Introduction
BCM is concerned with considering what to do when it all goes wrong, and making sure that people and clients are not inconvenienced or put at risk when something does go wrong. It should be undertaken by an organisation to manage its business and service continuity risks and to respond to community emergencies. It should be based on a whole-of-organisation approach, whereby all parts of the organisation must be involved in BCM.
The primary objective of BCM controls, strategies and plans is to ensure the uninterrupted availability and resilience of key or time-sensitive resources, so that they support the organisation's critical business processes, operations and services. In essence, BCM is a holistic but integrated management process that provides a robust framework for building resilience with the capability for effective responses to potential events, regardless of cause, which affect the organisation. BCM also seeks to protect the interests of key stakeholders, organisational reputation, brand and value-creating activities.
The case for implementing strategies to manage BCM is compelling. Risk management is concerned with putting in place controls and treatments that seek to prevent or mitigate continuity risk, encompassing the establishment of appropriate strategies and plans. For the last two years, VMIA's Risk Framework Quality Review (RFQR) results have shown that BCM is an issue for a large number of our clients, particularly in relation to their dependence on IT systems and lack of contingency planning.
The following documents may provide further guidance on BCM:
- AS/NZS 5050 Australian and New Zealand Standards for Business Continuity Management, Standards Australia (Draft).
- HB 221:2004 Business Continuity Management, Standards Australia.
- HB 292:2006 A Practitioners Guide to Business Continuity Management, Standards Australia.
- ISO/PAS 22399:2007 Societal security: Guidelines for incident preparedness and operational continuity management.
- Emergency Management Manual Victoria (February 2005).
1 Marsh, Business Continuity Management: Keeping your business in business, Phil Hobson, September 2006.
To be effective, we need to pay attention to the following principles²:
- BCM is part of the organisation's risk management that considers a wide range of strategic and operational risks that have the potential to disrupt the achievement of organisational objectives.
- BCM is an important contributor to the overall organisational resilience.
- BCM assists organisations to continue achieving their objectives.
- BCM drives organisational preparedness for managing disruptive events, proactively treating risk and establishing capability to manage potential impacts.
- BCM builds organisational capability to mitigate the likelihood of events occurring, and to respond to, manage and recover from these events.
- BCM seeks to understand organisational requirements for people, processes, information, assets and technology that will contribute to the achievement of its objectives through the conduct of BCM.
- BCM is an iterative process that is continually monitoring and reviewing external and internal contexts for change and responding to that change.
- BCM's iterative process drives continual improvement so that it contributes to organisational preparedness and resilience.
- BCM is focused on the understanding of uncertainty and how organisations could respond to and manage that uncertainty.
- BCM provides an analytical framework which assists decision makers in making informed choices on the management of continuity risk and events.
Due to inter-dependencies with other government agencies, an integrated, multi-agency organisational response at local, regional and national level may also be required if a community emergency does occur.
Criticalities
A committed Board or delegated management should be satisfied that sufficient infrastructure, budgetary and other resources are allocated and maintained in order for your organisation to be able to fulfil the objectives of a BCM program, and to continuously develop, maintain and implement relevant continuity plans throughout the life of your organisation. The BCM program is a continuous journey, rather than an end in itself. For BCM to be successful, it is necessary to focus on the following performance drivers:
- structured co-ordination - highly structured co-ordination arrangements ensure that all planning and systems, from the first response to recovery (restoration and resumption), are aligned and well understood and communicated, with roles and responsibilities clearly defined and documented
- workforce capability - develop workforce capability and competencies through plans, skills training and adequate provision of technical equipment and committed resources
- capacity building - build capacity planning dimensions into services and operations, including escalation processes and systems to manage possible surges in demand for services
There are overlapping, non-linear clusters of activities that organisations have to consider doing before, during and after a disruption or an emergency. They overlap because one or more activities can be activated concurrently and/or sequentially.
- Always put the health, security and safety of all people first.
- Always seek to provide factual, rapid and transparent communications.
BCM strategic options include, but are not limited to:
- process transfer or relocation - involves transfer of critical and/or time-sensitive activities either internally (e.g. to another part or location of the organisation) or externally (e.g. to a third party location), independently or through a reciprocal/mutual-aid agreement
- agreement to share resources through mutual aid arrangements (e.g. shared data centre)
- temporary/manual workarounds - as an alternative to transferring or relocating a process, it might be feasible to adopt a different way of working that provides an acceptable result in the short to medium term (e.g. using the stairs rather than lifts)
- change, suspend or terminate services, functions or processes that conflict with the organisation's key objectives, statutory compliance or stakeholder expectation
- insurance for financial compensation for losses, used in combination with other strategies.
The exercising of continuity plans is essential. It ensures that disconnections, omissions and dependencies within plans are fixed before they are used in reality. As such, it is important to:
- test the system
- exercise strategies and plans
- ensure people are rehearsed in how to respond.
BCM Strategies
A critical concept in BCM is the recovery time objective (RTO). This is an agreed time between the point of a service disruption (occurrence of the event) and the point at which time-critical organisational processes, systems and infrastructure should be operational and updated to normal status. The applicable BCM strategy needs to have acceptable recovery time objectives that are aligned with the organisation's objectives, risk management framework and risk appetite, and in compliance with applicable regulatory and contractual service obligations.
Inter-operability of plans - ensure inter-operability of both planning and operational activities, with diverse arrangements and inter-connectedness with other component parts of the system.
All decisions on how organisations respond to incidents, regardless of cause, should be driven by the following basic principles:
BCM Plans
Continuity plans, as represented in Figure 3, collectively bring together the following topics and planning into either one single document (for smaller organisations) or several documents (for larger organisations):
- risk management planning - overarching steps to establish the context, identify, analyse, evaluate, treat, monitor, and review risk, and communicate and consult
- crisis management planning - steps taken to maintain reputation and to execute the relevant communication strategy or protocols
- response planning - steps taken to immediately respond to disruption or community emergency, ensuring human safety and security
- contingency planning - steps taken to activate or restore alternate processes, systems and physical locations, where appropriate and necessary
- recovery planning - steps taken to restore specified critical or key infrastructure requirements such as utilities, communications and technology
- restoration planning - steps to provide limited to normal business services and operations
- resumption planning - steps to bring service levels, operations and/or facilities back to business as usual, or providing back-to-normal services to clients from minimum service levels.
The continuous commitment of the Board and senior management is vital to ensure that the organisation can recover from an incident with up-to-date business continuity strategies and plans.