Manning at Conventional Marine Terminals_OCIMF

8/16/2019 Manning at Conventional Marine Terminals_OCIMF

1/58

~ White Paper ~The New BusinessContinuity Model

Written by: Dan WilderCBRA, Six Sigma Green Belt

Published on: October 6th, 2008

Version 1.0

Document Classification: Public Domain

Dan Wilder publishes this document for the use of Public Domain. It contains public information, ideas and concepts and is free to distribute and usewithout restriction except noted herein. All reference material shown herein is depicted for the sole purpose of illustrating the subject of this whitepaper

and shall remain the property of is listed owner and shall not be reproduced without written consent. Author does not warrant nor make claims that this information is in any way warranted. Use of this material is at the users own risk.

2008 Dan Wilder, All Rights Released.


2/58

White Paper

The New Business Continuity Model

Public Domain Page 2 of 58 Modified: August 26, 2008

Version 1.0

Table of Contents

1 Introduction......................................................................................................... 6

2

The Big Question … Why? ................................................................................. 6

3 The Standards ....................................................................................................7 3.1

ISO 20000 Family – Service Delivery......................................................................7

3.1.1 What is ISO / IEC 20000...................................................................................................9

3.2

ISO 27000 Family – Business Continuity ..............................................................10

3.2.1 What is ISO / IEC 27000.................................................................................................10

3.3

It’s not just a regulatory requirement any more…..................................................12

3.3.1 COSO .............................................................................................................................12 3.3.2

Governance Risk & Compliance (GRC) .........................................................................13

4 The Business Continuity Paradigm................................................................... 15 4.1 What is BCM? .......................................................................................................15

4.1.1 Building Blocks................................................................................................................16

4.1.2

BCM Organizational Ownership ..................................................................................... 18

4.1.3

BCM Strategy.................................................................................................................. 18

4.1.4

BCM and Risk Management...........................................................................................18

4.2 Why BCM? ............................................................................................................19 4.2.1 Strategic Value................................................................................................................19 4.2.2 Sustainability and Resiliency ..........................................................................................19

5 The BCM Model ................................................................................................19 5.1

Business Continuity Management Components ...................................................20

5.2

Where to Start .......................................................................................................20

5.2.1 Business Continuity Planning .........................................................................................21 5.2.2 Establishment of the Business Continuity Management Team ......................................21 5.2.3 Establishment of a Business Continuity Steering Committee.........................................22 5.2.4 Defining the Policy ..........................................................................................................22

5.2.5

Defining Management Components ...............................................................................23 5.3

Conducting the BIA ...............................................................................................24

5.3.1 BIA - Identifying Critical Needs … ..................................................................................24 5.3.2

BIA - Business Critical Functions / Systems...................................................................24

5.3.3 BIA - Outage Impact Analysis.........................................................................................25

5.4 Risk Assessment...................................................................................................26 5.5

Risk Mitigation .......................................................................................................26

5.5.1

Risk Mitigation – Crisis Points Defined...........................................................................27

5.5.2 Importance of Defining Risk Points.................................................................................28 5.5.3 Risk Cost Modeling .........................................................................................................28 5.5.4 Mitigating Risks...............................................................................................................29

6 Business Continuity Plan Creation.................................................................... 30 6.1 Creating the Business Continuity Plan ..................................................................30

6.2

BCM Process Components ...................................................................................30

6.2.1

BCM Master Plan............................................................................................................31

6.2.2

BCM Communications Plan............................................................................................32

6.2.3 BCM Common Processes Plan ......................................................................................32 6.2.4 BCP Site Plans ...............................................................................................................32 6.2.5 BCP Sub-Plans...............................................................................................................33 6.2.6 BCP Contingency Plans.................................................................................................. 33 6.2.7 Validating the BCP..........................................................................................................33 6.2.8

BCM Program - Document Flow.....................................................................................34

6.2.9

Business Continuity Planning – Recap...........................................................................35


3/58

White Paper



Version 1.0

7 Business Continuity Plan Execution ................................................................. 36 7.1 BCP Execution – Team Leadership Tree..............................................................36

7.1.1 EMT Team Component...................................................................................................37 7.1.2 EOC Team Component ..................................................................................................37 7.1.3

BCC/DRC Team Component..........................................................................................38

7.1.4

BCT Component .............................................................................................................38

7.2 Plan Elements .......................................................................................................38 7.2.1

Main Points of Coverage ................................................................................................39

7.3 BCM Execution Process........................................................................................40 7.4

BCP Execution – Recap........................................................................................41

8 BCM Plan Management & Reporting................................................................ 41 8.1

Plan Management .................................................................................................42

8.1.1

Document Management .................................................................................................42

8.1.2

Plan Management Reporting ..........................................................................................43

9 BCM Governance ............................................................................................. 44 9.1

Audit Types ...........................................................................................................44

9.1.1

Preparatory Audit(-)

......................................................................................................... 45 9.1.2 Feasibility Audit

(+)........................................................................................................... 45

9.1.3 Due Diligence Audit(-)

.....................................................................................................45 9.1.4 Compliance Audit

(+)........................................................................................................ 45

9.1.5 Investigative Audit(+)

....................................................................................................... 46

9.2

Audit Type Usage..................................................................................................46

9.3 Performance Metrics .............................................................................................46

10 BCM Review .................................................................................................47

Figures and Tables

Figure 1: ITIL v2 Service Continuity Management ..................................................... 8

Figure 2: ITIL v3 Model..............................................................................................9

Figure 3: Business Continuity Management Life-cycle model (source BS25999-1:2006)..................................................................................................................... 11 Figure 4: ITIL CoBIT Coverage................................................................................ 12 Figure 5: GRC Automating Compliance...................................................................14 Figure 6: GRC Bi-Directional Compliance Mapping................................................. 14 Figure 7: GRC Complex Relationship Mapping ....................................................... 15 Figure 8: BCM Components .................................................................................... 20 Figure 9: BCM Organization .................................................................................... 22 Figure 10: BCM Components .................................................................................. 23 Figure 11: Disaster Recovery Timeline.................................................................... 27

Figure 12: Risk Cost Model Trending Example........................................................ 29

Figure 13: BCM Process Components..................................................................... 31 Figure 14: BCM Document Flow Diagram ............................................................... 35 Figure 15: BCM Team Leadership Components...................................................... 37 Figure 16: BCP in Action.......................................................................................... 40 Figure 17: BCM Process Flow ................................................................................. 41 Figure 18: Plan Management................................................................................... 42 Figure 19: Document Management Flow................................................................. 43 Figure 20: Sample Reports ...................................................................................... 44


4/58

White Paper



Version 1.0

Figure 21: Audit Types............................................................................................. 45 Figure 22: CoBIT Performance Metrics.................................................................... 47


5/58


6/58

White Paper



Version 1.0

1 Introduction As we all know, everything evolves over time; the way we do business, services

provided and the urgency of delivery. When Katrina hit the Gulf Coast, not manycompanies were prepared for what would come after the hurricane. Many simplyboarded up the windows and hoped for the best. Others evacuated with theirpersonal possessions and many with just the clothes on their backs. The purposebehind this whitepaper is to explore what companies should be doing to protectthemselves in today’s market and environment.

An article referenced on this topic written by David Honour, editor, Continuity Centralback in March of 2003 reflects how long this dilemma has been exposed(http://www.continuitycentral.com/feature003.htm ). Even Homeland Security &FEMA published guidance to help companies identify the bare essentials needed to

survive (http://www.ready.gov/business/plan/planning.html )(http://www.fema.gov/business/bc.shtm ). Many companies are subjected togovernment regulations to ensure some level of protection is in place for thefinancial numbers reported. Others require more stringent guidelines to protectstockholders and the public alike.

The business community has raised the topic to the point where the InternationalStandards Organization launched a call for change in 2002 and has subsequentlybeen working on a set of new standards since. The latest ISO reference on thistopic is ISO/PAS 22399:2007 which provides general guidance for an organization(private, governmental, and non-governmental) to develop its own specific

performance criteria for incident preparedness and operational continuity, and todesign an appropriate management system.

The concepts and theories depicted herein have been independently presented to awide cross-section of industry experts with great acceptance. This whitepaper is thecompilation of these concepts into a single model to address the ever pressing issueof facilitating a functional Business Continuity program. Within this whitepaper wewill explore what it takes to enable companies of all industries to become resistant tocatastrophic events as well as improve the operability of normal services. Theconcepts depicted herein are derived from a formulation of several years’ researchof business and industry best practices along with the very latest industry and

international standards1. Thus the Paradigm shift begins…

2 The Big Question … Why? As the economy moves faster and faster to a global economy, it is imperative thatorganizations big and small take note of how they protect themselves from a variety

1 Disclaimer : This document is not intended to be all inclusive for all the standards or best practices listed. To further understand each standard

or best practice you are encouraged to research them separately. Additionally, businesses, companies and organizations are usedsynonymously where they all refer to the primary entity being safeguarded.


7/58

White Paper



Version 1.0

of disasters, which will enable them to not only grow but become sustainable. Theimportance of sustainability as a provider of goods and services has reached thisglobal market place as a key factor in the selection process of these goods and

services. The overriding requirements by governments and businesses alike are toensure that the supply chain can be maintained!

The approach presented herein has been designed by a team of engineers topreserve the revenue stream through stabilization of the services provided. Thisstabilization has reduced risk and improved sustainability for its customers, whichhas been driven by the market place and governing requirements. This approachdiffers from the traditional examples provided from companies representing softwaresolutions within the Governance, Risk Compliance (GRC2) market segment throughan ingrained operational framework of processes with metrics similar to what theCommittee of Sponsoring Organizations of the Treadway Commission (COSO3)

framework represents.

Because most companies maintain global operations, the approach is driven andmanaged to the international body of standards along with local, regional, industry,and governmentally imposed requirements. These standards are currently evolvingfrom a collection of many individual standards to several families of standards similarto what the ISO 9000 family achieved for Quality Management.

3 The StandardsNow that we’ve introduced the reasons for this whitepaper, let’s discuss thestandards that pertain to this topic. Several factors need to be understood. First is;

the International Standards Organization4 has recognized the need for businesses touse standards for normal operations that will prepare them for the global economy(ISO/PAS 22399:2007). The International Standards that are currently underdevelopment are the ISO 20000 family of standards that incorporate the ITIL© methods for the Service Delivery models companies may need to use. There is alsothe ISO 27000 family of standards that are incorporating the ISACA CoBIT© methods for all companies to use to incorporate measurements of stability. Thesenew standards are referred to as ‘Business Resiliency’ which is described as theability for a business to resist known and unknown crisis.

3.1 ISO 20000 Family – Service Delivery

The ISO 20000 family of standards are developed around the ITIL5 (InformationTechnology Infrastructure Library) methods(http://www.itil.org/de/isoiec20000/index.php ) also known as the ‘IT ServiceManagement Standard’.

2 All rights reserved by Open Compliance & Ethics Group (OCEG) – http://www.oceg.org

3 All rights reserved by Commission of Sponsoring Organizations of the Treadway Commission (COSO) – http://www.coso.org

4 All rights reserved by International Standards Organization (ISO) - http://www.iso.org/iso/home.htm

5 All rights reserved by IT Infrastructure Library (ITIL) Organization - http://www.itil.org/en/ & http://www.itil-officialsite.com/home/home.asp


8/58

White Paper



Version 1.0

• The ITIL-ISO 20000 model depicted in Figure 1 below defines IT ServiceContinuity Management levels to ensure management controls andprocesses are in place to meet the service requirements.

Figure 1: ITIL v2 Service Continuity Management

6

• However the ITIL model has been replaced with the new ITIL v3.

•

A new generation of the ITIL, ‘ITIL V3’, has recently been published. Thisnew version represents an important evolutionary step in ITIL’s life. ‘ITILRefresh’ as it is referred, has transformed the guidance from providing agreat service to being the most innovative and best in class. At the sametime, the interface between old and new approaches is seamless so thatusers do not have to reinvent the wheel when adopting it.

• V3 allows users to build on the successes of V2 but take IT servicemanagement even further. In general, V3 makes the link between ITIL’sbest practice and business benefits both clearer and stronger. The maindevelopment is that V3 guidance takes a lifecycle approach (Figure 2), asopposed to organizing according to IT delivery sectors.

ITIL is now based on five core lifecycle titles:1. Service Strategy2. Service Design3. Service Transition4. Service Operation5. Continual Service Improvement



9/58

White Paper



Version 1.0

Figure 2: ITIL v3 Model

7

3.1.1 What is ISO / IEC 20000

• As stated on ITIL.ORG, this standard is derived from the British Standard 15000and is a common reference for all companies, regardless of business sector, size

or type.• The standard is designed to provide IT services for both internal and external

customers as a basis of common terminology with an integrated approach for theprocesses used to provide these services.

• It is closely aligned with industry best practices recommended for ServiceSupport and Delivery.

• In addition to Industry standards, the ISO standard provides clear specificationsand information as to how an organization must align itself to internationallyaccepted certifications and processes.

• These processes provide the management controls necessary to provide theservice capability in standard measure across all government and industrysectors.

• This unification of measurement of service delivery and support controls enablesservice users to evaluate the service value to organizational standards withconfidence.

• This standard is defined in using these process areas:

• Management System

• PISM Planning and Implement

• Planning and Implementation



10/58

White Paper



Version 1.0

• Relationship Processes

• Service Delivery Processes

• Resolution Processes

•

Control Processes• Release Processes

3.2 ISO 27000 Family – Business Continuity

The ISO 27000 family of standards is still in the development process. This family ofstandards is defined as the ‘Business Continuity’ standard. Within the ISO 27000family, certain existing standards have been enumerated in to this new family.

3.2.1 What is ISO / IEC 27000

Currently the ISO 17799 Information Security standard and certification process hasbeen established as ISO 27002 and ISO 27001 respectively. Some of the additional

elements that will be covered in this standard are listed as:Subcommittee /Working Group

Title

JTC 1/SC 27/WG 1Information security management systems - The convener can bereached through: BSI

JTC 1/SC 27/WG 2Cryptography and security mechanisms - The convener can be reachedthrough: JISC

JTC 1/SC 27/WG 3 Security evaluation criteria - The convener can be reached through: SIS

JTC 1/SC 27/WG 4Security controls and services - The convener can be reached through:SPRING SG

JTC 1/SC 27/WG 5Identity management and privacy technologies - The convener can bereached through: DIN

As with the ISO 20000 family, British Standard ‘BS259998

Business ContinuityManagement’ is the foundation for this family of standards. With this standard,ISACA Governance methodology found in CoBIT9 is being incorporated to providethe management controls and measurements to establish common processes,structures and terminology.The recent release of the British Standard BS25999-1:200610 has provided the globalbody of standards a preview of what the ISO standard will represent.

• BS 25999-1:2006 is a code of practice that takes the form of guidance andrecommendations. It establishes the process, principles and terminologyof Business Continuity Management (BCM), providing a basis forunderstanding, developing and implementing business continuity within anorganization and to provide confidence in business-to-business and

business-to-customer dealings.• In addition, it provides a comprehensive set of controls based on BCM

best practice and covers the entire BCM lifecycle (see Figure 3)

• BS 25999 is published in two parts:

8 The British Standard incorporates several existing standards as illustrated at http://www.pas56.com/ . The blending of British Standards as

depicted at http://pas56.standardsdirect.org/ represent what the ISO Development committee has defined as the defined goal of ISO 27000which is outlined in ISO/PAS 22399:2007.9 CoBIT is a registered trademark of ISACA methodology and can be found at http://www.isaca.org/

10 BS25999-1:2006 can be found at http://www.bsi-global.com/en/Shop/Publication-Detail/?pid=000000000030157563


11/58

White Paper



Version 1.0

• BS 25999-1 • Business Continuity Management – Part 1: Code of practice.This document takes the form of good practice guidance andrecommendations, indicating what practices an organization should or may

undertake to implement effective BCM. Organizations may choose to followall or part of the Code of practice. The Code can be used for self-assessmentor between organizations. The Code is not a specification for BCM.

• BS 25999-2 • Business Continuity Management – Part 2: Specification. Thisdocument sets out specifically what an organization shall do to implementBCM. It is for use by internal and external parties, including certificationbodies, to assess the organization’s ability to meet regulatory and customerrequirements as well as the organization’s own requirements. BS 25999-2contains only those requirements that can be objectively audited and ademonstration of successful implementation can therefore be used by anorganization to assure interested parties that an appropriate businesscontinuity management system (BCMS) is in place.

•

Initial work by practitioners in 1999 resulted in a widely acceptedrepresentation of the BCM life cycle. With the publication of BS 25999-1 in2006, a new illustration of the BCM life cycle was introduced

NOTE: A free demo of BS 25999 online is available – go to www.bsi-global.com/bs25999online

Figure 3: Business Continuity Management Life-cycle model (source BS25999-1:2006)

11

11 All Rights Reserved British Standards Institute (BSI) - http://www.bsi-global.com/en/


12/58

White Paper



Version 1.0

3.3 It’s not just a regulatory requirement any more…

The primary driver for these standards is to establish a global compatibility alongwith the ability to measure the maturity of organizations to these standards. The

implication of governance aligning with service delivery shown in Figure 4 exampleclarifies the use of multiple standards to achieve the objective of adherence andcompliance. The BCM Model will discuss the organizational structure and processesestablished by new industry standards to meet the objectives of maintaining andmanaging a Business Continuity Management Program.

Figure 4: ITIL CoBIT Coverage

12

3.3.1 COSO

Under the COSO Framework the definition, creation and use of Internal Controls (IC)to successfully meet objectives is paramount to the overall success of theorganization. This is where objective setting is a precondition to the internal control.Through objective setting an organization’s management can identify risksassociated with the achievement of the desired objective. Each risk must be rankedon its impact and probability to set the correct control parameters.

In mitigation of these risks, internal controls are designed and implemented toeffectively mitigate the associated risk through the ongoing success measurementprocess. This allows the organization to adjust as needed to meet the objectivethrough continual measurement which will improve the quality of the defined process.Generally COSO Internal Controls fit well within the ITIL and CoBIT frameworks, asshown in Figure 4 above, to provide the measurement of operational supportprocesses but the COSO framework is primarily used for the safeguarding of



13/58

White Paper



Version 1.0

financial processes within an organization that sustain the executive level fiduciaryand regulatory responsibilities.

3.3.2 Governance Risk & Compliance (GRC)Numerous groups and entities have launched similar programs to address elementsof what the BCM embraces. This includes an industry segment defined as GRCfrom two different groups.

3.3.2.1 Open Compliance & Ethics Group (OCEG)

This group set out to establish a CoBIT© like framework that includes domains thatbridge numerous functions and processes. The OCEG Framework or CapabilityModel utilizes a Universal System Outcomes concept.

• Universal System Outcomes are the expected and measurable results of a high-performing GRC system defined in these process segments. Inform & Integrate

Detect & Discern Organize & Oversee Assess & Align Monitor & Measure Prevent & Promote Respond & Resolve

• Utilizing 8 Integrated Components with 8 Universal Outcomes Enhance Organizational Culture Increase Stakeholder Confidence Prepare & Protect the Organization Prevent, Detect & Reduce Adversity Motivate & Inspire Desired Conduct

Improve Responsiveness & Efficiency Optimize Economic & Social Value Achieve Business Objectives

• Each with its own Elements Each Element embodies a number of related Practices in a high-performing

GRC system. Each Element includes a discussion of Principles and CommonSources of Failure, as well as the Practices that support success.

3.3.2.2 Object Management Group GRC Round Table (GRC-RT)

This group understands the utilization of similar compliance requirements andestablishes a process for utilization, first by capturing the regulatory requirements.


14/58

White Paper



Version 1.0

Figure 5: GRC Automating Compliance

GRC-RT Diagram 13

Then by creating mappings between each compliance requirement element througha pertinent industry framework object to an identified internal control. Most of thesewill be bi-directional mappings with data flowing in both directions.

Figure 6: GRC Bi-Directional Compliance Mapping

When defining the regulation mapping through a framework, many relationships willdevelop that will economize on the overall process of compliance management.

13 All rights reserved by Object Management Group (OMG) GRC Roundtable - http://www.omg.org/ (http://www.grcroundtable.org/GRC_RT_Overview.pdf )


15/58

White Paper



Version 1.0

Figure 7: GRC Complex Relationship Mapping

GRC-RT Diagrams 14

The BCM Model attempts to provide a singularity of tasks and controls needed tomeet the objective of compliance, risk mitigation and business sustainability most likethe GRC-RT method shown above with the role up to management needed togovern the processes. This assumes that the pertinent industry model reflectedcontinues to address the ever changing regulations, thus the need for automating theprocess as much as possible.

4 The Business Continuity ParadigmWith the standards represented above, a Business Continuity Paradigm has takenshape. The context of this whitepaper will build on this paradigm to present a newmodel that organizations can use to establish a foundation of Business ContinuityPractices and Principles where metrics can be devised to provide both qualitativeand quantitative results of operational readiness performance to management.These foundations of collaborative methods are now referred to herein as the“Business Continuity Management” (BCM) and align with both the published andunpublished ISO standards referenced. As such, this BCM Model is designed to

provide an advance look into what the BCM future beholds.

4.1 What is BCM?

BCM is a board owned and driven set of processes established to facilitate thefunctions and services of the organization, which are defined by a strategic andtactical framework that:

14 All rights reserved by Object Management Group (OMG) GRC Roundtable - http://www.omg.org/ (http://www.grcroundtable.org/GRC_RT_Overview.pdf )


16/58

White Paper



Version 1.0

• Proactively improves the resiliency of the organization against a disruptionthat impedes the organization’s ability to achieve its key objectives.

• Provides a validated and tested method of recovery of the organization’s

ability to provide the functions and services at a predefined level within apredefined time.

• Affords the organization the ability to deliver a proven capability to manage itsbusiness while preserving its brand image and reputation.

4.1.1 Building Blocks

Much like what Program Management (PM) enables for holistic management ofprojects within an organization; BCM provides a similar level of management andfiduciary responsibility to mitigate risks to the continual operations of business. Thissystematic process facilitates organizational maturity and business resiliency utilizingthese essential building blocks:

1) BUSINESS CONTINUITY (BC): Establishes the ability of an organization toprovide service and support for its customers and to maintain its viabilitybefore, during, and after a business continuity event (i.e. disaster / crisis,natural or man made). BC in itself is only a starting point.

2) PLAN, DO, CHECK, ACTION (PDCA): An adaptation of the Deming wheel.While the Deming wheel stresses the need for constant interaction amongresearch, design, production, and sales, the PDCA Cycle asserts that everymanagerial action can be improved by careful application of the sequence:plan, do, check, action. Later in Deming's career, he modified PDCA to"Plan, Do, Study, Act" (PDSA) so as to better describe hisrecommendations. In Six Sigma programs, the PDSA cycle is called"Define, Measure, Analyze, Improve, Control" (DMAIC). The iterative nature

of the cycle must be explicitly added to the DMAIC procedure. The PDCAcycle implies a continual methodology of process improvement. Whereeach process includes controls that provide measurement of success that isused to define overall operation success. One poor process does notcause an organization to fail, systemic failure occurs where numerousprocess enable failure over time.

3) BUSINESS CONTINUITY PLANNING (BCP): Is the process of developingand documenting arrangements and procedures that enable anorganization to respond to an event that lasts for an unacceptable period oftime and return to performing its normal Business Critical Functions and/orsupporting System (BCFS) after an interruption. BCP is the documentationto facilitate the process of mitigation of risk to the operation of anorganization in preparation of the eventual crisis.

4) RISK MANAGEMENT (RM): Risk management is a structured approach tomanaging uncertainty related to a threat, a sequence of human activitiesincluding: risk assessment, strategies development to manage it, andmitigation of risk using managerial resources. Whereas risk managementtends to be preemptive, business continuity planning (BCP) was invented todeal with the consequences of realized residual risks. The necessity tohave BCP in place arises because even very unlikely events will occur ifgiven enough time. Risk management and BCP are often mistakenly seenas rivals or overlapping practices. In fact these processes are so tightly tied


17/58

White Paper



Version 1.0

together that such separation seems artificial. For example, the riskmanagement process creates important inputs for the BCP (assets, impactassessments, cost estimates etc). Risk management also proposesapplicable controls for the observed risks. Therefore, risk managementcovers several areas that are vital for the BCP process. However, the BCPprocess goes beyond risk management's preemptive approach and moveson from the assumption that the disaster will realize at some point. Thisincludes the assessment of each risk and where appropriate, theestablishment of mitigation controls to manage the process designed tominimize the risks potential impact.

5) BUSINESS CONTINUITY MANAGEMENT (BCM): Is defined15 as a holisticmanagement process that identifies potential impacts that threaten anorganization with associated risk, and provides a framework for buildingresiliency with the capability for an effective response which safeguards theinterests of its key stakeholders, reputation, brand and value creatingactivities. This management structure includes the facilitation of recovery,continuity and/or restoration in the event of a disaster or crisis through themanagement of an overall contingency program and through training,rehearsals, and reviews, to ensure the plan(s) stays current and up to date.This framework facilitates the entire process of preparing for the inevitablecrisis to strike which engage processes to mitigate the impact of risk to thebusiness operation. All of which provides for a sustainable and resilientorganization with the emphasis on ‘Risk Mitigation with Governance’ whichis engrained in the day-to-day operation of business.

This implies that BCM specifically provides: A level of managerial oversight at the appropriate organizational level which

has a stake in the continual operations of business with fiduciary

responsibilities. Quality processes that mitigates Critical Business Functions and/or support

Systems (BCFS). Processes that must: correlate to measurable financial impacts, be rated according to their risk potential, include their individual probability of disruption as reflected in Service Level

Agreement (SLA) management, be quantifiable through metrics measurement, and incorporate continual improvement.

BCM is the entire organization’s responsibility. Each entity and resource has a stakein the success of the organization as a whole, which emphasizes that the

organization will need to:• Identify, define and prioritize potential impacts in advance

• Create a framework to mitigate and manage risks, of each, within industrystandard guidelines

• Defend the organization against the potential of loss, with the resiliency to quicklyrecover in the event of a crisis

15 Definitions to the BCM terms used herein can be found in Appendix A


18/58

White Paper



Version 1.0

• Utilize industry best practices in creation and execution of the BusinessContinuity Management Lifecycle (Figure 3).

4.1.2 BCM Organizational OwnershipTo establish ownership and drive the BCM principles throughout the organization, aBCM strategy must be created and approved by a governing board within theorganization which has board level executive stakeholders. The reason ownershipmust reside at this level is clear. The board owns the overall resiliency of theorganization and as such they own the ability to manage resiliency. This isreinforced by many governmental regulations such as Sarbanes-Oxley (SOX)16 within the United States, where the CEO and CFO must personally attest to thevalidity of the financials reported.

4.1.3 BCM Strategy

Most organizations, regardless of size, have strategic directives to attain. These

may be necessary to grow business by increasing the product and services deliveredor to improve the availability of the goods and services provided. The consequencesof not pairing these directives to a means of resiliency are usually devastating to thecontinued operation of an organization. This may include loss of profits, customers,up to and including loss of life. The survival of an organization’s reputation orexistence is at stake!

NOTE: According to research by the University of Texas, when companiessuffer a catastroph ic data loss, 94 percent of them fail: 43 percent neverreopen, and the remaining 51 percent close within two years.

The alignment of the organizational strategic goals and objectives must beincorporated into the BCM Strategy to ensure that the organization can achieve both.The organizational structure needed to facilitate this process is within what this

model refers to as a ‘BCM Steering Committee’17

. The full BCM structure will bedefined further on in this paper.The key is that BCM recognizes the importance and need for stakeholders at thehighest organizational level to ensure the organization’s survivability and resiliency isproperly prioritized and subsequently maintained. As the stakes rise with newventures, BCM is the solution for the subsequent consequences of disruptions whichhave a direct and implied fiduciary impact that also include a probable regulatoryconsequence.

4.1.4 BCM and Risk Management

BCM has a direct relationship with most forms of Risk Management. The principlebehind BCM is to ‘Risk Mitigation with Governance’. This principle incorporates

many elements and types of risk management into the BCM Strategy andsubsequent program. One of the primary derivatives of a BCM program is toestablish direct feedback to the board level management on the ‘State of Readiness’which provides the ‘Value-Add’ needed by the board to ensure a sustainableoperation and to enable viable decisions!

16 Information on SOX can be found at http://www.sec.gov/divisions/corpfin/faqs/soxact2002.htm and the full SOX ACT ‘HR:3763’ -

http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_bills&docid=f:h3763enr.txt.pdf 17

This model will identify organizational roles and responsibilities paired with the BCM Process defined herein that utilize existing operationalresources for most of the stated requirements. Only a small complement of resources used to facilitate the BCM Process are actually neededwhere the actual number varies depending on the size and complexity of an organization.


19/58

White Paper



Version 1.0

4.2 Why BCM?

The principle reason BCM is needed is it forms an important element oforganizational management, provisioning of service and efficient and effective

deployment of resources very similar to the way Program Management performs arollup of resources and financials into a holistic view. This provides transparency intothe operational ‘State of Readiness’ at most process points to effectively manage theorganization to its optimal state of maturity and subsequent efficiency.This model encapsulates the benefit of utilization of existing resources for thefacilitation of risk mitigation through the adaptation of appropriate internal controls,thereby reducing the burden of cost normally associated with a separate structure.

4.2.1 Strategic Value

The alignment of BCM with an organization’s strategic vision and the utilization ofavailable skilled resources provide a substantive value to achieve the organizations

strategic objectives and goals. When the organization relies upon BCM as an assetwithin the definition of its strategy, the organization can only realize a higher thannormal probability of successful achievement.

4.2.2 Sustainability and Resiliency

All organizations strive to remain operable for a long duration, which translates intosustainability. To achieve sustainability the organization must have a program thatdrives to this goal. The BCM Model outlines the organization and processes neededto achieve sustainability. The use of sustainable practices, though utilization ofcontinually improving processes, a level of resiliency is established. Resiliencyenables an organization to undergo higher levels of risk impacts and remainoperational. Quality of service may degrade, but only to predefined levels. Thus,financial downturns, major service disruptions, or natural disasters can all bemitigated with appropriate controls in place to ensure the proper ‘State of Readiness’is maintained at all times.

5 The BCM ModelOver the history of the industrialized world, companies, organizations andbusinesses struggled with how to protect; what they built, how they are generatingrevenue, and all important, how to continue to grow. Facing sometimes catastrophiccrisis’s and financial down turns, many strong and prosperous entities survived. Forthose many that failed can be summed up in these three words; ‘were theyprepared?’‘Survival of the Fittest’ played out in real-time revealed those who continue tooperate today were prepared, and those that aren’t, were not. History has identifiedthat if an organization does not have a contingency plan, the probability for it tosustain a long term existence is slim.While there is no silver bullet with any framework, the BCM Model is a researchcompilation of standards, processes and experience that brings together for the firsttime a comprehensive framework for organizations to use for the sole purpose of‘being prepared!’. The BCM Model will walk through the ownership, fiduciary


20/58

White Paper



Version 1.0

responsibilities, along with the processes to create and sustain a program to mitigatemost common events. Included is essential information to protect the organization’sinterests and assets. In this ever changing global economy, organizations will need

every advantage afforded them to survive. How this is accomplished is the basis ofthe BCM Model with the underlying theme ‘Risk Mitigation with Governance’.

5.1 Business Continuity Management Components

Business Continuity Management model defines these elements into tactical aspectsof a BCM Process. BCM Process utilizes functional components to facilitate the‘Risk Mitigation with Governance’ principle. These structures of functionalcomponents are:

• Business Continuity Steering Committee

• Business Continuity Management Team

• Business Continuity Plan Administrator

• Business Continuity Leads or Business Continuity Coordinators/DisasterRecovery Coordinators

• Business Continuity Teams

Figure 8: BCM Components

5.2 Where to StartMost organizations find it difficult to identify the starting point of their BusinessContinuity program. A few indicators will clearly identify the starting point and helpidentify the effort needed to establish a quality program. Here is a list of some ofthose indicators:

• Has a Business Impact Analysis been conduction within the last 24 months?

• Utilizing the data from the Business Impact Analysis, was a Risk Assessmentconducted and critical functions and systems identified?


21/58

White Paper



Version 1.0

• Does existing documentation exist that can be used for planning purposes?

• Is the existing documentation adequate for the critical systems?

• Is there Executive stakeholder buy in and support?

• Has ownership of the various elements been established and accepted?• Has funding been granted and approved?

• Are short and long term business & IT objectives aligned?Once these indicators have been resolved, most organizations will succeed withestablishment of a Business Continuity Management program.Here is where we start.

5.2.1 Business Continuity Planning

Now that we have established the objectives driving the Business Continuityprogram, we can now begin planning. To start with, the senior management teamwill have defined a Business Continuity Strategy (BCS) to match what they see as

business risks needing mitigation surrounding the most common loss of businessservices. At a minimum the BCS should include the following policies, processes,and/or concepts:

A defined policy governing the Business Continuity Program, Process for the identification of the Business Continuity Management Team

and subsequent crisis or emergency management team structure (includingthe structure used to facilitate creation, maintenance, execution and trainingof the Business Continuity Plan),

Process for assignment identification, functional responsibilities, and approvalof the BCSC team along with governance structure as needed,

Conduct a Business Impact Analysis (BIA) to identification of the areas ofBusiness Critical Function and/or System (BCFS) that need to be protected,

along with the general scope of need for the various BCFS and respectivelocations of operation.

Risk Assessment on all high priority and/or critical BCFS items to include aprobability and impact value. These risk values will ensure internal controlscan be established with appropriate thresholds for success measurement.

With these elements understood, planning can proceed with the identification andestablishment of resources along with appropriate funding needed to satisfy thebusiness objectives driving the BCM program utilizing the following components.

5.2.2 Establishment of the Business Continuity Management Team

The Executive Management should identify the requirements of the BusinessContinuity Management Team (BCMT). A high-level organizational structure of the

BCMT is needed to identify who should serve on this team and what responsibilitieseach role will play in the functional operation of the BCMT. At a minimum the BCMTshould include:

At least one Executive, one Senior Management representative, and thenwhat ever level of management is deemed appropriate to represent the fulloperational complement of the overall organization,

An organizational structure that will provide the appropriate level of authorityon those areas of the organization that will most likely be directly involvedwith Business Continuity execution,


22/58

White Paper



Version 1.0

The designation of a “Crisis or Emergency Management Team” (EMT) fromcurrent management that will facilitate the execution of the BusinessContinuity Plan (BCP),

The emergency declaration classification types, rules and criteria.

Figure 9: BCM Organization

BCM

Business Continuity

Management Organization

BUSINESS CONTINUITY STEERING COMMITTEE (BCSC):

A com mit tee of deci sion makers, p rocess owner s,technology experts and continuity professionals, tasked withmaking strategic recovery and continuity planning decisions

for the organization.

BUSINESS CONTINUITY TEAM (BCT):

Designated individuals responsible for developing,execution, rehearsals, and maintenance of the business

continuity plan, including the processes and procedures.SIMILAR TERMS: Disaster Recovery Management Team, Business Recovery Management

Team. Associated terms: Emergency Management Team.

BUSINESS CONTINUITY MANAGEMENT (BCM):

A hol istic managem ent pr ocess t hat id entifi es pote ntial i mpacts thatthreaten an organization and provides a framework for building

resilience with the capability for an effective response thatsafeguards the interests of its key stakeholders, reputation, brand

and value creating activities. The management of recovery or

continuity in the event of a disaster. Also the management of theoverall program through training, rehearsals, and reviews, to ensure

the plan stays current and up to date.

BUSINESS CONTINUITY MANAGEMENT PROGRAM: An on goin g manag ement an d gov ernanc e proc ess sup por ted by

senior management and resourced to ensure that the necessarysteps are taken to identify the impact of potential losses, maintain

viable recovery strategies and plans, and ensure continuity of

products/services through exercising, rehearsal, testing, training,maintenance and assurance.

Risk

Management

through

Governance

DepartmentalDesignees

BC

Team(BCT)

OrganizationalDesignee

BCM

Corrdinator (DRC/BCC)0

DISASTER:

A sudd en, unpl anned calam itou s event cau sing greatdamage or loss as defined or determined by a risk

assessment and BIA; 1) Any event that creates an inability on

an organizations part to provide Business Critical Functionsfor some predetermined period of time. 2) In the business

environment, any event that creates an inabilit y on an

organization’s part to provide the critical business functions

for some predetermined period of time. 3) The period whencompany management decides to divert f rom normal

production responses and exercises its disaster recovery

plan. Typically signifies the beginnin g of a move from aprimary to an alternate location.

SIMILAR TERMS: Business Interruption; Outage; Catastrophe

THREAT: A comb inati on of the ri sk, th e consequ ence of t hat ri sk, and

the likelihood t hat the negative event will t ake place.

Assoc iated t erm: r isk. Ex ample Thr eats: Natu ral, Man-mad e,

Technological, and Political disasters.)

Executive ManagementTeam and Assignees

BCM

Steering

Committee(BCSC)

BUSINESS CONTINUITY MANAGEMENT TEAM (BCMT): A gro up of indi vidual s fun ctio nally respo nsibl e for d irect ing

the development of the business continuit y plan, as well as

responsible for participation in the declaring a disaster andaiding the recovery process, both pre-disaster and post-

disaster. Also r eferred to as the Executive Emergency

Management Team (EEMT)SIMILAR TERMS: Disaster Recovery Management Team, Business Recovery Management

Team. Associated terms: Emergency Management Team.

EMERGENCY MANAGEMENT TEAM (EMT): A gro up of managers f unct ionall y resp onsi ble fo r

execution of the business continuity plan, as well as

responsible for declaring a disaster and providingdirection during the recovery process, both pre-disaster

and post-disaster.SIMILAR TERMS: Disaster Recovery Management Team, Business Recovery

Management Team. Associated terms: Crisis Management Team.DISASTER RECOVERY COORDINATOR (DRC):

A rol e of th e BCM progr am that l eads & coo rdin ates

planning and implementation for recovery of an

organization, location or unit for technical functions.SIMILAR ROLES: Disaster Recovery Planner, and Disaster Recovery Administrator

May also act as a Plan Administrator

BUSINESS CONTINUITY COORDINATOR (BCC):

A rol e of th e BCM progr am that l eads & coo rdin ates

planning and implementation for recovery of an

organization, location or unit for nontechnical functions.SIMILAR ROLES: Business Recovery Coordinator, Business Recovery Planner

May also act as a Plan Administrator

Designated Managers

BCM

Emergency

ManagementTeam

(EMT)

Designated Senior &Executive Managers

BCM

Team(BCMT)

5.2.3 Establishment of a Business Continuity Steering Committee

The Business Continuity Steering Committee (BCSC) shall be created by theBusiness Continuity Management Team (BCMT). The BCSC shall be populated withrepresentation of all Business Critical Functions and/or supporting System (BCFS)areas with management and senior employees by referral from a member of theBCMT and approved by Executive Management. The BCSC team must have bothexecutive management and broad employee based support to provide an effectiveand representative body that will be viewed by all as the appropriate members of theorganization to provide Business Continuity vision and direction. This team will beresponsible for providing the organization with strategic oversight on all BusinessContinuity initiatives, policies, processes, plans and structures. The BCSC shall meeton a regular schedule, not less than quarterly, and rely on the Business ContinuityManagement Team for all fiduciary requirements identified.

5.2.4 Defining the Policy

The Business Continuity Steering Committee should establish a policy that willprovide an overall guidance to the teams implementing Business Continuity. A high-level policy must be published to identify several factors to the organization as awhole. The Business Continuity policy should set the expectations the organization


23/58

White Paper



Version 1.0

has for all employees, contractors and agents. These should be as clear and conciseas possible and must be approved by executive management with enforceableterms.The Business Continuity Policy should include:

Overall Business Continuity mission statement Company Business Continuity objectives Who participates in Business Continuity Enforceable terms deemed necessary Governance

5.2.5 Defining Management Components

The Business Continuity Steering Committee should establish a managementstructure to facilitate the execution of the BCM Program. The Components of theBusiness Continuity Management Structure should include:

Identification of the Owners of the main Business Continuity Plans (BCP)

needed to appropriately respond to a crisis. Establish a Business Continuity Strategy (BCS) to provide direction aligned

with business objectives. Define a recovery management process that includes metrics for all Business

Critical Function and/or supporting Service (BCSF). The conduct of a Business Impact Analysis to provide vital financial ties to

each identified BCFS. Facilitate the establishment of the Business Continuity Sub-plan ownership at

the operational level through the Business Continuity Team. (BCT)

Figure 10: BCM Components

BCM

Business Continuity

Management Components

BUSINESS CONTINUITY STRATEGY (BCMS): An appr oach by an organi zation t hat wil l ensur e its r ecovery and cont inui tyin the face of a disaster or other major outage. Plans and methodologies are

determined by the organizations strategy. There may be more than one

solution to ful fill an organization’s strategy. Examples: Internal or externalhot-site, or cold-sit e, Alternate Work Area reciprocal agreement, Mobile

Recovery, Quick Ship / Drop Ship, Consorti um-based solutions, etc.

BUSINESS IMPACT ANALYSIS (BIA): A pro cess desi gned to prio rit ize Busi ness Cri tical Functi ons

and supporting Systems by assessing the potentialquantitative (financial) and qualitative (non-financial) impact

that might r esult if an or ganization was to experience a

business continuity event.

BUSINESS INTERRUPTION:

Any even t, wheth er anti cipated (i.e., publ ic serv ice str ike) orunanticipated (i.e., blackout) which disrupts the normal course of

business operations at an organization’s location. Simi lar terms:outage, service interruption. Associated terms: business

interruption costs, business interruption insurance.

BUSINESS CONTINUITY MANAGEMENT PROCESS:

The Business Continuity Institute’s BCM process (also known as theBC Life Cycle) combines 6 key elements: 1) Understanding Your

Business 2) Continui ty Strategies 3) Developing a BCM Response 4)Establishing a Continui ty Culture 5) Exercising, Rehearsal & Testing

6) The BCM Management Process

Recovery

Management

DHLGMDepartment Managers

BC / DR

Plan

BCMDesignee

BCMStrategy

(BCMS)

External Auditor

BIA

BCT

BRP / DRP

BUSINESS CONTINUITY PLAN (BCP):

Process of developing and documenting arrangements andprocedures that enable an organization to respond to an event

that lasts for an unacceptable period of time and return to

performing its critical functions after an interruption.SIMILAR TERMS: Busin ess Resumption Plan, Continuity Plan, Contingency Plan,

Disaster Recovery Plan, Recovery Plan.

DISASTER RECOVERY PLAN (DRP):The management approved document th at defines the

resources, actions, tasks and d ata required to manage thetechnology recovery effort. Usually refers to the technology

recovery effort. This is a component of the Business

Continuity Management Program.SIMILAR TERMS: B usiness Continuity Management Plan, Recovery Plan.

RECOVERY POINT OBJECTIVE (RPO):

From a business perspective RPO is the maximumamount of data loss t he business can incur in an event.

The targeted point in time t o which systems and datamust be recovered after an outage as determined by the

business unit.

RECOVERY TIME OBJECTIVE (RTO):

The period of time within which sys tems, applications, orfunctions m ust be recovered after an outage (e.g. one

business day). RTO’s are often used as the basis f or thedevelopment of recovery str ategies, and as a determinant

as to whether or not to impl ement the recovery strategiesduring a disaster situation.

SIMILAR TERMS: Maximum All owable Downtime

RECOVERY:

Implementing the prioriti zed actions required to r eturn theprocesses and support functions to operational stability

following an interruption or disaster.

BUSINESS RESUMPTION PLANNING (BRP):

TERM Currently Being ReworkedSIMILAR TERMS: Business Continuity Planni ng, Disaster Recovery Planning

DISASTER RECOVERY PLANNING (DRP):

The technological aspect of business continuity planning.The advance planning and preparation that is necessary to

minimize loss and ensure continuity of t he Business Critical

Functions and supporting Systems of an organization inthe event of disaster.

SIMILAR TERMS: Contingency Planning; Bu siness Resumption Planning;

Corporate Contingency Planning; Business Interruption Planning; DisasterPreparedness.


24/58

White Paper



Version 1.0

5.3 Conduct ing the BIA

To fully understand the potential impact any loss of service could have on business,a Business Impact Analysis (BIA) should be conducted. The conduct of a BIA

should be scheduled every 3 to 5 years to keep the information used for lossidentification current. A BIA should be performed prior to the BCS creation to ensurethat the organization has identified the BCFSs that represent what the loss potentialis, how it can be mitigated, and what the implications to the services provided wouldmean to the recipient of those services. When a BIA is re-conducted after the BCMProgram is in place, it will be used to update the BCFS list and financial risks ofeach. The Business Continuity Management Team and Business ContinuitySteering Committee participants may be adjusted based upon the informationprovided.The following few slides describe the essence of the BIA:

5.3.1 BIA - Identifying Crit ical Needs …The critical needs should be identified within all departments. Critical needs includeall information, processes, activities and equipment needed to continue operationsshould a department be destroyed or become inaccessible. To determine the criticalneeds of the organization, each department should document all important functionsperformed within that department. This information can be gathered by documentingdaily activities within each department.

An analysis over a period of two weeks to one month can indicate the principlefunctions performed inside and outside the department, and assist in identifying thenecessary data requirements for the department to conduct its daily operationssatisfactorily. This determines the Business Critical Function and/or supportingService (BCSF) which are critical functions / systems relied on to perform criticalbusiness functions, System or application interfaces, that require a Maximumacceptable outage for the system considering both the user perspective and thetechnical perspective.

5.3.2 BIA - Business Critical Functions / Systems

To Identify Business Critical Function and/or supporting Service (BCSF) some of thediagnostic questions that are asked include:

What specialized equipment is used in the department and how is it used? What are lead times for replacing critical equipment? If the on-line systems were not available, how could the department continue

to function?

What parameters, guidelines, or procedures would be necessary to limitexposure during on-line systems downtime (i.e., management approval maybe required of checks or disbursements above specified dollar amounts)?

What is the minimum staff and floor space needed to continue operations atanother facility?

What special forms and supplies are needed for each departmental area? What communication devices (i.e., telephones, facsimile equipment, and data

transmission equipment) would be necessary to continue operations?


25/58

White Paper



Version 1.0

Which employees have been trained to carry out several departmental jobs orresponsibilities and could fill positions of key employees if they wereunavailable?

5.3.3 BIA - Outage Impact Analysis

Once the critical needs have been documented, it is important to determine theimpact of an outage to the critical systems and business functions. The impactdepends on the type of outage that occurs, and the time that lapses before normaloperations can be resumed. The following information should be carefully analyzed:

Impact Analysis is defined by these six areas:1. Business Function Description2. Critical Systems3. Dependencies4. Workflow Impact5. Future Business Function Changes

6. Impact of Not Processing Business Function Description is:

1. Size of the business function (e.g., total revenue, number ofemployees, number of patients, etc.)

2. Main purpose of the business function (e.g., revenue generation,administrative, customer service, support function, ancillary function,etc.)

3. Critical operations performed. Critical Systems Description is:

1. Systems relied on to perform critical business functions2. System or application interfaces3. Maximum acceptable outage for the system, considering both the

user perspective and the technical perspective Dependencies Description is:

1. Dependencies between business functions2. Dependencies between departments3. Dependencies between systems

Workflow Impact Description is:1. Loss of controls2. Major bottlenecks3. Potential stop in the workflow4. Complete interruption of the workflow

Future Business Function Changes Description is:1. Systems

2. Procedures3. Operations4. Personnel5. Organization6. Other changes

Impact of Processing Failure Description is:1. Impact on customer service2. Noncompliance with government regulations3. Noncompliance with existing contracts4. Increase in personnel requirements


26/58

White Paper



Version 1.0

5. Loss of revenue6. Loss of business7. Increased operating costs8. Penalties9. Loss of financial management capability10. Loss of competitive edge11. Loss of goodwill12. Negative media coverage13. Loss of stockholder confidence14. Legal actions15. Other impacts

Redundancy Levels Description is:‘Existing and required redundancy levels throughout the organization toaccommodate critical systems and functions:’

1. Hardware2. Information3. Personnel4. Services

Alternate Processing Methods Description is:1. Alternate processing methods for the critical functions in the event of

a systems outage2. Impact of using the alternative processing method3. Alternate processing costs

5.4 Risk Assessment

The Business Critical Functions and/or Services identified in the BIA must now beanalyzed to determine their impact and probability of disruption to establish a

ranking of each. Once the BCFS risks are ranked to a common scale (usually 1 to 3or 1 to 5 with 1 having the highest priority i.e. Severity 1), then planning prioritizationis applied and a list of plans generated. The object is the mitigation of risk for thehighest ranked items first, then working down through the list until all critical itemshave mitigation plans that are ready for validation. Re-ranking may take place asmore information is discovered during the risk assessment process.Risk assignments are used to design internal controls (ICs) and thresholds thatprovide measurement of success which feed the ‘State of Readiness’ metrics.These same ICs should also be mapped to any regulatory requirements to ensure atotal risk is known and measured.

NOTE: Priority ranking should follow what ever scale is used within the current

Incident / Problem Management system to take full advantage of establishedprocesses. Universal use of common terms within this process should also beadopted to avoid communication failures and confusion.

5.5 Risk Mitigation

It is important to identify risks, associate the cost of each and trend it over time,however, if the risk is never mitigated then it will continue to be a drain on theorganization’s sustainability which may ultimately lead to its demise. To address thistopic, continual improvement processes mandate that this information be analyzed


27/58

White Paper



Version 1.0

and addressed where appropriate for a given organizations goals and objectives.Mitigating every risk is too costly, even for the largest of organizations.Understanding the risk’s implications to the current business strategy will provide the

most cost effective means of Risk Mitigate any organization can afford.

The Disaster Recovery Timeline shown in Figure 11 illustrates the elementary pointsof risk that must be identified, evaluated and prioritized for impact that incorporates abusiness established tolerance. This must be accomplished for every BusinessCritical Function and/or supporting Service (BCSF) identified in the BIA. Thisrecovery data will be included in any Service Level Agreement (SLA) establishedwith the service provider whether internal or external.

Figure 11: Disaster Recovery Timeline

5.5.1 Risk Mitigation – Crisis Points Defined

RPO – is the last known point of valid data on a system by system or function

by function basis. This is the starting point of data restoration and is ownedby IT as agreed too by Business.

RTO – is the technical point of restoration of a system or function. This is thestarting point where processing can restart after the failure. It is owned by ITas agreed too by Business.

MTD – is the point at which all recovery processing has been completedwhile processing current normal daily activities. This is the actual return toBusiness As Usual state. This is solely owned by business.


28/58

White Paper



Version 1.0

WRT – is the amount of time and effort needed to recover from the crisis.This includes the reentry of data from;

The point of the crisis back to the RPO, The manual data collected from the point of crisis to the RTO, And the processing of current daily data needed to stay current with the

expectation of business services Most companies fail because they do not plan this recovery period

5.5.2 Importance of Defining Risk Points

Failure to identify a point of risk is opening the flood gates and inviting in a crisis.Each BCFS must have its Risk Points defined and accepted by business and theservice or function provider.Risk Point failures;

Lack of adequately define Risk Points will cause failure Lack of organizational participation in Risk Point metrics establishment will

cause failure How to you create SLA’s without Risk Point definitions and measurements?

(You can’t!) Establishing Risk Points with Metrics is essential to the successful creation of

every BCM Plan (BCP, Sub-BCP) and the sustainability of business! Identification of regulatory requirements inclusive with the risk points ensures

compliance is included in the success measurement.

5.5.3 Risk Cost Modeling

Utilizing the financial data from the Business Impact Analysis (BIA) for eachBusiness Critical Function and/or supporting Service (BCSF) a Risk Cost Model canbe created to identify the underlying cost for each BCFS along with the projected

revenue stream disrupted in the event of its failure. Building this model requiresbusiness participation to adequately track and trend the risk cost over a period oftime. The resulting Risk Cost Model represents the BCM Model’s ability to provide‘Value Add’ by providing another vantage point of an organization’s sustainability.Research does not reveal an industry targeted risk level to achieve; however, wewere able to extrapolate from other risk models and business objectives to establisha risk target of 2% or less. The example below uses ‘Top Line Revenue’ as a basisfor the risk cost analysis. Governments and other organizations may need to use‘Bottom Line Revenue’. In either case, the target should complement theorganization’s strategic goals and objectives.


29/58

White Paper



Version 1.0

Figure 12: Risk Cost Model Trending Example

NOTE: Investment in Risk Mitigation through a BCM Program is a long termbusiness ob jective, to suggest otherwise is setting the stage for failure.

5.5.4 Mitigating Risks

The BIA is essential to establish the parameters for mitigating risk. What do we dowith this information?

Identifies the Business Critical Function and/or supporting Service (BCFS)

with supporting financial data Identifies the priorities business places on each BCFS, usually financially

driven Identifies the cost to business if the BCFS were to fail. Supporting services of

the BCFS should retain the same status as the high level business function.How do we use this information?

Build Risk Cost models utilizing real financial data on a BCFS by BCFS basisthat reflects a real ‘State of Readiness’

Establish a financial connection for each BCFS and their supporting servicesthat include resources, service contracts and SLAs.

Through planning risk is mitigated thus establishing a Value Add by providinga form or ‘Revenue Protection’ not currently available to the business.

How is this accomplished? Risk Point identification with established business tolerance / threshold

metrics for each Service Level Agreements that have real achievable metrics Risk Cost Modeling to show the financial implications of risk mitigation (ROI) Risk Analysis using Strategic Plan as a long term projection of impact

severity and probability of occurrenceWhat does it provide?

Identifies priority for funding mitigation solutions


30/58

White Paper



Version 1.0

Enables cooperative planning between provider and user Establishes path to successful achievement of strategic business goals and

objectives Affordable Sustainability with attainable Resiliency

6 Business Continuity Plan CreationThe preparation stage of the BCM Model and all industry leading standards mandatethe creation of plans to facilitate the continuity of operations. The creation of theseplans is where many fail to get a program off the ground. This aspect of the processis defined with what plans would represent a minimal scenario for any organizationalong with a structured process for integrating them together to attain a sustainableprogram. The effort to create the documentation required is no small task, however,without the basis to draw upon, the program and subsequently the operations isdestined to fail.

Engaging the appropriate resources is required for the successful creation ofcontingency plans. Ownership must reside with the appropriate assigned skill toenable the execution when required. The basic literary level of each plan shouldaddress the principle of utilizing a similar skill near or at the level required to performdaily management. Utilizing these basic principles will enhance the probability ofsuccessful creation of the plans needed.

6.1 Creating the Business Continuity Plan

With the full understanding of “What BCM is”, the process of creating the BusinessContinuity Plan (BCP) can now take place. With the BCM organizational structuredefined, resources assigned, a Business Impact Analysis (BIA) conducted, Risk

Assessment completed with mitigation steps identified and with an approved BCSdocumented, the next step is to create the Business Continuity Plan. The BCP iscreated, maintained and administered by the Business Continuity Plan Administrator(BCPA) to include:

Identification of all BCFSs and their associated risks to business, along withthe appropriate resources to facilitate the execution of safeguarding andrestoring each BCFS.

The processes, procedures, actions, tasks and/or steps used to mitigate therisks identified for the various plausible scenarios at each business location,

Identification of all locations included, along with any sub-plans needed toprovide adequate coverage for each risk to be mitigate,

A clear communications process to identify, evaluate, declare and recover

from most typical causes to loss of service delivery capability or disaster thatincludes all required resources, roles, locations, with information publicationtypes and guidelines,

The process for Business Continuity Plans updates organizationalawareness, training and periodic validation testing.

6.2 BCM Process Components

We can now explore what plan components are used within the BCM.


31/58

White Paper



Version 1.0

The BCM utilizes several types of components to provide appropriate coverage andmanagement of the process. The BCM Process Components define the areas andtypes of plans used.

NOTE: Figure 13 depicts the various plan components and potential uses.The components include:

Organizational level management that includes the BCM Program charter,goals, objectives and controls. This will include:

Master Plan, Communications Plan, Common Process plan to facilitate the interoperations with all other plans. Operational level management includes Business Continuity Plans that detail

the actions taken. This will include: Site (Location) Plan, Sub-Plans with the specific task taken by the skilled resource teams, Contingency Plans are usually at the Department level to provide guidance to

safeguard items across multiple locations that are the responsibility of adepartment.

Figure 13: BCM Process Components

6.2.1 BCM Master Plan

The BCM Master Business Continuity Plan (Master BCP) is used by seniormanagement to establish the overall governing process for facilitating BusinessContinuity. (Owner: BCMT) The BCM Master Plan is the BCP document thatcontains the primary policies, process, procedures and actions needed protect theorganization from serious BCFS loss.The BCM Master BCP should include the organization’s policy and vision withdealing with emergencies, either man made or natural. The processes listed in the


32/58

White Paper



Version 1.0

plan will include the BCP Communications Plan; EMT, BCC/DRC and BCT teamactivities; organized by major crisis type, location crisis type and contingencies withchecklists for the various BCFSs and actions required for each. If situationalcontingencies have been prepared, they will be identified and referenced within theBCM Master Plan. Recovery activities for each BCFS and location will be referencedfor EMT guidance and execution.

6.2.2 BCM Communications Plan

The ability to communicate during any crisis or emergency is paramount tosuccessful BCP execution. (Owner: BCMT). A BCM Communications Plan must becreated to become a primary section of the BCP Master Plan to ensure identificationof all BCM resources for all sites and functions the BCP is intended to cover.The Communications Plan will also list all Notification and Reporting schedules/listsrequired to ensure appropriate resources are engaged and informed with the currentstatus published in accordance within organizational policies and guidelines. The

BCM Communications Plan should include the following contact information: Identification of the BCMT and subsequent CMT/EMT Identification of the organization’s business locations with BCFS Identification of the BCC/DRC by location and function Identification of the BCT by location and function Identification of the external contingencies, emergency facilities, key venders

and key customers, or other contingency contact information deemedappropriate

6.2.3 BCM Common Processes Plan

The ability to manage status and instruct flow during the execution of a crisis oremergency is a key basis to successful business risk mitigation. (Owner: BCMT) A

BCM Common Processes Plan must be created and become a complementarysection to both the BCP Master and Communication Plans to ensure status reportingand execution of activities between the EMT and the BCC/DRC is properly managedand maintained.The Common Processes Plan will list all Status Notification and Reporting schedulesrequired to ensure the EMT is fully informed as to the current status of the crisis oremergency and all actions engaged by the BCC/DRC. The BCM CommonProcesses Plan should include the following information:

Meeting requirements for all teams to establish Command & Controlrequirements

Common Status Reporting Schedules and activities Common steps taken by the EMT, EOC, BCC, DRC and BCT

Other common activities that is required within the execution of all BCPs

6.2.4 BCP Site Plans

To successfully execute the mitigating actions needed to protect the organizationfrom loss at the Facility level, action steps must be planned in great detail using BCPSite Plans. (Owner: BCC, DRC).

A BCP Site Plan is the level of actions or steps taken by the resources physicallyprotecting the organizational assets within a single facility. The actions listed within aSite Plan shall be defined as a major BCFS and/or operational system that may be


33/58

White Paper



Version 1.0

disrupted from normal operation during the course of a crisis or emergency. BCFSsor Systems will be listed by standard reference nomenclature so as not todisseminate misleading or confusing information or status.The Site Plans will define the steps needed by a reasonably skilled resource toprotect site’s BCFSs or Systems. The resource executing these steps may not befully skilled on the BCFS or System so the level of

Documents

Manning at Conventional Marine Terminals_OCIMF