File Content -
4. Business Continuity Planning and Disaster Recovery Planning
4.1 Types of Plans
1. Emergency Plan
• The emergency plan specifies the actions to be undertaken immediately when a disaster occurs.
• Management must identify those situations that require the plan to be invoked e.g., major fire,
major structural damage, and terrorist attack.
• The actions to be initiated can vary depending on the nature of the disaster that occurs.
• When the situations that evoke the plan have been identified, four aspects of the em ergency
plan must be articulated.
First, the plan must show ‘who is to be notified immediately when the disaster occurs -
management, police, fire department, medicos, and so on’.
Second, the plan must show actions to be undertaken, such as shutdown of equipment,
removal of files, and termination of power.
Third, any evacuation procedures required must be specified.
Fourth, return procedures must be designated. In all cases, the personnel responsible for the
actions must be identified, and the protocols to be followed must be specified clearly.
2. Back -up Plan
• The backup plan specifies
− the type of backup to be kept,
− frequency with which backup is to be undertaken,
− procedures for making backup,
− location of backup resources,
− site where these resources can be assembled and operations restarted,
− personnel who are responsible for gathering backup resources and restarting operations,
− Priorities to be assigned to recovering the systems and a time frame for recovery of each
system.
• The backup plan needs continuous updating as changes occur.
3. Recovery Plan
• Recovery plans set out procedures to restore full information system capabilities. The plan might
also indicate which applications are to be recovered first.
• Recovery plan should identify a recovery committee that will be responsible for working out the
specifics of the recovery to be undertaken. The plan should specify the responsibilities of the
committee and provide guidelines on priorities to be followed.
• Periodically, they must review and practice executing their responsibilities so they are prepared
should a disaster occur.
• If committee members leave the organization, new members must be appointed immediately
and briefed about their responsibilities.
4. Test Plan
• The final component of a disaster recovery plan is a test plan.
• The purpose of the test plan is to identify deficiencies in the emergency, backup, or recovery
plans or in the preparedness of an organization and its personnel for facing a disaster.
• Periodically, test plans must b e invoked. Unfortunately, top managers are unwilling to carry out
a test because daily operations are disrupted. They also fear a real disaster could arise as a result
of the test procedures.
• To facilitate testing, a phased approach can be adopted.
First, the disaster recovery plan can be tested by desk checking and inspection and
walkthroughs, much like the validation procedures adopted for programs.
Next, a disaster can be simulated at a convenient time. Anyone, who will be affected by the
test (e.g. personnel and customers) also might be given prior notice of the test so they are
prepared.
Finally, disasters could be simulated without warning at any time. These are the acid tests of
the organization’s ability to recover from a catastrophe.
4.2 Types of Back -ups
• When the back -ups are taken of the system and data together, they are called total system’s back -
up. Various types of back -ups are given as follows:
1. Full Backup –
A full backup captures all files on the disk or within the folder selected for backup. With a full
backup system, every backup generation contains every file in the backup set.
However, the amount of time and space such a backup takes prevents it from being a realistic
proposition for backing up a large amount of data.
2. Incremental Backup –
An incremental backup captures files that were created or changed since the last b ackup,
regardless of backup type.
This is the most economical method, as only the files that changed since the last backup are
backed up. This saves a lot of backup time and space.
Normally, incremental backup are very difficult to restore. One will have to start with
recovering the last full backup and then recovering from every incremental backup taken since
3. Differential Backup –
A differential backu p stores files that have changed since the last full backup. Therefore, if a
file is changed after the previous full backup, a differential backup takes less time to complete.
Comparing with full backup, differential backup is obviously faster and more ec onomical in
using the backup space, as only the files that have changed since the last full backup are saved.
Restoring from a differential backup is a two -step operation: Restoring from the last full
backup; and then restoring the appropriate differential backup.
The downside to using differential backup is that each differential backup probably includes
files that were already included in earlier differential backups.
4. Mirror back -up –
A mirror backup is identical to a full backup, with the exception th at the files are not
compressed in zip files and they cannot be protected with a password.
A mirror backup is most frequently used to create an exact copy of the backup data.
4.3 Alternate Processing Facility Arrangements
• Security administrators should consider the following backup options:
1. Cold site –
If an organisation can tolerate some downtime, cold -site backup might be appropriate.
A cold site has all the facilities needed to install a mainframe system -raised floors, air
conditioning, power, commu nication lines, and so on.
An organisation can establish its own cold -site facility or enter into an agreement with another
organisation to provide a cold -site facility.
2. Hot site –
If fast recovery is critical, an organisation might need hot site backup.
All hardware and operations facilities will be available at the hot site. In some cases, software,
data and supplies might also be stored there.
It is expensive to maintain and usually shared with other organisations that have hot -site
needs.
3. Warm site –
A warm site provides an intermediate level of backup.
It has all cold -site facilities in addition to hardware that might be difficult to obtain or install.
For example, a warm site might contain selected peripheral equipment plus a small mainframe
with sufficient power to handle critical applications in the short run.
4. Reciprocal agreement –
Two or more organisations might agree to provide backup facilities to each other in the event
of one suffering a disaster. This backup option is relatively cheap, b ut each participant must
maintain sufficient capacity to operate another’s critical system.
5. If a third -party site is to be used for backup and recovery purposes, security administrators must
ensure that a contract is written to cover issues such as
how soon the site will be made available subsequent to a disaster;
the number of organization that will be allowed to use the site concurrently in event of
disaster;
the priority to be given to concurrent users of the site in the event of a common disaster;
th e period during which the site can be used;
the conditions under which the site can be used;
the facilities and services the site provider agrees to make available; and
What controls will be in place and working at the off -site facility.
4.4 Disaster Recovery Procedural Plan
• The disaster recovery planning document may include the following areas:
The conditions for activating the plans.
Emergency procedures, which describe the actions to be taken following an incident which
jeopardizes business operations and/or human life.
Fallback procedures, which describe the actions to be taken to move essential business activities
to alternate temporary locations, to bring business process back into operation in required time -
scale.
Resumption procedures, which describe actions to be taken to return to normal operation.
A maintenance schedule, which specifies ‘how and when the plan will be tested’, and the process
for maintaining the plan.
Awareness and education activities, which are designed to create an understanding of the
business continuity, process and ensure that the business continues to be effective.
The responsibilities of individuals describing who is responsible for executing which component
of the plan. Alternatives should be nominated as required.
Contingency plan document distribution list.
Detailed description of the purpose and scope of the plan.
Contingency plan testing and recovery procedure.
List of vendors doing business with the organization, their contact numbers and address.
Checklist for inventory taking and updating the contingency plan on a regular basis.
List of phone numbers of employees in the event of an emergency.
Emergency phone list for fire, police, hardware, software, supplier, customer, backup location
etc .
Medical procedure to be followed in case of injury.
Back -up location contractual agreement, correspondences.
Insurance papers and claim forms.
Primary computer centre hardware, software, peripheral equipment and software configuration.
Location of data and progr am files, data dictionary, documentation manuals, source and object
codes and back -up media.
Alternate manual procedures to be followed such as preparation of invoices.
Names of employees trained for emergency situation, first aid and life saving techniques.
Details of airlines, hotels and transport arrangements.
4.5 Business Continuity Planning
• Business Continuity Planning (BCP) is the creation and validation of a practical logistical plan for
how an enterprise will recover and restore interrupted critical functions within a predetermined
time after a disaster or extended disruption. The logistical plan is called a business continuity plan.
• When a risk manifests itself through disruptive events, the business continuity plan is a guiding
document that allow s the management team to continue operations. It is a plan for running the
business under stressful and time compressed situations.
• Business continuity covers the following areas:
i). Business Resumption Planning:
This is the operation’s piece of business co ntinuity planning.
ii). Disaster Recovery Planning:
This is the technological aspect of business continuity planning, the advance planning and
preparation necessary to minimize losses and ensure continuity of critical business
functions of the organization in the event of disaster.
iii). Crisis Management:
This is the overall co -ordination of an organization’s response to a crisis in an effective
timely manner, with the goal of avoiding or minimizing damage to the organization’s
profitability, reputation or ability to operate.
• The business continuity life cycle is broken down into four broad and sequential sections:
Risk assessment,
Determination of recovery alternatives,
Recovery plan implementation, and
Recovery plan validation.
4.5.1 Objectives and Goals of Busine ss Continuity Planning
• The primary objective of a business continuity plan is to minimize loss by minimizing the cost
associated with disruption and enable an organization to survive a disaster and to reestablish
business operations.
• The key objectives of the contingency plan should be to:
Provide the safety and well- being of people on the premises at the time of disaster;
Continue critical business operations;
Minimize the duration of a serious disruption to operations and resources;
Minimize immediate damage and losses;
Establish management succession and emergency powers;
Facilitate effective co -ordination of recovery tasks;
Reduce the complexity of the recovery effort; and
Identify critical lines of business and supporting functions.
• The goals of the business continuity plan should be to:
Identify weaknesses and implement a disaster prevention program;
Minimize the duration of a serious disruption to business operations;
Facilitate effective co -ordination of recovery tasks; and
Reduce the complexity of the recovery effort.
4.6 Developing a Business Continuity Plan
• The methodology for developing a BCP can be sub -divided into eight different phases. The
methodology emphasizes on the following:
Providing management with a comprehensive understanding of the total efforts required to
develop and maintain an effective recovery plan;
Obtaining commitment from appropriate management to support and participate in the effort;
Defining recovery requirements from the perspective of business functions;
Documenting th e impact of an extended loss to operations and key business functions;
Focusing appropriately on disaster prevention & impact minimization as well as orderly recovery;
Selecting business continuity teams that ensure proper balance required for plan develop ment;
Developing a business continuity plan that is understandable, easy to use and maintain; and
Defining how business continuity considerations must be integrated into ongoing business
planning and system development processes in order that the plan remains viable over time.
• The eight phases are given as follows:
1) Pre- Planning Activities (Business Continuity Plan Initiation)
2) Vulnerability Assessment and General Definition of Requirements
3) Business Impact Analysis
4) Detailed Definition of Requirements
5) Plan Development
6) Testing Program
7) Maintenance Program
8) Initial Plan Testing and Plan Implementation
4.6.1 Each of these phases are described below :
Phase 1 – Pre -Planning Activities (Project Initiation):
• This Phase is used to obtain an understanding of the existing and projected computing environment
of the organization.
• This enables the project team to:
refine the scope of the project and the associated work program;
develop project schedules; and
Identify and address any issues that could have an impact on delivery and success of the project.
• During this phase, a Steering Committee should be established. The committee should have the
overall responsibility for providing direction and guidance to the Project Team. The Project Manager
should work with the Steering Committee in finalizing the detailed work plan .
• Two other key deliverables of this phase are:
The development of a policy to support the recovery programs; and
An awareness program to educate management and senior individuals who will be required to
participate in the project.
Phase 2 – Vulnerability Assessment and General Definition of Requirements:
• Security and controls within an organization are continuing concern. This phase addresses measures
to reduce the probability of occurrence.
• This phase will include the following key tasks:
A thorough Security Assessment of the computing and communications environment including
personnel practices; physical security; operating procedures; backup and contingency planning;
systems development and maintenance; database security; data and voice communications
security; systems and access control software security; insurance; security planning and
administration; application controls; and personal computers.
The Security Assessment will enable the project team to improve any existing emergency plans
and disaster prevention measures and to implement required emergency plans and disaster
prevention measures where none exist.
Present findings and recommendations resulting from the activities of the Security Assessmen t
to the Steering Committee so that corrective actions can be initiated in a timely manner.
Define the scope of the planning effort.
Analyze, recommend and purchase recovery planning and maintenance software required to
support the development of the plans and to maintain the plans current following
implementation.
Develop a Plan Framework.
Assemble Project Team and conduct awareness sessions.
Phase 3 – Business Impact Assessment (BIA):
• A Business Impact Assessment (BIA) of all business units that are part of the business environment
enables the project team to:
identify critical systems, processes and functions;
assess the economic impact of incidents and disasters that result in a denial of access to systems
services and other services and facilities; and
assess the “pain threshold,” that is, the length of time business units can survive without access
to systems, services and facilities.
• The BIA Report should be presented to the Steering Committee. This report identifies critical service
functions and the timeframes in which they must be recovered after interruption.
Phase 4 – Detailed Definition of Requirements:
• During this phase, a profile of recovery requirements is developed and used as a basis for analyzing
alternative recovery strategies. The profile is developed by identifying resources required to
support critical functions identified in Phase 3.
• This profile should include hardware, software, and documentation , outside support, facilities and
personnel for each business unit.
• Recovery Strategies will be based on short term, intermediate term and long term outages.
• Another key deliverable of this phase is the definition of the plan scope, objectives and
assumptions.
Phase 5 – Plan Development:
• During this phase, recovery plans components are defined and plans are documented.
• This phase also includes the implementation of changes to user procedures, upgrading of existing
data processing operating procedures required to support selected recovery strategies and
alternatives, vendor contract nego tiations and the definition of Recovery Teams, their roles and
responsibilities.
• Recovery standards are also be developed during this phase.
Phase 6 – Testing/Exercising Program:
• The plan Testing/Exercising Program is developed during this phase. Testing /exercising goals are
established and alternative testing strategies are evaluated.
• Testing strategies tailored to the environment should be selected and an on -going testing program
should be established.
Phase 7 – Maintenance Program:
• Maintenance of the plans is critical to the success of an actual recovery. The plans must reflect
changes to the environments that are supported by the plans.
• It is critical that existing change management processes are revised to take recovery plan
maintenance into accoun t. Many recovery software products take this requirement into account.
Phase 8 – Initial Plan Testing and Implementation:
• Once plans are developed, initial tests of the plans are conducted and any necessary modifications
to the plans are made based on an analysis of the test results.
• Specific activities of this phase include the following:
Defining the test purpose/approach;
Identifying test teams;
Structuring the test;
Conducting the test;
Analyzing test results; and
Modifying the plans as appropriate.
4.7 Components of BCM Process
Components of BCM Process are given as follows :
1) BCM – Process
• The management process enables the business continuity, capacity and capability to be
established and maintained.
2) BCM – Information Collection Process
• The activities of assessment process do the prioritization of an enterprise’s products and services
and the urgency of the activities that are required to deliver them.
3) BCM – Strategy Process
• Finalization of business continuity strategy requires assessment of a range of strategies. This
requires an appropriate response to be selected at an acceptable level and during and after a
disruption within an acceptable timeframe for each product or service, so that the enterprise
continues to provide those products and services.
4) BCM – Development and Implementation Process
• Development of a management framework and a structure of incident management, business
continuity and business recovery and restoration plans.
5) BCM – Testing and Maintenance Process
• BCM testing, maint enance and audit testify the enterprise BCM to prove the extent to which its
strategies and plans are complete, current , accurate and Identifies opportunities for
improvement.
6) BCM – Training Process
• Extensive training in BCM framework, incident management, business continuity , business
recovery and restoration plans enable it to become part of the enterprises core value and provide
confidence in all stakeholders in the ability of enterprise to cope with minimum disruptions and
loss of service.
4.8 Business Continuity Management – Process :
• A BCM process should be in place to address the policy and objectives as defined in the business
continuity policy. The BCM Processes are mapped as follows:
4.8.1 Organization Structure
• The organization should nominate a person or a team with appropriate seniority and authority to
be accountable for BCM policy implementation and maintenance.
• It should clearly define the persons responsible for business continuity within the enterprise and
responsibility.
4.8.2 Implementing Business Continuity in the Enterprise and Maintenance
• In establishing and implementing the BCM system in the organization, managers from each function
on site represent their areas of the operation. These people are also responsible for the on going
operation and maintenance of the system within their area of responsibility.
• Top management should appoint the Manager (BCM) , responsible for implementation of BCM
policy. The Resource Planning Manager is supported by the Shift Leaders and Team Captains from
each function. The program should be communicated to all stakeholders with appropriate training
& testing.
• In implementation, the major activities that should be carried out include:
Defining the scope & context;
Defining roles and responsibilities;
Engaging and involving all stakeholders;
Testing of program on regular basis;
Maintaining the currency & appropriateness of business continuity program;
Reviewing, reworking and updating the business continuity capability, risk assessments (RA) and
bus iness impact analysis (BIAs);
Managing costs and benefits associated; and
Convert policies and strategies into action.
4.8.3 BCM Documentation and Records
• All document that form the BCM are subject to the document control and record control processes.
• The following documents are classified as being part of the business continuity management system
The business continuity policy;
The business continuity management system;
The business impact analysis report;
The risk assessment report;
The aims and objectives of each function;
The activities undertaken by each function;
The business continuity strategies;
The overall and specific incident management plans;
The business continuity plans;
Change control, preventative action, corrective action, document and record control process ;
Local Authority Risk Register;
Exercise schedule and results;
Incident log; and
Training program.
• To provide evident of the effective operation of the BCM, records demonstrating the operation
should be retained for a minimum period of 1 year, in line with enterprise’s policy.
• The nature of the record means that the retention is a statutory, regulatory or customer
requirement, it will be retained for the amount of time dictated.
• This also includes general and detailed definiti on of requirements as described in developing a BCP.
4.9 BCM Information Collection Process
• The pre- planning phase of Developing the BCP also involves collection of information.
• In order to design an effective BCM, it is pertinent to understand the enterprise from all
perspectives of interdependencies of its activities, external enterprises and including:
enterprise’s objectives, stakeholder obligations, statutory duties and the environment in which
the enterprise operates;
activities, assets and resources, that support the delivery of these products and services;
impact and consequences over time of the failure of these activities, assets and resources; and
Perceived threats that could disrupt the enterprise’s key products and services and the critical
activities, assets and resources that support them.
• Two other key deliverables of that phase are:
− the development of a policy to support the recovery programs; and
− an awareness program to educate management and senior individuals who will be requir ed
to participate in the business continuity program.
4.9.1 Business Impact Analysis (BIA)
• Business Impact Analysis (BIA) is a means of systematically assessing the potential impacts resulting
from various events or incidents. The enterprise should have a documented approach to conduct
BIA.
• It enables the business continuity team
− to identify critical systems, processes and functions,
− assess the economic impact of incidents and disasters that result in a denial of access to the
system, services and facil ities, and
− assess the "pain threshold, "that is, the length of time business units can survive without access
to the system, services and facilities.
• The BIA Report should be presented to the Top Management .This report identifies critical service
functio ns and the time frame in which they must be recovered after interruption.
• For each activity supporting the delivery of key products and services within the scope of its BCM
program, the enterprise should:
assess the impacts that would occur if the activit y was disrupted over a period of time;
identify the maximum time period after the start of a disruption within which the activity needs
to be resumed;
Identify critical business processes;
assess the minimum level at which the activity needs to be performed on its resumption;
identify the length of time within which normal levels of operation need to be resumed; and
Identify any inter -dependent activities, assets, supporting infrastructure or resources that have
also to be maintained continuously or recovered over time.
4.9.2 Classification of Critical Activities
• BCP leader and BCP team leaders in consultation with respective function owner shall carry out
Business Impact Analysis for infrastructure and business transactions.
• BIA will result in categorization (like vital, desirable and essential) of infrastructure and business
function following by disaster scenarios (Catastrophic, major, minor trivial) for various disaster
causes (fire, flood, system failure etc.), which is given as follows:
1. Bus iness Categorization (Vital/essential/desirable):
The parameter considered in deciding whether a function/service is Vital/Essential/Desirable
are:
− Loss of revenue;
− Loss of reputation;
− Decrease in customer satisfaction; and
− Loss of productivity (man -hours ).
These parameters shall be graded in a three- point scale 1-3 where,
1 = Low (L)
2 = Medium (M)
3 = High (H)
2. Disaster Scenarios (Major/minor/trivial/catastrophic):
The scenario of disaster shall be decided with the matrix given below:
− The X -axis represents the Business impact of the infrastructure and business transaction as
desirable (value=1), essential (value=2) or vital (value=3).
− The Y -axis represents likelihood of occurrence of the disaster on a three point scale (1- 3).
3 (minor) 6(Major) 9(Catastrophic)
2(Trivial) 4(Major) 6(Major)
1(Trivial) 2(Trivial) 3(Minor)
Fig. Business Impact [Desirable (1), Essential (2), Vital (3)]
4.9.3 Risk Assessment
• The risk assessment is assessment of the disruption to critical activities, which are supported by
resources such as people, process, technology, information, infrastructure supplies & stakeholders.
• It is the decision of the enterprise to select a risk assessment approach, but it is important that it is
suitable and appropriate to address all of the enterprise’s requirements.
• Specific threats may be described as events or actions, which could, at some point, cause an impact
to the resources, e.g. threats such as fire, flood, power failure, staff loss, staff absenteeism,
computer viruses and hardware failure.
• The Security Assessment will enable the business continuity team to improve any existing
emergency plans and to implement required emergency plans where none exist.
• Vulnerabilities might occur as weaknesses within the resources and can, at some point be exploited
by the threats, e.g. single points of failure, inadequacies in fire protection, electrical resilience,
staffing levels, IT security and IT resilience.
• Impacts might result from the exploitation of vulnerabilities by threats. As a result of the BIA and
the risk assessment, the enterprise should identify measures that:
reduce the likelihood of a disruption;
shorten the period of disruption; and
limit the impact of a disruption on the enterprise’s key p roducts and services.
• These measures are known as loss mitigation and risk treatment.
4.10 BCM Strategy Process
• Much preparation is needed to implement the strategies for protecting critical functions and their
supporting resources.
• The enterprise develo ps and documents a series of plans, which enable them to effectively manage
an incident with impacts on the site operations and subsequently recover its critical activities and
their supporting resources.
• The enterprise may adopt any strategy but it should take into account the implementation of
appropriate measures to reduce the likelihood of incidents and reduce the potential impact of those
incidents and resilience and mitigation measures for both critical and non -critical activities.
4.11 BCM Developmen t and Implementation Process
• The enterprise should have an exclusive organization structure, Incident Management Team / Crisis
management team for an effective response and recovery from disruptions.
• In the event of any incident, there should be a structure to enable the enterprise to:
confirm Impact of incident (nature and extent),
control of the situation,
contain the incident,
communicate with stakeholders, and
Coordinate appropriate response.
4.11.1 The Incident Management Plan (IMP)
• To manage the initial phase of an incident, the crisis is handled by IMP. The IMP should have top
management support with appropriate budget for development, maintenance and training.
• They should be flexible, feasible and relevant; be easy to read and understand; and provide the
basis for managing all possible issues, including the stakeholder and external issues, facing the
enterprise during an incidents.
4.11.2 The Business Continuity Plan (BCP)
• To recover or maintain its activities in the event of a disruption to a normal business operation, the
BCP are invoked to support the critical activities required to deliver the enterprise’s objectives.
• The recovery strategies may be two -tiered:
Business : Logistics, accounting, human resources, etc.; and
Technical: Informa tion Technology (e.g. desktop, server, mainframe computers, data & voice
networks).
• Recovery standards are developed during this phase.
4.12 BCM Testing and Maintenance Process
Various aspects of BCM Testing and Maintenance Process are given as follows:
4.12.1 BCM Testing
• A BCP has to be tested periodically because there will undoubtedly be flaws in the plan and in its
implementation. A BCM testing should be consistent with the scope of the BCP(s), giving due regard
to any relevant legislation and regulat ion.
• The BCP testing program should include testing of the technical, logistical, administrative,
procedural and other operational systems, BCM arrangements and infrastructure and technology
and telecommunications recovery, including the availability and relocation of staff.
• The frequency of testing should depend upon both the enterprise’s needs, the environment in
which it operates, and stakeholder requirements.
• In addition, it might lead to the improvement of BCM capability by:
Practicing the enterprise’s ability to recover from an incident;
Verifying that the BCP incorporates all enterprise critical activities , their dependencies &
priorities;
Highlighting assumptions, which need to be questioned;
Instilling confidence amongst exercise participants;
Rai sing awareness of business continuity throughout the enterprise by publicizing the exercise;
Validating the effectiveness and timeliness of restoration of critical activities; and
Demonstrating competence of the primary response teams and their alternatives.
• In case of Development of BCP, the objectives of performing BCP tests are to ensure that:
The recovery procedures are complete and workable.
The competence of personnel in their performance of recovery procedures can be evaluated.
There sources such as business processes, systems, personnel, facilities and data are obtainable
and operational to perform recovery processes.
The manual recovery procedures and IT backup systems are current and can either be
operational or restored.
The success or failure of the business continuity training program is monitored.
• Implementation:
Once plans are developed, initial tests of the plans are conducted and any necessary
modifications to the plans are made based on an analysis of the test results.
Specific activities of this phase include the following:
− Defining the test purpose/approach;
− Identifying test teams;
− Structuring the test;
− Conducting the test;
− Analyzing test results; and
− Modifying the plans as appropriate.
4.12.2 BCM Maintenance
• The BCM maintenance process d emonstrate
− the documented evidence of the proactive management and governance of the enterprise’s
business continuity program;
− the key people who are to implement the BCM strategy and plans are trained and competent;
− the monitoring and control of the BCM risks faced by the enterprise; and
− the evidence that material changes to the enterprise’s structure, products and services,
activities, purpose, staff and objectives have been incorporated into the enterprise’s BCP and
IMP .
• The maintenance tasks undertaken in Development of BCP are to:
Determine the ownership and responsibility for maintaining the various BCP strategies within
the enterprise;
Identify the BCP maintenance triggers to ensure that any organizational, oper ational, and
structural changes are communicated to the personnel who are accountable for ensuring that
the plan remains up -to -date;
Determine the maintenance regime to ensure the plan remains up -to -date;
Determine the maintenance processes to update the p lan; and
Implement version control procedures to ensure that the plan is maintained up -to-date.
4.12.3 Reviewing BCM Arrangements
• An audit or self -assessment of the enterprise’s BCM program should verify that:
All key products and services and their suppor ting critical activities and resources have been
identified and included in the enterprise’s BCM strategy;
The enterprise’s BCM policy, strategies, framework and plans accurately reflect its priorities and
requirements;
The enterprise’s BCM maintenance and exercising programs have been effectively implemented;
The enterprise’ BCM competence and its BCM capability are effective and fit -for-purpose and
will permit management, command, control and coordination of an incident;
The enterprise’s BCM solutions are effective, up-to -date and fit -for-purpose, and appropriate to
the level of risk faced by the enterprise;
BCM strategies and plans incorporate improvements identified during incidents and exercises
and in the maintenance program;
The enterprise has an ongo ing program for BCM training and awareness;
BCM procedures have been effectively communicated to relevant staff, and that those staff
understand their roles and responsibilities; and
Change control processes are in place and operate effectively.
4.13 BCM T raining Process
• An enterprise with BCM uses training as a tool to initiate a culture of BCM in all stakeholders by:
Developing a BCM program more efficiently;
Providing confidence in its stakeholders in its ability to handle business disruptions;
Increasin g its resilience over time by ensuring BCM implications are considered in decisions at all
levels; and
Minimizing the likelihood and impact of disruptions
• Development of a BCM culture is supported by:
Leadership from senior personnel in the enterprise;
Ass ignment of responsibilities;
Awareness raising;
Skills training; and
Exercising plans.
4.13.1 Training, Awareness and Competency
• While developing the BCM, the competencies necessary for personnel assigned specific
management responsibilities within the system have been determined.
• These are consistent with the competencies required by the organization of the relevant role and
are given as follows:
Actively listens to others, their ideas, views and opinions;
Provides support in difficult or challenging circumstances;
Responds constructively to difficult circumstances;
Adapts leadership style appropriately to match the circumstances;
Promotes a positive culture of health, safety and the environment;
Recognizes and ack nowledges the contribution of colleagues;
Encourages the taking of calculated risks;
Encourages and actively responds to new ideas;
Consults and involves team members to resolve problems;
Demonstrates personal integrity; and
Challenges established ways of doing things to identify improvement opportunities.
4.14 Business Continuity Management (BCM)
• Business Continuity Management (BCM), has emerged a very effective management process to help
enterprises to manage the disruption of all kinds, providing countermeasures to safeguard from the
incident of disruption of all kinds.
• In order to ensure effective implementation of BCM, the enterprise should conduct regular internal
audits to conform to the compliance of Business Continuity Process. The findings of the internal
audit should be reported to top management for necessary corrective action and improvements.
• BCM is business -owned, business -driven process that establishes a fit -for-purpose strategic and
operational framework that:
Proactively improves a n enterprise’s resilience against the disruption of its ability to achieve its
key objectives;
Provides a rehearsed method of restoring an enterprise’s ability to supply its key products and
services to an agreed level within an agreed time after a disruption; and
Delivers a proven capability to manage a business disruption and protect the enterprise’s
reputation and brand.
4.14.1 Key Terms related to Business Continuity Management (BCM)
• Business Contingency:
A business contingency is an event with the potential to disrupt computer operations, thereby
disrupting critical mission and business functions.
Such an event could be a power outage, hardware failure, fire, or storm. If the event is very
destructive, it is often called a disaster.
• BCP Process:
BCP is a process designed to reduce the risk to an enterprise from an unexpected disruption of
its critical funct ions and assure continuity of minimum level of services n ecessary for critical
operation .
The purpose is to ensure continuity of business and not necessarily the continuity of all systems.
The Plan provides guidelines for ensuring that needed personnel and resources are available for
both disaster preparation and incident response so as to ensure that the proper procedures will
be carried ou t to ensure the timely restoration of services.
• Business Continuity Planning (BCP) :
It refers to the ability of enterprises to recover from a disaster and continue operations with least
impact.
It is imperative that every enterprise whether profit -oriented or service- oriented has a business
continuity plan as relevant to the activities of the enterprise.
4.15 BCP Manual
• A BCP manual is a documented description of actions to be taken, resources to be used and
procedures to be followed before, during and after an event that severely disrupts all or part of
business operation.
• The BCP Manual is expected to specify the responsibilities of the BCM team, whose mission is to
establish appropriate BCP procedures to ensure the continuity of enterprise's critical business
function .
• Successful organizations have a comprehensive BCP Manual, which ensures process readiness, data
and system availability to ensure business continuity.
• The BCP is expected to provide:
Reasonable assurance to senior management of enterprise about the capability of the enterprise
to recover from any unexpected incident or disaster affecting business operations and continue
to provide services with minimal impact.
Anticipate various types of incident or disaster scenarios and out line the action plan for
recovering from the incident or disaster with minimum impact.
4.17 Advantage of Business Continuity
• The advantages of BCM are as follows :
The enterprise is able to proactively assess the threat scenario and potential risks;
The ent erprise has planned response to disruptions which can contain the damage and minimize
the impact on the enterprise; and
The enterprise is able to demonstrate a response through a process of regular testing and
trainings.
4.18 BCM Policy
• The BCM policy defines the processes of setting up activities for establishing a business continuity
capability and the ongoing management and maintenance of the business continuity capability.
• The main objective of BCP is to minimize/eliminate the loss t o enterprise’s business in terms of
revenue loss, loss of reputation, loss of productivity and customer satisfaction.
• BCM policy document is a high level document,
− which shall be the guide to make a systematic approach for disaster recovery,
− to bring about awareness among the persons in scope about the business continuity aspects and
− its importance and to test and review the business continuity planning for the enterprise in
scope.
• While developing the BCM policy, the enterprise should consider defining the scope, BCM
principles, guidelines and minimum standards for the enterprise.
• The objective of this policy is to provide a structure through which:
Critical services and activities undertaken by the enterprise operation for the customer will be
identified.
Plans will be developed to ensure continuity of key service delivery following a business
disruption, which may arise from the loss of facilities, personnel, IT and/or communication or
failure within the supply and support chains.
Invocation of in cident management and business continuity plans can be managed.
Incident Management Plans & Business Continuity Plans are subject to ongoing testing, revision
and updation as required.
Planning and management responsibility are assigned to a member of the relevant senior
management team.