolving more than ever. Geo-political events are disrupting supply chains. Staffing levels and unique staffing approaches are being tested by the COVID-19 pandemic. Infrastructure is becoming more vulnerable to ransomware and other exploits. IT requirements are evolving with the progression of cloud-based systems and the advent of 5G. It will be important that organizations big and small protect themselves from a variety of potential disasters, which will enable them not only to grow but to become sustainable.
What are the drivers for implementation of a BCM program?
The impetus for BCM can stem from external forces such as regulatory requirements (FFIEC or NCUA for financial institutions, etc.) and legal and fiduciary considerations (Sarbanes-Oxley). Equally, the drivers for BCM can come from internal factors and stakeholder requirements regarding preservation of the general sustainability and growth of the organization.
Where to begin?
– Establish the BCM Ownership.
To establish ownership and drive the BCM principles throughout the organization, a BCM strategy must be created and approved by the governing board. Ownership must reside at this level because the board owns the overall resilience of the organization, and the CEO and CFO must personally attest to the validity of the data being reported. The BCM Ownership must drive and define the BCM policy in a top-down approach. BCM is difficult, if not impossible, to implement from the grass-roots level.
The BCM Leadership Team will typically include:
– The Business Continuity Steering Committee (BCSC) will be responsible for establishing the BCM Policy. The BCSC will provide the appropriate level of authority over those areas of the organization that will most likely be involved with Business Continuity execution.
> At least one Executive, one Senior Management representative, and then whatever level of management is deemed appropriate to represent the full operational components of the organization.
– The Business Continuity Team (BCT) will be responsible for developing and maintaining the Business Continuity Plans consistent with the BCM Policy.
> Line-of-Business Leaders, Site Leaders, Program Owners.
Per the ISO BCM standard, persons in top management and other relevant management roles throughout the organization shall demonstrate leadership with respect to the business continuity management system (BCMS) through the following activities:
> Ensuring that policies and objectives are established and communicated for the business continuity management system, which are compatible with the strategic direction of the organization, promote continual improvement, and ensure that the BCMS achieves its intended outcome(s).
> Ensuring the integration of the business continuity management system requirements into the organization’s business processes with: allocation of resources needed for the business continuity management system, communication of the BCMS requirements to organizational staff and stakeholders, directing and supporting persons to contribute to the effectiveness of the BCMS, establishing roles, responsibilities, and competencies for business continuity management, and appointing one or more persons to be responsible for the BCMS with the appropriate authority/competencies to be accountable for the implementation and maintenance of the BCMS as well as supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility.
Top management shall ensure the parameters and support for the BCMS are communicated within the organization by creating or updating the BCM Policy Document to include:
> Documentation of the Process and Methodology approaches for conducting the organizational BIA and Risk Assessment,
> Documentation of the Process and Methodology approaches for selection of business continuity strategies to protect the critical functions, assets and stakeholders of the organization,
> Defining the criteria for accepting risks and the acceptable levels of risk,
> Actively engaging in exercising and testing,
> Ensuring that internal audits of the BCMS are conducted,
> Conducting management reviews of the BCMS, and
> Demonstrating its commitment to continual improvement.
For more information about how to better prepare your organization with an effective Business Continuity Management System, please contact us via:
The contact form using the link at the top of this page
The recent executive order from the White House requires that all Federal Information Systems should meet or exceed specific standards and requirements for cybersecurity. Do your critical cloud-service solutions meet these modernized cybersecurity requirements?
The Federal Government is moving toward adoption of security best practices and a “Zero Trust Architecture”, which will accelerate movement to secure cloud services, including Software as a Service (SaaS), Infrastructure as a Service (IaaS), and Platform as a Service (PaaS).
These detailed requirements include standards, procedures, or criteria regarding encryption of data and the establishment of multi-factor, risk-based authentication and conditional access across the enterprise.
What is your level of confidence that your organization can meet these modernized standards and could successfully prevent or recover from a security breach?
BC/DR planning tools can assist you and provide an effective foundation to build, plan, document, test, train, mature and continuously improve your organizational resiliency.
FEMA has developed a Fact Sheet regarding General Reconstitution Planning Considerations which can be used to develop and coordinate a plan to resume operations. Some of the content includes how organizations should assess the status of personnel, assets and facilities, pandemic planning mitigation measures, as well as financial and insurance considerations.
************************************************
FEMA FACT SHEET
Reconstitution During the COVID-19 Pandemic
In these uncertain times, organizations across the nation are grappling with when and how to resume operations while protecting the well-being and safety of their employees and communities. Many organizations will be returning to a new normal and are asking: When is it safe to bring people back? Do we need to modify how we operate? How do we keep our employees, customers and community safe? How do we maintain a safe and sanitary environment?
An organization may need to adapt and adopt new processes, address physical and psychological impacts to personnel, recover records and files, reestablish communications and IT equipment, or acquire specialized equipment to regain full functionality. Planning for reconstitution requires expertise and coordination from the entire organization and coordination with partners and stakeholders throughout the community.
This fact sheet builds upon the White House guidelines for Opening Up America Again by providing further reconstitution planning recommendations for state, local, tribal, territorial and private sector stakeholders.
General Reconstitution Planning Considerations
Identifying reconstitution considerations assists organizations to develop and coordinate a plan to resume operations. Organizations should determine how to assess the status of personnel, assets and facilities. Organizations should:
Begin now by developing a plan and procedures for how operations will be resumed. Organizations may need to consider a time-phased approach to prepare a facility to be reoccupied. Offices, functions and returning personnel may need to be prioritized or work in staggered shifts.
Communicate with employees and inform them of the process for returning to work. Consider providing online training and guidance for employees before returning.
Coordinate with partners and stakeholders. Determine what methods will be used to inform employees, customers, vendors and stakeholders that operations are being resumed.
Identify and implement additional facility maintenance tasks necessary to safely reopen closed buildings.
Address physical and psychological impacts to personnel through employee and family support plans and other human resource measures.
Develop an after-action report/improvement plan to note lessons learned and improve plans.
FEMA’s National Continuity Programs offers additional continuity of operations and reconstitution planning guidance and resources, including:
Organizations should abide by emergency orders, applicable statutes, and public health guidelines and prioritize employee and community safety and well-being. Refer to the Centers for Disease Control and Prevention (CDC) for COVID-19 guidance and protective measures.
Measures an organization may need to consider include:
Prepare for a resurgence or additional “waves” of the virus and identify mitigation measures.
Continue utilization of telework and other workforce flexibilities. Telework.gov provides telework guidance and resources for the Federal government and may be helpful to others.
Incorporate social distancing measures, including limiting building capacities, staggering shifts, closing common areas, rotating “office days” for shared offices, installing physical barriers, and limiting non-essential travel.
Allow high-risk/vulnerable individuals additional flexibility or continue isolation without repercussions.
Acquire cleaning supplies, masks/face coverings and gloves, and implement personal protective policies or measures (handwashing, hand sanitizer, etc.) to limit the spread of the virus and protect employees and customers.
Conduct health screenings to monitor employee wellness and prevent further infections and develop or revise human resource policies to detail processes for sick employees or family members, as well as those exposed to the virus or showing symptoms.
Intensify cleaning, sanitizing, disinfection and ventilation activities according to CDC and the Occupational Safety and Health Administration (OSHA) guidance:
State, Local, Tribal and Territorial (SLTT) Government Considerations
SLTT and insular area governments play a critical role in involving the whole community in preparing for the resumption of governmental and private sector functions and recovering from a health and economic crisis. The White House Opening Up America Again guidelines establish three phases and gating guidelines to assist SLTT governments in their decision-making processes. SLTT governments will need to continue to coordinate with businesses, industry and critical infrastructure owners and operators to determine resource requirements and how supply chain disruptions affect resource management efforts. Additional considerations include:
Public health infrastructure: Plan for continued virus testing, reporting, and contact tracing efforts and monitoring public health and healthcare system(s) capacity for a resurgence.
Schools: Develop plans and policies for training and resource support for intermittent E-learning. The U.S. Department of Education offers COVID-19 guidance and resources: www.ed.gov/coronavirus
Public Transportation: Develop plans for ensuring public health while providing public transportation. Refer to the U.S. Department of Transportation COVID-19 resource page: www.transportation.gov/coronavirus
Critical Infrastructure: The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) offers guidance and resources for critical infrastructure owners and operators: www.cisa.gov/coronavirus
Intergovernmental Coordination: Coordinate across all branches of government (legislative, judicial, executive) and with neighboring jurisdictions to discuss planning, response and mitigation efforts.
Restarting a business may be challenging, and an organization’s reconstitution plan may need to balance health and financial concerns. Customers will need to feel safe enough to venture out. Organizations will be more likely to succeed if they take serious preventive measures and can demonstrate that they are safe. Organizations should keep up to date with federal, state and local mitigation recommendations, and clearly communicate these updates and measures with employees and stakeholders. Additional private sector considerations include:
Consider applying for a disaster loan. The Small Business Administration (SBA) offers disaster assistance in the form of low-interest loans to businesses, renters, and homeowners: www.sba.gov/disaster-assistance/coronavirus-covid-19.
Contact customers, vendors and suppliers to determine demand or potential supply issues.
Review insurance policies to determine eligibility for coverage of business interruption or loss.
Establish online commerce platforms, train staff to operate in an e-commerce environment, and adjust business models for a new economy.
Questions to Consider When Reconstituting Operations
People
Who will be responsible for COVID-19 issues and how they impact our workplace(s)?
Are our human resources policies and processes consistent with public health recommendations and federal/state statutes?
Have we established a priority order of return?
Do new policies regarding sick leave, scheduling, control measures, etc. need to be established and/or continued?
How do we determine employee status and their availability to return?
Have employees been exposed to COVID-19?
How can we protect employees?
Can alternate work arrangements be established for at-risk employees?
Will there be new requirements for returning to work (e.g., employees must be symptom-free)?
How will hiring be conducted?
Have we accounted for a possible resurgence of COVID-19 within our workforce and the community?
Do we have a plan if stricter social distancing policies are enacted?
Can training be conducted virtually, including new hire and new health and safety requirements?
What is the status of childcare and dependent care services to support employees returning to work?
Messaging/Communications
How and what are we messaging/communicating with our employees, stakeholders, vendors, and customers?
What considerations need to be communicated to employees prior to reopening?
> Health and safety measures?
> Change in schedule or shifts?
> Employee status?
> Priority/phased opening?
> Requirements for returning to work?
How frequently will messages be disseminated?
What should employees expect when they return to work?
How would we conduct employee accountability?
What should customers/stakeholders expect when we reopen?
Have we coordinated with contractors or vendors about their plans to reopen or how our reopening will impact them?
Facilities
Who is responsible for ensuring our facilities meet the necessary safety and health guidelines to reopen?
Have we established a priority order for opening multiple facilities or business locations?
Have we identified the health and safety requirements outlined by CDC, HHS, OSHA, etc. specific to our organization?
Can our facilities accommodate any necessary social distancing requirements?
What health and safety assessments need to occur before we can re-enter our primary location?
Will this require contract or vendor support?
Can any necessary facility repairs, updates, or cleaning occur now (during social distancing measures) to prepare for reopening?
How can we reduce our employee exposure to COVID-19?
Have we created a plan to clean and disinfect our frequently touched objects and surfaces per EPA’s criteria for use against COVID-19?
Resources/Logistics
Have we determined which portions, if any, of applicable statutes apply to our organization (e.g. CARES Act, etc.)?
If required or necessary for infection control, do we have the necessary cleaning supplies and personal protective equipment (PPE) for our employees (e.g., masks, gloves, face shields, etc.)?
Has an accounting been done to determine what resources we have on hand, and what resources are required to reopen?
Is our supply chain able to accommodate supporting our logistical requirements in preparation for reopening?
The following news article provides an excellent introduction to the basic facts about coronavirus. Below are some important activities to consider when building your pandemic response plan.
From CBC News: Information about the coronavirus outbreak is spreading fast, but what do we actually know about the illness? CBC News medical contributor and family physician Dr. Peter Lin breaks down the facts about what it is, where it came from, how it spreads and what you can do to protect yourself. To read more: https://www.cbc.ca/1.5433625
How does the organization get started? While this is not an exhaustive listing, a basic pandemic response plan should at least include the following considerations:
– Containment Activities
> Reducing risk of infected persons entering the workplace
> Social Distancing
> Environmental cleaning
– Management Activities
> Managing Fear
> Communicate Sick Leave policy
> Prevent Travel to infected areas
– Maintain Essential Business Activities
> Identification of core people and skills
> Business Planning for absence
> Contingencies for remote work
> Alternate staffing and alternate work locations
How can one demonstrate a measurable return on investment (ROI) from the implementation of a continuity planning tool?
In today’s economic landscape, it is no news to anyone that companies that have been in business for generations are closing their doors. Organizations that remain are forced to run leaner operations, coordinate just-in-time inventory levels and manage the highest levels of employee productivity, all to drive sustainable profit margins and positive cash flows for the stakeholders.
Even government agencies, especially at the local and state levels, are struggling with dwindling revenues from their private sector constituencies, facing increases in unfunded mandates, higher costs, lower budgets and cut-backs in services and operations. Needless to say, all spending is highly scrutinized no matter the industry or sector, and discretionary spending items are omitted from budgets without even a second thought.
This being the case, why would any organization choose during these critical times to implement a Business Continuity (BC) or Continuity of Operations (COOP) program?
Request our complete Whitepaper to learn more about demonstrating ROI from a continuity planning solution.