A comprehensive business continuity management system (BCMS) consists of several operational components, all of which must be in place in some form to enable an organization to respond effectively to an incident. EMSS provides consulting, support and training in all of the key areas. The operational components of a BCMS are illustrated in the following diagram:
Crisis / Incident Management
A core principle of incident management is the need to establish and enforce management relationships and authorities that enable decisive control over resources used to isolate and contain the disruptive incident, and to execute response and recovery plans as necessary. This is the purpose of the Incident Management Plan (alternatively “Crisis Management Plan”), which documents the procedures and responsibilities associated with the Incident Management Team. The Incident Management Plan will contain, at minimum, procedures for identifying and assessing an incident, and activating the Incident Management Team. In addition, the Incident Management Plan also contains position descriptions and operational checklists for each key Incident Management Team role.
A pandemic event has characteristics that force significant changes to the organization’s response strategy. Specifically, unlike many other threats, a pandemic entails no direct physical damage to facilities, technology infrastructure, or regional transportation and communications systems. Rather, the risks associated with a pandemic event lie exclusively with people: the organization’s employees, customers, and suppliers. Additionally, the duration of a pandemic event will often be measured over several months, whereas most other disruptive incidents end within a matter of minutes or hours. These factors require the organization to develop a specialized Business Continuity Plan that addresses the planning and response efforts specific to a pandemic event.
The essential purpose of the Business Impact Analysis (BIA) is to identify all business processes that the organization executes to accomplish its goals, and evaluate them as to the impacts that would be incurred over time in the event of their disruption. The result of this analysis yields a Recovery Time Objective (RTO) for each process, the time within which the process must resume execution to prevent an unacceptable loss to the organization. The BIA is a primary planning document for the operational elements of the business continuity program because it frames, in aggregate, the priorities and timelines for all business process recovery activities.
The Risk Assessment identifies all threats the organization faces and the relatively priority of those threats against one another based on the likelihood and potential impact of each threat. While the Risk Assessment does not have a direct bearing on the operational aspects of the business continuity program, it is essential as a mechanism for driving the organization’s risk prevention and mitigation activities, designed to prevent disruptive incidents from occurring in the first place. The Risk Assessment effectively extends the scope of the BCMS from tactical “response and recovery” to the broader notion of “organizational resiliency.”
A Business Continuity Plan (BCP) contains the detailed information necessary to implement identified business process recovery strategies. The typical BCP focuses on a department (or other work group, as may be identified by the organization) that has operational responsibility for one or more business processes that must be recovered in the aftermath of a disruptive event. The BCP will contain, at minimum, the resources needed to recover business processes within their identified Recovery Time Objectives (as documented in the Business Impact Analysis) and the procedures to be used in executing that recovery.
The ability to communicate quickly and effectively to key internal and external audiences often becomes the hallmark of a successful response effort. The Crisis Communication Plan articulates the organization’s communication strategies, roles and responsibilities specific to the task, target audience groups and the individuals accountable for maintaining appropriate communications with each, and templates designed to accelerate the process of creating key messages. The Crisis Communication Plan will also specify the authorities of the communications staff and the management relationship they will have with the corporate Incident Management Team.
Information Technology Disaster Recovery
The IT Disaster Recovery Plan (DRP) is a specialized form of BCP that addresses the recovery of technology assets. The DRP is typically framed as one or more documents and addresses the detailed technical steps necessary to relocate (if necessary) and restore systems and applications that have been disrupted. The timeframes for recovering systems and applications will be driven by the business process recovery times articulated in the Business Impact Analysis. It is important to note that having a DRP does not negate the need for an organizational BCP that addresses the recovery strategies and resources required to restore the business functions of the technology service provider’s staff.
Business Continuity Governance
Program Governance defines the business continuity program from the perspective of corporate policy, fundamental program goals and objectives, responsibilities and authorities of various roles within the program, and other subjects that define how the program will be administered.
1While not explicitly shown on the diagram – which focuses primarily on the operational components of a Business Continuity Management System – the BIA and Risk Assessment are essential planning tools. In particular, information gained through the BIA is a critical prerequisite to forming recovery strategies that are implemented through the Business Continuity Plans and the Information Technology Disaster Recovery Plan.