Upload
sb
View
220
Download
0
Embed Size (px)
Citation preview
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
1/58
~ White Paper ~The New BusinessContinuity Model
Written by: Dan WilderCBRA, Six Sigma Green Belt
Published on: October 6th, 2008
Version 1.0
Document Classification: Public Domain
Dan Wilder publishes this document for the use of Public Domain. It contains public information, ideas and concepts and is free to distribute and usewithout restriction except noted herein. All reference material shown herein is depicted for the sole purpose of illustrating the subject of this whitepaper
and shall remain the property of is listed owner and shall not be reproduced without written consent. Author does not warrant nor make claims that this information is in any way warranted. Use of this material is at the users own risk.
2008 Dan Wilder, All Rights Released.
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
2/58
White Paper
The New Business Continuity Model
Public Domain Page 2 of 58 Modified: August 26, 2008
Version 1.0
Table of Contents
1 Introduction......................................................................................................... 6
2
The Big Question … Why? ................................................................................. 6
3 The Standards ....................................................................................................7 3.1
ISO 20000 Family – Service Delivery......................................................................7
3.1.1 What is ISO / IEC 20000...................................................................................................9
3.2
ISO 27000 Family – Business Continuity ..............................................................10
3.2.1 What is ISO / IEC 27000.................................................................................................10
3.3
It’s not just a regulatory requirement any more…..................................................12
3.3.1 COSO .............................................................................................................................12 3.3.2
Governance Risk & Compliance (GRC) .........................................................................13
4 The Business Continuity Paradigm................................................................... 15 4.1 What is BCM? .......................................................................................................15
4.1.1 Building Blocks................................................................................................................16
4.1.2
BCM Organizational Ownership ..................................................................................... 18
4.1.3
BCM Strategy.................................................................................................................. 18
4.1.4
BCM and Risk Management...........................................................................................18
4.2 Why BCM? ............................................................................................................19 4.2.1 Strategic Value................................................................................................................19 4.2.2 Sustainability and Resiliency ..........................................................................................19
5 The BCM Model ................................................................................................19 5.1
Business Continuity Management Components ...................................................20
5.2
Where to Start .......................................................................................................20
5.2.1 Business Continuity Planning .........................................................................................21 5.2.2 Establishment of the Business Continuity Management Team ......................................21 5.2.3 Establishment of a Business Continuity Steering Committee.........................................22 5.2.4 Defining the Policy ..........................................................................................................22
5.2.5
Defining Management Components ...............................................................................23 5.3
Conducting the BIA ...............................................................................................24
5.3.1 BIA - Identifying Critical Needs … ..................................................................................24 5.3.2
BIA - Business Critical Functions / Systems...................................................................24
5.3.3 BIA - Outage Impact Analysis.........................................................................................25
5.4 Risk Assessment...................................................................................................26 5.5
Risk Mitigation .......................................................................................................26
5.5.1
Risk Mitigation – Crisis Points Defined...........................................................................27
5.5.2 Importance of Defining Risk Points.................................................................................28 5.5.3 Risk Cost Modeling .........................................................................................................28 5.5.4 Mitigating Risks...............................................................................................................29
6 Business Continuity Plan Creation.................................................................... 30 6.1 Creating the Business Continuity Plan ..................................................................30
6.2
BCM Process Components ...................................................................................30
6.2.1
BCM Master Plan............................................................................................................31
6.2.2
BCM Communications Plan............................................................................................32
6.2.3 BCM Common Processes Plan ......................................................................................32 6.2.4 BCP Site Plans ...............................................................................................................32 6.2.5 BCP Sub-Plans...............................................................................................................33 6.2.6 BCP Contingency Plans.................................................................................................. 33 6.2.7 Validating the BCP..........................................................................................................33 6.2.8
BCM Program - Document Flow.....................................................................................34
6.2.9
Business Continuity Planning – Recap...........................................................................35
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
3/58
White Paper
The New Business Continuity Model
Public Domain Page 3 of 58 Modified: August 26, 2008
Version 1.0
7 Business Continuity Plan Execution ................................................................. 36 7.1 BCP Execution – Team Leadership Tree..............................................................36
7.1.1 EMT Team Component...................................................................................................37 7.1.2 EOC Team Component ..................................................................................................37 7.1.3
BCC/DRC Team Component..........................................................................................38
7.1.4
BCT Component .............................................................................................................38
7.2 Plan Elements .......................................................................................................38 7.2.1
Main Points of Coverage ................................................................................................39
7.3 BCM Execution Process........................................................................................40 7.4
BCP Execution – Recap........................................................................................41
8 BCM Plan Management & Reporting................................................................ 41 8.1
Plan Management .................................................................................................42
8.1.1
Document Management .................................................................................................42
8.1.2
Plan Management Reporting ..........................................................................................43
9 BCM Governance ............................................................................................. 44 9.1
Audit Types ...........................................................................................................44
9.1.1
Preparatory Audit(-)
......................................................................................................... 45 9.1.2 Feasibility Audit
(+)........................................................................................................... 45
9.1.3 Due Diligence Audit(-)
.....................................................................................................45 9.1.4 Compliance Audit
(+)........................................................................................................ 45
9.1.5 Investigative Audit(+)
....................................................................................................... 46
9.2
Audit Type Usage..................................................................................................46
9.3 Performance Metrics .............................................................................................46
10 BCM Review .................................................................................................47
Figures and Tables
Figure 1: ITIL v2 Service Continuity Management ..................................................... 8
Figure 2: ITIL v3 Model..............................................................................................9
Figure 3: Business Continuity Management Life-cycle model (source BS25999-1:2006)..................................................................................................................... 11 Figure 4: ITIL CoBIT Coverage................................................................................ 12 Figure 5: GRC Automating Compliance...................................................................14 Figure 6: GRC Bi-Directional Compliance Mapping................................................. 14 Figure 7: GRC Complex Relationship Mapping ....................................................... 15 Figure 8: BCM Components .................................................................................... 20 Figure 9: BCM Organization .................................................................................... 22 Figure 10: BCM Components .................................................................................. 23 Figure 11: Disaster Recovery Timeline.................................................................... 27
Figure 12: Risk Cost Model Trending Example........................................................ 29
Figure 13: BCM Process Components..................................................................... 31 Figure 14: BCM Document Flow Diagram ............................................................... 35 Figure 15: BCM Team Leadership Components...................................................... 37 Figure 16: BCP in Action.......................................................................................... 40 Figure 17: BCM Process Flow ................................................................................. 41 Figure 18: Plan Management................................................................................... 42 Figure 19: Document Management Flow................................................................. 43 Figure 20: Sample Reports ...................................................................................... 44
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
4/58
White Paper
The New Business Continuity Model
Public Domain Page 4 of 58 Modified: August 26, 2008
Version 1.0
Figure 21: Audit Types............................................................................................. 45 Figure 22: CoBIT Performance Metrics.................................................................... 47
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
5/58
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
6/58
White Paper
The New Business Continuity Model
Public Domain Page 6 of 58 Modified: August 26, 2008
Version 1.0
1 Introduction As we all know, everything evolves over time; the way we do business, services
provided and the urgency of delivery. When Katrina hit the Gulf Coast, not manycompanies were prepared for what would come after the hurricane. Many simplyboarded up the windows and hoped for the best. Others evacuated with theirpersonal possessions and many with just the clothes on their backs. The purposebehind this whitepaper is to explore what companies should be doing to protectthemselves in today’s market and environment.
An article referenced on this topic written by David Honour, editor, Continuity Centralback in March of 2003 reflects how long this dilemma has been exposed(http://www.continuitycentral.com/feature003.htm ). Even Homeland Security &FEMA published guidance to help companies identify the bare essentials needed to
survive (http://www.ready.gov/business/plan/planning.html )(http://www.fema.gov/business/bc.shtm ). Many companies are subjected togovernment regulations to ensure some level of protection is in place for thefinancial numbers reported. Others require more stringent guidelines to protectstockholders and the public alike.
The business community has raised the topic to the point where the InternationalStandards Organization launched a call for change in 2002 and has subsequentlybeen working on a set of new standards since. The latest ISO reference on thistopic is ISO/PAS 22399:2007 which provides general guidance for an organization(private, governmental, and non-governmental) to develop its own specific
performance criteria for incident preparedness and operational continuity, and todesign an appropriate management system.
The concepts and theories depicted herein have been independently presented to awide cross-section of industry experts with great acceptance. This whitepaper is thecompilation of these concepts into a single model to address the ever pressing issueof facilitating a functional Business Continuity program. Within this whitepaper wewill explore what it takes to enable companies of all industries to become resistant tocatastrophic events as well as improve the operability of normal services. Theconcepts depicted herein are derived from a formulation of several years’ researchof business and industry best practices along with the very latest industry and
international standards1. Thus the Paradigm shift begins…
2 The Big Question … Why? As the economy moves faster and faster to a global economy, it is imperative thatorganizations big and small take note of how they protect themselves from a variety
1 Disclaimer : This document is not intended to be all inclusive for all the standards or best practices listed. To further understand each standard
or best practice you are encouraged to research them separately. Additionally, businesses, companies and organizations are usedsynonymously where they all refer to the primary entity being safeguarded.
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
7/58
White Paper
The New Business Continuity Model
Public Domain Page 7 of 58 Modified: August 26, 2008
Version 1.0
of disasters, which will enable them to not only grow but become sustainable. Theimportance of sustainability as a provider of goods and services has reached thisglobal market place as a key factor in the selection process of these goods and
services. The overriding requirements by governments and businesses alike are toensure that the supply chain can be maintained!
The approach presented herein has been designed by a team of engineers topreserve the revenue stream through stabilization of the services provided. Thisstabilization has reduced risk and improved sustainability for its customers, whichhas been driven by the market place and governing requirements. This approachdiffers from the traditional examples provided from companies representing softwaresolutions within the Governance, Risk Compliance (GRC2) market segment throughan ingrained operational framework of processes with metrics similar to what theCommittee of Sponsoring Organizations of the Treadway Commission (COSO3)
framework represents.
Because most companies maintain global operations, the approach is driven andmanaged to the international body of standards along with local, regional, industry,and governmentally imposed requirements. These standards are currently evolvingfrom a collection of many individual standards to several families of standards similarto what the ISO 9000 family achieved for Quality Management.
3 The StandardsNow that we’ve introduced the reasons for this whitepaper, let’s discuss thestandards that pertain to this topic. Several factors need to be understood. First is;
the International Standards Organization4 has recognized the need for businesses touse standards for normal operations that will prepare them for the global economy(ISO/PAS 22399:2007). The International Standards that are currently underdevelopment are the ISO 20000 family of standards that incorporate the ITIL© methods for the Service Delivery models companies may need to use. There is alsothe ISO 27000 family of standards that are incorporating the ISACA CoBIT© methods for all companies to use to incorporate measurements of stability. Thesenew standards are referred to as ‘Business Resiliency’ which is described as theability for a business to resist known and unknown crisis.
3.1 ISO 20000 Family – Service Delivery
The ISO 20000 family of standards are developed around the ITIL5 (InformationTechnology Infrastructure Library) methods(http://www.itil.org/de/isoiec20000/index.php ) also known as the ‘IT ServiceManagement Standard’.
2 All rights reserved by Open Compliance & Ethics Group (OCEG) – http://www.oceg.org
3 All rights reserved by Commission of Sponsoring Organizations of the Treadway Commission (COSO) – http://www.coso.org
4 All rights reserved by International Standards Organization (ISO) - http://www.iso.org/iso/home.htm
5 All rights reserved by IT Infrastructure Library (ITIL) Organization - http://www.itil.org/en/ & http://www.itil-officialsite.com/home/home.asp
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
8/58
White Paper
The New Business Continuity Model
Public Domain Page 8 of 58 Modified: August 26, 2008
Version 1.0
• The ITIL-ISO 20000 model depicted in Figure 1 below defines IT ServiceContinuity Management levels to ensure management controls andprocesses are in place to meet the service requirements.
Figure 1: ITIL v2 Service Continuity Management
6
• However the ITIL model has been replaced with the new ITIL v3.
•
A new generation of the ITIL, ‘ITIL V3’, has recently been published. Thisnew version represents an important evolutionary step in ITIL’s life. ‘ITILRefresh’ as it is referred, has transformed the guidance from providing agreat service to being the most innovative and best in class. At the sametime, the interface between old and new approaches is seamless so thatusers do not have to reinvent the wheel when adopting it.
• V3 allows users to build on the successes of V2 but take IT servicemanagement even further. In general, V3 makes the link between ITIL’sbest practice and business benefits both clearer and stronger. The maindevelopment is that V3 guidance takes a lifecycle approach (Figure 2), asopposed to organizing according to IT delivery sectors.
ITIL is now based on five core lifecycle titles:1. Service Strategy2. Service Design3. Service Transition4. Service Operation5. Continual Service Improvement
6 All rights reserved by IT Infrastructure Library (ITIL) Organization - http://www.itil.org/en/ & http://www.itil-officialsite.com/home/home.asp
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
9/58
White Paper
The New Business Continuity Model
Public Domain Page 9 of 58 Modified: August 26, 2008
Version 1.0
Figure 2: ITIL v3 Model
7
3.1.1 What is ISO / IEC 20000
• As stated on ITIL.ORG, this standard is derived from the British Standard 15000and is a common reference for all companies, regardless of business sector, size
or type.• The standard is designed to provide IT services for both internal and external
customers as a basis of common terminology with an integrated approach for theprocesses used to provide these services.
• It is closely aligned with industry best practices recommended for ServiceSupport and Delivery.
• In addition to Industry standards, the ISO standard provides clear specificationsand information as to how an organization must align itself to internationallyaccepted certifications and processes.
• These processes provide the management controls necessary to provide theservice capability in standard measure across all government and industrysectors.
• This unification of measurement of service delivery and support controls enablesservice users to evaluate the service value to organizational standards withconfidence.
• This standard is defined in using these process areas:
• Management System
• PISM Planning and Implement
• Planning and Implementation
7 All rights reserved by IT Infrastructure Library (ITIL) Organization - http://www.itil.org/en/ & http://www.itil-officialsite.com/home/home.asp
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
10/58
White Paper
The New Business Continuity Model
Public Domain Page 10 of 58 Modified: August 26, 2008
Version 1.0
• Relationship Processes
• Service Delivery Processes
• Resolution Processes
•
Control Processes• Release Processes
3.2 ISO 27000 Family – Business Continuity
The ISO 27000 family of standards is still in the development process. This family ofstandards is defined as the ‘Business Continuity’ standard. Within the ISO 27000family, certain existing standards have been enumerated in to this new family.
3.2.1 What is ISO / IEC 27000
Currently the ISO 17799 Information Security standard and certification process hasbeen established as ISO 27002 and ISO 27001 respectively. Some of the additional
elements that will be covered in this standard are listed as:Subcommittee /Working Group
Title
JTC 1/SC 27/WG 1Information security management systems - The convener can bereached through: BSI
JTC 1/SC 27/WG 2Cryptography and security mechanisms - The convener can be reachedthrough: JISC
JTC 1/SC 27/WG 3 Security evaluation criteria - The convener can be reached through: SIS
JTC 1/SC 27/WG 4Security controls and services - The convener can be reached through:SPRING SG
JTC 1/SC 27/WG 5Identity management and privacy technologies - The convener can bereached through: DIN
As with the ISO 20000 family, British Standard ‘BS259998
Business ContinuityManagement’ is the foundation for this family of standards. With this standard,ISACA Governance methodology found in CoBIT9 is being incorporated to providethe management controls and measurements to establish common processes,structures and terminology.The recent release of the British Standard BS25999-1:200610 has provided the globalbody of standards a preview of what the ISO standard will represent.
• BS 25999-1:2006 is a code of practice that takes the form of guidance andrecommendations. It establishes the process, principles and terminologyof Business Continuity Management (BCM), providing a basis forunderstanding, developing and implementing business continuity within anorganization and to provide confidence in business-to-business and
business-to-customer dealings.• In addition, it provides a comprehensive set of controls based on BCM
best practice and covers the entire BCM lifecycle (see Figure 3)
• BS 25999 is published in two parts:
8 The British Standard incorporates several existing standards as illustrated at http://www.pas56.com/ . The blending of British Standards as
depicted at http://pas56.standardsdirect.org/ represent what the ISO Development committee has defined as the defined goal of ISO 27000which is outlined in ISO/PAS 22399:2007.9 CoBIT is a registered trademark of ISACA methodology and can be found at http://www.isaca.org/
10 BS25999-1:2006 can be found at http://www.bsi-global.com/en/Shop/Publication-Detail/?pid=000000000030157563
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
11/58
White Paper
The New Business Continuity Model
Public Domain Page 11 of 58 Modified: August 26, 2008
Version 1.0
• BS 25999-1 • Business Continuity Management – Part 1: Code of practice.This document takes the form of good practice guidance andrecommendations, indicating what practices an organization should or may
undertake to implement effective BCM. Organizations may choose to followall or part of the Code of practice. The Code can be used for self-assessmentor between organizations. The Code is not a specification for BCM.
• BS 25999-2 • Business Continuity Management – Part 2: Specification. Thisdocument sets out specifically what an organization shall do to implementBCM. It is for use by internal and external parties, including certificationbodies, to assess the organization’s ability to meet regulatory and customerrequirements as well as the organization’s own requirements. BS 25999-2contains only those requirements that can be objectively audited and ademonstration of successful implementation can therefore be used by anorganization to assure interested parties that an appropriate businesscontinuity management system (BCMS) is in place.
•
Initial work by practitioners in 1999 resulted in a widely acceptedrepresentation of the BCM life cycle. With the publication of BS 25999-1 in2006, a new illustration of the BCM life cycle was introduced
NOTE: A free demo of BS 25999 online is available – go to www.bsi-global.com/bs25999online
Figure 3: Business Continuity Management Life-cycle model (source BS25999-1:2006)
11
11 All Rights Reserved British Standards Institute (BSI) - http://www.bsi-global.com/en/
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
12/58
White Paper
The New Business Continuity Model
Public Domain Page 12 of 58 Modified: August 26, 2008
Version 1.0
3.3 It’s not just a regulatory requirement any more…
The primary driver for these standards is to establish a global compatibility alongwith the ability to measure the maturity of organizations to these standards. The
implication of governance aligning with service delivery shown in Figure 4 exampleclarifies the use of multiple standards to achieve the objective of adherence andcompliance. The BCM Model will discuss the organizational structure and processesestablished by new industry standards to meet the objectives of maintaining andmanaging a Business Continuity Management Program.
Figure 4: ITIL CoBIT Coverage
12
3.3.1 COSO
Under the COSO Framework the definition, creation and use of Internal Controls (IC)to successfully meet objectives is paramount to the overall success of theorganization. This is where objective setting is a precondition to the internal control.Through objective setting an organization’s management can identify risksassociated with the achievement of the desired objective. Each risk must be rankedon its impact and probability to set the correct control parameters.
In mitigation of these risks, internal controls are designed and implemented toeffectively mitigate the associated risk through the ongoing success measurementprocess. This allows the organization to adjust as needed to meet the objectivethrough continual measurement which will improve the quality of the defined process.Generally COSO Internal Controls fit well within the ITIL and CoBIT frameworks, asshown in Figure 4 above, to provide the measurement of operational supportprocesses but the COSO framework is primarily used for the safeguarding of
12 All rights reserved by IT Infrastructure Library (ITIL) Organization - http://www.itil.org/en/ & http://www.itil-officialsite.com/home/home.asp
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
13/58
White Paper
The New Business Continuity Model
Public Domain Page 13 of 58 Modified: August 26, 2008
Version 1.0
financial processes within an organization that sustain the executive level fiduciaryand regulatory responsibilities.
3.3.2 Governance Risk & Compliance (GRC)Numerous groups and entities have launched similar programs to address elementsof what the BCM embraces. This includes an industry segment defined as GRCfrom two different groups.
3.3.2.1 Open Compliance & Ethics Group (OCEG)
This group set out to establish a CoBIT© like framework that includes domains thatbridge numerous functions and processes. The OCEG Framework or CapabilityModel utilizes a Universal System Outcomes concept.
• Universal System Outcomes are the expected and measurable results of a high-performing GRC system defined in these process segments. Inform & Integrate
Detect & Discern Organize & Oversee Assess & Align Monitor & Measure Prevent & Promote Respond & Resolve
• Utilizing 8 Integrated Components with 8 Universal Outcomes Enhance Organizational Culture Increase Stakeholder Confidence Prepare & Protect the Organization Prevent, Detect & Reduce Adversity Motivate & Inspire Desired Conduct
Improve Responsiveness & Efficiency Optimize Economic & Social Value Achieve Business Objectives
• Each with its own Elements Each Element embodies a number of related Practices in a high-performing
GRC system. Each Element includes a discussion of Principles and CommonSources of Failure, as well as the Practices that support success.
3.3.2.2 Object Management Group GRC Round Table (GRC-RT)
This group understands the utilization of similar compliance requirements andestablishes a process for utilization, first by capturing the regulatory requirements.
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
14/58
White Paper
The New Business Continuity Model
Public Domain Page 14 of 58 Modified: August 26, 2008
Version 1.0
Figure 5: GRC Automating Compliance
GRC-RT Diagram 13
Then by creating mappings between each compliance requirement element througha pertinent industry framework object to an identified internal control. Most of thesewill be bi-directional mappings with data flowing in both directions.
Figure 6: GRC Bi-Directional Compliance Mapping
When defining the regulation mapping through a framework, many relationships willdevelop that will economize on the overall process of compliance management.
13 All rights reserved by Object Management Group (OMG) GRC Roundtable - http://www.omg.org/ (http://www.grcroundtable.org/GRC_RT_Overview.pdf )
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
15/58
White Paper
The New Business Continuity Model
Public Domain Page 15 of 58 Modified: August 26, 2008
Version 1.0
Figure 7: GRC Complex Relationship Mapping
GRC-RT Diagrams 14
The BCM Model attempts to provide a singularity of tasks and controls needed tomeet the objective of compliance, risk mitigation and business sustainability most likethe GRC-RT method shown above with the role up to management needed togovern the processes. This assumes that the pertinent industry model reflectedcontinues to address the ever changing regulations, thus the need for automating theprocess as much as possible.
4 The Business Continuity ParadigmWith the standards represented above, a Business Continuity Paradigm has takenshape. The context of this whitepaper will build on this paradigm to present a newmodel that organizations can use to establish a foundation of Business ContinuityPractices and Principles where metrics can be devised to provide both qualitativeand quantitative results of operational readiness performance to management.These foundations of collaborative methods are now referred to herein as the“Business Continuity Management” (BCM) and align with both the published andunpublished ISO standards referenced. As such, this BCM Model is designed to
provide an advance look into what the BCM future beholds.
4.1 What is BCM?
BCM is a board owned and driven set of processes established to facilitate thefunctions and services of the organization, which are defined by a strategic andtactical framework that:
14 All rights reserved by Object Management Group (OMG) GRC Roundtable - http://www.omg.org/ (http://www.grcroundtable.org/GRC_RT_Overview.pdf )
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
16/58
White Paper
The New Business Continuity Model
Public Domain Page 16 of 58 Modified: August 26, 2008
Version 1.0
• Proactively improves the resiliency of the organization against a disruptionthat impedes the organization’s ability to achieve its key objectives.
• Provides a validated and tested method of recovery of the organization’s
ability to provide the functions and services at a predefined level within apredefined time.
• Affords the organization the ability to deliver a proven capability to manage itsbusiness while preserving its brand image and reputation.
4.1.1 Building Blocks
Much like what Program Management (PM) enables for holistic management ofprojects within an organization; BCM provides a similar level of management andfiduciary responsibility to mitigate risks to the continual operations of business. Thissystematic process facilitates organizational maturity and business resiliency utilizingthese essential building blocks:
1) BUSINESS CONTINUITY (BC): Establishes the ability of an organization toprovide service and support for its customers and to maintain its viabilitybefore, during, and after a business continuity event (i.e. disaster / crisis,natural or man made). BC in itself is only a starting point.
2) PLAN, DO, CHECK, ACTION (PDCA): An adaptation of the Deming wheel.While the Deming wheel stresses the need for constant interaction amongresearch, design, production, and sales, the PDCA Cycle asserts that everymanagerial action can be improved by careful application of the sequence:plan, do, check, action. Later in Deming's career, he modified PDCA to"Plan, Do, Study, Act" (PDSA) so as to better describe hisrecommendations. In Six Sigma programs, the PDSA cycle is called"Define, Measure, Analyze, Improve, Control" (DMAIC). The iterative nature
of the cycle must be explicitly added to the DMAIC procedure. The PDCAcycle implies a continual methodology of process improvement. Whereeach process includes controls that provide measurement of success that isused to define overall operation success. One poor process does notcause an organization to fail, systemic failure occurs where numerousprocess enable failure over time.
3) BUSINESS CONTINUITY PLANNING (BCP): Is the process of developingand documenting arrangements and procedures that enable anorganization to respond to an event that lasts for an unacceptable period oftime and return to performing its normal Business Critical Functions and/orsupporting System (BCFS) after an interruption. BCP is the documentationto facilitate the process of mitigation of risk to the operation of anorganization in preparation of the eventual crisis.
4) RISK MANAGEMENT (RM): Risk management is a structured approach tomanaging uncertainty related to a threat, a sequence of human activitiesincluding: risk assessment, strategies development to manage it, andmitigation of risk using managerial resources. Whereas risk managementtends to be preemptive, business continuity planning (BCP) was invented todeal with the consequences of realized residual risks. The necessity tohave BCP in place arises because even very unlikely events will occur ifgiven enough time. Risk management and BCP are often mistakenly seenas rivals or overlapping practices. In fact these processes are so tightly tied
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
17/58
White Paper
The New Business Continuity Model
Public Domain Page 17 of 58 Modified: August 26, 2008
Version 1.0
together that such separation seems artificial. For example, the riskmanagement process creates important inputs for the BCP (assets, impactassessments, cost estimates etc). Risk management also proposesapplicable controls for the observed risks. Therefore, risk managementcovers several areas that are vital for the BCP process. However, the BCPprocess goes beyond risk management's preemptive approach and moveson from the assumption that the disaster will realize at some point. Thisincludes the assessment of each risk and where appropriate, theestablishment of mitigation controls to manage the process designed tominimize the risks potential impact.
5) BUSINESS CONTINUITY MANAGEMENT (BCM): Is defined15 as a holisticmanagement process that identifies potential impacts that threaten anorganization with associated risk, and provides a framework for buildingresiliency with the capability for an effective response which safeguards theinterests of its key stakeholders, reputation, brand and value creatingactivities. This management structure includes the facilitation of recovery,continuity and/or restoration in the event of a disaster or crisis through themanagement of an overall contingency program and through training,rehearsals, and reviews, to ensure the plan(s) stays current and up to date.This framework facilitates the entire process of preparing for the inevitablecrisis to strike which engage processes to mitigate the impact of risk to thebusiness operation. All of which provides for a sustainable and resilientorganization with the emphasis on ‘Risk Mitigation with Governance’ whichis engrained in the day-to-day operation of business.
This implies that BCM specifically provides: A level of managerial oversight at the appropriate organizational level which
has a stake in the continual operations of business with fiduciary
responsibilities. Quality processes that mitigates Critical Business Functions and/or support
Systems (BCFS). Processes that must: correlate to measurable financial impacts, be rated according to their risk potential, include their individual probability of disruption as reflected in Service Level
Agreement (SLA) management, be quantifiable through metrics measurement, and incorporate continual improvement.
BCM is the entire organization’s responsibility. Each entity and resource has a stakein the success of the organization as a whole, which emphasizes that the
organization will need to:• Identify, define and prioritize potential impacts in advance
• Create a framework to mitigate and manage risks, of each, within industrystandard guidelines
• Defend the organization against the potential of loss, with the resiliency to quicklyrecover in the event of a crisis
15 Definitions to the BCM terms used herein can be found in Appendix A
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
18/58
White Paper
The New Business Continuity Model
Public Domain Page 18 of 58 Modified: August 26, 2008
Version 1.0
• Utilize industry best practices in creation and execution of the BusinessContinuity Management Lifecycle (Figure 3).
4.1.2 BCM Organizational OwnershipTo establish ownership and drive the BCM principles throughout the organization, aBCM strategy must be created and approved by a governing board within theorganization which has board level executive stakeholders. The reason ownershipmust reside at this level is clear. The board owns the overall resiliency of theorganization and as such they own the ability to manage resiliency. This isreinforced by many governmental regulations such as Sarbanes-Oxley (SOX)16 within the United States, where the CEO and CFO must personally attest to thevalidity of the financials reported.
4.1.3 BCM Strategy
Most organizations, regardless of size, have strategic directives to attain. These
may be necessary to grow business by increasing the product and services deliveredor to improve the availability of the goods and services provided. The consequencesof not pairing these directives to a means of resiliency are usually devastating to thecontinued operation of an organization. This may include loss of profits, customers,up to and including loss of life. The survival of an organization’s reputation orexistence is at stake!
NOTE: According to research by the University of Texas, when companiessuffer a catastroph ic data loss, 94 percent of them fail: 43 percent neverreopen, and the remaining 51 percent close within two years.
The alignment of the organizational strategic goals and objectives must beincorporated into the BCM Strategy to ensure that the organization can achieve both.The organizational structure needed to facilitate this process is within what this
model refers to as a ‘BCM Steering Committee’17
. The full BCM structure will bedefined further on in this paper.The key is that BCM recognizes the importance and need for stakeholders at thehighest organizational level to ensure the organization’s survivability and resiliency isproperly prioritized and subsequently maintained. As the stakes rise with newventures, BCM is the solution for the subsequent consequences of disruptions whichhave a direct and implied fiduciary impact that also include a probable regulatoryconsequence.
4.1.4 BCM and Risk Management
BCM has a direct relationship with most forms of Risk Management. The principlebehind BCM is to ‘Risk Mitigation with Governance’. This principle incorporates
many elements and types of risk management into the BCM Strategy andsubsequent program. One of the primary derivatives of a BCM program is toestablish direct feedback to the board level management on the ‘State of Readiness’which provides the ‘Value-Add’ needed by the board to ensure a sustainableoperation and to enable viable decisions!
16 Information on SOX can be found at http://www.sec.gov/divisions/corpfin/faqs/soxact2002.htm and the full SOX ACT ‘HR:3763’ -
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_bills&docid=f:h3763enr.txt.pdf 17
This model will identify organizational roles and responsibilities paired with the BCM Process defined herein that utilize existing operationalresources for most of the stated requirements. Only a small complement of resources used to facilitate the BCM Process are actually neededwhere the actual number varies depending on the size and complexity of an organization.
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
19/58
White Paper
The New Business Continuity Model
Public Domain Page 19 of 58 Modified: August 26, 2008
Version 1.0
4.2 Why BCM?
The principle reason BCM is needed is it forms an important element oforganizational management, provisioning of service and efficient and effective
deployment of resources very similar to the way Program Management performs arollup of resources and financials into a holistic view. This provides transparency intothe operational ‘State of Readiness’ at most process points to effectively manage theorganization to its optimal state of maturity and subsequent efficiency.This model encapsulates the benefit of utilization of existing resources for thefacilitation of risk mitigation through the adaptation of appropriate internal controls,thereby reducing the burden of cost normally associated with a separate structure.
4.2.1 Strategic Value
The alignment of BCM with an organization’s strategic vision and the utilization ofavailable skilled resources provide a substantive value to achieve the organizations
strategic objectives and goals. When the organization relies upon BCM as an assetwithin the definition of its strategy, the organization can only realize a higher thannormal probability of successful achievement.
4.2.2 Sustainability and Resiliency
All organizations strive to remain operable for a long duration, which translates intosustainability. To achieve sustainability the organization must have a program thatdrives to this goal. The BCM Model outlines the organization and processes neededto achieve sustainability. The use of sustainable practices, though utilization ofcontinually improving processes, a level of resiliency is established. Resiliencyenables an organization to undergo higher levels of risk impacts and remainoperational. Quality of service may degrade, but only to predefined levels. Thus,financial downturns, major service disruptions, or natural disasters can all bemitigated with appropriate controls in place to ensure the proper ‘State of Readiness’is maintained at all times.
5 The BCM ModelOver the history of the industrialized world, companies, organizations andbusinesses struggled with how to protect; what they built, how they are generatingrevenue, and all important, how to continue to grow. Facing sometimes catastrophiccrisis’s and financial down turns, many strong and prosperous entities survived. Forthose many that failed can be summed up in these three words; ‘were theyprepared?’‘Survival of the Fittest’ played out in real-time revealed those who continue tooperate today were prepared, and those that aren’t, were not. History has identifiedthat if an organization does not have a contingency plan, the probability for it tosustain a long term existence is slim.While there is no silver bullet with any framework, the BCM Model is a researchcompilation of standards, processes and experience that brings together for the firsttime a comprehensive framework for organizations to use for the sole purpose of‘being prepared!’. The BCM Model will walk through the ownership, fiduciary
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
20/58
White Paper
The New Business Continuity Model
Public Domain Page 20 of 58 Modified: August 26, 2008
Version 1.0
responsibilities, along with the processes to create and sustain a program to mitigatemost common events. Included is essential information to protect the organization’sinterests and assets. In this ever changing global economy, organizations will need
every advantage afforded them to survive. How this is accomplished is the basis ofthe BCM Model with the underlying theme ‘Risk Mitigation with Governance’.
5.1 Business Continuity Management Components
Business Continuity Management model defines these elements into tactical aspectsof a BCM Process. BCM Process utilizes functional components to facilitate the‘Risk Mitigation with Governance’ principle. These structures of functionalcomponents are:
• Business Continuity Steering Committee
• Business Continuity Management Team
• Business Continuity Plan Administrator
• Business Continuity Leads or Business Continuity Coordinators/DisasterRecovery Coordinators
• Business Continuity Teams
Figure 8: BCM Components
5.2 Where to StartMost organizations find it difficult to identify the starting point of their BusinessContinuity program. A few indicators will clearly identify the starting point and helpidentify the effort needed to establish a quality program. Here is a list of some ofthose indicators:
• Has a Business Impact Analysis been conduction within the last 24 months?
• Utilizing the data from the Business Impact Analysis, was a Risk Assessmentconducted and critical functions and systems identified?
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
21/58
White Paper
The New Business Continuity Model
Public Domain Page 21 of 58 Modified: August 26, 2008
Version 1.0
• Does existing documentation exist that can be used for planning purposes?
• Is the existing documentation adequate for the critical systems?
• Is there Executive stakeholder buy in and support?
• Has ownership of the various elements been established and accepted?• Has funding been granted and approved?
• Are short and long term business & IT objectives aligned?Once these indicators have been resolved, most organizations will succeed withestablishment of a Business Continuity Management program.Here is where we start.
5.2.1 Business Continuity Planning
Now that we have established the objectives driving the Business Continuityprogram, we can now begin planning. To start with, the senior management teamwill have defined a Business Continuity Strategy (BCS) to match what they see as
business risks needing mitigation surrounding the most common loss of businessservices. At a minimum the BCS should include the following policies, processes,and/or concepts:
A defined policy governing the Business Continuity Program, Process for the identification of the Business Continuity Management Team
and subsequent crisis or emergency management team structure (includingthe structure used to facilitate creation, maintenance, execution and trainingof the Business Continuity Plan),
Process for assignment identification, functional responsibilities, and approvalof the BCSC team along with governance structure as needed,
Conduct a Business Impact Analysis (BIA) to identification of the areas ofBusiness Critical Function and/or System (BCFS) that need to be protected,
along with the general scope of need for the various BCFS and respectivelocations of operation.
Risk Assessment on all high priority and/or critical BCFS items to include aprobability and impact value. These risk values will ensure internal controlscan be established with appropriate thresholds for success measurement.
With these elements understood, planning can proceed with the identification andestablishment of resources along with appropriate funding needed to satisfy thebusiness objectives driving the BCM program utilizing the following components.
5.2.2 Establishment of the Business Continuity Management Team
The Executive Management should identify the requirements of the BusinessContinuity Management Team (BCMT). A high-level organizational structure of the
BCMT is needed to identify who should serve on this team and what responsibilitieseach role will play in the functional operation of the BCMT. At a minimum the BCMTshould include:
At least one Executive, one Senior Management representative, and thenwhat ever level of management is deemed appropriate to represent the fulloperational complement of the overall organization,
An organizational structure that will provide the appropriate level of authorityon those areas of the organization that will most likely be directly involvedwith Business Continuity execution,
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
22/58
White Paper
The New Business Continuity Model
Public Domain Page 22 of 58 Modified: August 26, 2008
Version 1.0
The designation of a “Crisis or Emergency Management Team” (EMT) fromcurrent management that will facilitate the execution of the BusinessContinuity Plan (BCP),
The emergency declaration classification types, rules and criteria.
Figure 9: BCM Organization
BCM
Business Continuity
Management Organization
BUSINESS CONTINUITY STEERING COMMITTEE (BCSC):
A com mit tee of deci sion makers, p rocess owner s,technology experts and continuity professionals, tasked withmaking strategic recovery and continuity planning decisions
for the organization.
BUSINESS CONTINUITY TEAM (BCT):
Designated individuals responsible for developing,execution, rehearsals, and maintenance of the business
continuity plan, including the processes and procedures.SIMILAR TERMS: Disaster Recovery Management Team, Business Recovery Management
Team. Associated terms: Emergency Management Team.
BUSINESS CONTINUITY MANAGEMENT (BCM):
A hol istic managem ent pr ocess t hat id entifi es pote ntial i mpacts thatthreaten an organization and provides a framework for building
resilience with the capability for an effective response thatsafeguards the interests of its key stakeholders, reputation, brand
and value creating activities. The management of recovery or
continuity in the event of a disaster. Also the management of theoverall program through training, rehearsals, and reviews, to ensure
the plan stays current and up to date.
BUSINESS CONTINUITY MANAGEMENT PROGRAM: An on goin g manag ement an d gov ernanc e proc ess sup por ted by
senior management and resourced to ensure that the necessarysteps are taken to identify the impact of potential losses, maintain
viable recovery strategies and plans, and ensure continuity of
products/services through exercising, rehearsal, testing, training,maintenance and assurance.
Risk
Management
through
Governance
DepartmentalDesignees
BC
Team(BCT)
OrganizationalDesignee
BCM
Corrdinator (DRC/BCC)0
DISASTER:
A sudd en, unpl anned calam itou s event cau sing greatdamage or loss as defined or determined by a risk
assessment and BIA; 1) Any event that creates an inability on
an organizations part to provide Business Critical Functionsfor some predetermined period of time. 2) In the business
environment, any event that creates an inabilit y on an
organization’s part to provide the critical business functions
for some predetermined period of time. 3) The period whencompany management decides to divert f rom normal
production responses and exercises its disaster recovery
plan. Typically signifies the beginnin g of a move from aprimary to an alternate location.
SIMILAR TERMS: Business Interruption; Outage; Catastrophe
THREAT: A comb inati on of the ri sk, th e consequ ence of t hat ri sk, and
the likelihood t hat the negative event will t ake place.
Assoc iated t erm: r isk. Ex ample Thr eats: Natu ral, Man-mad e,
Technological, and Political disasters.)
Executive ManagementTeam and Assignees
BCM
Steering
Committee(BCSC)
BUSINESS CONTINUITY MANAGEMENT TEAM (BCMT): A gro up of indi vidual s fun ctio nally respo nsibl e for d irect ing
the development of the business continuit y plan, as well as
responsible for participation in the declaring a disaster andaiding the recovery process, both pre-disaster and post-
disaster. Also r eferred to as the Executive Emergency
Management Team (EEMT)SIMILAR TERMS: Disaster Recovery Management Team, Business Recovery Management
Team. Associated terms: Emergency Management Team.
EMERGENCY MANAGEMENT TEAM (EMT): A gro up of managers f unct ionall y resp onsi ble fo r
execution of the business continuity plan, as well as
responsible for declaring a disaster and providingdirection during the recovery process, both pre-disaster
and post-disaster.SIMILAR TERMS: Disaster Recovery Management Team, Business Recovery
Management Team. Associated terms: Crisis Management Team.DISASTER RECOVERY COORDINATOR (DRC):
A rol e of th e BCM progr am that l eads & coo rdin ates
planning and implementation for recovery of an
organization, location or unit for technical functions.SIMILAR ROLES: Disaster Recovery Planner, and Disaster Recovery Administrator
May also act as a Plan Administrator
BUSINESS CONTINUITY COORDINATOR (BCC):
A rol e of th e BCM progr am that l eads & coo rdin ates
planning and implementation for recovery of an
organization, location or unit for nontechnical functions.SIMILAR ROLES: Business Recovery Coordinator, Business Recovery Planner
May also act as a Plan Administrator
Designated Managers
BCM
Emergency
ManagementTeam
(EMT)
Designated Senior &Executive Managers
BCM
Team(BCMT)
5.2.3 Establishment of a Business Continuity Steering Committee
The Business Continuity Steering Committee (BCSC) shall be created by theBusiness Continuity Management Team (BCMT). The BCSC shall be populated withrepresentation of all Business Critical Functions and/or supporting System (BCFS)areas with management and senior employees by referral from a member of theBCMT and approved by Executive Management. The BCSC team must have bothexecutive management and broad employee based support to provide an effectiveand representative body that will be viewed by all as the appropriate members of theorganization to provide Business Continuity vision and direction. This team will beresponsible for providing the organization with strategic oversight on all BusinessContinuity initiatives, policies, processes, plans and structures. The BCSC shall meeton a regular schedule, not less than quarterly, and rely on the Business ContinuityManagement Team for all fiduciary requirements identified.
5.2.4 Defining the Policy
The Business Continuity Steering Committee should establish a policy that willprovide an overall guidance to the teams implementing Business Continuity. A high-level policy must be published to identify several factors to the organization as awhole. The Business Continuity policy should set the expectations the organization
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
23/58
White Paper
The New Business Continuity Model
Public Domain Page 23 of 58 Modified: August 26, 2008
Version 1.0
has for all employees, contractors and agents. These should be as clear and conciseas possible and must be approved by executive management with enforceableterms.The Business Continuity Policy should include:
Overall Business Continuity mission statement Company Business Continuity objectives Who participates in Business Continuity Enforceable terms deemed necessary Governance
5.2.5 Defining Management Components
The Business Continuity Steering Committee should establish a managementstructure to facilitate the execution of the BCM Program. The Components of theBusiness Continuity Management Structure should include:
Identification of the Owners of the main Business Continuity Plans (BCP)
needed to appropriately respond to a crisis. Establish a Business Continuity Strategy (BCS) to provide direction aligned
with business objectives. Define a recovery management process that includes metrics for all Business
Critical Function and/or supporting Service (BCSF). The conduct of a Business Impact Analysis to provide vital financial ties to
each identified BCFS. Facilitate the establishment of the Business Continuity Sub-plan ownership at
the operational level through the Business Continuity Team. (BCT)
Figure 10: BCM Components
BCM
Business Continuity
Management Components
BUSINESS CONTINUITY STRATEGY (BCMS): An appr oach by an organi zation t hat wil l ensur e its r ecovery and cont inui tyin the face of a disaster or other major outage. Plans and methodologies are
determined by the organizations strategy. There may be more than one
solution to ful fill an organization’s strategy. Examples: Internal or externalhot-site, or cold-sit e, Alternate Work Area reciprocal agreement, Mobile
Recovery, Quick Ship / Drop Ship, Consorti um-based solutions, etc.
BUSINESS IMPACT ANALYSIS (BIA): A pro cess desi gned to prio rit ize Busi ness Cri tical Functi ons
and supporting Systems by assessing the potentialquantitative (financial) and qualitative (non-financial) impact
that might r esult if an or ganization was to experience a
business continuity event.
BUSINESS INTERRUPTION:
Any even t, wheth er anti cipated (i.e., publ ic serv ice str ike) orunanticipated (i.e., blackout) which disrupts the normal course of
business operations at an organization’s location. Simi lar terms:outage, service interruption. Associated terms: business
interruption costs, business interruption insurance.
BUSINESS CONTINUITY MANAGEMENT PROCESS:
The Business Continuity Institute’s BCM process (also known as theBC Life Cycle) combines 6 key elements: 1) Understanding Your
Business 2) Continui ty Strategies 3) Developing a BCM Response 4)Establishing a Continui ty Culture 5) Exercising, Rehearsal & Testing
6) The BCM Management Process
Recovery
Management
DHLGMDepartment Managers
BC / DR
Plan
BCMDesignee
BCMStrategy
(BCMS)
External Auditor
BIA
BCT
BRP / DRP
BUSINESS CONTINUITY PLAN (BCP):
Process of developing and documenting arrangements andprocedures that enable an organization to respond to an event
that lasts for an unacceptable period of time and return to
performing its critical functions after an interruption.SIMILAR TERMS: Busin ess Resumption Plan, Continuity Plan, Contingency Plan,
Disaster Recovery Plan, Recovery Plan.
DISASTER RECOVERY PLAN (DRP):The management approved document th at defines the
resources, actions, tasks and d ata required to manage thetechnology recovery effort. Usually refers to the technology
recovery effort. This is a component of the Business
Continuity Management Program.SIMILAR TERMS: B usiness Continuity Management Plan, Recovery Plan.
RECOVERY POINT OBJECTIVE (RPO):
From a business perspective RPO is the maximumamount of data loss t he business can incur in an event.
The targeted point in time t o which systems and datamust be recovered after an outage as determined by the
business unit.
RECOVERY TIME OBJECTIVE (RTO):
The period of time within which sys tems, applications, orfunctions m ust be recovered after an outage (e.g. one
business day). RTO’s are often used as the basis f or thedevelopment of recovery str ategies, and as a determinant
as to whether or not to impl ement the recovery strategiesduring a disaster situation.
SIMILAR TERMS: Maximum All owable Downtime
RECOVERY:
Implementing the prioriti zed actions required to r eturn theprocesses and support functions to operational stability
following an interruption or disaster.
BUSINESS RESUMPTION PLANNING (BRP):
TERM Currently Being ReworkedSIMILAR TERMS: Business Continuity Planni ng, Disaster Recovery Planning
DISASTER RECOVERY PLANNING (DRP):
The technological aspect of business continuity planning.The advance planning and preparation that is necessary to
minimize loss and ensure continuity of t he Business Critical
Functions and supporting Systems of an organization inthe event of disaster.
SIMILAR TERMS: Contingency Planning; Bu siness Resumption Planning;
Corporate Contingency Planning; Business Interruption Planning; DisasterPreparedness.
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
24/58
White Paper
The New Business Continuity Model
Public Domain Page 24 of 58 Modified: August 26, 2008
Version 1.0
5.3 Conduct ing the BIA
To fully understand the potential impact any loss of service could have on business,a Business Impact Analysis (BIA) should be conducted. The conduct of a BIA
should be scheduled every 3 to 5 years to keep the information used for lossidentification current. A BIA should be performed prior to the BCS creation to ensurethat the organization has identified the BCFSs that represent what the loss potentialis, how it can be mitigated, and what the implications to the services provided wouldmean to the recipient of those services. When a BIA is re-conducted after the BCMProgram is in place, it will be used to update the BCFS list and financial risks ofeach. The Business Continuity Management Team and Business ContinuitySteering Committee participants may be adjusted based upon the informationprovided.The following few slides describe the essence of the BIA:
5.3.1 BIA - Identifying Crit ical Needs …The critical needs should be identified within all departments. Critical needs includeall information, processes, activities and equipment needed to continue operationsshould a department be destroyed or become inaccessible. To determine the criticalneeds of the organization, each department should document all important functionsperformed within that department. This information can be gathered by documentingdaily activities within each department.
An analysis over a period of two weeks to one month can indicate the principlefunctions performed inside and outside the department, and assist in identifying thenecessary data requirements for the department to conduct its daily operationssatisfactorily. This determines the Business Critical Function and/or supportingService (BCSF) which are critical functions / systems relied on to perform criticalbusiness functions, System or application interfaces, that require a Maximumacceptable outage for the system considering both the user perspective and thetechnical perspective.
5.3.2 BIA - Business Critical Functions / Systems
To Identify Business Critical Function and/or supporting Service (BCSF) some of thediagnostic questions that are asked include:
What specialized equipment is used in the department and how is it used? What are lead times for replacing critical equipment? If the on-line systems were not available, how could the department continue
to function?
What parameters, guidelines, or procedures would be necessary to limitexposure during on-line systems downtime (i.e., management approval maybe required of checks or disbursements above specified dollar amounts)?
What is the minimum staff and floor space needed to continue operations atanother facility?
What special forms and supplies are needed for each departmental area? What communication devices (i.e., telephones, facsimile equipment, and data
transmission equipment) would be necessary to continue operations?
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
25/58
White Paper
The New Business Continuity Model
Public Domain Page 25 of 58 Modified: August 26, 2008
Version 1.0
Which employees have been trained to carry out several departmental jobs orresponsibilities and could fill positions of key employees if they wereunavailable?
5.3.3 BIA - Outage Impact Analysis
Once the critical needs have been documented, it is important to determine theimpact of an outage to the critical systems and business functions. The impactdepends on the type of outage that occurs, and the time that lapses before normaloperations can be resumed. The following information should be carefully analyzed:
Impact Analysis is defined by these six areas:1. Business Function Description2. Critical Systems3. Dependencies4. Workflow Impact5. Future Business Function Changes
6. Impact of Not Processing Business Function Description is:
1. Size of the business function (e.g., total revenue, number ofemployees, number of patients, etc.)
2. Main purpose of the business function (e.g., revenue generation,administrative, customer service, support function, ancillary function,etc.)
3. Critical operations performed. Critical Systems Description is:
1. Systems relied on to perform critical business functions2. System or application interfaces3. Maximum acceptable outage for the system, considering both the
user perspective and the technical perspective Dependencies Description is:
1. Dependencies between business functions2. Dependencies between departments3. Dependencies between systems
Workflow Impact Description is:1. Loss of controls2. Major bottlenecks3. Potential stop in the workflow4. Complete interruption of the workflow
Future Business Function Changes Description is:1. Systems
2. Procedures3. Operations4. Personnel5. Organization6. Other changes
Impact of Processing Failure Description is:1. Impact on customer service2. Noncompliance with government regulations3. Noncompliance with existing contracts4. Increase in personnel requirements
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
26/58
White Paper
The New Business Continuity Model
Public Domain Page 26 of 58 Modified: August 26, 2008
Version 1.0
5. Loss of revenue6. Loss of business7. Increased operating costs8. Penalties9. Loss of financial management capability10. Loss of competitive edge11. Loss of goodwill12. Negative media coverage13. Loss of stockholder confidence14. Legal actions15. Other impacts
Redundancy Levels Description is:‘Existing and required redundancy levels throughout the organization toaccommodate critical systems and functions:’
1. Hardware2. Information3. Personnel4. Services
Alternate Processing Methods Description is:1. Alternate processing methods for the critical functions in the event of
a systems outage2. Impact of using the alternative processing method3. Alternate processing costs
5.4 Risk Assessment
The Business Critical Functions and/or Services identified in the BIA must now beanalyzed to determine their impact and probability of disruption to establish a
ranking of each. Once the BCFS risks are ranked to a common scale (usually 1 to 3or 1 to 5 with 1 having the highest priority i.e. Severity 1), then planning prioritizationis applied and a list of plans generated. The object is the mitigation of risk for thehighest ranked items first, then working down through the list until all critical itemshave mitigation plans that are ready for validation. Re-ranking may take place asmore information is discovered during the risk assessment process.Risk assignments are used to design internal controls (ICs) and thresholds thatprovide measurement of success which feed the ‘State of Readiness’ metrics.These same ICs should also be mapped to any regulatory requirements to ensure atotal risk is known and measured.
NOTE: Priority ranking should follow what ever scale is used within the current
Incident / Problem Management system to take full advantage of establishedprocesses. Universal use of common terms within this process should also beadopted to avoid communication failures and confusion.
5.5 Risk Mitigation
It is important to identify risks, associate the cost of each and trend it over time,however, if the risk is never mitigated then it will continue to be a drain on theorganization’s sustainability which may ultimately lead to its demise. To address thistopic, continual improvement processes mandate that this information be analyzed
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
27/58
White Paper
The New Business Continuity Model
Public Domain Page 27 of 58 Modified: August 26, 2008
Version 1.0
and addressed where appropriate for a given organizations goals and objectives.Mitigating every risk is too costly, even for the largest of organizations.Understanding the risk’s implications to the current business strategy will provide the
most cost effective means of Risk Mitigate any organization can afford.
The Disaster Recovery Timeline shown in Figure 11 illustrates the elementary pointsof risk that must be identified, evaluated and prioritized for impact that incorporates abusiness established tolerance. This must be accomplished for every BusinessCritical Function and/or supporting Service (BCSF) identified in the BIA. Thisrecovery data will be included in any Service Level Agreement (SLA) establishedwith the service provider whether internal or external.
Figure 11: Disaster Recovery Timeline
5.5.1 Risk Mitigation – Crisis Points Defined
RPO – is the last known point of valid data on a system by system or function
by function basis. This is the starting point of data restoration and is ownedby IT as agreed too by Business.
RTO – is the technical point of restoration of a system or function. This is thestarting point where processing can restart after the failure. It is owned by ITas agreed too by Business.
MTD – is the point at which all recovery processing has been completedwhile processing current normal daily activities. This is the actual return toBusiness As Usual state. This is solely owned by business.
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
28/58
White Paper
The New Business Continuity Model
Public Domain Page 28 of 58 Modified: August 26, 2008
Version 1.0
WRT – is the amount of time and effort needed to recover from the crisis.This includes the reentry of data from;
The point of the crisis back to the RPO, The manual data collected from the point of crisis to the RTO, And the processing of current daily data needed to stay current with the
expectation of business services Most companies fail because they do not plan this recovery period
5.5.2 Importance of Defining Risk Points
Failure to identify a point of risk is opening the flood gates and inviting in a crisis.Each BCFS must have its Risk Points defined and accepted by business and theservice or function provider.Risk Point failures;
Lack of adequately define Risk Points will cause failure Lack of organizational participation in Risk Point metrics establishment will
cause failure How to you create SLA’s without Risk Point definitions and measurements?
(You can’t!) Establishing Risk Points with Metrics is essential to the successful creation of
every BCM Plan (BCP, Sub-BCP) and the sustainability of business! Identification of regulatory requirements inclusive with the risk points ensures
compliance is included in the success measurement.
5.5.3 Risk Cost Modeling
Utilizing the financial data from the Business Impact Analysis (BIA) for eachBusiness Critical Function and/or supporting Service (BCSF) a Risk Cost Model canbe created to identify the underlying cost for each BCFS along with the projected
revenue stream disrupted in the event of its failure. Building this model requiresbusiness participation to adequately track and trend the risk cost over a period oftime. The resulting Risk Cost Model represents the BCM Model’s ability to provide‘Value Add’ by providing another vantage point of an organization’s sustainability.Research does not reveal an industry targeted risk level to achieve; however, wewere able to extrapolate from other risk models and business objectives to establisha risk target of 2% or less. The example below uses ‘Top Line Revenue’ as a basisfor the risk cost analysis. Governments and other organizations may need to use‘Bottom Line Revenue’. In either case, the target should complement theorganization’s strategic goals and objectives.
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
29/58
White Paper
The New Business Continuity Model
Public Domain Page 29 of 58 Modified: August 26, 2008
Version 1.0
Figure 12: Risk Cost Model Trending Example
NOTE: Investment in Risk Mitigation through a BCM Program is a long termbusiness ob jective, to suggest otherwise is setting the stage for failure.
5.5.4 Mitigating Risks
The BIA is essential to establish the parameters for mitigating risk. What do we dowith this information?
Identifies the Business Critical Function and/or supporting Service (BCFS)
with supporting financial data Identifies the priorities business places on each BCFS, usually financially
driven Identifies the cost to business if the BCFS were to fail. Supporting services of
the BCFS should retain the same status as the high level business function.How do we use this information?
Build Risk Cost models utilizing real financial data on a BCFS by BCFS basisthat reflects a real ‘State of Readiness’
Establish a financial connection for each BCFS and their supporting servicesthat include resources, service contracts and SLAs.
Through planning risk is mitigated thus establishing a Value Add by providinga form or ‘Revenue Protection’ not currently available to the business.
How is this accomplished? Risk Point identification with established business tolerance / threshold
metrics for each Service Level Agreements that have real achievable metrics Risk Cost Modeling to show the financial implications of risk mitigation (ROI) Risk Analysis using Strategic Plan as a long term projection of impact
severity and probability of occurrenceWhat does it provide?
Identifies priority for funding mitigation solutions
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
30/58
White Paper
The New Business Continuity Model
Public Domain Page 30 of 58 Modified: August 26, 2008
Version 1.0
Enables cooperative planning between provider and user Establishes path to successful achievement of strategic business goals and
objectives Affordable Sustainability with attainable Resiliency
6 Business Continuity Plan CreationThe preparation stage of the BCM Model and all industry leading standards mandatethe creation of plans to facilitate the continuity of operations. The creation of theseplans is where many fail to get a program off the ground. This aspect of the processis defined with what plans would represent a minimal scenario for any organizationalong with a structured process for integrating them together to attain a sustainableprogram. The effort to create the documentation required is no small task, however,without the basis to draw upon, the program and subsequently the operations isdestined to fail.
Engaging the appropriate resources is required for the successful creation ofcontingency plans. Ownership must reside with the appropriate assigned skill toenable the execution when required. The basic literary level of each plan shouldaddress the principle of utilizing a similar skill near or at the level required to performdaily management. Utilizing these basic principles will enhance the probability ofsuccessful creation of the plans needed.
6.1 Creating the Business Continuity Plan
With the full understanding of “What BCM is”, the process of creating the BusinessContinuity Plan (BCP) can now take place. With the BCM organizational structuredefined, resources assigned, a Business Impact Analysis (BIA) conducted, Risk
Assessment completed with mitigation steps identified and with an approved BCSdocumented, the next step is to create the Business Continuity Plan. The BCP iscreated, maintained and administered by the Business Continuity Plan Administrator(BCPA) to include:
Identification of all BCFSs and their associated risks to business, along withthe appropriate resources to facilitate the execution of safeguarding andrestoring each BCFS.
The processes, procedures, actions, tasks and/or steps used to mitigate therisks identified for the various plausible scenarios at each business location,
Identification of all locations included, along with any sub-plans needed toprovide adequate coverage for each risk to be mitigate,
A clear communications process to identify, evaluate, declare and recover
from most typical causes to loss of service delivery capability or disaster thatincludes all required resources, roles, locations, with information publicationtypes and guidelines,
The process for Business Continuity Plans updates organizationalawareness, training and periodic validation testing.
6.2 BCM Process Components
We can now explore what plan components are used within the BCM.
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
31/58
White Paper
The New Business Continuity Model
Public Domain Page 31 of 58 Modified: August 26, 2008
Version 1.0
The BCM utilizes several types of components to provide appropriate coverage andmanagement of the process. The BCM Process Components define the areas andtypes of plans used.
NOTE: Figure 13 depicts the various plan components and potential uses.The components include:
Organizational level management that includes the BCM Program charter,goals, objectives and controls. This will include:
Master Plan, Communications Plan, Common Process plan to facilitate the interoperations with all other plans. Operational level management includes Business Continuity Plans that detail
the actions taken. This will include: Site (Location) Plan, Sub-Plans with the specific task taken by the skilled resource teams, Contingency Plans are usually at the Department level to provide guidance to
safeguard items across multiple locations that are the responsibility of adepartment.
Figure 13: BCM Process Components
6.2.1 BCM Master Plan
The BCM Master Business Continuity Plan (Master BCP) is used by seniormanagement to establish the overall governing process for facilitating BusinessContinuity. (Owner: BCMT) The BCM Master Plan is the BCP document thatcontains the primary policies, process, procedures and actions needed protect theorganization from serious BCFS loss.The BCM Master BCP should include the organization’s policy and vision withdealing with emergencies, either man made or natural. The processes listed in the
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
32/58
White Paper
The New Business Continuity Model
Public Domain Page 32 of 58 Modified: August 26, 2008
Version 1.0
plan will include the BCP Communications Plan; EMT, BCC/DRC and BCT teamactivities; organized by major crisis type, location crisis type and contingencies withchecklists for the various BCFSs and actions required for each. If situationalcontingencies have been prepared, they will be identified and referenced within theBCM Master Plan. Recovery activities for each BCFS and location will be referencedfor EMT guidance and execution.
6.2.2 BCM Communications Plan
The ability to communicate during any crisis or emergency is paramount tosuccessful BCP execution. (Owner: BCMT). A BCM Communications Plan must becreated to become a primary section of the BCP Master Plan to ensure identificationof all BCM resources for all sites and functions the BCP is intended to cover.The Communications Plan will also list all Notification and Reporting schedules/listsrequired to ensure appropriate resources are engaged and informed with the currentstatus published in accordance within organizational policies and guidelines. The
BCM Communications Plan should include the following contact information: Identification of the BCMT and subsequent CMT/EMT Identification of the organization’s business locations with BCFS Identification of the BCC/DRC by location and function Identification of the BCT by location and function Identification of the external contingencies, emergency facilities, key venders
and key customers, or other contingency contact information deemedappropriate
6.2.3 BCM Common Processes Plan
The ability to manage status and instruct flow during the execution of a crisis oremergency is a key basis to successful business risk mitigation. (Owner: BCMT) A
BCM Common Processes Plan must be created and become a complementarysection to both the BCP Master and Communication Plans to ensure status reportingand execution of activities between the EMT and the BCC/DRC is properly managedand maintained.The Common Processes Plan will list all Status Notification and Reporting schedulesrequired to ensure the EMT is fully informed as to the current status of the crisis oremergency and all actions engaged by the BCC/DRC. The BCM CommonProcesses Plan should include the following information:
Meeting requirements for all teams to establish Command & Controlrequirements
Common Status Reporting Schedules and activities Common steps taken by the EMT, EOC, BCC, DRC and BCT
Other common activities that is required within the execution of all BCPs
6.2.4 BCP Site Plans
To successfully execute the mitigating actions needed to protect the organizationfrom loss at the Facility level, action steps must be planned in great detail using BCPSite Plans. (Owner: BCC, DRC).
A BCP Site Plan is the level of actions or steps taken by the resources physicallyprotecting the organizational assets within a single facility. The actions listed within aSite Plan shall be defined as a major BCFS and/or operational system that may be
8/16/2019 Manning at Conventional Marine Terminals_OCIMF
33/58
White Paper
The New Business Continuity Model
Public Domain Page 33 of 58 Modified: August 26, 2008
Version 1.0
disrupted from normal operation during the course of a crisis or emergency. BCFSsor Systems will be listed by standard reference nomenclature so as not todisseminate misleading or confusing information or status.The Site Plans will define the steps needed by a reasonably skilled resource toprotect site’s BCFSs or Systems. The resource executing these steps may not befully skilled on the BCFS or System so the level of