The business continuity management program (BCM) covers the prevention, response and organization of actions required after an event which could significantly disrupt business operations. This ongoing program is more than an IT recovery plan. Here are the steps and components of a BCM, their relationships and the winning conditions necessary to implement such a program within a company.
- Governance and start-up
- Risk analysis
- Business Impact Analysis (BIA)
- Business continuity strategies
- Business continuity plan development
- Tests and exercises
- Maintenance
The first step, governance and start-up, consists of setting the agenda by defining the scope and project management structure, as well as roles and responsibilities. It also includes the definition of a continuity management policy as well as resource allocation.
The next two steps consist of defining functional needs by conducting a risk analysis and a Business Impact Analysis (BIA). Risk analysis entails collecting data on existing threats and verifying whether the controls in place are properly designed and applied. This information can be gathered using questionnaires, interviews, workshops, etc. Next come data analysis and analysis validation, then a report will be prepared and presented to management for approval and agreement to proceed further.
The actions involved in the business impact analysis (BIA) stage are similar to those of risk analysis. However, data is collected on the impacts of an interruption of business activities. It also aims to gather data on the relationships and interdependencies with other business processes. Then, the minimum assets and resources required to perform the activity, as well as the maximum tolerable data loss (RPO, “Recovery Point Objective”), are identified. Data analysis consists of collecting and correcting information, and of determining the time required for recovery (RTO, “Recovery Time Objective”) in order to then categorize activities. After the analysis has been validated, a BIA report is produced and presented to management for approval.
The next step consists of defining the business continuity strategies which are based on risk analysis and business impact analysis results. First, prevention and mitigation measures are implemented to minimize the likelihood of an adverse event arising or reduce its severity. They cover the various aspects of IT, business and office premises. Then, the recovery strategies aim to identify and assess needs (personnel, equipment and supplies, adequate sites, etc.) as well as actions enabling the restoration of a minimal level of service. For example, the use of alternative sites (“hot site”, “warm site”, “cold site”) or mobile units, the transfer of activities or resources to a subsidiary, the degradation of services, etc. may all be considered in order to meet the required recovery time. Finally, the strategy for staff shortages targets specific cases (e.g. pandemic) in order to obtain the skilled personnel required in a timely manner (recalling former employees, telecommuting, remote access, etc.).
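The two preceding paragraphs describe how BIA data (RTO and RPO per activity) drives the categorization of activities and the choice of a recovery strategy. The following Python example, added here and not part of the original article or of Terranova's material, shows that matching as a small program: the tier thresholds, the recovery times and data lag assumed for hot, warm and cold sites, and the sample activities are all constructed for illustration, and a real program takes them from its own policy and BIA results.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Activity:
    """One business activity as captured in the BIA (sample values are constructed)."""
    name: str
    rto_hours: float  # Recovery Time Objective: longest tolerable outage
    rpo_hours: float  # Recovery Point Objective: longest tolerable data loss

# Assumed tier thresholds on RTO; a real program sets these in its continuity policy.
TIERS = (
    ("critical", 8),
    ("essential", 72),
    ("deferrable", float("inf")),
)

@dataclass(frozen=True)
class Strategy:
    """An assumed recovery option: time needed to restore service and
    worst-case age of the data it restores."""
    name: str
    recovery_hours: float
    data_lag_hours: float
    relative_cost: int  # 1 = cheapest; used only to pick the least costly fit

# Assumed characteristics of the alternative sites named in the article.
STRATEGIES = (
    Strategy("cold site", recovery_hours=72, data_lag_hours=24, relative_cost=1),
    Strategy("warm site", recovery_hours=24, data_lag_hours=12, relative_cost=2),
    Strategy("hot site", recovery_hours=2, data_lag_hours=0.25, relative_cost=3),
)

def categorize(activity: Activity) -> str:
    """Return the tier whose RTO ceiling the activity falls under."""
    for tier, max_rto in TIERS:
        if activity.rto_hours <= max_rto:
            return tier
    raise ValueError("unreachable: the last tier is unbounded")

def select_strategy(activity: Activity) -> Optional[Strategy]:
    """Return the cheapest strategy that meets both RTO and RPO, or None
    when no option does (a gap the strategy step must resolve)."""
    fits = [
        s for s in STRATEGIES
        if s.recovery_hours <= activity.rto_hours
        and s.data_lag_hours <= activity.rpo_hours
    ]
    return min(fits, key=lambda s: s.relative_cost) if fits else None

def bia_report(activities: List[Activity]) -> List[Tuple[str, str, str]]:
    """Rows of (activity, tier, chosen strategy or gap), most urgent first."""
    rows = []
    for a in sorted(activities, key=lambda a: a.rto_hours):
        chosen = select_strategy(a)
        rows.append((a.name, categorize(a),
                     chosen.name if chosen else "GAP: no option meets RTO/RPO"))
    return rows

# Constructed sample BIA results.
SAMPLE = [
    Activity("payments", rto_hours=4, rpo_hours=1),
    Activity("payroll", rto_hours=48, rpo_hours=12),
    Activity("records archive", rto_hours=240, rpo_hours=24),
    Activity("trading desk", rto_hours=1, rpo_hours=0),
]

if __name__ == "__main__":
    for name, tier, strategy in bia_report(SAMPLE):
        print(f"{name:16} {tier:11} {strategy}")
```

The report deliberately surfaces a gap row rather than silently assigning the fastest option: an activity whose RTO or RPO no planned option can meet is exactly the case management must decide on (accept the risk, fund a better option, or revise the objective) before the continuity plans are written.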
The development and implementation of a business continuity plan includes a set of plans aiming to respond to major events and to restore minimal service, based on the results of the business continuity strategy step. These plans include the emergency measures and damage assessment plan, crisis management plan, crisis communication plan, preparation and response in case of staff shortage plan, functional continuity plans (for each department concerned), as well as the IT recovery plan.
The tests and exercises step consists of validating the functionality and efficacy of the various plans mentioned above. There are five types of exercises, from simple to complex: a review, a paper-and-pencil exercise, a specialized exercise, a simulation by function and an integrated simulation. At least one test per year should be performed, and all types of tests should be spread out over a 3 to 5 year period. Each test includes three phases: preparation, implementation and evaluation or assessment.
Finally, the maintenance step ensures that the business continuity management program remains functional and up to date with organizational, technological, personnel and other changes, while still meeting the defined needs. Maintenance also ensures that test or audit results are taken into account. The impacts of these changes are analyzed, adjustments are made to the plans, and the changes are communicated to the persons concerned.
In order to complete the continuity management program, it is important to pursue continuous awareness with staff and managers throughout each of the steps, to have qualified resources in this area (internal or external) and to obtain management’s support. This support should manifest itself through the adoption of a continuity management policy, validation of results and an agreement to carry out the steps by granting the budgetary and human resources necessary for the implementation, monitoring and development of this program. In order to achieve an adequate level of program maturity, organizations must develop a continuity management culture.
Business continuity awareness and training is an important element in the continuity management program. To this end, Terranova provides information security awareness as well as business continuity awareness services.
By Patrick Paradis, Information security advisor