~ White Paper ~ The New Business Continuity Model

~ White Paper ~ The New Business Continuity Model

Written by: Dan Wilder CBRA, Six Sigma Green Belt

Published on: October 6th, 2008

Version 1.0

Document Classification: Public Domain

Dan Wilder publishes this document for the use of Public Domain. It contains public information, ideas and concepts and is free to distribute and use without restriction except noted herein. All reference material shown herein is depicted for the sole purpose of illustrating the subject of this whitepaper

and shall remain the property of is listed owner and shall not be reproduced without written consent. Author does not warrant nor make claims that this information is in any way warranted. Use of this material is at the users own risk.

2008 Dan Wilder, All Rights Released.

White Paper The New Business Continuity Model

Public Domain Page 2 of 58 Modified: August 26, 2008

Version 1.0

Table of Contents 1 Introduction......................................................................................................... 6 2 The Big Question … Why? ................................................................................. 6 3 The Standards .................................................................................................... 7

3.1 ISO 20000 Family – Service Delivery......................................................................7 3.1.1 What is ISO / IEC 20000...................................................................................................9

3.2 ISO 27000 Family – Business Continuity ..............................................................10 3.2.1 What is ISO / IEC 27000.................................................................................................10

3.3 It’s not just a regulatory requirement any more…..................................................12 3.3.1 COSO .............................................................................................................................12 3.3.2 Governance Risk & Compliance (GRC) .........................................................................13

4 The Business Continuity Paradigm................................................................... 15 4.1 What is BCM? .......................................................................................................15

4.1.1 Building Blocks................................................................................................................16 4.1.2 BCM Organizational Ownership .....................................................................................18 4.1.3 BCM Strategy..................................................................................................................18 4.1.4 BCM and Risk Management...........................................................................................18

4.2 Why BCM? ............................................................................................................19 4.2.1 Strategic Value................................................................................................................19 4.2.2 Sustainability and Resiliency ..........................................................................................19

5 The BCM Model................................................................................................ 19 5.1 Business Continuity Management Components ...................................................20 5.2 Where to Start .......................................................................................................20

5.2.1 Business Continuity Planning .........................................................................................21 5.2.2 Establishment of the Business Continuity Management Team ......................................21 5.2.3 Establishment of a Business Continuity Steering Committee.........................................22 5.2.4 Defining the Policy ..........................................................................................................22 5.2.5 Defining Management Components ...............................................................................23

5.3 Conducting the BIA ...............................................................................................24 5.3.1 BIA - Identifying Critical Needs … ..................................................................................24 5.3.2 BIA - Business Critical Functions / Systems...................................................................24 5.3.3 BIA - Outage Impact Analysis.........................................................................................25

5.4 Risk Assessment...................................................................................................26 5.5 Risk Mitigation .......................................................................................................26

5.5.1 Risk Mitigation – Crisis Points Defined...........................................................................27 5.5.2 Importance of Defining Risk Points.................................................................................28 5.5.3 Risk Cost Modeling.........................................................................................................28 5.5.4 Mitigating Risks...............................................................................................................29

6 Business Continuity Plan Creation.................................................................... 30 6.1 Creating the Business Continuity Plan ..................................................................30 6.2 BCM Process Components ...................................................................................30

6.2.1 BCM Master Plan............................................................................................................31 6.2.2 BCM Communications Plan............................................................................................32 6.2.3 BCM Common Processes Plan ......................................................................................32 6.2.4 BCP Site Plans ...............................................................................................................32 6.2.5 BCP Sub-Plans ...............................................................................................................33 6.2.6 BCP Contingency Plans..................................................................................................33 6.2.7 Validating the BCP..........................................................................................................33 6.2.8 BCM Program - Document Flow.....................................................................................34 6.2.9 Business Continuity Planning – Recap...........................................................................35



Version 1.0

7 Business Continuity Plan Execution ................................................................. 36 7.1 BCP Execution – Team Leadership Tree..............................................................36

7.1.1 EMT Team Component...................................................................................................37 7.1.2 EOC Team Component ..................................................................................................37 7.1.3 BCC/DRC Team Component..........................................................................................38 7.1.4 BCT Component .............................................................................................................38

7.2 Plan Elements .......................................................................................................38 7.2.1 Main Points of Coverage ................................................................................................39

7.3 BCM Execution Process........................................................................................40 7.4 BCP Execution – Recap........................................................................................41

8 BCM Plan Management & Reporting................................................................ 41 8.1 Plan Management .................................................................................................42

8.1.1 Document Management .................................................................................................42 8.1.2 Plan Management Reporting ..........................................................................................43

9 BCM Governance ............................................................................................. 44 9.1 Audit Types ...........................................................................................................44

9.1.1 Preparatory Audit (-).........................................................................................................45 9.1.2 Feasibility Audit (+) ...........................................................................................................45 9.1.3 Due Diligence Audit (-) .....................................................................................................45 9.1.4 Compliance Audit (+) ........................................................................................................45 9.1.5 Investigative Audit (+) .......................................................................................................46

9.2 Audit Type Usage..................................................................................................46 9.3 Performance Metrics .............................................................................................46

10 BCM Review ................................................................................................. 47

Figures and Tables Figure 1: ITIL v2 Service Continuity Management ..................................................... 8 Figure 2: ITIL v3 Model .............................................................................................. 9 Figure 3: Business Continuity Management Life-cycle model (source BS25999-1:2006)..................................................................................................................... 11 Figure 4: ITIL CoBIT Coverage................................................................................ 12 Figure 5: GRC Automating Compliance................................................................... 14 Figure 6: GRC Bi-Directional Compliance Mapping................................................. 14 Figure 7: GRC Complex Relationship Mapping ....................................................... 15 Figure 8: BCM Components .................................................................................... 20 Figure 9: BCM Organization .................................................................................... 22 Figure 10: BCM Components .................................................................................. 23 Figure 11: Disaster Recovery Timeline .................................................................... 27 Figure 12: Risk Cost Model Trending Example........................................................ 29 Figure 13: BCM Process Components..................................................................... 31 Figure 14: BCM Document Flow Diagram ............................................................... 35 Figure 15: BCM Team Leadership Components...................................................... 37 Figure 16: BCP in Action.......................................................................................... 40 Figure 17: BCM Process Flow ................................................................................. 41 Figure 18: Plan Management................................................................................... 42 Figure 19: Document Management Flow ................................................................. 43 Figure 20: Sample Reports ...................................................................................... 44



Version 1.0

Figure 21: Audit Types............................................................................................. 45 Figure 22: CoBIT Performance Metrics.................................................................... 47



Version 1.0

Intentionally Left Blank



Version 1.0

1 Introduction As we all know, everything evolves over time; the way we do business, services provided and the urgency of delivery. When Katrina hit the Gulf Coast, not many companies were prepared for what would come after the hurricane. Many simply boarded up the windows and hoped for the best. Others evacuated with their personal possessions and many with just the clothes on their backs. The purpose behind this whitepaper is to explore what companies should be doing to protect themselves in today’s market and environment. An article referenced on this topic written by David Honour, editor, Continuity Central back in March of 2003 reflects how long this dilemma has been exposed (http://www.continuitycentral.com/feature003.htm). Even Homeland Security & FEMA published guidance to help companies identify the bare essentials needed to survive (http://www.ready.gov/business/plan/planning.html) (http://www.fema.gov/business/bc.shtm). Many companies are subjected to government regulations to ensure some level of protection is in place for the financial numbers reported. Others require more stringent guidelines to protect stockholders and the public alike. The business community has raised the topic to the point where the International Standards Organization launched a call for change in 2002 and has subsequently been working on a set of new standards since. The latest ISO reference on this topic is ISO/PAS 22399:2007 which provides general guidance for an organization (private, governmental, and non-governmental) to develop its own specific performance criteria for incident preparedness and operational continuity, and to design an appropriate management system. The concepts and theories depicted herein have been independently presented to a wide cross-section of industry experts with great acceptance. This whitepaper is the compilation of these concepts into a single model to address the ever pressing issue of facilitating a functional Business Continuity program. Within this whitepaper we will explore what it takes to enable companies of all industries to become resistant to catastrophic events as well as improve the operability of normal services. The concepts depicted herein are derived from a formulation of several years’ research of business and industry best practices along with the very latest industry and international standards1. Thus the Paradigm shift begins…

2 The Big Question … Why? As the economy moves faster and faster to a global economy, it is imperative that organizations big and small take note of how they protect themselves from a variety

1 Disclaimer: This document is not intended to be all inclusive for all the standards or best practices listed. To further understand each standard or best practice you are encouraged to research them separately. Additionally, businesses, companies and organizations are used synonymously where they all refer to the primary entity being safeguarded.



Version 1.0

of disasters, which will enable them to not only grow but become sustainable. The importance of sustainability as a provider of goods and services has reached this global market place as a key factor in the selection process of these goods and services. The overriding requirements by governments and businesses alike are to ensure that the supply chain can be maintained! The approach presented herein has been designed by a team of engineers to preserve the revenue stream through stabilization of the services provided. This stabilization has reduced risk and improved sustainability for its customers, which has been driven by the market place and governing requirements. This approach differs from the traditional examples provided from companies representing software solutions within the Governance, Risk Compliance (GRC2) market segment through an ingrained operational framework of processes with metrics similar to what the Committee of Sponsoring Organizations of the Treadway Commission (COSO3) framework represents. Because most companies maintain global operations, the approach is driven and managed to the international body of standards along with local, regional, industry, and governmentally imposed requirements. These standards are currently evolving from a collection of many individual standards to several families of standards similar to what the ISO 9000 family achieved for Quality Management.

3 The Standards Now that we’ve introduced the reasons for this whitepaper, let’s discuss the standards that pertain to this topic. Several factors need to be understood. First is; the International Standards Organization4 has recognized the need for businesses to use standards for normal operations that will prepare them for the global economy (ISO/PAS 22399:2007). The International Standards that are currently under development are the ISO 20000 family of standards that incorporate the ITIL© methods for the Service Delivery models companies may need to use. There is also the ISO 27000 family of standards that are incorporating the ISACA CoBIT© methods for all companies to use to incorporate measurements of stability. These new standards are referred to as ‘Business Resiliency’ which is described as the ability for a business to resist known and unknown crisis.

3.1 ISO 20000 Family – Service Delivery The ISO 20000 family of standards are developed around the ITIL5 (Information Technology Infrastructure Library) methods (http://www.itil.org/de/isoiec20000/index.php) also known as the ‘IT Service Management Standard’.

2 All rights reserved by Open Compliance & Ethics Group (OCEG) – http://www.oceg.org 3 All rights reserved by Commission of Sponsoring Organizations of the Treadway Commission (COSO) – http://www.coso.org 4 All rights reserved by International Standards Organization (ISO) - http://www.iso.org/iso/home.htm 5 All rights reserved by IT Infrastructure Library (ITIL) Organization - http://www.itil.org/en/ & http://www.itil-officialsite.com/home/home.asp



Version 1.0

• The ITIL-ISO 20000 model depicted in Figure 1 below defines IT Service Continuity Management levels to ensure management controls and processes are in place to meet the service requirements. Figure 1: ITIL v2 Service Continuity Management

6

• However the ITIL model has been replaced with the new ITIL v3. • A new generation of the ITIL, ‘ITIL V3’, has recently been published. This

new version represents an important evolutionary step in ITIL’s life. ‘ITIL Refresh’ as it is referred, has transformed the guidance from providing a great service to being the most innovative and best in class. At the same time, the interface between old and new approaches is seamless so that users do not have to reinvent the wheel when adopting it.

• V3 allows users to build on the successes of V2 but take IT service management even further. In general, V3 makes the link between ITIL’s best practice and business benefits both clearer and stronger. The main development is that V3 guidance takes a lifecycle approach (Figure 2), as opposed to organizing according to IT delivery sectors. ITIL is now based on five core lifecycle titles:

1. Service Strategy 2. Service Design 3. Service Transition 4. Service Operation 5. Continual Service Improvement

6 All rights reserved by IT Infrastructure Library (ITIL) Organization - http://www.itil.org/en/ & http://www.itil-officialsite.com/home/home.asp



Version 1.0

Figure 2: ITIL v3 Model

7

3.1.1 What is ISO / IEC 20000 • As stated on ITIL.ORG, this standard is derived from the British Standard 15000

and is a common reference for all companies, regardless of business sector, size or type.

• The standard is designed to provide IT services for both internal and external customers as a basis of common terminology with an integrated approach for the processes used to provide these services.

• It is closely aligned with industry best practices recommended for Service Support and Delivery.

• In addition to Industry standards, the ISO standard provides clear specifications and information as to how an organization must align itself to internationally accepted certifications and processes.

• These processes provide the management controls necessary to provide the service capability in standard measure across all government and industry sectors.

• This unification of measurement of service delivery and support controls enables service users to evaluate the service value to organizational standards with confidence.

• This standard is defined in using these process areas: • Management System • PISM Planning and Implement • Planning and Implementation




Version 1.0

• Relationship Processes • Service Delivery Processes • Resolution Processes • Control Processes • Release Processes

3.2 ISO 27000 Family – Business Continuity The ISO 27000 family of standards is still in the development process. This family of standards is defined as the ‘Business Continuity’ standard. Within the ISO 27000 family, certain existing standards have been enumerated in to this new family.

3.2.1 What is ISO / IEC 27000 Currently the ISO 17799 Information Security standard and certification process has been established as ISO 27002 and ISO 27001 respectively. Some of the additional elements that will be covered in this standard are listed as:

Subcommittee / Working Group Title

JTC 1/SC 27/WG 1 Information security management systems - The convener can be reached through: BSI

JTC 1/SC 27/WG 2 Cryptography and security mechanisms - The convener can be reached through: JISC

JTC 1/SC 27/WG 3 Security evaluation criteria - The convener can be reached through: SIS

JTC 1/SC 27/WG 4 Security controls and services - The convener can be reached through: SPRING SG

JTC 1/SC 27/WG 5 Identity management and privacy technologies - The convener can be reached through: DIN

As with the ISO 20000 family, British Standard ‘BS259998 Business Continuity Management’ is the foundation for this family of standards. With this standard, ISACA Governance methodology found in CoBIT9 is being incorporated to provide the management controls and measurements to establish common processes, structures and terminology. The recent release of the British Standard BS25999-1:200610 has provided the global body of standards a preview of what the ISO standard will represent. • BS 25999-1:2006 is a code of practice that takes the form of guidance and

recommendations. It establishes the process, principles and terminology of Business Continuity Management (BCM), providing a basis for understanding, developing and implementing business continuity within an organization and to provide confidence in business-to-business and business-to-customer dealings.

• In addition, it provides a comprehensive set of controls based on BCM best practice and covers the entire BCM lifecycle (see Figure 3)

• BS 25999 is published in two parts:

8 The British Standard incorporates several existing standards as illustrated at http://www.pas56.com/ . The blending of British Standards as depicted at http://pas56.standardsdirect.org/ represent what the ISO Development committee has defined as the defined goal of ISO 27000 which is outlined in ISO/PAS 22399:2007. 9 CoBIT is a registered trademark of ISACA methodology and can be found at http://www.isaca.org/ 10 BS25999-1:2006 can be found at http://www.bsi-global.com/en/Shop/Publication-Detail/?pid=000000000030157563



Version 1.0

• BS 25999-1 • Business Continuity Management – Part 1: Code of practice. This document takes the form of good practice guidance and recommendations, indicating what practices an organization should or may undertake to implement effective BCM. Organizations may choose to follow all or part of the Code of practice. The Code can be used for self-assessment or between organizations. The Code is not a specification for BCM.

• BS 25999-2 • Business Continuity Management – Part 2: Specification. This document sets out specifically what an organization shall do to implement BCM. It is for use by internal and external parties, including certification bodies, to assess the organization’s ability to meet regulatory and customer requirements as well as the organization’s own requirements. BS 25999-2 contains only those requirements that can be objectively audited and a demonstration of successful implementation can therefore be used by an organization to assure interested parties that an appropriate business continuity management system (BCMS) is in place.

• Initial work by practitioners in 1999 resulted in a widely accepted representation of the BCM life cycle. With the publication of BS 25999-1 in 2006, a new illustration of the BCM life cycle was introduced

NOTE: A free demo of BS 25999 online is available – go to www.bsi-global.com/bs25999online

Figure 3: Business Continuity Management Life-cycle model (source BS25999-1:2006)

11

11 All Rights Reserved British Standards Institute (BSI) - http://www.bsi-global.com/en/



Version 1.0

3.3 It’s not just a regulatory requirement any more… The primary driver for these standards is to establish a global compatibility along with the ability to measure the maturity of organizations to these standards. The implication of governance aligning with service delivery shown in Figure 4 example clarifies the use of multiple standards to achieve the objective of adherence and compliance. The BCM Model will discuss the organizational structure and processes established by new industry standards to meet the objectives of maintaining and managing a Business Continuity Management Program. Figure 4: ITIL CoBIT Coverage

12

3.3.1 COSO Under the COSO Framework the definition, creation and use of Internal Controls (IC) to successfully meet objectives is paramount to the overall success of the organization. This is where objective setting is a precondition to the internal control. Through objective setting an organization’s management can identify risks associated with the achievement of the desired objective. Each risk must be ranked on its impact and probability to set the correct control parameters. In mitigation of these risks, internal controls are designed and implemented to effectively mitigate the associated risk through the ongoing success measurement process. This allows the organization to adjust as needed to meet the objective through continual measurement which will improve the quality of the defined process. Generally COSO Internal Controls fit well within the ITIL and CoBIT frameworks, as shown in Figure 4 above, to provide the measurement of operational support processes but the COSO framework is primarily used for the safeguarding of




Version 1.0

financial processes within an organization that sustain the executive level fiduciary and regulatory responsibilities.

3.3.2 Governance Risk & Compliance (GRC) Numerous groups and entities have launched similar programs to address elements of what the BCM embraces. This includes an industry segment defined as GRC from two different groups.

3.3.2.1 Open Compliance & Ethics Group (OCEG) This group set out to establish a CoBIT© like framework that includes domains that bridge numerous functions and processes. The OCEG Framework or Capability Model utilizes a Universal System Outcomes concept. • Universal System Outcomes are the expected and measurable results of a high-

performing GRC system defined in these process segments. Inform & Integrate Detect & Discern Organize & Oversee Assess & Align Monitor & Measure Prevent & Promote Respond & Resolve

• Utilizing 8 Integrated Components with 8 Universal Outcomes Enhance Organizational Culture Increase Stakeholder Confidence Prepare & Protect the Organization Prevent, Detect & Reduce Adversity Motivate & Inspire Desired Conduct Improve Responsiveness & Efficiency Optimize Economic & Social Value Achieve Business Objectives

• Each with its own Elements Each Element embodies a number of related Practices in a high-performing

GRC system. Each Element includes a discussion of Principles and Common Sources of Failure, as well as the Practices that support success.

3.3.2.2 Object Management Group GRC Round Table (GRC-RT) This group understands the utilization of similar compliance requirements and establishes a process for utilization, first by capturing the regulatory requirements.



Version 1.0

Figure 5: GRC Automating Compliance

GRC-RT Diagram 13 Then by creating mappings between each compliance requirement element through a pertinent industry framework object to an identified internal control. Most of these will be bi-directional mappings with data flowing in both directions. Figure 6: GRC Bi-Directional Compliance Mapping

When defining the regulation mapping through a framework, many relationships will develop that will economize on the overall process of compliance management.

13 All rights reserved by Object Management Group (OMG) GRC Roundtable - http://www.omg.org/ (http://www.grcroundtable.org/GRC_RT_Overview.pdf)



Version 1.0

Figure 7: GRC Complex Relationship Mapping

GRC-RT Diagrams 14

The BCM Model attempts to provide a singularity of tasks and controls needed to meet the objective of compliance, risk mitigation and business sustainability most like the GRC-RT method shown above with the role up to management needed to govern the processes. This assumes that the pertinent industry model reflected continues to address the ever changing regulations, thus the need for automating the process as much as possible.

4 The Business Continuity Paradigm With the standards represented above, a Business Continuity Paradigm has taken shape. The context of this whitepaper will build on this paradigm to present a new model that organizations can use to establish a foundation of Business Continuity Practices and Principles where metrics can be devised to provide both qualitative and quantitative results of operational readiness performance to management. These foundations of collaborative methods are now referred to herein as the “Business Continuity Management” (BCM) and align with both the published and unpublished ISO standards referenced. As such, this BCM Model is designed to provide an advance look into what the BCM future beholds.

4.1 What is BCM? BCM is a board owned and driven set of processes established to facilitate the functions and services of the organization, which are defined by a strategic and tactical framework that:

14 All rights reserved by Object Management Group (OMG) GRC Roundtable - http://www.omg.org/ (http://www.grcroundtable.org/GRC_RT_Overview.pdf)



Version 1.0

• Proactively improves the resiliency of the organization against a disruption that impedes the organization’s ability to achieve its key objectives.

• Provides a validated and tested method of recovery of the organization’s ability to provide the functions and services at a predefined level within a predefined time.

• Affords the organization the ability to deliver a proven capability to manage its business while preserving its brand image and reputation.

4.1.1 Building Blocks Much like what Program Management (PM) enables for holistic management of projects within an organization; BCM provides a similar level of management and fiduciary responsibility to mitigate risks to the continual operations of business. This systematic process facilitates organizational maturity and business resiliency utilizing these essential building blocks:

1) BUSINESS CONTINUITY (BC): Establishes the ability of an organization to provide service and support for its customers and to maintain its viability before, during, and after a business continuity event (i.e. disaster / crisis, natural or man made). BC in itself is only a starting point.

2) PLAN, DO, CHECK, ACTION (PDCA): An adaptation of the Deming wheel. While the Deming wheel stresses the need for constant interaction among research, design, production, and sales, the PDCA Cycle asserts that every managerial action can be improved by careful application of the sequence: plan, do, check, action. Later in Deming's career, he modified PDCA to "Plan, Do, Study, Act" (PDSA) so as to better describe his recommendations. In Six Sigma programs, the PDSA cycle is called "Define, Measure, Analyze, Improve, Control" (DMAIC). The iterative nature of the cycle must be explicitly added to the DMAIC procedure. The PDCA cycle implies a continual methodology of process improvement. Where each process includes controls that provide measurement of success that is used to define overall operation success. One poor process does not cause an organization to fail, systemic failure occurs where numerous process enable failure over time.

3) BUSINESS CONTINUITY PLANNING (BCP): Is the process of developing and documenting arrangements and procedures that enable an organization to respond to an event that lasts for an unacceptable period of time and return to performing its normal Business Critical Functions and/or supporting System (BCFS) after an interruption. BCP is the documentation to facilitate the process of mitigation of risk to the operation of an organization in preparation of the eventual crisis.

4) RISK MANAGEMENT (RM): Risk management is a structured approach to managing uncertainty related to a threat, a sequence of human activities including: risk assessment, strategies development to manage it, and mitigation of risk using managerial resources. Whereas risk management tends to be preemptive, business continuity planning (BCP) was invented to deal with the consequences of realized residual risks. The necessity to have BCP in place arises because even very unlikely events will occur if given enough time. Risk management and BCP are often mistakenly seen as rivals or overlapping practices. In fact these processes are so tightly tied



Version 1.0

together that such separation seems artificial. For example, the risk management process creates important inputs for the BCP (assets, impact assessments, cost estimates etc). Risk management also proposes applicable controls for the observed risks. Therefore, risk management covers several areas that are vital for the BCP process. However, the BCP process goes beyond risk management's preemptive approach and moves on from the assumption that the disaster will realize at some point. This includes the assessment of each risk and where appropriate, the establishment of mitigation controls to manage the process designed to minimize the risks potential impact.

5) BUSINESS CONTINUITY MANAGEMENT (BCM): Is defined15 as a holistic management process that identifies potential impacts that threaten an organization with associated risk, and provides a framework for building resiliency with the capability for an effective response which safeguards the interests of its key stakeholders, reputation, brand and value creating activities. This management structure includes the facilitation of recovery, continuity and/or restoration in the event of a disaster or crisis through the management of an overall contingency program and through training, rehearsals, and reviews, to ensure the plan(s) stays current and up to date. This framework facilitates the entire process of preparing for the inevitable crisis to strike which engage processes to mitigate the impact of risk to the business operation. All of which provides for a sustainable and resilient organization with the emphasis on ‘Risk Mitigation with Governance’ which is engrained in the day-to-day operation of business.

This implies that BCM specifically provides: A level of managerial oversight at the appropriate organizational level which

has a stake in the continual operations of business with fiduciary responsibilities.

Quality processes that mitigates Critical Business Functions and/or support Systems (BCFS).

Processes that must: correlate to measurable financial impacts, be rated according to their risk potential, include their individual probability of disruption as reflected in Service Level

Agreement (SLA) management, be quantifiable through metrics measurement, and incorporate continual improvement.

BCM is the entire organization’s responsibility. Each entity and resource has a stake in the success of the organization as a whole, which emphasizes that the organization will need to: • Identify, define and prioritize potential impacts in advance • Create a framework to mitigate and manage risks, of each, within industry

standard guidelines • Defend the organization against the potential of loss, with the resiliency to quickly

recover in the event of a crisis

15 Definitions to the BCM terms used herein can be found in Appendix A



Version 1.0

• Utilize industry best practices in creation and execution of the Business Continuity Management Lifecycle (Figure 3).

4.1.2 BCM Organizational Ownership To establish ownership and drive the BCM principles throughout the organization, a BCM strategy must be created and approved by a governing board within the organization which has board level executive stakeholders. The reason ownership must reside at this level is clear. The board owns the overall resiliency of the organization and as such they own the ability to manage resiliency. This is reinforced by many governmental regulations such as Sarbanes-Oxley (SOX)16 within the United States, where the CEO and CFO must personally attest to the validity of the financials reported.

4.1.3 BCM Strategy Most organizations, regardless of size, have strategic directives to attain. These may be necessary to grow business by increasing the product and services delivered or to improve the availability of the goods and services provided. The consequences of not pairing these directives to a means of resiliency are usually devastating to the continued operation of an organization. This may include loss of profits, customers, up to and including loss of life. The survival of an organization’s reputation or existence is at stake!

NOTE: According to research by the University of Texas, when companies suffer a catastrophic data loss, 94 percent of them fail: 43 percent never reopen, and the remaining 51 percent close within two years.

The alignment of the organizational strategic goals and objectives must be incorporated into the BCM Strategy to ensure that the organization can achieve both. The organizational structure needed to facilitate this process is within what this model refers to as a ‘BCM Steering Committee’17. The full BCM structure will be defined further on in this paper. The key is that BCM recognizes the importance and need for stakeholders at the highest organizational level to ensure the organization’s survivability and resiliency is properly prioritized and subsequently maintained. As the stakes rise with new ventures, BCM is the solution for the subsequent consequences of disruptions which have a direct and implied fiduciary impact that also include a probable regulatory consequence.

4.1.4 BCM and Risk Management BCM has a direct relationship with most forms of Risk Management. The principle behind BCM is to ‘Risk Mitigation with Governance’. This principle incorporates many elements and types of risk management into the BCM Strategy and subsequent program. One of the primary derivatives of a BCM program is to establish direct feedback to the board level management on the ‘State of Readiness’ which provides the ‘Value-Add’ needed by the board to ensure a sustainable operation and to enable viable decisions!

16 Information on SOX can be found at http://www.sec.gov/divisions/corpfin/faqs/soxact2002.htm and the full SOX ACT ‘HR:3763’ - http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_bills&docid=f:h3763enr.txt.pdf 17 This model will identify organizational roles and responsibilities paired with the BCM Process defined herein that utilize existing operational resources for most of the stated requirements. Only a small complement of resources used to facilitate the BCM Process are actually needed where the actual number varies depending on the size and complexity of an organization.



Version 1.0

4.2 Why BCM? The principle reason BCM is needed is it forms an important element of organizational management, provisioning of service and efficient and effective deployment of resources very similar to the way Program Management performs a rollup of resources and financials into a holistic view. This provides transparency into the operational ‘State of Readiness’ at most process points to effectively manage the organization to its optimal state of maturity and subsequent efficiency. This model encapsulates the benefit of utilization of existing resources for the facilitation of risk mitigation through the adaptation of appropriate internal controls, thereby reducing the burden of cost normally associated with a separate structure.

4.2.1 Strategic Value The alignment of BCM with an organization’s strategic vision and the utilization of available skilled resources provide a substantive value to achieve the organizations strategic objectives and goals. When the organization relies upon BCM as an asset within the definition of its strategy, the organization can only realize a higher than normal probability of successful achievement.

4.2.2 Sustainability and Resiliency All organizations strive to remain operable for a long duration, which translates into sustainability. To achieve sustainability the organization must have a program that drives to this goal. The BCM Model outlines the organization and processes needed to achieve sustainability. The use of sustainable practices, though utilization of continually improving processes, a level of resiliency is established. Resiliency enables an organization to undergo higher levels of risk impacts and remain operational. Quality of service may degrade, but only to predefined levels. Thus, financial downturns, major service disruptions, or natural disasters can all be mitigated with appropriate controls in place to ensure the proper ‘State of Readiness’ is maintained at all times.

5 The BCM Model Over the history of the industrialized world, companies, organizations and businesses struggled with how to protect; what they built, how they are generating revenue, and all important, how to continue to grow. Facing sometimes catastrophic crisis’s and financial down turns, many strong and prosperous entities survived. For those many that failed can be summed up in these three words; ‘were they prepared?’ ‘Survival of the Fittest’ played out in real-time revealed those who continue to operate today were prepared, and those that aren’t, were not. History has identified that if an organization does not have a contingency plan, the probability for it to sustain a long term existence is slim. While there is no silver bullet with any framework, the BCM Model is a research compilation of standards, processes and experience that brings together for the first time a comprehensive framework for organizations to use for the sole purpose of ‘being prepared!’. The BCM Model will walk through the ownership, fiduciary



Version 1.0

responsibilities, along with the processes to create and sustain a program to mitigate most common events. Included is essential information to protect the organization’s interests and assets. In this ever changing global economy, organizations will need every advantage afforded them to survive. How this is accomplished is the basis of the BCM Model with the underlying theme ‘Risk Mitigation with Governance’.

5.1 Business Continuity Management Components Business Continuity Management model defines these elements into tactical aspects of a BCM Process. BCM Process utilizes functional components to facilitate the ‘Risk Mitigation with Governance’ principle. These structures of functional components are:

• Business Continuity Steering Committee • Business Continuity Management Team • Business Continuity Plan Administrator • Business Continuity Leads or Business Continuity Coordinators/Disaster

Recovery Coordinators • Business Continuity Teams

Figure 8: BCM Components

5.2 Where to Start Most organizations find it difficult to identify the starting point of their Business Continuity program. A few indicators will clearly identify the starting point and help identify the effort needed to establish a quality program. Here is a list of some of those indicators:

• Has a Business Impact Analysis been conduction within the last 24 months? • Utilizing the data from the Business Impact Analysis, was a Risk Assessment

conducted and critical functions and systems identified?



Version 1.0

• Does existing documentation exist that can be used for planning purposes? • Is the existing documentation adequate for the critical systems? • Is there Executive stakeholder buy in and support? • Has ownership of the various elements been established and accepted? • Has funding been granted and approved? • Are short and long term business & IT objectives aligned?

Once these indicators have been resolved, most organizations will succeed with establishment of a Business Continuity Management program. Here is where we start.

5.2.1 Business Continuity Planning Now that we have established the objectives driving the Business Continuity program, we can now begin planning. To start with, the senior management team will have defined a Business Continuity Strategy (BCS) to match what they see as business risks needing mitigation surrounding the most common loss of business services. At a minimum the BCS should include the following policies, processes, and/or concepts:

A defined policy governing the Business Continuity Program, Process for the identification of the Business Continuity Management Team

and subsequent crisis or emergency management team structure (including the structure used to facilitate creation, maintenance, execution and training of the Business Continuity Plan),

Process for assignment identification, functional responsibilities, and approval of the BCSC team along with governance structure as needed,

Conduct a Business Impact Analysis (BIA) to identification of the areas of Business Critical Function and/or System (BCFS) that need to be protected, along with the general scope of need for the various BCFS and respective locations of operation.

Risk Assessment on all high priority and/or critical BCFS items to include a probability and impact value. These risk values will ensure internal controls can be established with appropriate thresholds for success measurement.

With these elements understood, planning can proceed with the identification and establishment of resources along with appropriate funding needed to satisfy the business objectives driving the BCM program utilizing the following components.

5.2.2 Establishment of the Business Continuity Management Team The Executive Management should identify the requirements of the Business Continuity Management Team (BCMT). A high-level organizational structure of the BCMT is needed to identify who should serve on this team and what responsibilities each role will play in the functional operation of the BCMT. At a minimum the BCMT should include:

At least one Executive, one Senior Management representative, and then what ever level of management is deemed appropriate to represent the full operational complement of the overall organization,

An organizational structure that will provide the appropriate level of authority on those areas of the organization that will most likely be directly involved with Business Continuity execution,



Version 1.0

The designation of a “Crisis or Emergency Management Team” (EMT) from current management that will facilitate the execution of the Business Continuity Plan (BCP),

The emergency declaration classification types, rules and criteria. Figure 9: BCM Organization

BCM Business Continuity

Management Organization

BUSINESS CONTINUITY STEERING COMMITTEE (BCSC):A committee of decision makers, process owners,

technology experts and continuity professionals, tasked with making strategic recovery and continuity planning decisions

for the organization.

BUSINESS CONTINUITY TEAM (BCT):Designated individuals responsible for developing,

execution, rehearsals, and maintenance of the business continuity plan, including the processes and procedures.

SIMILAR TERMS: Disaster Recovery Management Team, Business Recovery Management Team. Associated terms: Emergency Management Team.

BUSINESS CONTINUITY MANAGEMENT (BCM): A holistic management process that identifies potential impacts that

threaten an organization and provides a framework for building resilience with the capability for an effective response that

safeguards the interests of its key stakeholders, reputation, brand and value creating activities. The management of recovery or

continuity in the event of a disaster. Also the management of the overall program through training, rehearsals, and reviews, to ensure

the plan stays current and up to date.

BUSINESS CONTINUITY MANAGEMENT PROGRAM:An ongoing management and governance process supported by senior management and resourced to ensure that the necessary

steps are taken to identify the impact of potential losses, maintain viable recovery strategies and plans, and ensure continuity of

products/services through exercising, rehearsal, testing, training, maintenance and assurance.

Risk Management

through Governance

DepartmentalDesignees

BCTeam

(BCT)

Organizational Designee

BCMCorrdinator

(DRC/BCC)0

DISASTER:A sudden, unplanned calamitous event causing great

damage or loss as defined or determined by a risk assessment and BIA; 1) Any event that creates an inability on an organizations part to provide Business Critical Functions

for some predetermined period of time. 2) In the business environment, any event that creates an inability on an

organization’s part to provide the critical business functions for some predetermined period of time. 3) The period when

company management decides to divert from normal production responses and exercises its disaster recovery plan. Typically signifies the beginning of a move from a

primary to an alternate location.SIMILAR TERMS: Business Interruption; Outage; Catastrophe

THREAT:A combination of the risk, the consequence of that risk, and

the likelihood that the negative event will take place. Associated term: risk. Example Threats: Natural, Man-made,

Technological, and Political disasters.)

Executive Management Team and Assignees

BCMSteering

Committee(BCSC)

BUSINESS CONTINUITY MANAGEMENT TEAM (BCMT):A group of individuals functionally responsible for directing the development of the business continuity plan, as well as responsible for participation in the declaring a disaster and

aiding the recovery process, both pre-disaster and post-disaster. Also referred to as the Executive Emergency

Management Team (EEMT)SIMILAR TERMS: Disaster Recovery Management Team, Business Recovery Management

Team. Associated terms: Emergency Management Team.

EMERGENCY MANAGEMENT TEAM (EMT):A group of managers functionally responsible for

execution of the business continuity plan, as well as responsible for declaring a disaster and providing

direction during the recovery process, both pre-disaster and post-disaster.

SIMILAR TERMS: Disaster Recovery Management Team, Business Recovery Management Team. Associated terms: Crisis Management Team. DISASTER RECOVERY COORDINATOR (DRC):

A role of the BCM program that leads & coordinates planning and implementation for recovery of an

organization, location or unit for technical functions. SIMILAR ROLES: Disaster Recovery Planner, and Disaster Recovery Administrator

May also act as a Plan Administrator

BUSINESS CONTINUITY COORDINATOR (BCC):A role of the BCM program that leads & coordinates

planning and implementation for recovery of an organization, location or unit for nontechnical functions.

SIMILAR ROLES: Business Recovery Coordinator, Business Recovery PlannerMay also act as a Plan Administrator

Designated Managers

BCMEmergency

Management Team

(EMT)

Designated Senior & Executive Managers

BCMTeam(BCMT)

5.2.3 Establishment of a Business Continuity Steering Committee The Business Continuity Steering Committee (BCSC) shall be created by the Business Continuity Management Team (BCMT). The BCSC shall be populated with representation of all Business Critical Functions and/or supporting System (BCFS) areas with management and senior employees by referral from a member of the BCMT and approved by Executive Management. The BCSC team must have both executive management and broad employee based support to provide an effective and representative body that will be viewed by all as the appropriate members of the organization to provide Business Continuity vision and direction. This team will be responsible for providing the organization with strategic oversight on all Business Continuity initiatives, policies, processes, plans and structures. The BCSC shall meet on a regular schedule, not less than quarterly, and rely on the Business Continuity Management Team for all fiduciary requirements identified.

5.2.4 Defining the Policy The Business Continuity Steering Committee should establish a policy that will provide an overall guidance to the teams implementing Business Continuity. A high-level policy must be published to identify several factors to the organization as a whole. The Business Continuity policy should set the expectations the organization



Version 1.0

has for all employees, contractors and agents. These should be as clear and concise as possible and must be approved by executive management with enforceable terms. The Business Continuity Policy should include:

Overall Business Continuity mission statement Company Business Continuity objectives Who participates in Business Continuity Enforceable terms deemed necessary Governance

5.2.5 Defining Management Components The Business Continuity Steering Committee should establish a management structure to facilitate the execution of the BCM Program. The Components of the Business Continuity Management Structure should include:

Identification of the Owners of the main Business Continuity Plans (BCP) needed to appropriately respond to a crisis.

Establish a Business Continuity Strategy (BCS) to provide direction aligned with business objectives.

Define a recovery management process that includes metrics for all Business Critical Function and/or supporting Service (BCSF).

The conduct of a Business Impact Analysis to provide vital financial ties to each identified BCFS.

Facilitate the establishment of the Business Continuity Sub-plan ownership at the operational level through the Business Continuity Team. (BCT)

Figure 10: BCM Components BCM

Business Continuity Management Components

BUSINESS CONTINUITY STRATEGY (BCMS):An approach by an organization that will ensure its recovery and continuity

in the face of a disaster or other major outage. Plans and methodologies are determined by the organizations strategy. There may be more than one

solution to fulfill an organization’s strategy. Examples: Internal or external hot-site, or cold-site, Alternate Work Area reciprocal agreement, Mobile

Recovery, Quick Ship / Drop Ship, Consortium-based solutions, etc.

BUSINESS IMPACT ANALYSIS (BIA): A process designed to prioritize Business Critical Functions

and supporting Systems by assessing the potential quantitative (financial) and qualitative (non-financial) impact

that might result if an organization was to experience a business continuity event.

BUSINESS INTERRUPTION: Any event, whether anticipated (i.e., public service strike) or

unanticipated (i.e., blackout) which disrupts the normal course of business operations at an organization’s location. Similar terms:

outage, service interruption. Associated terms: business interruption costs, business interruption insurance.

BUSINESS CONTINUITY MANAGEMENT PROCESS:The Business Continuity Institute’s BCM process (also known as the

BC Life Cycle) combines 6 key elements: 1) Understanding Your Business 2) Continuity Strategies 3) Developing a BCM Response 4) Establishing a Continuity Culture 5) Exercising, Rehearsal & Testing

6) The BCM Management Process

RecoveryManagement

DHLGMDepartment Managers

BC / DRPlan

BCMDesignee

BCMStrategy

(BCMS)

External Auditor

BIA

BCT

BRP / DRP

BUSINESS CONTINUITY PLAN (BCP): Process of developing and documenting arrangements and

procedures that enable an organization to respond to an event that lasts for an unacceptable period of time and return to

performing its critical functions after an interruption. SIMILAR TERMS: Business Resumption Plan, Continuity Plan, Contingency Plan,

Disaster Recovery Plan, Recovery Plan.

DISASTER RECOVERY PLAN (DRP):The management approved document that defines the

resources, actions, tasks and data required to manage the technology recovery effort. Usually refers to the technology

recovery effort. This is a component of the Business Continuity Management Program.

SIMILAR TERMS: Business Continuity Management Plan, Recovery Plan.

RECOVERY POINT OBJECTIVE (RPO):From a business perspective RPO is the maximum

amount of data loss the business can incur in an event. The targeted point in time to which systems and data

must be recovered after an outage as determined by the business unit.

RECOVERY TIME OBJECTIVE (RTO):The period of time within which systems, applications, or

functions must be recovered after an outage (e.g. one business day). RTO’s are often used as the basis for the

development of recovery strategies, and as a determinant as to whether or not to implement the recovery strategies

during a disaster situation.SIMILAR TERMS: Maximum Allowable Downtime

RECOVERY:Implementing the prioritized actions required to return the processes and support functions to operational stability

following an interruption or disaster.

BUSINESS RESUMPTION PLANNING (BRP):TERM Currently Being Reworked

SIMILAR TERMS: Business Continuity Planning, Disaster Recovery Planning

DISASTER RECOVERY PLANNING (DRP):The technological aspect of business continuity planning. The advance planning and preparation that is necessary to

minimize loss and ensure continuity of the Business Critical Functions and supporting Systems of an organization in

the event of disaster.SIMILAR TERMS: Contingency Planning; Business Resumption Planning; Corporate Contingency Planning; Business Interruption Planning; Disaster

Preparedness.



Version 1.0

5.3 Conducting the BIA To fully understand the potential impact any loss of service could have on business, a Business Impact Analysis (BIA) should be conducted. The conduct of a BIA should be scheduled every 3 to 5 years to keep the information used for loss identification current. A BIA should be performed prior to the BCS creation to ensure that the organization has identified the BCFSs that represent what the loss potential is, how it can be mitigated, and what the implications to the services provided would mean to the recipient of those services. When a BIA is re-conducted after the BCM Program is in place, it will be used to update the BCFS list and financial risks of each. The Business Continuity Management Team and Business Continuity Steering Committee participants may be adjusted based upon the information provided. The following few slides describe the essence of the BIA:

5.3.1 BIA - Identifying Critical Needs … The critical needs should be identified within all departments. Critical needs include all information, processes, activities and equipment needed to continue operations should a department be destroyed or become inaccessible. To determine the critical needs of the organization, each department should document all important functions performed within that department. This information can be gathered by documenting daily activities within each department. An analysis over a period of two weeks to one month can indicate the principle functions performed inside and outside the department, and assist in identifying the necessary data requirements for the department to conduct its daily operations satisfactorily. This determines the Business Critical Function and/or supporting Service (BCSF) which are critical functions / systems relied on to perform critical business functions, System or application interfaces, that require a Maximum acceptable outage for the system considering both the user perspective and the technical perspective.

5.3.2 BIA - Business Critical Functions / Systems To Identify Business Critical Function and/or supporting Service (BCSF) some of the diagnostic questions that are asked include:

What specialized equipment is used in the department and how is it used? What are lead times for replacing critical equipment? If the on-line systems were not available, how could the department continue

to function? What parameters, guidelines, or procedures would be necessary to limit

exposure during on-line systems downtime (i.e., management approval may be required of checks or disbursements above specified dollar amounts)?

What is the minimum staff and floor space needed to continue operations at another facility?

What special forms and supplies are needed for each departmental area? What communication devices (i.e., telephones, facsimile equipment, and data

transmission equipment) would be necessary to continue operations?



Version 1.0

Which employees have been trained to carry out several departmental jobs or responsibilities and could fill positions of key employees if they were unavailable?

5.3.3 BIA - Outage Impact Analysis Once the critical needs have been documented, it is important to determine the impact of an outage to the critical systems and business functions. The impact depends on the type of outage that occurs, and the time that lapses before normal operations can be resumed. The following information should be carefully analyzed:

Impact Analysis is defined by these six areas: 1. Business Function Description 2. Critical Systems 3. Dependencies 4. Workflow Impact 5. Future Business Function Changes 6. Impact of Not Processing

Business Function Description is: 1. Size of the business function (e.g., total revenue, number of

employees, number of patients, etc.) 2. Main purpose of the business function (e.g., revenue generation,

administrative, customer service, support function, ancillary function, etc.)

3. Critical operations performed. Critical Systems Description is:

1. Systems relied on to perform critical business functions 2. System or application interfaces 3. Maximum acceptable outage for the system, considering both the

user perspective and the technical perspective Dependencies Description is:

1. Dependencies between business functions 2. Dependencies between departments 3. Dependencies between systems

Workflow Impact Description is: 1. Loss of controls 2. Major bottlenecks 3. Potential stop in the workflow 4. Complete interruption of the workflow

Future Business Function Changes Description is: 1. Systems 2. Procedures 3. Operations 4. Personnel 5. Organization 6. Other changes

Impact of Processing Failure Description is: 1. Impact on customer service 2. Noncompliance with government regulations 3. Noncompliance with existing contracts 4. Increase in personnel requirements



Version 1.0

5. Loss of revenue 6. Loss of business 7. Increased operating costs 8. Penalties 9. Loss of financial management capability 10. Loss of competitive edge 11. Loss of goodwill 12. Negative media coverage 13. Loss of stockholder confidence 14. Legal actions 15. Other impacts

Redundancy Levels Description is: ‘Existing and required redundancy levels throughout the organization to accommodate critical systems and functions:’

1. Hardware 2. Information 3. Personnel 4. Services

Alternate Processing Methods Description is: 1. Alternate processing methods for the critical functions in the event of

a systems outage 2. Impact of using the alternative processing method 3. Alternate processing costs

5.4 Risk Assessment The Business Critical Functions and/or Services identified in the BIA must now be analyzed to determine their impact and probability of disruption to establish a ranking of each. Once the BCFS risks are ranked to a common scale (usually 1 to 3 or 1 to 5 with 1 having the highest priority i.e. Severity 1), then planning prioritization is applied and a list of plans generated. The object is the mitigation of risk for the highest ranked items first, then working down through the list until all critical items have mitigation plans that are ready for validation. Re-ranking may take place as more information is discovered during the risk assessment process. Risk assignments are used to design internal controls (ICs) and thresholds that provide measurement of success which feed the ‘State of Readiness’ metrics. These same ICs should also be mapped to any regulatory requirements to ensure a total risk is known and measured.

NOTE: Priority ranking should follow what ever scale is used within the current Incident / Problem Management system to take full advantage of established processes. Universal use of common terms within this process should also be adopted to avoid communication failures and confusion.

5.5 Risk Mitigation It is important to identify risks, associate the cost of each and trend it over time, however, if the risk is never mitigated then it will continue to be a drain on the organization’s sustainability which may ultimately lead to its demise. To address this topic, continual improvement processes mandate that this information be analyzed



Version 1.0

and addressed where appropriate for a given organizations goals and objectives. Mitigating every risk is too costly, even for the largest of organizations. Understanding the risk’s implications to the current business strategy will provide the most cost effective means of Risk Mitigate any organization can afford. The Disaster Recovery Timeline shown in Figure 11 illustrates the elementary points of risk that must be identified, evaluated and prioritized for impact that incorporates a business established tolerance. This must be accomplished for every Business Critical Function and/or supporting Service (BCSF) identified in the BIA. This recovery data will be included in any Service Level Agreement (SLA) established with the service provider whether internal or external. Figure 11: Disaster Recovery Timeline

5.5.1 Risk Mitigation – Crisis Points Defined RPO – is the last known point of valid data on a system by system or function

by function basis. This is the starting point of data restoration and is owned by IT as agreed too by Business.

RTO – is the technical point of restoration of a system or function. This is the starting point where processing can restart after the failure. It is owned by IT as agreed too by Business.

MTD – is the point at which all recovery processing has been completed while processing current normal daily activities. This is the actual return to Business As Usual state. This is solely owned by business.



Version 1.0

WRT – is the amount of time and effort needed to recover from the crisis. This includes the reentry of data from;

The point of the crisis back to the RPO, The manual data collected from the point of crisis to the RTO, And the processing of current daily data needed to stay current with the

expectation of business services Most companies fail because they do not plan this recovery period

5.5.2 Importance of Defining Risk Points Failure to identify a point of risk is opening the flood gates and inviting in a crisis. Each BCFS must have its Risk Points defined and accepted by business and the service or function provider. Risk Point failures;

Lack of adequately define Risk Points will cause failure Lack of organizational participation in Risk Point metrics establishment will

cause failure How to you create SLA’s without Risk Point definitions and measurements?

(You can’t!) Establishing Risk Points with Metrics is essential to the successful creation of

every BCM Plan (BCP, Sub-BCP) and the sustainability of business! Identification of regulatory requirements inclusive with the risk points ensures

compliance is included in the success measurement.

5.5.3 Risk Cost Modeling Utilizing the financial data from the Business Impact Analysis (BIA) for each Business Critical Function and/or supporting Service (BCSF) a Risk Cost Model can be created to identify the underlying cost for each BCFS along with the projected revenue stream disrupted in the event of its failure. Building this model requires business participation to adequately track and trend the risk cost over a period of time. The resulting Risk Cost Model represents the BCM Model’s ability to provide ‘Value Add’ by providing another vantage point of an organization’s sustainability. Research does not reveal an industry targeted risk level to achieve; however, we were able to extrapolate from other risk models and business objectives to establish a risk target of 2% or less. The example below uses ‘Top Line Revenue’ as a basis for the risk cost analysis. Governments and other organizations may need to use ‘Bottom Line Revenue’. In either case, the target should complement the organization’s strategic goals and objectives.



Version 1.0

Figure 12: Risk Cost Model Trending Example

NOTE: Investment in Risk Mitigation through a BCM Program is a long term business objective, to suggest otherwise is setting the stage for failure.

5.5.4 Mitigating Risks The BIA is essential to establish the parameters for mitigating risk. What do we do with this information?

Identifies the Business Critical Function and/or supporting Service (BCFS) with supporting financial data

Identifies the priorities business places on each BCFS, usually financially driven

Identifies the cost to business if the BCFS were to fail. Supporting services of the BCFS should retain the same status as the high level business function.

How do we use this information? Build Risk Cost models utilizing real financial data on a BCFS by BCFS basis

that reflects a real ‘State of Readiness’ Establish a financial connection for each BCFS and their supporting services

that include resources, service contracts and SLAs. Through planning risk is mitigated thus establishing a Value Add by providing

a form or ‘Revenue Protection’ not currently available to the business. How is this accomplished?

Risk Point identification with established business tolerance / threshold metrics for each

Service Level Agreements that have real achievable metrics Risk Cost Modeling to show the financial implications of risk mitigation (ROI) Risk Analysis using Strategic Plan as a long term projection of impact

severity and probability of occurrence What does it provide?

Identifies priority for funding mitigation solutions



Version 1.0

Enables cooperative planning between provider and user Establishes path to successful achievement of strategic business goals and

objectives Affordable Sustainability with attainable Resiliency

6 Business Continuity Plan Creation The preparation stage of the BCM Model and all industry leading standards mandate the creation of plans to facilitate the continuity of operations. The creation of these plans is where many fail to get a program off the ground. This aspect of the process is defined with what plans would represent a minimal scenario for any organization along with a structured process for integrating them together to attain a sustainable program. The effort to create the documentation required is no small task, however, without the basis to draw upon, the program and subsequently the operations is destined to fail. Engaging the appropriate resources is required for the successful creation of contingency plans. Ownership must reside with the appropriate assigned skill to enable the execution when required. The basic literary level of each plan should address the principle of utilizing a similar skill near or at the level required to perform daily management. Utilizing these basic principles will enhance the probability of successful creation of the plans needed.

6.1 Creating the Business Continuity Plan With the full understanding of “What BCM is”, the process of creating the Business Continuity Plan (BCP) can now take place. With the BCM organizational structure defined, resources assigned, a Business Impact Analysis (BIA) conducted, Risk Assessment completed with mitigation steps identified and with an approved BCS documented, the next step is to create the Business Continuity Plan. The BCP is created, maintained and administered by the Business Continuity Plan Administrator (BCPA) to include:

Identification of all BCFSs and their associated risks to business, along with the appropriate resources to facilitate the execution of safeguarding and restoring each BCFS.

The processes, procedures, actions, tasks and/or steps used to mitigate the risks identified for the various plausible scenarios at each business location,

Identification of all locations included, along with any sub-plans needed to provide adequate coverage for each risk to be mitigate,

A clear communications process to identify, evaluate, declare and recover from most typical causes to loss of service delivery capability or disaster that includes all required resources, roles, locations, with information publication types and guidelines,

The process for Business Continuity Plans updates organizational awareness, training and periodic validation testing.

6.2 BCM Process Components We can now explore what plan components are used within the BCM.



Version 1.0

The BCM utilizes several types of components to provide appropriate coverage and management of the process. The BCM Process Components define the areas and types of plans used.

NOTE: Figure 13 depicts the various plan components and potential uses. The components include:

Organizational level management that includes the BCM Program charter, goals, objectives and controls. This will include:

Master Plan, Communications Plan, Common Process plan to facilitate the interoperations with all other plans. Operational level management includes Business Continuity Plans that detail

the actions taken. This will include: Site (Location) Plan, Sub-Plans with the specific task taken by the skilled resource teams, Contingency Plans are usually at the Department level to provide guidance to

safeguard items across multiple locations that are the responsibility of a department.

Figure 13: BCM Process Components

6.2.1 BCM Master Plan The BCM Master Business Continuity Plan (Master BCP) is used by senior management to establish the overall governing process for facilitating Business Continuity. (Owner: BCMT) The BCM Master Plan is the BCP document that contains the primary policies, process, procedures and actions needed protect the organization from serious BCFS loss. The BCM Master BCP should include the organization’s policy and vision with dealing with emergencies, either man made or natural. The processes listed in the



Version 1.0

plan will include the BCP Communications Plan; EMT, BCC/DRC and BCT team activities; organized by major crisis type, location crisis type and contingencies with checklists for the various BCFSs and actions required for each. If situational contingencies have been prepared, they will be identified and referenced within the BCM Master Plan. Recovery activities for each BCFS and location will be referenced for EMT guidance and execution.

6.2.2 BCM Communications Plan The ability to communicate during any crisis or emergency is paramount to successful BCP execution. (Owner: BCMT). A BCM Communications Plan must be created to become a primary section of the BCP Master Plan to ensure identification of all BCM resources for all sites and functions the BCP is intended to cover. The Communications Plan will also list all Notification and Reporting schedules/lists required to ensure appropriate resources are engaged and informed with the current status published in accordance within organizational policies and guidelines. The BCM Communications Plan should include the following contact information:

Identification of the BCMT and subsequent CMT/EMT Identification of the organization’s business locations with BCFS Identification of the BCC/DRC by location and function Identification of the BCT by location and function Identification of the external contingencies, emergency facilities, key venders

and key customers, or other contingency contact information deemed appropriate

6.2.3 BCM Common Processes Plan The ability to manage status and instruct flow during the execution of a crisis or emergency is a key basis to successful business risk mitigation. (Owner: BCMT) A BCM Common Processes Plan must be created and become a complementary section to both the BCP Master and Communication Plans to ensure status reporting and execution of activities between the EMT and the BCC/DRC is properly managed and maintained. The Common Processes Plan will list all Status Notification and Reporting schedules required to ensure the EMT is fully informed as to the current status of the crisis or emergency and all actions engaged by the BCC/DRC. The BCM Common Processes Plan should include the following information:

Meeting requirements for all teams to establish Command & Control requirements

Common Status Reporting Schedules and activities Common steps taken by the EMT, EOC, BCC, DRC and BCT Other common activities that is required within the execution of all BCPs

6.2.4 BCP Site Plans To successfully execute the mitigating actions needed to protect the organization from loss at the Facility level, action steps must be planned in great detail using BCP Site Plans. (Owner: BCC, DRC). A BCP Site Plan is the level of actions or steps taken by the resources physically protecting the organizational assets within a single facility. The actions listed within a Site Plan shall be defined as a major BCFS and/or operational system that may be



Version 1.0

disrupted from normal operation during the course of a crisis or emergency. BCFSs or Systems will be listed by standard reference nomenclature so as not to disseminate misleading or confusing information or status. The Site Plans will define the steps needed by a reasonably skilled resource to protect site’s BCFSs or Systems. The resource executing these steps may not be fully skilled on the BCFS or System so the level of detail provided must not make any assumptions of the depth of specific skills required. Each Site Plan will include a safeguard list of items addressed, the current status of each, and reference information that may be used to assist in execution in the event of the performed action failure.

6.2.5 BCP Sub-Plans To successfully execute the mitigating actions needed to protect the organization from loss, lower level action steps must be planned in great detail using BCP Sub-Plans. (Owner: BCC, DRC, BCT). A BCP Sub-Plan is the lowest level actions or steps taken by the resources physically protecting the organizational assets. These actions shall be defined by BCFS and/or technological system(s) that may be disrupted from normal operation during the course of a crisis or emergency. BCFSs or Systems will be listed by standard reference nomenclature so as not to disseminate misleading or confusing information or status. The Sub-Plans will define the steps needed by a reasonably skilled resource to protect BCFSs or Systems. The resource executing these steps may not be fully skilled on the BCFS or System so the level of detail provided must not make any assumptions of the depth of specific skills required. Each Sub-Plan will include a safeguard list of items addressed, the current status of each, and reference information that may be used to assist in execution in the event of the performed action failure.

6.2.6 BCP Contingency Plans To plan for the less likely but more catastrophic crisis situations, such as total loss or extended disruption of operational work space, or for those other scenarios that have major impact in more focus situations. (Owner: BCC, DRC, BCT). A BCCP is more directed to location, facility or site relocation in the event of a catastrophic failure or loss of operational work space. A BCCP is also established for those extreme circumstances that may be presented where Normal Business or System Function can not be readily restored to service. These plans will identify alternate work locations, resources, equipment, or other planned alternatives needed to safeguard life and organizational assets. Off site lock boxes for business critical data or intellectual property is just an example of what a BCCP may cover. Contingency contracts for space and assets needed to temporarily relocate the BCFS to maintain a minimum level of service. Alternative processes or requirements for a given set of circumstances to mitigate failure at the site level

6.2.7 Validating the BCP Once the BCP is approved, it should be validated for the types of situations it is designated to provide coverage. (Owner: BCPA). Prior to validating the BCP,



Version 1.0

training of all resources should be scheduled to ensure a basis of understanding is established for all organizational functions and resources. A Validation without sufficient knowledge will result in inaccurate capability data. BCP Validation is defined as an ongoing process to ensure the highest ‘State of Readiness’ is maintained throughout an organization. The BCPA shall, as a continual administrative and governance function of their role, conduct tests on select portions of the BCP in accordance with an established schedule. Each validated shall be accomplished by execution of select components of high risks to ensure the fundamental BCP sections meet the desired expectation. The BCP validation is a test of execution against the resulting simulated BCFS failure. Testing must be performed periodically to ensure a highest level of readiness is maintained at all times. A review of the BCP Validation should be provided to the BCMT as soon as it is available. The same sections of a BCP should not be validated in consecutive tests to provide a wider cross-section of validation and subsequent quantification of readiness statistics.

6.2.8 BCM Program - Document Flow This illustrates the BCM program document flow process. This process contains management level plans, site level plans and

department level plans. Sub-plans are used by the subject matter experts to execute tasks, provide

information and reestablish baselines. Add and remove elements in the document flow illustrated in Figure 14 below

to meet the needs of the organization.



Version 1.0

Figure 14: BCM Document Flow Diagram

BCM – Master Plan

BCM – Communications Plan

BCM – Common Processes Plan

Business Continuity Management Level

Business Continuity Plans

(Site BCP)

Configurations

Tasks

SOP

Information

BCM

Departmental Plans

Executive DeptLegal DeptHR DeptFinance DeptSales DeptProduct Development DeptOperations DeptCustomer Solutions Dept

BCM

The BCM Level is used by theEMT & EOC to manage the BCM Process

Site Plans facility theBCM at the local level

Department Plans facilitate theBCM at the Department leveland are Contingency Plans

Documents are classified into four (4) categories that represent Sub-Plan content types

Sub-Plans contain the information ortasks that the Business Continuity Teamperform or use to mitigate risk

These risk mitigating actions safeguard thecompany’s ability to continue to operate normally

Cisco 28xx Router ConfigurationCisco 37xx Switch ConfigurationCisco 38xx Router ConfigurationCisco Aironet 12xx Wireless AP ConfigurationCisco Call Manager ConfigurationDomestic (ST) database ConfigurationHandheld Scanner ConfigurationHP 42xx/43xx Printer ConfigurationJBM Cellular Broadband ConfigurationLocal Site File and Printer Server ConfigurationMOS model 500 Scale ConfigurationSite Active Directory ConfigurationSite Invoice Printer ConfigurationZebra (105xx, 28xx) Printer Configuration

Domestic (ST) Database Server Recovery TasksEmergency Power Generator Recovery TasksID Mail Sorting Machine Recovery TasksLibra Mail Sorting Machine Recovery TasksLocal Site File and Printer Server Recovery TasksSetup Tasks for Domestic (ST) Admin StationsSetup Tasks for Domestic (ST) Coding StationSetup Tasks for Domestic (ST) Receiving StationSite Active Directory Recovery TasksSite Automation Equipment Recovery TasksSite Data Communications Recovery TasksSite Server Room Equipment Recovery TasksSite Voice Communications Recovery Tasks

Site Evacuation Plan

Site Emergency Contact ListSite Emergency Contact List for all VendorsSite Inventory of IT EquipmentSite Inventory of OPS EquipmentSite Listing of LAN IP Ranges

Business ContinuityPlan Level

Business ContinuitySub-Plan Level

6.2.9 Business Continuity Planning – Recap To recap what is needed to establish BCM, remember that the first thing to do is to establish a BCM organizational structure that includes the BCMT, BCSC, BCPA, BCC, DRC and BCT. The next step is to have the BIA with subsequent Risk Assessment conducted. With the information from the BIA create a BCS aligned with the business strategic vision. Then create the plans, use the BCP Components to identify the plans needed:

Master Plan Communications Plan Common Process Plan Site or Facility Plans Sub-Plans Contingency Plans

Final step is to validate the plans by running tests using them and establishing a review schedule to keep the plans current and ready.



Version 1.0

7 Business Continuity Plan Execution When it comes to execution, ‘Time is Money’! The BCM Model makes every attempt to 1) utilize current operational resources and skills and 2) put the right information in the hands of those who will have the greatest impact of mitigating the risk exposed. This requires that the BCM Program be fully structured with an organization that includes the required management and skilled resources. An assignment of roles and responsibilities for each is imperative to swift execution. To further enhance the timeliness of execution, continual training and awareness is a must to keep fresh the reasons why they need to stay with the program. The components of the BCM Program outlined goes to great lengths to establish the appropriate command and control structure that meets governmental guidelines and industry standards. The elements shown have been successfully implemented within a global enterprise and are proven functionally expedient.

7.1 BCP Execution – Team Leadership Tree To facilitate the execution of the BCP, the BCT Structure will need to identify the various lead elements. During execution of the BCP, the BCM requires the establishment of Lead components to facilitate the organization’s management structure for declaration, execution, management and reporting of the tasks to execute to protect the organization from extended periods of loss of services. The BCP Lead Components are established as part of the overall BCM organizational structure which includes the EMT Lead, EOC Lead, BCC/DRC Leads for the locations affected and optionally the COOP Leads for the various systems impacted. These leads are the primary response team leads to manage the execution of all tasks performed by the BCT. Each lead has defined organizational responsibilities and associated sub-plans.



Version 1.0

Figure 15: BCM Team Leadership Components

7.1.1 EMT Team Component To provide management during BCP execution, the Emergency Management Team is responsible for declaration, execution, restoration and risk mitigation. The EMT shall be a predefined group of senior managers who are assigned on a rotational basis to lead the BCM Process in the event of a crisis or emergency. This team is also known as the Crisis Management Team (CMT). The EMT Lead is the designated member of the BCMT that is on call to handle the management role within the execution of the BCM Process. The EMT Lead shall identify, qualify and declare emergencies using the BCM policies and guidelines for each and remains the central management role and shall provide status reporting to the Executive Emergency Management Team (EEMT) throughout the declared emergency period. The EMT shall dispatch resources to execute applicable sections of the identified BCPs as deemed appropriate to mitigate the risk of service loss to the organization. The EMT shall participate in a post restoration review to identify any BCP changes that may need to be addressed to ensure an evolving, self correcting BCM process.

7.1.2 EOC Team Component During the execution of the BCP, a central impact issue tracking, status collection, and information command post must be established. The EOC shall be formed as the primary function of the central Help or Service Desk function during the execution of the BCM process as deemed by the EMT. The EOC shall report to the EMT for all BCP assignments and communicate directly with the BCC/DRC, and as needed to the BCT, at the location or locations impacted.



Version 1.0

The EOC shall provide organizational communications as directed by the EMT in accordance with the BCP Communication and Common Processes Plans. All system, functional, and organizational status collection shall be directed to the EOC for central collection and redistribution as deemed appropriate by the EMT, or in accordance with the BCP.

7.1.3 BCC/DRC Team Component When the EMT requires execution of a BCP, a specialized local leadership team is required to oversee the steps needed to mitigate risk. The BCC/DRC is the predetermined local functional lead that is directed by the EMT to plan, prepare, and execute the BCP and/or Sub-Plan steps needed to identify and perform the tasks required to protect the organization’s BCFSs. The BCC/DRC shall identify the BCT needed at the impacted location (Site, Facility or Office) and provide the BCT roster to the EMT. The EMT shall direct the BCC/DRC on all actions taken to mitigate risk. The BCC/DRC is responsible for the assigned location’s business and system continuity, operational status and restoration of impacts that impair the continued operations of service from that location. The location resource, system and business status is to be reported to the EOC by the BCC/DRC to ensure the EMT is kept abreast of all situational changes. The BCC/DRC shall utilize the EMT to facilitate and coordinate activities required outside of the location where the BCC/DRC is located.

7.1.4 BCT Component To execute the BCP, resources must be assigned functional responsibilities at each location covered by the plan. The BCT is a pool of resources that is used to execute the mitigation of risks or restoration from BCFS loss specific using specific resource skills to step through the tasks needed to plan, prepare, or restore from a defined condition. These resource skills are identified on a function by function and location by location basis and may include a specific function senior member to lead for the execution of a specific task such as an Emergency Coordinator (EC), Emergency Response Team (ERT), Area Coordinators (AC) or Evacuation Managers (EM). These specialized roles will be used by the BCC / DRC as needed to facilitate the execution of the tasks required by the BCP. The BCC and/or DRC are the designated lead for a given set of functional areas at a specified location. A BCC or DRC may oversee multiple functional areas but should be limited to the location at which they regularly perform their daily work. The location BCT will be directed by the BCC or DRC as needed to complete the tasks identified in the BCP using the specified BCP Sub-plans.

7.2 Plan Elements The BCP shall include various components to provide proper coverage of all Business Critical Function and/or supporting Service (BCSF). BCPs consist of numerous components and elements that are used to facilitate the organization’s execution of recovery processes. The typical BCP elements are:

Site (Location or Facility) Plans Critical Function Plans



Version 1.0

Sub-Plans Contingency Plans

Each of these BCP Elements is designed for a specific purpose to protect people, places and things. Through these plans, risk to the organization is mitigated and resiliency established. The Process of Execution shall outline all of the elements leading up to this point in a flow that will provide a ‘Continual Self Improvement’ aspect to ensure the process does not grow stagnant.

7.2.1 Main Points of Coverage There are three main areas each BCP will utilize and a forth as needed Prepare:

These are the advance action steps that can be performed to safeguard assets in preparation for or at the very beginning of a crisis, including activating the resources needed

Safeguard: These are the action steps that can be performed during the crisis to

safeguard assets and mitigate further risk Restore:

These are the action steps that can are performed to return operations to normal after the crisis has ended

Recover: These are the action steps that are needed to replace a function, system,

facility that has been damaged which cannot simply be restored and placed back into normal service



Version 1.0

Figure 16: BCP in Action

EMT

Prepare

Restore

Site IT BCP

Site OPS BCP

Prepare

Recover

Restore

Recover

Actions &Reporting

Notification,Actions & Reporting

Notifications, Actions & Reporting

Actions &Reporting

Actions &Reporting

Actions &Reporting

Actions &Reporting

Actions &Reporting

Business Continuity Plans in Action

CrisisReported

To Helpdesk

EOCActivated &

Notifies

Task

NormalOperations Ta

sk

NormalOperations

Resume

EMT Declares Crisis & is Notifications BCT TeamsPrepare

BCT TeamsMitigate Risk,

Monitor & Report

BCT TeamsRecover/Restore EMT Declares Crisis End

Safeguard

Safeguard

Actions &Reporting

Actions &Reporting

7.3 BCM Execution Process The BCP shall follow a defined process to ensure that all assets are safeguarded against risk. A synopsis of what this process entails:

1) Incident reported to HD (EOC) 2) EOC evaluates Incident to BCM criteria 3) EOC notifies on call EMT 4) EMT declares Status 5) EOC notifies 6) BCC & DRC activate BCPs 7) BCC & DRC report status to EOC 8) EOC collects status and provides to EMT 9) EMT with BCC & DRC determine BCP steps to take to mitigate risk 10) BCT engaged to complete BCP tasks 11) EMT Declares status 12) Post Emergency Meeting to identify BCP gaps and strategies to include in BCPs



Version 1.0

Figure 17: BCM Process Flow EndSTART

BCPMaster Plan

Probability of Emergency Identified

{EOC /EMT}

ExecuteSite & Dept

BCP-Safeguard-{BCC / DRC}

BCM Communications

PlanEvaluation ofBCP Actions

{EMT}

DeclareEmergency

{EMT}

BCP

BCPSub-

Plans >{BCT}

DeclareRestoration

{EMT}

ExecuteSite & Dept

BCP-Restore-

{BCC / DRC}

DeclareEnd

{EMT}

EMTBCTEOC

Legend

ExecuteSite & Dept

BCP-Prepare-

{BCC / DRC}

BCP

ExecuteSite & Dept

BCP-Recovery-

{BCC / DRC}

EmergencyStatus / Issue

DataCollection

{EOC}

EmergencySituation

EndNotification

{EOC}

EmergencySituation

RestorationNotification

{EOC}

EmergencySituation

DeclarationNotification

{EOC}

Preliminary Emergency

SituationNotification

{EMT}

Prepare for

Impact{BCT}

ActivateEmergency

Support TeamsEOC / EMT /BCT

{EMT}

Evaluate Emergency

Impact{EMT}

BC

P

Identify Alternate

Locations & Resources

IdentifyLocations,

Functions & Systems Impacted

{EOC / EMT}

IdentifyBCT needed to mitigate Impact

risks{EMT}

7.4 BCP Execution – Recap To recap what is needed to execute the BCP, remember that the first thing to do is to identify the BCM organizational structure needed, this includes the BCMT, BCSC, BCPA, BCC, DRC and BCT. The next step is to have the BCP validated through a test exercise. During the BCP execution, collect the data reported to the EOC and EMT for analysis. The plans that should be executed are:

• Master Plan • Communications Plan • Sub-Plans • Contingency Plans

Final step is to analysis the execution process and data collected to ensure all aspects are covered.

8 BCM Plan Management & Reporting Plan Management and Reporting is the main area of coverage that will require a separate functional team. This is due in part to the specialized skills required to set, establish and maintain the BCM Program. The following topics should be included in the coverage.



Version 1.0

• Reporting on the Crisis or Emergency should be accomplished in a post execution report to the EMT by the BCPA.

• General feedback from the BCT as to the effectiveness of the BCP should be reviewed and considered for BCP changes and improvements.

• Training on the BCP should be scheduled periodically for most BCFSs, Systems and Locations not less than once every 24 months.

• Annual review and updates will ensure the BCP is kept current with changes in business or organizational structures.

• Plan Management, including creation, updates, publications and aging is vital to the ‘State of Readiness’ of any organization.

• Governance to ensure compliance and readiness is managed and maintained • Communications to the organization about Business Continuity should be made

several times a year, especially prior to known seasonal changes that could impact business operations.

• Business Continuity awareness is always a great topic for monthly organizational publications.

8.1 Plan Management The BCM Plan Management tool provides a quick view (scoreboard) of the current status by site & team or by company and team. Used to provide instant visibility on readiness status Figure 18: Plan Management

18

8.1.1 Document Management Document management is typically one of those items that never get off the ground within a continuity program. Most see it as a hindrance to preparedness. The issue is that if the effort is made to create and maintain plans to establish a risk management program, managing change is vital! Document management provides the ability not only to store and retrieve files; it also typically comes with some level of workflow automation and versioning. Automation is important for organizations

18 All rights reserved by CPO – http://www.cpo.com



Version 1.0

that have a small team managing the BCM Program, where versioning is critical to validation of appropriate coverage. After a recovery, contingency or restoration process is complete is too late to determine if you have the latest information available. Then with the legal implications, no business should operate without knowing it is using the latest available.

Figure 19: Document Management Flow

Create PlanDocumentChecklist

Create PlanPDF

Placeholders

SME Interviewsfor Plan & DocumentCreation

Plan / Document

ReviewSchedule

DocumentRepository

Validation

Testing & ValidationProcess

Plan Documents

Age Expiration

Event

Reporting

Report State Of

Readiness

DocumentUpdate

Complete

Recovery Items

Create / Updated Recovery Items

Process

DocumentManagement

System

Planning

Plan Review& Approval

Process

New Plan / Document Creation

DocumentWorkflow

Management

Readiness Plan

Management

8.1.2 Plan Management Reporting Reporting on the ‘State of Readiness’ is crucial to the company’s ability to resist the impact of dealing with emergency or crisis throughout the year. Measurement of readiness is required by ISO Standards to identify maturity level. Management of readiness is dependant on visibility into the ‘State of Readiness’ at the company, site and team levels. Scoreboards provide a quick graphical view of current state. Consolidated Readiness Reports provide the drill down needed to identify critical points of failure or weakness. Plan document management is the key to a successful ‘State of Readiness’. Identification of readiness of the various risks is essential to safeguard the company These snapshots of a site readiness report depict both graphical and textual versions of the data. Remember, ‘Reporting is a requirement of readiness!’



Version 1.0

Figure 20: Sample Reports

19

9 BCM Governance The BCM Model’s ‘Risk Mitigation with Governance’ principle use of the ISACA CoBIT© model for auditing requires an understanding of the “Domains” and there relationship to “Business Goals and Objectives” and how to use “IT Resources” within the “IT Process” illustrated in the CoBIT© framework. These are established to ensure a level of business understanding and identify a qualifying maturity level. The model is fully defined within the published CoBIT© standard, whereas this document will outline the CoBIT© model information needed for the purpose of providing structure and guidance to each BCM audit.

9.1 Audit Types There are many types of audits that can be conducted. The business purpose an audit will define the type used. This section will describe the various types of audits and when each should generally be used. It is important to understand that the selection of the correct audit type for the given set of circumstances is imperative to achieve the desired results. Not every audit type is required nor desired to be conducted, audit type selection is paramount to ensure audit scope and reporting match the requested need. To validate the ‘State of Readiness’ of plans, standard audit principals apply. The ‘Audit Types’ diagram, Figure 21 below, depicts the main types of audits used within industry today. The diagram depicts the audit types as they may be used within a BCM Planning process step for representation of possible use. Each audit type will be defined for the purpose of use within this process with an established frequency of use as represented by (+) for common and (-) for those less commonly used.

19 All Rights reserved by CPO – http://www.cpo.com



Version 1.0

Figure 21: Audit Types

9.1.1 Preparatory Audit (-) A preparatory audit is generally conducted at the beginning of a project such as the identification phase. Figure 21 depicts this as the Initiation of a BCP Plan. This audit will scope the preparation aspects of the targeted project or program and its uses to establish a basis for work scope required to move forward. These audits are usually conducted to identify skills needed to define a project, program, product, concept or idea.

9.1.2 Feasibility Audit (+) A feasibility audit is just what it implies, to identify the possibility of an idea or concept for a project or program. Figure 21 depicts this as the transitory phase from the BCP Initiation to the BCP Assessment. This audit will scope the probability of success of the idea or concept for execution with a cost benefit analysis. This type of audit is usually conducted to identify and create a business case for the purpose of funding a project, program or product.

9.1.3 Due Diligence Audit (-) A due diligence audit is a much broader type of audit and is more frequently conducted to identify work effort assignment clarity. Figure 21 depicts this as the BCP work effort area of the process. This audit will scope the ability for a skill to complete a task within the confines of a project, program, procedure or process. This type of audit is generally used to identify failures of skills within processes and will provide a resulting failure and risk report.

9.1.4 Compliance Audit (+) A compliance audit is the most common of all audit types and is most frequently conducted to identify adherence to standards. Figure 21 depicts this as the entire BCP process. This audit will scope the identified process required by regulatory (government, industry or business) requirements. This type of audit is used to identify process or procedural failures for the purpose of metrics measurement and improvement with a resulting failure measurement, risk identification and



Version 1.0

recommendation for improvement based upon the governing standards. The CoBIT model focuses primarily on this audit type.

9.1.5 Investigative Audit (+) An investigative audit is just as in implies, which is to research a process, procedure, product, operation or function to identify fault or failure points. Figure 21 depicts this as the post delivery analysis area of the BCP process. This audit will scope the area to be investigated with an understanding of broadening as needed by the investigative process which implies a liberal scope for the audit process. This type of audit is used solely when a suspected failure is present and further information is required to clearly identify the fault for reporting and risk assessment.

9.2 Audit Type Usage Within an organization BCM Program the focus of audits will primarily pertain to the Compliance audit type for the purpose of measurement within the ISACA CoBIT© maturity model for IT services delivered. However, the conduct of a Root Cause Analysis (RCA) uses an Investigative audit type as a basis for providing factual results when a service delivery failure occurs. The Feasibility audit type is used for the purpose of developing business cases to improve or develop a process which includes changes in and/or a new; services, products or functions to meet business needs. Preparatory and Due Diligence audit types are not normally conducted within the audit process unless a business need identifies the specific requirements for their conduct.

9.3 Performance Metrics Industry best practices utilize ISACA CoBIT© Governance Performance Metric for most governance activities. Metrics are needed to ensure compliance to plan for determination of the ‘State of Readiness’. The graphic in Figure 22 illustrates the complexities involved with establishing metrics. The appropriate metric is the one that provides the greatest value to the desired objective. An organization will need to identify and determine what those objectives are and then design metrics using the process shown to define the measurement system used.



Version 1.0

Figure 22: CoBIT Performance Metrics

DriveDrive

Drive

Impr

ove

and

real

ign

Mea

sure

ach

ieve

men

t

Mea

sure

Mea

sure

Mea

sure

Mea

sure

20

10 BCM Review Now that we all understand what is Business Continuity Management utilizing the new ISO standards and its importance to the continued operation of business, what does BCM mean to You? 1. Managing a Business Continuity Program is an ‘Organizational responsibility’ 2. Must have a Basis: ‘Risk Analysis, BIA, Risk Cost Modeling’ 3. Plans have owners, owners must accept responsibilities, and it’s a culture! 4. ‘Use the right Tools’ to facilitate the BCM process 5. Reporting is key to providing ‘Value Add’ 6. BCM is ‘Risk Mitigation with Governance’

20 All Rights Reserved by ISACA – http://www.isaca.org



Version 1.0

Appendix A – BCM Definitions The following pages identify the some of terms used within the Business Continuity Industry and are used within this BCM Model. These definitions are derived from several Internet sources:

Disaster Recovery Journal’s Business Continuity Glossary http://www.drj.com/glossary/glossleft.htm

ISACA International body of Governance Standards http://www.isaca.org/ ITIL International body on Service Delivery Standards

http://www.itil.org/en/index.php Disaster Recovery Institute International http://www.drii.org/DRII/ International Standards Organization http://www.iso.org/iso/home.htm American Standards Organization http://www.ansi.org/ Wikipedia http://en.wikipedia.org Object Management Group http://www.omg.org GRC Roundtable http://www.grcroundtable.org And many more …

Definitions: BUSINESS CONTINUITY (BC): The ability of an organization to provide service and support for its customers and to maintain its viability before, during, and after a business continuity event. BUSINESS CONTINUITY MANAGEMENT (BCM): A holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities. This includes the facilitation of recovery, continuity and/or restoration in the event of a disaster and the management of the overall program through training, rehearsals, and reviews, to ensure the plan(s) stay current and up to date.

• This implies that an organization needs to identify and define the potential impacts; create a framework to mitigate and manage risks, within industry standard guidelines, to defend the organization against the potential of loss with the resiliency to quickly recover in the event of a disaster.

• This is accomplished by using industry best practices in creation and execution of a Business Continuity Management Process (BCMP).

• BCM is the entire organization’s responsibility, for each entity within an organization has a stake in the success of the organization as a whole!

BUSINESS CONTINUITY MANAGEMENT PROCESS (BCMP): The Business Continuity Institute’s BCM process (also known as the BC Life Cycle) combines 6 key elements:

1. Understanding Your Business 2. Continuity Strategies 3. Developing a Business Continuity Management Response



Version 1.0

4. Establishing a Continuity Culture 5. Exercising, Rehearsal & Testing 6. Evolving Business Continuity Management Process

• The BCMP implies that an organization needs to define the process under which it will execute the Business Continuity concepts using the 6 key elements above.

BUSINESS CONTINUITY MANAGEMENT TEAM (BCMT): A group of individuals functionally responsible for directing the development and execution of the business continuity plan, as well as responsible for declaring a disaster and providing direction during the recovery process, both pre-disaster and post-disaster. This is a component of the BCMP.

SIMILAR TERMS: Disaster Recovery Management Team, Business Recovery Management Team. Associated Terms: Crisis Management Team, Emergency Management Team. • The BCMT must have a guiding principle to ensure the company is adequately

protected with a vision into the direction the company plans to explore in the near and long term.

• This is accomplished by developing a BCS that encompasses both the company’s current state and future direction.

• The BCMT is chartered with management oversight of the BCMP and all subsequent teams, plans, processes needed to achieve Business Continuity. They have direct responsibility to ensure that the BCS objectives are met within the execution of the BCMP and utilize the BCPA to administer all aspects of the BCMP.

• The BCMT or designee shall be the organizational entity to officially declare an emergency situation that will evoke the execution of the BCP and subsequent respective plans.

BUSINESS CONTINUITY OR DISASTER RECOVERY COORDINATOR (BCC/DRC): A role of the BCM program that coordinates planning and implementation for overall recovery of an organization or unit(s).

SIMILAR ROLES: Business Recovery Coordinator, Business Recovery Planner, Disaster Recovery Planner, and Disaster Recovery Administrator • This implies that an organization needs to identify the local resources that will

physically execute the BCP or DRP. • This is accomplished by designating a primary and alternate resource for each

location for both business operational (BCC) and technological (DRC) functions to participate in the execution of all local and enterprise-wide BC or DR plans.

• The BCC/DRC is responsible for ensuring the local plans are up to date, coordinate the local plans with the BCPA to bring them in sync with the BCP, execute their plans under the management of the BCMT or designee.

• The BCMT should maintain a location by location BCC/DRC list. BUSINESS CONTINUITY PLAN (BCP): A management approved document that provides guidance on the system restoration for emergencies, disasters, mobilization, and for maintaining a ‘State of Readiness’ to provide the necessary



Version 1.0

level responsiveness to business interruptions, outages and disasters. This is a component of the BCMP.

SIMILAR TERMS: Business Resumption Plan, Continuity Plan, Business Continuance Contingency Plan, Disaster Recovery Plan, Recovery Plan. • This implies that an organization must create a plan that includes all aspects of

the BCM for the organization. • The BCP shall include reference to all other BC or DR plans used by the

organization so as to ensure risk is mitigated and contingencies are identified. • This is accomplished by the BCMT directing the BCPA to create a plan that

meets the objectives outlined in the BCSC and meets industry standards for BCM.

• The BCPA is directly responsibility for the creation and execution of the BCP for both actual declared emergencies and for periodic updates and testing.

BUSINESS CONTINUITY PLAN ADMINISTRATOR (BCPA): The designated individual responsible for plan documentation, maintenance, and distribution. This is a component of the BCMP.

• This implies that an organization needs to identify a qualified resource to manage the Business Continuity Plans and Program.

• To accomplish the tasks assigned, this resource should be dedicated full time to the BCPA role to ensure Business Continuity is maintained at all times and to assist in the development of a BC friendly work environment throughout the organization.

• The BCPA is responsible for and has direct management authority of the creation, planned execution and adherence to, the BCMP. The BCPA sits on the BCMT and BCSC panel and participates in the creation of the BCS.

• The BCPA may also participate in the development of Continuity of Operations Plan (COOP) for the normal operation of business to ensure synergy between normal and emergency operational conditions.

• The BCPA should periodically report on the BC readiness of the organization. BUSINESS CONTINUITY PLANNING (BCP): Process of developing and documenting arrangements and procedures that enable an organization to respond to an event that lasts for an unacceptable period of time and return to performing its Business Critical Functions and/or supporting System (BCFS) after an interruption.

SIMILAR TERMS: Business Resumption Plan, Continuity Plan, Business Continuance Contingency Plan, Disaster Recovery Plan, Recovery Plan. • This implies that an organization needs to identify the needs of the business to

support its continued operations in the event of a crisis that impedes its ability to provide normal services to its customers.

• Business Continuity is accomplished through an organizational structure called the Business Continuity Management Team (BCMT) that uses a process called the Business Continuity Management Process (BCMP) to appropriately and swiftly react to most anticipated and unanticipated disruptions of that service.

BUSINESS CONTINUITY STEERING COMMITTEE (BCSC): A committee of decision makers, process owners, technology experts and continuity professionals



Version 1.0

that are tasked with making strategic recovery and continuity planning decisions for the organization. This is a component of the BCMP.

• This implies that an organization needs to identify the resources that should participate on the BCSC that will adequately provide coverage for all BCFS, Corporate Vision and Future Direction Planning.

• The selection and designation of resources to the BCSC is accomplished by the BCMT and must be approved and supported by the Senior Executive Management Team.

• The BCSC is chartered with strategic oversight of the Business Continuity Strategy (BCS), Business Continuity Management Process (BCMP), Business Continuity Plan (BCP), Disaster Recovery Plan (DRP), Executive / Management Succession Plan (EMSP), Continuity of Operations Plan (COOP), along with all subsequent supporting processes needed to protect the company from operational risks that results in financial loss or direct exposure to catastrophic fiduciary failure.

BUSINESS CONTINUITY STRATEGY (BCS): An approach by an organization that will ensure its recovery and continuity in the face of a disaster or other major outage. Plans and methodologies are determined by the organization’s strategy. There may be more than one solution to fulfill an organization’s strategy. This is a component of the BCMP.

EXAMPLES: Internal or external hot-site, or cold-site, Alternate Work Area reciprocal agreement, Mobile Recovery, Quick Ship / Drop Ship, Consortium-based solutions, etc. • This implies that the BCMT must identify the most common natural and man-

made impacts to business first so as to plan for the lowest level impact to the major impact events.

• In order to accomplish this task, the BCSC employs the BCMT to list the types of Crisis and/or Disasters that would impact the company’s ability to operate. These are usually identified along with the identification of the Business Critical Functions and/or supporting Systems (Mission Critical Activities and Supporting Systems).

• Together the BIA will identify the Business Critical Functions and/or supporting Systems (BCFS) and the BCT will identify the plausible impacts and probability of each identified scenario.

• The BCS is defined and approved by the BCSC and executed using the BCMP. BUSINESS CONTINUITY TEAM (BCT): Designated individuals responsible for developing, executing, rehearsing, and maintaining the business continuity plan, including the processes and procedures. This is a component of the BCMP.

SIMILAR TERMS: Disaster Recovery Team, Business Recovery Team, and Recovery Team. Associated Term: Crisis Response Team, Emergency Management Team. • This implies the BCMP requires the BCMT to designate individuals from the

various departments, organizations and teams to participate not only in the Business Impact Analysis (BIA) but in the entire BCMP.

• Representatives of the BCT should be those individuals who are directly involved with or support the Business Critical Functions and/or supporting Systems



Version 1.0

(BCFS) with a sufficient cross-section of resources and alternate designees to participate in the recovery of each function listed.

• If the BCFS are performed at multiple locations, designated representatives from each location should also be included in the BCT. The BCT is utilized by the BCC/DRC during the execution of BC/DR plans for the specific functions required to recover or restore BCFS.

• The BCMT should maintain a location by location, function by function BCT list. BUSINESS CRITICAL FUNCTIONS / SYSTEM (BCFS): The critical operational and/or business support functions that can not be interrupted or unavailable for less than a mandated or predetermined timeframe without significantly jeopardizing the organization. An example of a business function is a logical grouping of processes/activities that produce a product and/or service such as Accounting, Staffing, Customer Service, etc.

• This could pertain to assets described as an item of property and/or component of a business activity/process owned by an organization. There are three types of assets: physical assets (e.g. buildings and equipment); financial assets (e.g. currency, bank deposits and shares) and non-tangible assets (e.g. goodwill, reputation)

• Functions or systems that are used to determine the trade marked identity of an organization within their respective industry, nationally or globally may be considered a Business Critical Functions and/or supporting Systems (BCSF)

• The critical operational and/or business support activities (either provided internally or outsourced) required by the organization to achieve its objective's i.e. services and/or products. Such as applications that support business activities or processes that could not be interrupted or unavailable for 24 hours or less without significantly jeopardizing the organization

SIMILAR TERMS: Mission Critical; Mission Critical Activities/Applications; Critical Systems

BUSINESS IMPACT ANALYSIS (BIA): A process designed to prioritize Business Critical Functions and/or supporting Systems (BCFS) by assessing the potential quantitative (financial) and qualitative (non-financial) impact that might result if an organization was to experience a business continuity event. This is a component of the BCMP.

• This implies that an organization should first have a BIA conducted with an external firm specializing in this concept to identify the Business Critical Functions and/or supporting Systems (aka Mission Critical Activities and Supporting Systems) and include a detailed risk assessment to quantify the BIA findings.

• The BIA should be a coordinated effort with the BCMT and BCT to provide a current analysis of business impact.

• The resulting BIA should be used by the BCMT to create and document the BCS for the company.

• The BCS will need to be approved by the BCSC and implemented using the BCMP.



Version 1.0

BUSINESS INTERRUPTION: Any event, whether anticipated (i.e., public service strike) or unanticipated (i.e., blackout) which disrupts the normal course of business operations at an organization’s location.

SIMILAR TERMS: Outage, Service Interruption. Associated Terms: Business Interruption Costs, Business Interruption Insurance.

BUSINESS INTERRUPTION COSTS: The impact to the business caused by different types of outages, normally measured by revenue lost.

Associated Terms: Business Interruption, Business Interruption Insurance. BUSINESS INTERRUPTION INSURANCE: Insurance coverage for disaster related expenses that may be incurred until operations are fully recovered after a disaster. Business interruption insurance generally provides reimbursement for necessary ongoing expenses during this shutdown, plus loss of net profits that would have been earned during the period of interruption, within the limits of the policy.

Associated Terms: Business Interruption, Business Interruption Costs. CONTINUITY OF OPERATIONS PLAN (COOP): A COOP provides guidance on the system ‘State of Readiness’ to provide the necessary level of information processing support commensurate with the mission requirements/priorities identified by the respective functional proponent. The Federal Government and its supporting agencies traditionally use this term to describe activities otherwise known as Disaster Recovery, Business Continuity, Business Resumption, or Business Continuance Contingency Planning (BCCP).

• For the purpose of brevity, COOP will be defined herein as the normal business operational plan used to handle every day issues of supporting the business.

• This implies that an organization needs to identify the Standard Operating Procedures (SOP) used for daily activities in the support of normal business functions.

• The SOP’s should be detailed processes governing such functions as Issue Management, Change Management, System Management Administration, Procurement Management, Resource Management, Corporate Policies and Corporate Communications.

DISASTER: A sudden, unplanned calamitous event causing great damage or loss as defined or determined by a Risk Assessment and Quantified by a Business Impact Analysis (BIA);

1) Any event that creates an inability on an organization’s part to provide Business Critical Functions and/or supporting Systems (BCFS) for some predetermined period of time.

2) In the business environment, any event that creates an inability on an organization’s part to provide their critical function for some predetermined period of time.

3) The period when a company’s or organization’s management decides to divert from normal production responses and exercises its Business Continuity Plan’s (BCP) Disaster Recovery Plans (DRP) and/or Business



Version 1.0

Continuance Contingency Plans (BCCP). Typically signifies the beginning of a move from a primary to an alternate location. SIMILAR TERMS: Business Interruption; Outage; Catastrophe

DISASTER RECOVERY (DR): Activities and programs designed to return the entity to an acceptable condition. The ability of an organization to respond to an interruption in services by implementing a disaster recovery plan which will restore an organization's Business Critical Functions and/or supporting Systems (BCFS). DISASTER RECOVERY PLAN (DRP): The management approved document that defines the resources, actions, tasks and data required to manage the technology recovery effort. Usually refers to the technology recovery effort. This is a component of the BCMP.

SIMILAR TERMS: Business Continuity Plan, Recovery Plan, Business Resumption Plan, Business Continuance Contingency Plan. • This implies that an organization needs to identify the means by which it will

recover from a failure of technology due to expected or unexpected means. • This is accomplished by documenting the various technology systems and

components, planning how to swiftly restore each and resources needed to facilitate the restoration activities.

• The technology department managers over each area of functionality are responsible for documenting, planning, supporting and providing skilled resources to ensure the normal operation and survivability of the technology under their control.

• The plan should include reference to the external documents maintained as part of the Standard Operating Procedures (SOP) of the technology and call for the transfer of this information to this plan in the event of its execution.

DISASTER RECOVERY PLANNING (DRP): The technological aspect of business continuity planning. The advance planning and preparation that is necessary to minimize loss and ensure continuity of the Business Critical Functions and/or supporting Systems (BCFS) of an organization in the event of disaster.

SIMILAR TERMS: Business Continuance Contingency Plan; Business Resumption Planning; Corporate Contingency Planning; Business Interruption Planning; Disaster Preparedness. • This implies that an organization not only needs to provide Business Continuity,

but that it needs to have the ability to recover from impeding situations rapidly to mitigate business risk.

• Disaster Recovery is primarily a technological function to restore business capability that is accomplished using the Disaster Recovery Plan (DRP) identified within the Business Continuity Plan (BCP) derived by the Business Continuity Plan Administrator (BCPA) under the direction of the Business Continuity Management Team (BCMT).

EMERGENCY MANAGEMENT TEAM (EMT): A group of managers functionally responsible for execution of the business continuity plan, as well as responsible for



Version 1.0

declaring a disaster and providing direction during the recovery process, both pre-disaster and post-disaster.

SIMILAR TERMS: Disaster Recovery Management Team, Business Recovery Management Team. Associated Terms: Crisis Management Team, Executive Emergency Management Team. • The EMT is a line manager that declares and directs the execution of the BCM. • The EMT is chartered with management oversight of the EOC, BCC & DRC and

all subsequent teams, plans, processes needed to achieve Business Continuity. They have direct responsibility to ensure that the BCMT objectives are met within the execution of the BCM Process and utilize the Emergency Command Center (EOC) to administer execution aspects of the BCM.

• BCM Process is accomplished through the utilization of the EOC and organizational level management plans.

• The EMT shall be a group of seasoned managers that are on a rotational on-call basis.

EXECUTIVE / MANAGEMENT SUCCESSION PLAN (MSP): A predetermined plan for ensuring the continuity of authority, decision-making, and communication in the event that key members of executive management unexpectedly become incapacitated. This is a component of the BCMP.

• This implies that an organization needs to identify a succession plan for all levels of management. Executive Management succession is considered critical to the operation of the business and must be planned in advance.

• To accomplish this, the Executive Managers shall identify alternate designees for themselves and their direct reports. This type of information is considered company secret and should not be made public inside or outside the company without the CEO or Presidents prior approval and only provided to internal resources on a “Need to Know” basis.

• This plan should only be openly executed in the direst situations or internally if designated resources are unavailable at the time of the declared emergency.

• This plan should contain the organizational structure and the list the management alternate designees.

INTERNAL CONTROLS (IC): COSO defines internal control as a process, affected by an entity’s board of directors, management and other personnel. This process is designed to provide reasonable assurance regarding the achievement of objectives in effectiveness and efficiency of operations, reliability of financial reporting, and compliance with applicable laws and regulations.

1. Internal control is a process. It is a means to an end, not an end in itself. 2. Internal control is not merely documented by policy manuals and forms. Rather, it is

put in by people at every level of an organization. 3. Internal control can provide only reasonable assurance, not absolute assurance, to

an entity’s management and board. 4. Internal control is geared to the achievement of objectives in one or more separate

but overlapping categories. Similar Terms: IT Controls, Audit Controls, Business Controls, Operational Controls, ICS all refer to a type of control used to provide a quantifiable measurement that



Version 1.0

represents the level of success in achieving a stated objective. http://en.wikipedia.org/wiki/Internal_control

OUTAGE: The interruption of automated processing systems, infrastructure, support services, or essential business operations, which may result, in the organizations inability to provide services for some period of time.

SIMILAR TERMS: Outage, Service Interruption. PLAN DO CHECK ACTION (PDCA): An adaptation of the Deming wheel. While the Deming wheel stresses the need for constant interaction among research, design, production, and sales, the PDCA Cycle asserts that every managerial action can be improved by careful application of the sequence: plan, do, check, action. Later in Deming's career, he modified PDCA to "Plan, Do, Study, Act" (PDSA) so as to better describe his recommendations. In Six Sigma programs, the PDSA cycle is called "Define, Measure, Analyze, Improve, Control" (DMAIC). The iterative nature of the cycle must be explicitly added to the DMAIC procedure.

Similar Terms: The Deming Cycle or Wheel is the concept of continuously rotating wheel used by W. E. Deming to emphasize the necessity of constant interaction among research, design, production, and sales so as to arrive at an improved quality that satisfies customers.

PROGRAM MANAGEMENT (PM): Is the process of managing multiple ongoing inter-dependent projects. Program Management also reflects the emphasis on coordinating and prioritizing resources across projects, departments, and entities to ensure that resource contention is managed from a global focus. Program management provides a layer above project management focusing on selecting the best group of programs, defining them in terms of their constituent projects and providing an infrastructure where projects can be run successfully but leaving project management to the project management community. Key factors in program management:

• Governance: The structure, process, and procedure to control operations and changes to performance objectives.

• Standards: Define the performance architecture. • Alignment: The program must support higher level vision, goals and objectives. • Assurance: Verify and validate the program, ensuring adherence to standards

and alignment with the vision. • Management: Ensure there are regular reviews, there is accountability, and that

management of projects, stakeholders and suppliers is in place. • Integration: Optimize performance across the program value chain, functionally

and technically. • Finances: Tracking of finances is an important part of Program management and

basic costs together with wider costs of administering the program are all tracked.

• Infrastructure: Allocation of resources influences the cost and success of the program. Infrastructure might cover offices, version control, and IT.

• Planning: Develop the plan bringing together the information on projects, resources, timescales, monitoring and control.



Version 1.0

• Improvement: Continuously assess performance; research and develop new capabilities; and systemically apply learning and knowledge to the program.

RISK MANAGEMENT (RM): Risk management is a structured approach to managing uncertainty related to a threat, a sequence of human activities including: risk assessment, strategies development to manage it, and mitigation of risk using managerial resources.

• The strategies include transferring the risk to another party, avoiding the risk, reducing the negative effect of the risk, and accepting some or all of the consequences of a particular risk.

• Risk management is simply a practice of systematically selecting cost effective approaches for minimizing the effect of threat realization to the organization. All risks can never be fully avoided or mitigated simply because of financial and practical limitations. Therefore all organizations have to accept some level of residual risks.

• The objective of risk management is to reduce different risks related to a pre-selected domain to the level accepted by society. It may refer to numerous types of threats caused by environment, technology, humans, organizations and politics. Intangible risk management identifies a new type of risk - a risk that has a 100% probability of occurring but is ignored by the organization due to a lack of identification ability.

EXAMPLES: When deficient knowledge is applied to a situation, a knowledge risk materializes. Relationship risk appears when ineffective collaboration occurs. Process-engagement risk may be an issue when ineffective operational procedures are applied. These risks directly reduce the productivity of knowledge workers, decrease cost effectiveness, profitability, service, quality, reputation, brand value, and earnings quality. Intangible risk management allows risk management to create immediate value from the identification and reduction of risks that reduce productivity. • Common Risk Treatments include:

Avoidance (eliminate) Reduction (mitigate) Transference (outsource or insure) Retention (accept and budget)

Similar Terms: Enterprise Risk Management (ERM), Financial Risk Management (FRM), Intangible Risk Management (IRM), Operational Risk Management (ORM), Associated Risk, Acceptable Risk, Indirect Risk.



Version 1.0

Intentionally Left Blank