Business Continuity

From Emergency 2.0 Wiki


Contributor Info
Reference Group: Business Continuity
Additional Contributors: Eileen Culleton

The Business Continuity Institute leads the Business Continuity Reference Group managing the development of content for this section.

The links provided under each of the headings (Emergency Preparation, Emergency Response and Emergency Recovery) are listed due to their linkage with business continuity. These links overlap with other topic areas.

Using Social Media and Web 2.0 for business continuity

Emergency Preparation

The links below are to pages relevant to business continuity:


Emergency Response

Red Cross Digital Operations Centre
The links below are to pages relevant to business continuity:



Emergency Recovery

Hurricane Sandy Coworking Crowdmap


The links below are to pages relevant to business continuity:





Business Continuity Framework

Business Continuity Institute

Background

The Business Continuity Institute (BCI) is the world’s most eminent Business Continuity Management (BCM) institute and its name is instantly recognised as standing for good practice and professionalism. The aim of the BCI is to promote the art and science of Business Continuity Management (BCM) worldwide. The BCI currently has over 6000 members in 100 countries.

BCM is an holistic process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause. It provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of key stakeholders, reputation, brand and value creating activities.

The BCI has produced the ‘Good Practice Guidelines (GPG) 2010’ which is a management guide to implementing global good practice in BCM. The GPG provides a best practice methodology and techniques for developing an effective and sustainable incident response and recovery capability. The GPG is available for download at www.thebci.org.

General Principles

The key requirements for an effective response are:

  • A clear procedure for the escalation and control of an incident (incident response structure)
  • Communications with stakeholders (internal and external to the business)
  • Plans to resume interrupted activities

The actions outlined in Business Continuity Plans are not intended to cover every eventuality as, by their nature, all incidents are different.

The GPG considers that there are five types of plan corresponding to five overlapping stages of the response:

  • Emergency Management – covers the immediate response to an emergency, including emergency evacuation and communication
  • Incident Management – details the management level response to an incident and includes crisis communications procedures
  • Continuity – the initial business response to ensure that essential activities can continue to operate at a minimal acceptable level of service
  • Recovery – procedures for the recovery of business activities to a sustainable level
  • Resumption – to resume operations at what the business defines as “normal”

Continuity Plans

The term Business Continuity Plan (BCP) can be defined as: ‘A documented collection of procedures and information that have been developed, compiled and maintained in readiness for use in an incident, to enable an organization to continue to deliver its important and urgent activities, at an acceptable pre-defined level’.

There are other terms in common usage, all of which are specialist forms of BCP. Although clearly within the generic definition above, Emergency Response Plans and Incident Management Plans are managed separately from BCP in some organizations. Also, in some organizations, ICT (Information and Communication Technology) plans are still referred to as Disaster Recovery Plans.

In the context of the GPG, all plans (however named) which conform to the generic definition are considered BCPs.

Incident Response Structure

Regardless of the cause of the incident which results in a business interruption or impact, there must be a documented response structure in place. This structure needs to cover the three levels of management – Strategic, Tactical and Operational.

  • Strategic Level Plans

The Incident Management Plan (IMP) is a strategic level plan that documents actions to be undertaken at the time of an incident, covering key personnel, resources, services and actions needed to implement the incident management process.

The IMP is also sometimes referred to as the ‘Crisis Management Plan’ and will normally include procedures for managing any media response required.

  • Tactical Level Plans

Tactical level plans often form the bulk of an organization’s portfolio of BCPs. These plans address business disruption, interruption or loss from the initial response to the point at which business operations are recovered.

  • Operational Level Plans

Operational level plans provide for the resumption of the business functions covered by the plan from the beginning of the incident through the recovery phase and back to ‘business as usual’.

These levels of response provide a suitable model for all sizes of organization, but need to be implemented in a way that fits the organization’s management structure and culture.

Steps to Develop a Plan

The key steps to developing an effective plan include:

  • Appoint an owner and planning team
  • Define the objectives and scope
  • Establish a Response Team (particularly important to ensure that the business can provide a timely response capability should an incident occur during the development of the plan)
  • Agree roles and responsibilities
  • Decide the structure, format, components and content of the plan
  • Determine the strategies, such as alternate locations, on which the plan is based
  • Gather information and consult with key stakeholders
  • Draft the plan
  • Circulate for feedback
  • Amend the plan as appropriate
  • Publish the plan
  • Agree a programme for ongoing maintenance and exercising to ensure currency

Plan Contents

All plans should be constructed using a template for standardization, be action orientated, concise and easy to read. As a minimum, all plans should include the following elements:

  • Purpose, Scope and Objectives
  • Assumptions
  • Incident management structure
  • Roles and responsibilities
  • Invocation/activation instructions, including authority to invoke and escalation process
  • Meeting locations (primary and alternate)
  • Communications (staff, stakeholders, customers and media etc.)
  • Action checklists
  • Contact List

Communication

A Communication Plan should be established that details procedures and protocols for communicating with the following stakeholders:

  • Staff, relatives, friends and emergency services
  • Customers
  • Suppliers
  • Members or sections of the public
  • Shareholders, investors, board members or owners
  • Other parts of the organization
  • Regulatory authorities
  • Media – local and international newspapers, radio, TV, internet and other media

Specific communication roles and responsibilities should be agreed and documented, including means of communication and instructions to staff on what they should do if approached by the media.

Content to be developed

  • Any good business continuity or continuity of operations plan should consider how a disaster will affect the critical internal IT infrastructure that keeps the organization functioning and able to provide services to clients. This goes much further than having ancillary data centres. More information on a new approach is available here: Software escrow as a BCP tool


Other References
