The purpose of Business Continuity Management (BCM) is to attain comprehensive operational continuity (ability to continue critical operations during a disruption) and resilience (planning, preparedness and protection over the long-term.)
ref: https://www.iso.org/obp/ui/#iso:std:iso:22300:ed-3:v1:en
In today’s current environment, the global economy is shifting and evolving more now than ever. Geo-political events are disrupting supply chains. Staffing levels and unique staffing approaches are being tested from the COVID-19 pandemic. Infrastructure is becoming more vulnerable with ransomware and other exploits. IT requirements are evolving with the progression of cloud-based systems and the advent of 5G. It will be important that organizations big and small protect themselves from a variety of potential disasters, which will enable them to not only grow but to become sustainable.
What are the drivers for implementation of a BCM program?
The impetus for BCM can stem from external forces such as regulatory requirements (FFIEC or NCUA for financial institutions, etc.) and legal and fiduciary considerations (Sarbanes-Oxley.) Just as well, the drivers for BCM can come from internal factors and stakeholder requirements regarding preservation of the general sustainability and growth of the organization.
Where to begin?
– Establish the BCM Ownership.
To establish ownership and drive the BCM principles throughout the organization, a BCM strategy must be created and approved by the governing board. Ownership must reside at this level as the board owns the overall resilience of the organization, where the CEO and CFO must personally attest to the validity of the data being reported. The BCM Ownership must drive and define the BCM policy in a top-down approach. BCM is difficult to impossible to implement at the grass-roots level.
The BCM Leadership Team will typically include:
– The Business Continuity Steering Committee (BCSC) will be responsible to establish the BCM Policy. The BCSC will provide the appropriate level of authority on those areas of the organization that will most likely be involved with Business Continuity execution.
> At least one Executive, one Senior Management representative, and then what ever level of management is deemed appropriate to represent the full operational components of the organization.
– The Business Continuity Team (BCT) will be responsible to develop and maintain the Business Continuity Plans consistent with the BCM Policy.
> Line-of-Business Leaders, Site Leaders, Program Owners.
Per the ISO BCM standard, persons in top management and other relevant management roles throughout the organization shall demonstrate leadership with respect to the BCMS via demonstration of the following activities:
> Ensuring that policies and objectives are established and communicated for the business continuity management system, which are compatible with the strategic direction of the organization, promote continual improvement, and ensure that the BCMS achieves its intended outcome(s).
> Ensuring the integration of the business continuity management system requirements into the organization’s business processes with: allocation of resources needed for the business continuity management system, communication of the BCMS requirements to organizational staff and stakeholders, directing and supporting persons to contribute to the effectiveness of the BCMS, establishing roles, responsibilities, and competencies for business continuity management, and appointing one or more persons to be responsible for the BCMS with the appropriate authority/competencies to be accountable for the implementation and maintenance of the BCMS as well as supporting other relevant management roles to demonstrate their leadership and commitment as it applies to their areas of responsibility.
Top management shall ensure the parameters and support for the BCMS are communicated within the organization by creating or updating the BCM Policy Document to include:
> Documentation of the Process and Methodology approaches for conducting the organizational BIA and Risk Assessment,
> Documentation of the Process and Methodology approaches for selection of business continuity strategies to protect the critical functions, assets and stakeholders to the organization.
> Defining the criteria for accepting risks and the acceptable levels of risk,
> Actively engaging in exercising and testing,
> Ensuring that internal audits of the BCMS are conducted,
> Conducting management reviews of the BCMS, and
> Demonstrating its commitment to continual improvement.
For more information about how to better prepare your organization with an effective Business Continuity Management System, please contact us via:
- The contact form using the link at the top of this page
- Email at PSISales@ParadigmSI.com
- Call us at 800-558-9568 ext. 300
Coming next month in Part 2: Align BCM to Strategic Goals