In our previous article we looked at how and why business continuity is not merely a commodity, but an essential risk management tool – especially in an age of unexpected pandemics.
Implementing ISO22301:2019 may be your best first step towards peace of mind from any impending misfortune, whatever the scale.
Basic terms in the ISO22301 standard
Business Continuity Management System (BCMS): It is a part of an overall management system which ensures business continuity through strategic planning, implementation, maintenance, and continuous improvement.
Maximum Acceptable Outage (MAO): the maximum time an activity can be disrupted without incurring a severe crisis (also known as Tolerable Maximum Period of Disruption)
Recovery Time Objective (RTO): a pre-determined time during which an activity must restart, or resources recovered
Recovery Point Objective (RPO): maximum amount of data loss. It can be the minimum time amount of data that must be restored by the organisation.
Minimum Business Continuity Objective (MBCO): minimum level of services or goods an organisation should produce soon after restoring business operations.
Phase 1: Business Continuity Planning
A business continuity policy shall be developed as part of the planning phase of the Business Continuity project. The policy shall consist of a document approved by top management that defines the extent and scope of the business continuity effort within the organization. Top management shall determine the scope of the BC programme by identifying the key products and services that support the organization’s objectives, obligations and statutory duties.
Phase 2: Business Impact Assessment (BIA)
The organization subsequently shall determine and document the impact of a disruption to the activities that support its key products and services. This process is commonly referred to as a business impact analysis (BIA). This shall include the:
- Assessment and prioritization of all business functions and processes, including their interdependencies, as part of a workflow analysis;
- Identification of the potential impact of business disruptions resulting from uncontrolled, non-specific events on the institution’s business functions and processes;
- Estimation of maximum allowable downtime, as well as the acceptable level of losses, associated with the institution’s business functions and processes; and
- Estimation of recovery time objectives (RTOs) and recovery point objectives (RPOs.
Phase 3: Risk Assessment
The risk assessment step is critical and has a significant bearing on whether business continuity planning efforts will be successful. During the risk assessment step, a risk assessment shall be developed to enable the organisation to understand the threats and vulnerabilities of its critical activities and supporting processes, including those provided by suppliers and outsourced partners. This shall be evaluated using various threat scenarios, which outcome would lead the organisation to understand the impact that would arise if an identified threat materializes in an incident and cause a business disruption.
Phase 4: Business Continuity Strategy Development
Tuning Fork’s approach is to determine the organisation’s BCM strategies should:
a) implement appropriate measures to reduce the likelihood of incidents occurring and/or reduce the potential effects of those incidents;
b) take due account of the resilience and mitigation measures;
c) provide continuity for its critical activities during and following an incident; and
d) take account of those activities that have not been identified as critical.
Strategies considered may include a combination of the following organizational resources: people, premises, technology; information, supplies and stakeholders.
Phase 5: Business Continuity Plan Development
The BIA and risk assessment represent the foundation of the Business Continuity Plan (BCP). The BCP shall be written on an enterprise-wide basis, reviewed and approved by the board and senior management, and disseminated to employees for timely implementation. The output consists of a BCP that documents business continuity strategies and procedures to recover, resume, and maintain all critical business functions and processes.
Phase 6: Business Continuity Awareness Training
Organizations should provide business continuity training for personnel to ensure that all parties are aware of their primary and backup responsibilities should a disaster occur. Key employees should be involved in the business continuity development process as well as periodic tests and training exercises. The training program should incorporate enterprise-wide training as well as specific training for individual business units. Employees should be aware of which conditions call for implementing all or parts of the BCP, who is responsible for implementing the BCP for business units and the institution, and what to do if these key employees are not available at the time of a disaster. Cross-training should be used to anticipate restoring operations in the absence of key employees. Employee training should be regularly scheduled and updated to address changes to the BCP.
Phase 7: Business Continuity Testing
An enterprise-wide business continuity testing process should be established by the organisation and should set expectations for business lines and support functions to follow in implementing testing strategies and test plans.
The testing process should continuously improve by adapting to changes in business conditions and supporting expanded integration testing. The testing process should incorporate the use of a BIA and risk assessment for developing enterprise-wide and business line continuity testing strategies.
Phase 8: Business Continuity Plan Monitoring, Maintenance, and Updating
Once tests have been completed, documented, and assessed, the test program should be updated to address any gaps identified during the tests. Suggestions for improving test scenarios, plans, or scripts provided by test participants should be incorporated into the testing cycle. In the event that tests do not succeed in meeting their required objectives, management should determine whether it is necessary to re-test prior to the next scheduled test. Failure to meet significant test objectives for critical business functions requires management to address re-testing based on the risk to the institution.
In addition, and also critical internal audits of the Business Continuity Management Function are also essential in order to have an independent view of the Business Continuity Management, so as to strive for continual improvement.