Maintenance of a business continuity management system: a managerial approach
- Published: Friday, 21 October 2016 10:38
When a business continuity management system (BCMS) has been established and implemented, a serious managerial challenge evolves: the BCMS has to be maintained and put into a continuous improvement process. In this article, Alberto Alexander. Ph.D, MBCI, looks at the activities that need to be performed to maintain and improve a BCMS.
Any organization that establishes and implements a BCMS needs to follow the BCMS processes and deliverables, which are depicted in figure one. The BCMS processes, also known as the BCMS process life cycle model, (Alexander, 2009), consist of six phases.
Figure one: BCMS process and deliverables
The stages of the BCMS process life cycle model are the following:
Stage one: business impact analysis
The business impact analysis (BIA), which is conducted during the first stage, analyzes the financial and operational impact of disruptive events on the business areas and processes of an organization. The financial impact refers to monetary losses such as lost sales, lost funding, and contractual penalties. Operational impact represents non–monetary losses related to business operations, and can include loss of competitive edge, damage to investor confidence, poor customer service, low staff morale, and damage to business reputation.
The BIA identifies the following information:
- Mission critical areas of the business and their processes;
- The extent of potential operational and financial impact to the organization;
- Requirements for recovering disrupted critical business processes.
The findings of the BIA enable an organization to determine the extent of the overall effort needed to recover from potential business disruption, thereby paving the way for developing the business continuity strategy and business continuity procedures.
The most important deliverables of the BIA are:
- Essential process identification;
- Recovery times: maximum tolerable period of disruption (MTPD), recovery time objectives (RTO);
- Minimum resource requirements.
Stage two: risk assessment
The risk assessment, which is composed of risk analysis and risk evaluation, is performed on the critical processes identified during the BIA stage. Risk analysis helps calculate the risk (impact x probability of threat occurrence). The risk evaluation is made to find out the risk significance. The main deliverable of this stage are the identification of threat scenarios.
Stage three: business continuity strategy development
Business continuity strategy development “assesses the requirements and identifies the options for recovery of critical processes and resources in the event they are disrupted by a disaster,” (Alexander, 2016). The main purpose of this stage is to develop a business continuity strategy that satisfies the business recovery requirements identified in the BIA stage.
Stage four: operations resumption planning
An operations resumption plan “contains predetermined recovery procedures and guidelines which organizations can follow during a crisis situation to minimize impact to business,” (Alexander, 2016). The predetermined procedures and guidelines prevent organizations from making on the spot critical decisions in the middle of a crisis.
Stage five: business continuity exercising and testing
“The only way a company can assure that its BCMS arrangements are validated is through exercises. The main purpose of the exercising stage in the BCMS is to ‘validate the business continuity strategy, activities, assumptions regarding times (MTPD, RTO), procedures and work instructions specified in the business continuity plan,’” (Alexander, 2016).
Gaps and weaknesses within the plan are identified at this stage. The idea is very simple: it is highly desirable to find the gaps and shortcomings during an exercise rather than to discover them during a real crisis situation. BCMS arrangements have to be practiced and, as a consequence, will be reviewed and kept up to date. A company that does not have records to show that its BCMS arrangements have been tested and are ready to be implemented cannot assure it has a reliable BCMS.
Stage six: business continuity plan maintenance
This stage maintains the business continuity plan in a constant ready-state. The maintenance process of a BCMS is constant and dynamic. A BCMS that is not constantly tested and updated will be of little help if a disruptive incident hits the organization. Changes have to be monitored; impacts, risk and continuity strategies need to be reevaluated; the operations resumption plan needs to be updated; and exercises and testing need to be evaluated.
The business continuity plan maintenance process
Once the business continuity arrangements have been tested, the role of the maintenance stage becomes critical. Frequent internal and external changes are common occurrences for business. Most of these changes can potentially invalidate the business continuity plan unless it is continually adjusted and modified to reflect these changes.
The main objective of this stage is to ensure that the BCMS always remains current, complete, accurate and in a ready–state for execution.
To achieve its objective, the maintenance stage employs the processes presented in figure two.
Figure two: business continuity plan maintenance processes
The maintenance processes are:
Business continuity plan change management
Without a business continuity plan change management process, business continuity plan maintenance becomes very difficult. A change management process addresses two of the most challenging aspects of plan maintenance: monitoring changes in the organization and its external environment; and controlling changes or revisions to the plan. Figure three, shows the main steps of the business continuity change management process.
Figure three: business continuity plan change management process
Changes in the organization and the external environment are monitored in step one (figure three), and changes identified as having a potential impact to the BCMS are revised in step two to determine if those changes actually affect the business continuity arrangements. In step two, business continuity plan change requests are issued for changes that affect the plan. Step three processes the change requests and updates the plan with necessary changes and revisions.
Business continuity plan change management process step one: monitor changes
Step one of the plan´s change management process represents the task of constant monitoring of changes in the organization to identify potential impacts of the plan. As presented in figure four changes to the organization can occur at multiple levels in the main categories of process, people and resources.
Any changes in processes, people and resources, can potentially require changes to certain parts of the plan. For instance, a process–related change can affect recovery priorities; a people-related change can affect business continuity teams or notification procedures; and a resource–related change can affect recovery requirements for IT systems.
Figure four: changes affecting business continuity arrangements
A business continuity plan is sensitive to changes that occur not only internally within the organization but those externally in business partners, vendors, alternate recovery facilities, and off site storage facilities. The examples below demonstrate possible internal and external changes related to processes, people and resources, that may impact the plan.
Process related impacts
- A new strategic product is introduced and, as a result, new procedures are added to affected business units.
- A supplier has switched from manually processing orders to automatic order processing.
People related impacts
- An early retirement package is given to employees and as a result a number of senior personnel have left the firm.
- Several key IT technical recovery team members have been promoted to different departments and no longer perform the same roles.
Resource related impacts
- The local area network supporting the organization´s critical systems has changed from token–ring to an ethernet architecture.
- The hot site vendor has recently upgraded its mainframe system to accommodate additional customers. This has resulted in certain configuration changes.
The output of this step consists of a compilation of monitored changes that can potentialy impact the business continuity arrangements.
Business continuity plan change management process step two: review compiled changes, test results and audit results
The main purpose of this step is to review information that can potentially affect the business continuity arrangements’ accuracy and validity, and cause the organization to issue BCMS change requests.There are three main sources of input to this step. The first source of input is the compiled changes from step one; the second source is the result of business continuity arrangements exercises or testing; and the third source is the results of any business continuity plan audits. A change manager, responsible for coordinating the processing of change requests with business continuity teams, reviews the information from these three sources in order to determine if it affects the plan. After this review, one or more change requests are issued corresponding to the information affecting the plan.
Business continuity plan change management process step three: process business continuity change requests
This step ensures that updates or revisions to the business continuity plan take place according to the change control procedures specified in the plan. The change requests resulting from the preceding step are processed in this step.
Business continuity plan testing
As presented in figure two, above, business continuity plan testing is the second process used to maintain the business continuity plan. Periodic tests are an excellent opportunity for improving the effectiveness and accuracy of the business continuity arrangements. Tests results can reveal the strengths, weaknesses, and gaps of various parts of the plan. The tests results also provide an opportunity to determine how well the plan's change management process, is implemented.
The following list characterizes the relative complexity of the testing methods:
- Check list test: low complexity;
- Walkthrough test: low to medium complexity;
- Simulation test: medium to high complexity;
- Full interruption test: high complexity;
- Unannounced test: medium to high complexity.
Business continuity test schedule
Establishing a test schedule is an important element of maintaining a business continuity arrangement. “There are two main activities defining a test schedule. The first is to select appropriate test intervals: monthly, quarterly, semiannually, or annually. The second is assign a test method to each test interval. The assignment of a test method to a test interval should consider the test method's complexity (testing scope, effort, resources, costs).” (Alexander, 2016). Using a test schedule, therefore, gradually trains the teams to conduct more complex tests and allows the business continuity plan(s) to be completely evaluated. The results and experience from simpler tests are used to improve the business continuity arrangements, and prepare the teams for subsequent more complex tests.
Tests can be conducted at different intervals such as monthly, quarterly, semiannually, or annually. Monthly tests use a checklist for the walkthrough method to verify currency and accuracy.
Business continuity training
Valid and up-to-date business continuity arrangements are of little value if the employees responsible for its improvement and execution do not have adequate training and awareness. The business continuity plan maintenance stage implements an enterprise wide continous awareness and training program. Management commitment is critical to the success of such a program. Management needs to ensure that a yearly business continuity planning budget includes sufficient funding for training and ensures that the employees participate in training.
Development of a business continuity awareness and training program is a four step process:
- Identify awareness and training requirements by specifying who in the organization needs training and what type of knowledge they need to fulfill their expected roles and responsibilities.
- Assess the gaps in business continuity knowledge between what individuals need and what they currently possess.
- Select a set of training methods for each individual identified in the requirements, taking into account their training gaps and the training budget.
- Create a schedule of business continuity awareness and training activities using the methods selected above.
Periodic audits and frequent reviews of the organization´s awareness and training program are highly recommended to improve and maintain its quality. To assist with any audits the progress of the organization's awareness and training program should be tracked and documented.
Business continuity plan audits
Periodic business continuity audits are the fourth important acivity of business continuity plan maintenance. A business continuity audit involves an impartial review of the organization’s business continuity plan(s) and program to determine its compliance with the organization’s internal guidelines, and external regulations and standards. The scope of the audit needs to include all of the stages of the BCMS processes, presented in figure one, above. From a plan maintenance perspective, gaps and weaknesses in any of the these stages identified in an audit report will result in some of the following activities:
- Redoing the BCMS process stages that are identified as having gaps and weaknesses.
- Implementing recommendations of the audit report wherever possible.
- Updating the business continuity arrangements to incorporate the changes resulting from the above activities according to the plan’s change management process.
Maintaining business continuity arrangements in a constant ready-state is a complex and challenging task. The preceding sections of this article suggested the use of four different processes to help maintain the BCMS:
- Business continuity plan change management.
- Business continuity testing.
- Business continuity plan training.
- Business continuity plan audits.
The following guidelines should be considered to maintain the BCMS in a constant ready–state:
- The business continuity plan should be kept in multiple locations such as the primary site, alternate recovery facilities, employees’ vehicles and homes, and off site storage facilities.
- Regular testing should be conducted to identify gaps and weaknesses in the continuity plan. The plan should be thouroughly tested wherever there are critical changes made to it.
- Any significant changes in process, people, or resources should be reviewed for initiating possible plan updates and plan testing.
- Version control should be used for the business continuity plan and business continuity test plan in order to avoid confusion and use of outdated information.
- It is very important to integrate current and future projects into the business continuity plan change management process.
- Responsibilities assign for business continuity plan maintenance should be assigned to an experienced person or team.
- The organization has to ensure that business continuity plan maintenance is part of the BCMS budget.
- New employees need to be adequately trained.
Alberto G. Alexander, holds a Ph.D from The University of Kansas and a M.A. from Northern Michigan University. He is a member of the Business Continuity Institute and is managing director and international consultant with Eficiencia Gerencial y Productividad SAC Contact him at: firstname.lastname@example.org. He is a professor at The Graduate Business School of ESAN.
- Alexander, Alberto ‘Methodology for Developing a Business Impact Analysis’ The Business Continuity Journal, Volume Three, Issue Four, 2009.
- Alexander, Alberto ‘A Methodology for Developing a Business Continuity Strategy’ Continuity Central, 2016
- Alexander, Alberto ‘Operations Resumption Planning: A Managerial Approach’ Continuity Central, 201
- Alexander, Alberto ‘Planning and Managing Exercises for Business Continuity Management Arrangements’ Continuity Central, 2016