Implementing a Business Continuity Management Program
1. Establish the BCM Ownership.
2. Align BCM Program to organizational Strategic Goals.
4. Determine the BCM Strategy.
The purpose is to address decisions regarding strategies that are not viable to be determined at the individual organizational unit level.
1. Business Continuity Process: The lifecycle of an event:
– COOP-related Procedures (Threat-based SOPs: If fire, dial x###, etc.)
– Crisis Management – (ER/IM: Protect people and assets)
– Business/Disaster Recovery (BRP/COOP: Sustain Critical Functions & IT )
– Resumption (Component of BRP/COOP: Return to Normal Operations)
2. Business Continuity Strategy: Based on loss of asset type:
– Facilities Strategy (hotsite, AWA, etc.)
– Personnel Strategy (remote work, backups, contractors, etc.)
– IT/Systems Strategy (redundancy/Failover, UPS/Gen, etc.)
– Data/Records Strategy (backups, offsite storage, access, etc.)
– Supply Chain Strategy (etc.)
This should be included in the BCP Policy document.
The all-hazards planning approach involves performing a detailed risk assessment of all potential hazards that can possibly affect the organization, and then develop mitigations, planning strategies, and perform testing exercises based on these prioritized hazards. These potential hazards are defined by certain categories, such as Natural Disasters, Human-caused Events, or Technical Disruptions. For each potential hazard, one should determine the rating for each based on the following risk factors:
– Probability of Occurrence (Likelihood the threat will materialize)
– Loss Impact (Direct impact due to the loss of the function)
– Consequence (Downstream losses as a result of the realized threat)
– Exposure (the passive, inherent factors contributing to vulnerability)
– Level of Control (the active, controllable variables to offset vulnerability, e.g. – the Fire Suppression system)
In order to be complete in this assessment, it is also important to understand and consider the other side of the all-hazards planning approach, which is to identify and address all the “asset-types” for the organization that can be impacted by these potential hazards. What are the key assets to the organization, and how can the potential hazards affect these different asset types? In many cases, organizational assets can include: Facilities, Personnel, IT/Infrastructure, and Data/Records. So now, as an example you can develop planning strategies to account for all the “loss of facility” scenarios, whether the cause is fire, flooding, tornado, earthquake, train derailment, or other.
In summary, a comprehensive Enterprise Risk Management strategy will identify all the potential Hazards that can affect the organization, then rank and prioritize these for the different Asset Types that are identified for the organization, and finally employ mitigation strategies, effective planning approaches and testing/exercising to bring the organization into even greater resilience.
For more detailed information about how to better prepare your organization with an All-Hazards Risk Assessment, effective BC/DR Planning tools, or to schedule a tabletop exercise with our Certified Business Continuity Professionals, please contact us via:
– The contact form using the link at the top of this page
– Email at PSISales@ParadigmSI.com
– Call us at 800-558-9568 ext. 300
Next up in Part 5: Determine the BCM Implementation Approach