Maintenance of a business continuity management system: a managerial approach

Published: Friday, 21 October 2016 10:38

When a business continuity management system (BCMS) has been established and implemented, a serious managerial challenge arises: the BCMS has to be maintained and put into a continuous improvement process. In this article, Alberto Alexander, Ph.D, MBCI, looks at the activities that need to be performed to maintain and improve a BCMS.

Introduction

Any organization that establishes and implements a BCMS needs to follow the BCMS processes and deliverables, which are depicted in figure one. The BCMS processes, also known as the BCMS process life cycle model (Alexander, 2009), consist of six phases.

Figure one: BCMS process and deliverables

The stages of the BCMS process life cycle model are the following:

Stage one: business impact analysis
The business impact analysis (BIA), which is conducted during the first stage, analyzes the financial and operational impact of disruptive events on the business areas and processes of an organization. The financial impact refers to monetary losses such as lost sales, lost funding, and contractual penalties. Operational impact represents non-monetary losses related to business operations, and can include loss of competitive edge, damage to investor confidence, poor customer service, low staff morale, and damage to business reputation.

The BIA identifies the following information:

The findings of the BIA enable an organization to determine the extent of the overall effort needed to recover from potential business disruption, thereby paving the way for developing the business continuity strategy and business continuity procedures.

The most important deliverables of the BIA are:

Stage two: risk assessment
The risk assessment, which is composed of risk analysis and risk evaluation, is performed on the critical processes identified during the BIA stage. Risk analysis helps calculate the risk (impact x probability of threat occurrence). The risk evaluation is made to determine the significance of the risk. The main deliverable of this stage is the identification of threat scenarios.

Stage three: business continuity strategy development
Business continuity strategy development “assesses the requirements and identifies the options for recovery of critical processes and resources in the event they are disrupted by a disaster,” (Alexander, 2016). The main purpose of this stage is to develop a business continuity strategy that satisfies the business recovery requirements identified in the BIA stage.

Stage four: operations resumption planning
An operations resumption plan “contains predetermined recovery procedures and guidelines which organizations can follow during a crisis situation to minimize impact to business,” (Alexander, 2016). The predetermined procedures and guidelines prevent organizations from having to make critical on-the-spot decisions in the middle of a crisis.

Stage five: business continuity exercising and testing
“The only way a company can assure that its BCMS arrangements are validated is through exercises. The main purpose of the exercising stage in the BCMS is to ‘validate the business continuity strategy, activities, assumptions regarding times (MTPD, RTO), procedures and work instructions specified in the business continuity plan,’” (Alexander, 2016).

Gaps and weaknesses within the plan are identified at this stage. The idea is very simple: it is highly desirable to find the gaps and shortcomings during an exercise rather than to discover them during a real crisis situation. BCMS arrangements have to be practiced and, as a consequence, will be reviewed and kept up to date. A company that does not have records to show that its BCMS arrangements have been tested and are ready to be implemented cannot assure it has a reliable BCMS.

Stage six: business continuity plan maintenance
This stage maintains the business continuity plan in a constant ready-state. The maintenance process of a BCMS is constant and dynamic. A BCMS that is not constantly tested and updated will be of little help if a disruptive incident hits the organization. Changes have to be monitored; impacts, risk and continuity strategies need to be reevaluated; the operations resumption plan needs to be updated; and exercises and testing need to be evaluated.

The business continuity plan maintenance process

Once the business continuity arrangements have been tested, the role of the maintenance stage becomes critical. Frequent internal and external changes are common occurrences for business. Most of these changes can potentially invalidate the business continuity plan unless it is continually adjusted and modified to reflect these changes.

The main objective of this stage is to ensure that the BCMS always remains current, complete, accurate and in a ready-state for execution.

To achieve its objective, the maintenance stage employs the processes presented in figure two.

Figure two: business continuity plan maintenance processes

The maintenance processes are:

Business continuity plan change management

Without a business continuity plan change management process, business continuity plan maintenance becomes very difficult. A change management process addresses two of the most challenging aspects of plan maintenance: monitoring changes in the organization and its external environment; and controlling changes or revisions to the plan. Figure three shows the main steps of the business continuity change management process.

Figure three: business continuity plan change management process

Changes in the organization and the external environment are monitored in step one (figure three), and changes identified as having a potential impact on the BCMS are reviewed in step two to determine if those changes actually affect the business continuity arrangements. In step two, business continuity plan change requests are issued for changes that affect the plan. Step three processes the change requests and updates the plan with necessary changes and revisions.

Business continuity plan change management process step one: monitor changes
Step one of the plan's change management process represents the task of constantly monitoring changes in the organization to identify potential impacts on the plan. As presented in figure four, changes to the organization can occur at multiple levels in the main categories of process, people and resources.

Any changes in processes, people and resources can potentially require changes to certain parts of the plan. For instance, a process-related change can affect recovery priorities; a people-related change can affect business continuity teams or notification procedures; and a resource-related change can affect recovery requirements for IT systems.

Figure four: changes affecting business continuity arrangements

A business continuity plan is sensitive to changes that occur not only internally within the organization but also externally, in business partners, vendors, alternate recovery facilities, and off-site storage facilities. The examples below demonstrate possible internal and external changes related to processes, people and resources that may impact the plan.

Process related impacts

People related impacts

Resource related impacts

The output of this step consists of a compilation of monitored changes that can potentially impact the business continuity arrangements.

Business continuity plan change management process step two: review compiled changes, test results and audit results
The main purpose of this step is to review information that can potentially affect the business continuity arrangements’ accuracy and validity, and cause the organization to issue BCMS change requests. There are three main sources of input to this step. The first source of input is the compiled changes from step one; the second source is the result of business continuity arrangements exercises or testing; and the third source is the results of any business continuity plan audits. A change manager, responsible for coordinating the processing of change requests with business continuity teams, reviews the information from these three sources in order to determine if it affects the plan. After this review, one or more change requests are issued corresponding to the information affecting the plan.

Business continuity plan change management process step three: process business continuity change requests
This step ensures that updates or revisions to the business continuity plan take place according to the change control procedures specified in the plan. The change requests resulting from the preceding step are processed in this step.

Business continuity plan testing

As presented in figure two, above, business continuity plan testing is the second process used to maintain the business continuity plan. Periodic tests are an excellent opportunity for improving the effectiveness and accuracy of the business continuity arrangements. Test results can reveal the strengths, weaknesses, and gaps of various parts of the plan. The test results also provide an opportunity to determine how well the plan's change management process is implemented.

The following list characterizes the relative complexity of the testing methods:

Business continuity test schedule
Establishing a test schedule is an important element of maintaining a business continuity arrangement. “There are two main activities defining a test schedule. The first is to select appropriate test intervals: monthly, quarterly, semiannually, or annually. The second is assign a test method to each test interval. The assignment of a test method to a test interval should consider the test method's complexity (testing scope, effort, resources, costs).” (Alexander, 2016). Using a test schedule, therefore, gradually trains the teams to conduct more complex tests and allows the business continuity plan(s) to be completely evaluated. The results and experience from simpler tests are used to improve the business continuity arrangements, and prepare the teams for subsequent more complex tests.

Testing intervals
Tests can be conducted at different intervals such as monthly, quarterly, semiannually, or annually. Monthly tests use a checklist for the walkthrough method to verify currency and accuracy.

Business continuity training

Valid and up-to-date business continuity arrangements are of little value if the employees responsible for their improvement and execution do not have adequate training and awareness. The business continuity plan maintenance stage implements an enterprise-wide continuous awareness and training program. Management commitment is critical to the success of such a program. Management needs to ensure that the yearly business continuity planning budget includes sufficient funding for training and that the employees participate in training.

Development of a business continuity awareness and training program is a four-step process:

Periodic audits and frequent reviews of the organization's awareness and training program are highly recommended to improve and maintain its quality. To assist with any audits, the progress of the organization's awareness and training program should be tracked and documented.

Business continuity plan audits

Periodic business continuity audits are the fourth important activity of business continuity plan maintenance. A business continuity audit involves an impartial review of the organization’s business continuity plan(s) and program to determine its compliance with the organization’s internal guidelines, and external regulations and standards. The scope of the audit needs to include all of the stages of the BCMS processes, presented in figure one, above. From a plan maintenance perspective, gaps and weaknesses in any of these stages identified in an audit report will result in some of the following activities:

Summary

Maintaining business continuity arrangements in a constant ready-state is a complex and challenging task. The preceding sections of this article suggested the use of four different processes to help maintain the BCMS:

  1. Business continuity plan change management.
  2. Business continuity testing.
  3. Business continuity plan training.
  4. Business continuity plan audits.

The following guidelines should be considered to maintain the BCMS in a constant ready-state:

The author

Alberto G. Alexander holds a Ph.D from The University of Kansas and an M.A. from Northern Michigan University. He is a member of the Business Continuity Institute and is managing director and international consultant with Eficiencia Gerencial y Productividad SAC. Contact him at: alexander@eficienciagerencial.com. He is a professor at The Graduate Business School of ESAN.

Bibliographical references