Risk Analysis: BCM Program Implementation (Part 8)

July 25th, 2023

Implementing a Business Continuity Management Program

1. Establish the BCM Ownership.

2. Align BCM Program to organizational Strategic Goals.

3. Develop the BCM Policy.

4. Determine the BCM Strategy.

5. Determine the BCM Implementation Approach.

6. Initiate the BCM Program

7. Business Impact Analysis

8. Risk Analysis

The Risk Analysis determines the events that can adversely affect an organization, the damage such events can cause, and the controls needed to prevent or minimize the effects of potential loss. Risks are quantified by determining four things: potential threats, probabilities, impacts and vulnerabilities.

The Risk Analysis will:
– Identify potential threats
– Understand the size of each threat's impact
– Determine mitigation techniques for each threat
– Perform a cost/benefit analysis for each mitigation technique
– Prioritize/summarize viable and effective mitigation strategies
– Implement mitigation strategies using: avoidance (eliminate), reduction (mitigate), transference (outsource/insure), retention (accept/budget)

Risk Assessment Strategies will focus on:
– Preemptive/preventative measures to reduce the risk or impact of a risk event
– Approaches to continuing/resuming key business process activities during a crisis (e.g., executing key processes remotely, utilizing additional working shifts)

The developed strategies will be quantified in terms of cost/benefit, with final selection of strategies for implementation by the Risk Management Committee. 

For each risk, develop strategies that enhance business continuity of the process. Strategies will outline approaches to either:
– Increase the level of control associated with the process, and/or
– Decrease the business impact associated with a process disruption.

Where not already covered, develop strategies to secure the availability of “Mission Critical Resources”. Develop a timeline to implement the suggested strategies and submit it to management for approval.

For more detailed information about how to perform a Risk Analysis, better prepare your organization with effective BC/DR Planning tools, or to schedule a tabletop exercise with our Certified Business Continuity Professionals, please contact us via:
– The contact form using the link at the top of this page
– Email at PSISales@ParadigmSI.com
– For more information, call us at 800-558-9568 ext. 300
– To speak with a Sales Representative about Business Continuity Planning Consulting or Business Continuity Software, please call 814-330-2560

Next up in Part 9:  Plan Development

Implementing a BCM Program (Part 7)

June 12th, 2023

Implementing a Business Continuity Management Program

1. Establish the BCM Ownership.

2. Align BCM Program to organizational Strategic Goals.

3. Develop the BCM Policy.

4. Determine the BCM Strategy.

5. Determine the BCM Implementation Approach.

6. Initiate the BCM Program

7. Business Impact Analysis


BIA Purpose 

The Business Impact Analysis (BIA) is the critical first step in the conceptual transition from recovery to continuity.  It is designed to establish a common understanding for endorsement by senior management, of what the enterprise sees as its key processes.  It is the most important element, as well as the most complex component of the Business Continuity Planning (BCP) or Continuity Of Operations (COOP) program. 

An effective BIA will:
– Identify the processes or functions performed by an organization and the criticality of each process
– Identify the resources required to support each process performed
– Demonstrate interdependencies between processes and/or departments
– Allow understanding of the impact of failing to perform a key process
– Assign a Recovery Time Objective (RTO) and a Recovery Point Objective (RPO) for each process
– Identify Recovery Requirements
– Prioritize the order in which the business units will recover

The BIA will assign priorities to those processes, quantify the impact on the organization should the processes be disrupted, serve to determine vulnerabilities based on the failure of critical functions, and ascertain which functions are mission-critical, critical, essential, or non-essential (less essential).

To begin the BIA Process:
– Develop detailed project plans for implementation of the BIA
– Form a BIA Steering Committee
– Identify the BIA Administrator Team
– Conduct a Project Kickoff Session and invite Project Stakeholders


Next up in Part 8:  Risk Analysis

Implementing a BCM Program (Part 6)

May 23rd, 2023

Implementing a Business Continuity Management Program

1. Establish the BCM Ownership.

2. Align BCM Program to organizational Strategic Goals.

3. Develop the BCM Policy.

4. Determine the BCM Strategy.

5. Determine the BCM Implementation Approach.

6. Initiate the BCM Program


First, determine the BCM Program Injection Point

Not every organization is the same, and not every organization is starting at the same place.  BCM is a lifecycle.  If you are starting from scratch, the Business Impact Analysis (BIA) is a good starting point within the BCM lifecycle.  Maybe your organization has performed a recent BIA/RA and it would be better suited to begin with Plan Development using the Maximum Acceptable Outage (MAO) values, dependencies and technology requirements from the recent BIA/RA results as the basis for the planning strategy.

Next, determine the scope of the Planning effort

Conduct a review of current Business Continuity Plans. The three main plan types can be described as:
– Agency/Business Recovery – Plan development and documentation to resume/recover critical business activities
– Crisis Management/Emergency Response – Contingency planning for executive decision-making, communications and high-level pre-planning activities
– Disaster Recovery – IT contingency planning for applications and related infrastructure components (systems, servers, network, databases, etc.)

Your organization may have some or all of these plan types in place already. You may choose to focus first on Crisis Management/Emergency Response to ensure that effective crisis communications are in place, as well as contingencies for the safety of people and the protection of critical assets during a disruption. Some organizations may choose to prioritize the resiliency and recovery capabilities of the infrastructure and IT resources with Disaster Recovery planning. Others may need to prioritize the development of operational/business recovery plans for sustaining the critical business functions identified during the BIA effort.

All business units, related activities, and associated IT applications and infrastructure must be identified for plan development.

The business units rated as most critical during the Impact Analysis should be the plans documented first by the Business Unit Recovery Teams.

The IT applications rated as most critical during the Impact Analysis should be the plans documented first by the IT Disaster Recovery Teams.

Designate team members that have responsibility for coordinating plan development and documentation.


Next up in Part 7:  Business Impact Analysis

Implementing a BCM Program (Part 5)

April 3rd, 2023

Implementing a Business Continuity Management Program

1. Establish the BCM Ownership.

2. Align BCM Program to organizational Strategic Goals.

3. Develop the BCM Policy.

4. Determine the BCM Strategy.

5. Determine the BCM Implementation Approach

The first step is to meet with decision-makers to understand and review the program approach, requirements and scope relative to implementation of the Business Continuity Management program.

The key focus is directed at identifying and then supporting the critical business functions.

Meet with decision-makers to understand and review the program approach, requirements and scope relative to OpsPlanner implementation for BCM/COOP.

Who? Decision-makers regarding the implementation factors for the continuity program (e.g., IT representation for technology considerations; Agency-level BCM owners, etc.)

What is expected to be accomplished? Level-set on expectations and strategize operational decisions regarding specific implementation topics (e.g., who is required to approve a plan before it can be published?).

What distinct operational segments are covered in this program?

  • Operational Groups
  • Lines of Business
  • Organizational Units
  • Locations (Site -> Location)
  • Named facilities (cold/hot sites? non-US sites? IS/failover locations? ancillary/support sites?)

Define Critical Success Factors / Project Goals

For example:

  1. Identify gaps in RTO between business units and IT
  2. Accurately integrate information about people, contact information, locations, equipment and systems in a timely manner
  3. Allow business units to declare an event scenario and record the activities that occur for evaluation and improvement
  4. Document and test all BCP test plans
  5. Document and test all DR processes

Discuss desired implementation method:

  1. “Big Bang” approach: All Agencies brought online at one time, or
  2. Staged implementation, with lessons learned after initial deployment and period of operation.

Discuss desired training approach:

  1. “Train the trainer” – Individual focus sessions by user function? (e.g., Admins, etc.)

Use internal or external staffing? 

The first step in determining the BCM implementation approach is to decide if the BCM program will be implemented using internal/hired staff, or using external BCM consultants.  Either approach can be valid, depending on the resource capabilities and budget that is available.  Outsourcing the BCM program implementation to BCM Consultants can certainly streamline the process.  If internal staff can lead and manage the BCM implementation, this can minimize third party expenses, but increase the amount of effort and expertise requirements from existing FTEs.

Manual, document-driven BCMP or software-based BCMP solutions?

In many cases the size of the organization and complexity of the BCM requirements will drive this decision.  For other than very small organizations with minimal requirements, a software-based BCMP solution can be a great investment with positive return-on-investment.

There are many great BCM tools available in the marketplace.  Certain features and capabilities can be tailored to certain industries and BCM requirements.  It will be important to determine your key requirements and then review and assess which BCM tools best fit those organizational needs and requirements.

The OpsPlanner Business Continuity Planning Software solution can provide your organization with enterprise capabilities for Business Impact Analysis, Risk Assessment, Incident Management, and Automated Notification for a comprehensive Business Continuity Management program.

In addition, our Certified Business Continuity Planning Consulting professionals work shoulder-to-shoulder with you to facilitate enterprise-wide business continuity planning and participation, training, and support.


Next up in Part 6:  Initiate the BCM Program

Implementing a BCM Program (Part 4)

March 1st, 2023

Implementing a Business Continuity Management Program

1. Establish the BCM Ownership.

2. Align BCM Program to organizational Strategic Goals.

3. Develop the BCM Policy.

4. Determine the BCM Strategy.

The purpose is to address decisions regarding strategies that are not viable to be determined at the individual organizational unit level.

1. Business Continuity Process: the lifecycle of an event:

– COOP-related Procedures (threat-based SOPs: if fire, dial x###, etc.)
– Crisis Management (ER/IM: protect people and assets)
– Business/Disaster Recovery (BRP/COOP: sustain critical functions and IT)
– Resumption (component of BRP/COOP: return to normal operations)

2. Business Continuity Strategy: based on the type of asset lost:

– Facilities Strategy (hot site, AWA, etc.)
– Personnel Strategy (remote work, backups, contractors, etc.)
– IT/Systems Strategy (redundancy/failover, UPS/generator, etc.)
– Data/Records Strategy (backups, offsite storage, access, etc.)
– Supply Chain Strategy (etc.)

This should be included in the BCP Policy document.

The all-hazards planning approach involves performing a detailed risk assessment of all potential hazards that could affect the organization, then developing mitigations and planning strategies and performing testing exercises based on these prioritized hazards. Potential hazards fall into categories such as Natural Disasters, Human-caused Events, or Technical Disruptions. Each potential hazard is rated on the following risk factors:

– Probability of Occurrence (likelihood the threat will materialize)
– Loss Impact (direct impact due to the loss of the function)
– Consequence (downstream losses as a result of the realized threat)
– Exposure (the passive, inherent factors contributing to vulnerability)
– Level of Control (the active, controllable variables that offset vulnerability, e.g., the fire suppression system)

In order to be complete in this assessment, it is also important to understand and consider the other side of the all-hazards planning approach, which is to identify and address all the “asset-types” for the organization that can be impacted by these potential hazards.  What are the key assets to the organization, and how can the potential hazards affect these different asset types?  In many cases, organizational assets can include:  Facilities, Personnel, IT/Infrastructure, and Data/Records.  So now, as an example you can develop planning strategies to account for all the “loss of facility” scenarios, whether the cause is fire, flooding, tornado, earthquake, train derailment, or other.

In summary, a comprehensive Enterprise Risk Management strategy will identify all the potential Hazards that can affect the organization, then rank and prioritize these for the different Asset Types that are identified for the organization, and finally employ mitigation strategies, effective planning approaches and testing/exercising to bring the organization into even greater resilience.
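The five risk factors above, the hazard-by-asset-type ranking, and the cost/benefit selection among the four treatments named in the Part 8 Risk Analysis (avoidance, reduction, transference, retention) can be carried through as a small risk register. This is an added example, not code from the original posts or from OpsPlanner; the 1-5 rating scales, the scoring formula, and the sample hazards, costs and loss figures are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List
# Assumed 1-5 scales for the five factors; level_of_control runs the other way (5 = strongest controls).
@dataclass(frozen=True)
class HazardRating:
    hazard: str
    asset_type: str        # Facilities, Personnel, IT/Infrastructure, Data/Records
    probability: int       # likelihood the threat materializes
    loss_impact: int       # direct impact of losing the function
    consequence: int       # downstream losses once the threat is realized
    exposure: int          # passive, inherent vulnerability
    level_of_control: int  # active controls that offset vulnerability

    def score(self) -> int:
        """Assumed formula: likelihood x severity x net vulnerability."""
        severity = self.loss_impact + self.consequence
        net_vulnerability = self.exposure + (6 - self.level_of_control)
        return self.probability * severity * net_vulnerability

@dataclass(frozen=True)
class Mitigation:
    name: str
    treatment: str                # avoidance | reduction | transference | retention
    annual_cost: float
    expected_loss_avoided: float  # annualized loss the measure is expected to prevent

    def net_benefit(self) -> float:
        return self.expected_loss_avoided - self.annual_cost

def rank_hazards(register: List[HazardRating]) -> List[HazardRating]:
    """Highest-risk entries first; equal scores keep register order."""
    return sorted(register, key=lambda r: r.score(), reverse=True)

def worst_per_asset_type(register: List[HazardRating]) -> Dict[str, HazardRating]:
    """The top 'loss of <asset type>' scenario each planning strategy must cover."""
    worst: Dict[str, HazardRating] = {}
    for entry in rank_hazards(register):
        worst.setdefault(entry.asset_type, entry)
    return worst

def select_treatment(options: List[Mitigation]) -> Mitigation:
    """Cost/benefit choice: largest positive net benefit, else retain (accept and budget)."""
    viable = [m for m in options if m.net_benefit() > 0]
    if not viable:
        return Mitigation("accept the risk and budget for the loss", "retention", 0.0, 0.0)
    return max(viable, key=lambda m: m.net_benefit())

# Constructed sample register; the ratings are illustrative, not real assessments.
REGISTER = [
    HazardRating("fire", "Facilities", 2, 5, 4, 3, 4),               # score 90
    HazardRating("flooding", "Facilities", 3, 5, 5, 4, 2),           # score 240
    HazardRating("ransomware", "IT/Infrastructure", 4, 4, 5, 4, 3),  # score 252
    HazardRating("loss of key staff", "Personnel", 3, 3, 2, 3, 3),   # score 90
]
# Constructed treatment options for the flooding scenario (annual USD figures).
FLOOD_OPTIONS = [
    Mitigation("relocate the data center", "avoidance", 400_000.0, 150_000.0),
    Mitigation("install flood barriers", "reduction", 40_000.0, 120_000.0),
    Mitigation("buy flood insurance", "transference", 25_000.0, 90_000.0),
]
```

Calling `worst_per_asset_type(REGISTER)` gives the one scenario per asset type that a "loss of facility" or "loss of IT" planning strategy must cover, and `select_treatment(FLOOD_OPTIONS)` picks the flood barriers because avoidance costs more than it saves and insurance nets less.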


Next up in Part 5:  Determine the BCM Implementation Approach

Implementing a BCM Program (Part 3)

February 1st, 2023

Implementing a Business Continuity Management Program

1. Establish the BCM Ownership.

2. Align BCM Program to organizational Strategic Goals.

3. Develop the BCM Policy – Standards & Guidelines

In many cases the BCM policy and approaches are driven by standardization bodies along with local, regional and industry-imposed requirements. Codes of practice and specifications are defined by relevant international standards such as ISO 27001 (the specification for an ISMS, an Information Security Management System) and ISO 22301 (Societal security – Business Continuity Management Systems – Requirements).

ISO 22301 is the leading global standard for Business Continuity Management. 

The focus of ISO 22301 is to ensure continuity of business delivery of products and services after occurrence of disruptive events (e.g., natural disasters, man-made disasters, etc.). This is done by finding out business continuity priorities (through business impact analysis), what potential disruptive events can affect business operations (through risk assessment), defining what needs to be done to prevent such events from happening, and then defining how to recover minimal and normal operations in the shortest time possible (i.e., risk mitigation or risk treatment). Therefore, the main philosophy of ISO 22301 is based on analyzing impacts and managing risks: find out which activities are more important and which risks can affect them, and then systematically treat those risks. [1]

Said another way, BCM is a holistic management process that identifies potential impacts that threaten an organization with associated risk, and provides a framework for building resiliency with the capability for an effective response which safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. [2]

As such, the basis for building an effective business continuity management program consists of an understanding of the following primary elements:

– Potential Impacts are developed from the Business Impact Analysis (BIA).
– Threats are developed from the Risk Assessment (RA) by identifying the potential hazards with the highest probability, impact and vulnerability.
– The BCM view of the Organization as distinct named Critical Functions, locations, dependencies and technology requirements is determined from the Business Impact Analysis (BIA).
– An Effective Response is developed by focusing on recovery strategies for each of the organization’s critical functions, with a recovery plan that attains a defined Maximum Allowable Outage (MAO) value for each.

Your organization may require adherence to several industry standards.  Select the BCM and industry-specific standards and guidelines to be included in scope of your BCM program and policy.  The BCM process will need to address each of the above elements in order to implement an effective Business Continuity Management program. 

– NFPA 1600/1660: https://www.nfpa.org/codes-and-standards/all-codes-and-standards/list-of-codes-and-standards/detail?code=1600 and https://www.nfpa.org/codes-and-standards/all-codes-and-standards/list-of-codes-and-standards/detail?code=1660
– NIMS: https://www.fema.gov/emergency-managers/nims
– ISO 22301: https://www.nqa.com/medialibraries/NQA/NQA-Media-Library/PDFs/NQA-ISO-22301-Implementation-Guide.pdf
– FFIEC: https://ithandbook.ffiec.gov/it-booklets/business-continuity-management.aspx
– NCUA: https://ncua.gov/regulation-supervision/letters-credit-unions-other-guidance/ffiec-release-updated-business-continuity-planning-examination-handbook


Next up in Part 4:  Determine the BCM Strategy


[1] https://advisera.com/27001academy/what-is-iso-22301/
[2] BS 25999-2:2007, 2.4