Implementing Business Continuity in your Organisation [CISMP]

Implementation process

One of the most important elements of managing any project or programme is the assignment of responsibilities.

The owner of a BCM programme will typically be someone in senior management, preferably at board level, so they have greater influence.

Assigning overall BCM ownership in this way ensures a top-down approach, so staff can see commitment from the highest level in the organisation.

Once responsibilities have been agreed and assigned, the programme can be implemented.

The overall implementation scope consists of:

  • BCM programme management
  • Understanding the organisation
  • Determining the BCM strategies
  • Developing the BCM response
  • Embedding the BCM culture throughout the organisation

The management of the BCM programme is tackled in the same way as any project. Begin by defining what’s in scope, then set the objectives, agree the tasks and timescales, define the actual deliverables, assign responsibilities, and issue the delivery milestones.


Your BCM arrangements cannot be considered reliable until they are exercised and have proved to be workable.

It’s good practice to ensure that all staff in your organisation who have business continuity responsibilities receive training on BCM.

Programme management

Business continuity management is an ongoing process. Once the cycle has been completed for the first time, it should begin again. There are many reasons for this, including the following.

  • The organisation is unlikely to get it ‘right first time’ and a certain amount of practice will be required.
  • The organisation itself won’t stand still, as new products, locations and business strategies will affect the way BCM is approached.
  • Even though an organisation might reach the point of BCM maturity, it may decide to take the next step of gaining certification aligned to a standard, such as ISO 22301.

The BCM programme must deliver quality documentation, which will guide staff through the early stages of risk assessment and help them manage a serious disruptive event.

There are a number of activities that should be undertaken on an ongoing basis to ensure that BCM continues to be embedded in the organisation and remains current. Activities include:

  • making sure that the BC plans, and related documents, are regularly reviewed and updated.
  • continuing to promote business continuity across the organisation.
  • administering the exercise programme.
  • keeping the BCM programme updated through lessons learned and good practice.

Security incident management

Incidents can have a big impact on your organisation in terms of productivity, cost, and reputation. Quickly detecting and responding to incidents will help to prevent further damage and lessen the financial and operational impact.

Business continuity and disaster recovery start with the incident management process, as illustrated below. Key facets of disaster recovery and incident management, including risk management, can be found or referenced within a BCP.


Figure 1: Incident management

Risk management protects the organisation against failures and disruptive incidents. A good risk management approach will be embedded throughout your organisation and complement the way you manage other business risks. 

Other important elements of incident management are:

  • Detection: observing that something disruptive has occurred and that remedial action needs to be taken.
  • Response: the actions taken by the organisation’s staff, and possibly third parties, to deal with the incident.
  • Recovery: the speed at which the organisation returns to a normal or near-normal state following the incident.

Learning from incidents identifies gaps and issues with your response capability, meaning you will be better prepared for any future incidents.

Understanding the organisation

Undertaking a business impact analysis, a continuity requirements analysis and a risk assessment will enable you to understand your organisation better. This is a key element of BCM and the foundation on which the whole process is built.

To fully understand the organisation, the ‘mission-critical’ areas of the business need to be defined. These could be any area of the business, for example operations, finance, sales, marketing, and HR.

Senior management will direct the programme manager to the appropriate members of staff who can provide more detailed information. This will help in carrying out the business impact analysis. A BIA identifies and documents:

  • your key products and services.
  • the critical activities required to deliver these.
  • the impact that a disruption of these activities would have on your organisation.
  • the resources required to resume the activities.

The consequences to the organisation might be direct, in the form of financial loss, or indirect, in the form of brand and reputational damage.

The next step will be to perform a continuity requirements analysis or CRA, identifying the resources required to achieve recovery. This will subsequently enable the organisation to determine the most appropriate recovery strategies.

You should focus your risk assessment on the critical activities and supporting resources identified in the BIA stage. Your risk assessment will look at the likelihood and impact of a variety of risks that could cause a business interruption. In some cases this will be based on historical data (a quantitative risk assessment approach), in others on expert opinion (a qualitative approach).

The actual risk is then calculated as the consequence multiplied by the likelihood, and the results are plotted on a risk matrix (illustrated below). This will allow the organisation to decide which risks to address first. Then, the options for dealing with the identified risks (e.g., avoid, accept, tolerate, reduce, transfer) can be evaluated.

A Risk Matrix displaying three separate levels of impact and likelihood, high, medium, and low. You look to where both your impact and likelihood criteria meet to get your risk rating of high risk, medium risk, or low risk.

Figure 2: A risk matrix


In this Course, you will learn about what it takes to implement your business continuity plan, which covers a wide range of activities for BCM owners to follow. You’ll later turn your attention to disaster recovery (as part of BCM), and how to document, test and communicate your plans. You’ll end this Course by looking at a common approach to understanding how business activities will be affected during and following a disruption, called Plan-Do-Check-Act.
