
Business Continuity Management

Introduction
• Business interruptions do happen, on account of crises and disasters (both natural and man-made).
• What is significant is how much of the consequences of such interruptions the business can
afford.
• Business Continuity Management is the act of proactively working out a way to prevent a crisis
where possible, and to manage its consequences, limiting them to the extent that the business
can afford.
• Business Continuity is about identifying those parts of your business that you can’t afford to
lose – such as information, stock, premises, staff – and planning how to maintain these if
an incident occurs.
• Any incident, large or small, whether natural, accidental or deliberate, can cause major
disruption to an organization. But if the organization plans in advance, rather than waiting for
it to happen, it will be able to get back to business in the quickest possible time. Delays could
mean loss of valuable business to competitors, or in the worst case the business is no longer able
to continue.
Introduction (continued)
• Business continuity management (BCM) provides organizations with the
effective methods needed to protect them from the impacts and consequences of
major incidents or disasters through structured and controlled programs.
• Proper and effective BCM programs can put the organizations in the driving seat and let
them control courses of action by proactively detecting and managing the risks
and threats that can lead to disasters. Equally, they keep the organization in a
ready state to react to disasters and mitigate their impacts and losses. 
• BCM is not rocket science. It’s a scientific, logical, and practical methodology that can
be customized and enhanced. Now, with the existence of globally accepted standards,
BCM programs enjoy common sets of specifications that can be translated into practical
implementations and tangible results.
• Adopting BCM is not an option; it’s a survival decision and is the right step towards
protecting an organization.
Need for Business Continuity Management (BCM)
• There are various threats and vulnerabilities to which business today is exposed. They could
be:
– catastrophic events such as floods, earthquakes, or acts of terrorism
– accidents or sabotage
– outages due to an application error, hardware or network failures
– pandemic outbreaks such as COVID-19, H1N1, SARS
• Some of them come without warning. The key is to be prepared and be able to respond to the crisis
when it does happen, so that the organization survives; its losses are minimized; it remains
viable and it can be “business as usual”, even before the customers feel the effects of the
downtime. An effective Business Continuity Plan serves to secure businesses against financial
disasters.
• The bonus: customer satisfaction, enhanced corporate image and no dip in the market
share.
Main features of BCM

• A BCM program combines four features: a maintained readiness state, proactive risk and
threat management, and agility and maturity, all centred on business continuity management.
• There will be specific focus on three major elements of a BCM program:
1. Technology,
2. Premises, and
3. People.
These elements represent the critical aspects of any organization and they are the areas
where disasters hit organizations hard.
BCM & Standards
• One of the main features of modern BCM programs is standardization.
• There are several published standards that are recognized in the BCM field:
– ISO 22301: societal security – business continuity management systems – requirements.
– ANSI/ASIS SPC.1-2009: organizational resilience.
– ISO/IEC 27031: information technology – security techniques – guidelines for information
and communication technology readiness for business continuity.
– ISO/IEC 24762: information technology – security techniques – guidelines for information
and communication technology disaster recovery services.
Benefits of effective BCM programs
• Mitigating disasters and failures
• Protection of stakeholders’ interests
• Enhancing the organization’s operational performance
• Enhancing public image and perception
BCM - Relation with Risk Management & Insurance

BCM & Risk Management
• BCM and risk management are related disciplines and do, from certain angles, look like they
are doing the same job.
• The fact that BCM and risk management are related leads to thoughts of the nature and future
of this relationship.
• BCM forms part of the overall risk management framework, focusing on the risks related to an
organization’s operations and assets.
• Through the various activities of the BCM life cycle, an organization can understand its core
activities and focus its resources towards managing their risks.
• This makes the process of risk management more efficient and relevant.
• BCM also enhances an organization’s capability to take “higher” risks as it allows the
organization to manage expected failures or incidents effectively and as required.

BCM & Insurance
• With the increasing adoption of BCM disciplines across the world, insurance companies have
started looking into an organization’s BCM program and capabilities as an important factor
when providing their services.
• Logically, the more effective an organization’s BCM program is, the less likely it is that major
incidents will impact the organization and, consequently, the less would be the amount that
insurance companies would have to pay to the organization. This also leads to smaller premiums
being paid to the insurance companies.
• The relationship is not unidirectional. Insurance coverage is a widely used risk mitigation
option that is usually used for low-probability, high-impact risks.
• Organizations can seek the help of insurance companies in designing the appropriate insurance
coverage based on the results of the BCM life cycle and an understanding of the organization’s
critical operations and assets.
• In the end, the interests of the insurance companies and the organization are the same.
Organizations want larger coverage and smaller premiums while insurance companies want fewer
incidents and compensation claims. Both interests are achievable through effective BCM
programs.
SETTING UP THE BCM PROGRAM 
• BCM is an important feature of successful organizations, where it is recognized as a program that is
ongoing, maintained, and progressively enhanced.
• BCM needs careful setup and solid foundations in order to succeed and deliver its goals and
objectives.
• Gathering key success factors: The setup of the BCM program should be carefully thought out and
implemented. History and the results from various implementations suggest several key
success factors that can help the program succeed and sustain success. Some of the key success
factors are:
– Effective top-management involvement, commitment, and support
– Relevance to the organization
– Meeting regulatory requirements and audit guidelines
– Sufficient resources
– Effective communication
– Satisfactory coverage of the organization’s key products and services
Establishing the BCM governance model
• The BCM program should be established on a clear and effective governance model in order to facilitate its
implementation and success.
• The model should have the various policies, roles, responsibilities, and accountabilities assigned
to relevant stakeholders.
• The fact that BCM programs are organization-wide dictates that the associated governance model should
be effective, adaptive, and enforced across the organization.  
• Typical BCM governance models should have the following features:
– Involve the top management and display its commitment.
– Include all BCM-relevant programs and practices like IT disaster recovery and physical security.
– Have clear and documented roles and responsibilities.
– Facilitate decision making, issue and conflict escalation and resolution, and policy enforcement.
– Have effective representation from key areas across the organization.
– Be subject to continuous audit and review.
– Have open and effective communication channels.
• The BCM governance model has three main components:
– BCM policy
– BCM reporting and management structure
– BCM roles and responsibilities.
RUNNING THE BCM LIFE CYCLE
• BCM implementations follow a logical sequence of activities by which information flow and
analysis are conducted. These activities and implementations are grouped in phases or stages,
where each phase or stage makes use of the others. The progressive, continuous sequence of
these phases or stages is called the BCM life cycle.
• The term “life cycle” is very descriptive and fit for the overall BCM purpose and concept. The
first word “life” indicates progression, development, growth, and maturity. The second word
“cycle” indicates continuity, iteration, and persistence. Both provide strong indicators to many
of the features that successful BCM programs should possess.
• The stages of the cycle, each feeding the next and the last feeding back into the first:
1. Business Impact Analysis
2. Risk Assessment
3. BCM Strategy
4. BCM Planning & Implementation
5. Training & Awareness
6. Testing
1. Business Impact Analysis
• Business impact analysis is the most important phase within the BCM life cycle.
It constitutes the foundation or basis upon which all later stages and phases depend. 
• The objectives of BIA are to identify:
– the environment in which the organization exists;
– what the stakeholders’ requirements are;
– what the regulatory or statutory/legal requirements are;
– what the key, or core, activities within the organization are;
– what assets or resources, internal and external, support key activities;
– what impacts there would be on the organization in the case of a failure of key, or core, activities
over time;
– the interdependencies between internal and external resources and assets;
– the organization’s obligations towards external entities.
• Identifying the above would allow the BCM program to be built to “serve and protect” the
most critical aspects of the organization, thus ensuring the survival of the organization
should disasters and crises occur.
1. Business Impact Analysis
• The BIA process needs careful planning, follow-up, and coordination to succeed.
• It also requires relatively extensive resources to complete it.
• The BIA process would follow the logical sequence of:
1. Gathering data and requirements;
2. Challenging, validating, and signing off data and requirements;
3. Analyzing and reviewing;
4. Reporting and approving BIA results.
1.1 Data Gathering approaches
Data and requirements are gathered through questionnaires, workshops, and interviews. One should
gather details about:
– processes and activities within the scope;
– resources required for conducting processes and activities;
– internal and external dependencies between processes and activities;
– impacts over time when not performing the processes and activities;
– the maximum time that can be tolerated without performing the processes and activities;
– the maximum data loss tolerated for the processes and activities;
– technology used to conduct the processes and activities;
– the key people, staff availability and succession planning;
– resources required for recovering processes and activities in alternative working locations.
1.1 Data Gathering approaches
There are some specifications that are globally adopted in BCM programs and are identified within the BIA:
• Critical:
Using the word critical to label certain processes/activities indicates that there are severe impacts for not
performing them and a higher level of priority for managing these processes/activities.
– The definition of critical is highly dependent on the organization and its environment.
– It should be understood and communicated that labeling a certain process/activity as critical does not indicate that
the others are luxury or cosmetic processes/activities. It just highlights that it has a higher priority for recovery.
– In the event of disaster, the recovery process should be flexible enough to allow for the recovery of less critical
processes/activities when needed.
• Recovery time objective (RTO):
The RTO is the time objective or goal for restoring the processes/activities. It must not exceed the maximum
time that can be tolerated without performing the process/activity, as gathered in the questionnaire.
• Recovery point objective (RPO):
The RPO defines the currency level of data, electronic and hard copy, needed to properly perform the
process/activity. It defines the maximum data loss acceptable, expressed as a period of time before the
disruption, and is one of the major inputs to the organization’s backup and archiving processes.
1.1 Data Gathering approaches
• When specifying impacts, there is a set of common areas of impact to investigate and
identify.
• Following are the principal areas to consider for investigation of impacts.
– Financial: direct losses; indirect losses; integrity and credibility of financial reports.
– Customer & Client Services: inability to deliver the services to customers and clients; improper or
poor service levels.
– Regulations & Laws: non-adherence to laws and regulations; fines and penalties.
– Brand & Reputation: damage to brand value; improper public perception.
– Health & Safety: threat to human life; weak control and protection of assets.
– Information & Data: loss of data; poor information strategy.

When investigating specific impacts, the impact measurement and rating scheme should be established:
qualitatively or quantitatively. If numbers are available and accessible, quantitative impacts are more
accurate, yet at the end there should be some lines drawn to determine criticalities and priorities;
that’s when we go back to the qualitative approach. Otherwise, the qualitative approach seems more
usable and applicable.
1.2 Challenge, validate, and sign off data and requirements
• The information provided from the first phase of data and requirements gathering should be put through several
challenge and validation cycles at different levels.
• The main reason for this is to ensure that correct data are provided and requirements documentation is properly
produced. The main concerns about the provided data are incompleteness, inaccuracy, and unfair
(overestimation or underestimation) ratings of requirements.  
• The first challenge and validation level is with the process/activity owner and BCM coordinator. For this level, all
sections of the BIA should be visited, making sure that all data and ratings are provided and are justifiable. If there
are noticeable points or concerns to highlight, they need to be brought up for discussion in order to be resolved. 
• If they are not resolved, these concerns need to be raised to the next validation level: the business unit head. For
this, a one-to-one meeting between the business unit head and the BCM coordinator should be held. Within that
meeting, the questionnaire should be introduced and its various sections walked through.
• This meeting is the right place to raise any unresolved issues or noticeable points that require clarification and
decisions to be made. Once finalized, the business unit should sign off the questionnaire for completeness and
accuracy of data provided.  

There’s one guideline to follow here; the data contained within the BIA questionnaire is owned by
the business unit. The people at the various business units are the experts in their areas and they
are responsible for the validity of the information they provide. The BCM team’s role is to help
them follow the process properly. The more the BCM team follows this guideline, the more
successful it is in the BCM program.
1.3 Analyze, report, and approve BIA results
• The analysis of data and requirements provided through the BIA questionnaire focuses on defining
the RTO, RPO, and criticality of processes/activities within the scope.
• It also defines the resources required to continue working and recover the processes/activities at
alternative work locations. Achieving such results is not easy and it involves many variables.
Impacts related to staff well-being, adherence to regulations and laws, financial implications,
reputation and image, and other impacts should be investigated taking into consideration the
dependency map of the processes/activities: a process can recover no faster than the resources and
processes it depends on, so their RTOs must be at least as tight as its own.
• There’s also the concept of “seasonality” of processes. The season of a process/ activity is when
the criticality of this process/activity becomes higher due to more severe impacts being expected.
Examples of seasonal processes/activities are payroll, regulatory reporting, stock inventories,
etc. 
• When defining the BIA results, there should be room for scenarios where
some processes/activities may be highly utilized in disasters or crises while they enjoy moderate
utilization in normal working conditions. For example, the organization’s website or portal may
not be critical to the operations and business but during a disaster it could be very helpful for
internal and external communications. Thus its criticality is upgraded and a more demanding RTO
and RPO are required.  
• Once all the requirements have been defined, a report should be produced for the BCM owner
and committee containing all of the BIA results.
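The two analysis rules above, propagating RTOs along the dependency map and tightening them in season, are mechanical enough to script. The following is an added example written for this page, not a tool from the original slides or from any BCM product. The process list, the dependency names and the criticality bands (hours of RTO mapped to critical/high/medium/low) are all constructed assumptions; a real program would take them from the signed-off questionnaires and the organization’s own rating scheme.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Process:
    """One row of the BIA questionnaire (constructed fields, not a real questionnaire)."""
    name: str
    unit: str
    mtpd_hours: float                 # maximum time tolerated without performing the process
    max_data_loss_hours: float        # maximum data loss tolerated (becomes the RPO)
    depends_on: list = field(default_factory=list)    # internal dependencies by name
    season_months: set = field(default_factory=set)   # months in which impacts are more severe
    season_mtpd_hours: Optional[float] = None         # tighter tolerance during the season


# Assumed, organization-specific bands mapping an RTO (hours) to a criticality label.
CRITICALITY_BANDS = [(4, "critical"), (24, "high"), (72, "medium")]


def criticality(rto_hours: float) -> str:
    for limit, label in CRITICALITY_BANDS:
        if rto_hours <= limit:
            return label
    return "low"


def effective_mtpd(p: Process, as_of: date) -> float:
    """Seasonality: use the tighter in-season tolerance when as_of falls in the season."""
    if p.season_mtpd_hours is not None and as_of.month in p.season_months:
        return p.season_mtpd_hours
    return p.mtpd_hours


def derive_rto(processes, as_of: date) -> dict:
    """RTO starts at each process's own tolerance and is then tightened along the
    dependency map: nothing a process relies on may recover later than the process."""
    by_name = {p.name: p for p in processes}
    rto = {p.name: effective_mtpd(p, as_of) for p in processes}
    changed = True
    while changed:                      # values only ever decrease, so this terminates
        changed = False
        for p in processes:
            for dep in p.depends_on:
                if dep not in by_name:
                    raise KeyError(f"{p.name} depends on unlisted process {dep!r}")
                if rto[dep] > rto[p.name]:
                    rto[dep] = rto[p.name]
                    changed = True
    return rto


def analyse(processes, as_of: date) -> dict:
    """Per-process RTO, RPO and criticality, plus the concern to raise at validation."""
    rto = derive_rto(processes, as_of)
    report = {}
    for p in processes:
        own = effective_mtpd(p, as_of)
        report[p.name] = {
            "unit": p.unit,
            "rto_hours": rto[p.name],
            "rpo_hours": p.max_data_loss_hours,
            "criticality": criticality(rto[p.name]),
            # a tolerance tightened by a downstream process is a concern to raise
            # with the business unit head at the challenge-and-validation step
            "tightened_from": own if rto[p.name] < own else None,
        }
    return report


# Constructed sample: IT rated its own tolerances looser than the business processes
# that depend on them, which the dependency map has to correct.
SAMPLE = [
    Process("Online trading", "Trading", 2, 0.25, depends_on=["Core network", "Customer database"]),
    Process("Payroll", "HR", 72, 24, depends_on=["Core network"]),
    Process("Regulatory reporting", "Finance", 120, 24, depends_on=["Customer database"],
            season_months={1, 4, 7, 10}, season_mtpd_hours=8),
    Process("Customer database", "IT", 24, 1),
    Process("Core network", "IT", 48, 0),
]

if __name__ == "__main__":
    for name, row in analyse(SAMPLE, date(2024, 5, 15)).items():
        print(f"{name:22} RTO={row['rto_hours']:>5}h RPO={row['rpo_hours']}h "
              f"{row['criticality']:8} tightened_from={row['tightened_from']}")
```

Run it for a May date and both IT services come out with a 2-hour RTO inherited from online trading, with `tightened_from` recording the 48 and 24 hours IT originally reported; run it for an April date and regulatory reporting moves from low to high because its season applies. A cycle in `depends_on` cannot hang the loop because each pass only ever lowers a value.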
1.3 Analyze, report, and approve BIA results
• A typical BIA report would include:
– an introduction explaining its purpose and methodology;
– an executive summary highlighting the most important results and issues;
– consolidated BIA results for all the processes/activities within the scope;
– detailed BIA results for individual business units;
– concerns and issues highlighted within the BIA process;
– recommendations.
• Approval of the BIA results is the responsibility of the BCM owner and
committee. Their approval should be documented.
2. Risk and threat assessment
• After the critical aspects of the organization have been identified, the organization should take a
proactive approach towards protecting them. BCM is not only about reacting to and recovering from
disasters; it is also about mitigating the probability of their occurrence and their impacts when they do occur.
• A comprehensive look at the critical aspects of an organization would identify the main components
of these. These components are:
– people
– premises
– technology
– information
– supplies
– stakeholders.
• Having this component breakdown should make the process of threat identification easier and more
focused.
• The list of threats facing the above components of critical aspects of an organization is highly
dependent on the organization’s environment and nature. But the main point here is to keep an open
mind, not only about external threats but also any internal weaknesses that may introduce high
impacts.
2. Risk and threat assessment
Common Threats & Risks
– Fire; floods; earthquakes; severe weather conditions
– Data loss; information security failure; system failure; electro-mechanical failures; power disruptions
– Vendor failure; fuel shortage
– Wars; riots and public security disturbance; sabotage/vandalism
– Non-compliance with laws and regulations; reputation damage
– Pandemic outbreak; negligence; low morale; loss of key staff
2. Risk and threat assessment
• External threats and internal weaknesses are translated into risks by defining
probabilities and impacts where:
Risk = Probability x Impact
• Graphically, a matrix is used to illustrate the various ratings of risks.
• A selection should be made here between using a quantitative approach or a
qualitative approach for defining probabilities and impacts.
• It is suggested that it is kept simple and consistent with the approach used in the
BIA.

Risk matrix (Impact on the vertical axis, Probability on the horizontal axis):

Impact \ Probability   Low      Medium    High
High
Medium
Low
2.1 Risk treatment options
• Identifying external threats and internal weaknesses is only one step; deciding how to treat them comes next.
Risk treatment should be in line with the organization’s risk appetite and risk tolerance. Risk appetite is simply
how much risk the organization is willing to take, or manage. Related to risk appetite is risk tolerance, which
defines the amount of risk the organization is willing to accept. It is the organization’s pain threshold for
risk.  There are common risk and threat treatment options to select from:
– Accept or tolerate: Risk is usually accepted when the impact is low, regardless of the probability. In the
worst cases, high-probability, low-impact risks are annoyances to normal operations and working
conditions.
– Transfer or share: Transferring or sharing risks is widely used for low- probability, high-impact risks.
Usually, this type of risk is very hard to justify in terms of cost. Common implementations of risk transfer
are using insurance and outsourcing. The tricky part is keeping an eye on how the third party (insurance
company or outsourcing company) is managing the risk. 
– Terminate or avoid: When possible and cost-effective, organizations aim to eliminate the source of the
risk, thus moving the probability to minimal value. 
– Treat or mitigate: Mitigation of risks is the option chosen when the probability cannot be minimized
effectively but the impact can be. To minimize the impact, the organization implements certain measures
to control the risk. 
• As a rule, managing a given risk requires a mix of treatment options: for example, mitigating the
probability, insuring the residual impact, and accepting what remains, so that continuity risks are
managed and the organization’s critical aspects are protected in a cost-effective manner.
2.2 Process of threat and risk assessment 
• The process of threat and risk assessment starts with looking at the components forming the
critical aspects of the organization and trying to identify the threats that face them and which
could affect their operations. There are suggested sources that can help you identify the
threats and risks:  
– Risk registers maintained at your organization
– Recent incidents that have occurred
– Internal and external audit reports
– Industry studies
– Insurance studies and reports
– Interviews with stakeholders and staff.
• After defining the risk and threat sources, define what will be used for the scoring methods
for both probability and impact.
•  The next step is to decide how to treat identified threats and risks, bearing in mind both
applicability and cost.
•  The final step in this process is to document your selected options to treat threats and risks
along with the estimated costs in a risk treatment plan. The BCM owner and committee
should approve this document.
3. Strategies and risk treatment plans
• The organization needs to decide what strategies should be selected to satisfy the
continuity requirements and how the threat and risk assessment management
actions will be translated into practical and applicable plans. This phase in the BCM
life cycle is called determining the BCM strategy.
• In this context, the BCM strategy may be referred to as the BCM continuity
options. The two terms are used interchangeably. The main outcomes of the
strategies selected will be:
– the minimization of probabilities and impacts of threats and risks facing
the organization;
– ensuring continuity and protection of critical aspects of the organization;
– the introduction of higher levels of redundancy and resilience to the organization;
– the introduction of flexibility for recovery of non-critical aspects of the organization.
3. Strategies and risk treatment plans
• The guidelines for choosing the right BCM strategies and RTPs are:
– Effectiveness: How effective is the selected strategy and RTP in minimizing the probability and
impact of threats and risks, protecting the critical aspects defined, and meeting continuity
requirements (RTO, RPO, etc.)?
– Cost benefit analysis: The selected strategy and RTP should have a strong cost-benefit case and
analysis. As a guideline, the cost of implementing the strategy and RTP should not exceed the
financial cost of the aspect being protected or the loss resulting from a threat or disaster happening.
– Applicability: The selected strategy and RTP should be practical and possible to implement. There’s
not much use in designing ideal strategies and RTPs that only work in an ideal world.
• The scope of the strategies and RTPs is mapped to the organizational components listed earlier:
people, premises, technology, information, supplies, and stakeholders.
3.1 People
• People are the core BCM objective and ensuring their protection and continuity is not an easy thing to
build in and establish. The strategies and RTPs for the people component should serve four main goals:
– protection of their safety and well-being;
– minimizing threats and risks arising from people and staff;
– ensuring their availability as appropriate for recovery and continuity;
– maintaining sufficient levels of core knowledge, skills, and competencies throughout recovery and continuity phases.
• To achieve these goals, there are suggested continuity strategies:
– Maintain sufficient and distributed documentation of critical processes, procedures, and activities.
– Implement multi-skill and knowledge transfer activities and training programs.
– Implement succession planning and job rotation programs for critical people working in critical processes and
activities.
– Maintain an inventory of qualified contractors ready to join the organization. The organization may consider
using recruiting agencies or headhunters to help.
– Implement talent management to minimize talent and skill concentration in one group or in one location.
– Consider outsourcing some of your critical processes to an external party while maintaining sufficient controls and
measures to protect the organization against relevant risks.
• The RTPs should focus on the following techniques:
– strictly implementing health and safety processes;
– maintaining strict information security controls for people and staff.
The importance of people  & Succession planning 
• Organizations are established to achieve certain goals and fulfill specific visions. The most important enabler for
the achievement of such goals and visions is people.
• Using the word people rather than staff or employees is intentional. In the wider circle of interest being
considered, people refer to all humans in relation to the organization. Staff, employees, their families and
connections, clients, customers, the local community, etc. all fall under the definition of people.
• Most of the risks will result in the non-availability of staff or employees during recovery phases after crises/
disasters are over and, therefore, the organization will be affected.
• Succession planning: Succession planning is a common strategy to plan for the continuity of human resources. It
is mostly concerned with employees but it can also be useful in freeing up employees that are needed by family,
relatives, or friends.
• The idea of succession planning is to create a sufficiently large number of employees who are capable of handling
the tasks required. Capable means that they possess similar expertise and share relatively common knowledge.
• There are some common techniques for performing succession planning. These techniques may work collectively
or separately, depending on their applicability in the organization’s environment:
– knowledge documentation and creation of knowledge bases
– job rotation
– shadow backups
– distribution of critical processes over a larger number of people
– training
– outsourcing.
3.2 Premises 
• Strategies and RTPs focusing on premises ideally concentrate on scenarios resulting in the
non-usability of the sites and locations of the organization.  The most common approach for
BCM strategies for premises is the use of alternative locations if disasters or incidents occur.
There are, however, other BCM strategies that may be useful to the organization such as:
– using alternative locations provided by professional hosting service providers;
– having reciprocal agreements with other organizations that share an industry, geography, or infrastructure;
– using remote working solutions (whether from home or other locations);
– using ad-hoc locations as required in times of disaster;
– outsourcing disrupted services to professional providers.
• There are several points that need an extra degree of focus and attention. The first of these is
that when selecting alternative locations, the risks and threats that surround the primary
location should be minimized as much as possible in the alternative one. Some of the
preferable features that alternative locations should have are as follows:
– They are sufficiently distant from primary locations.
– They have ease of access and use.
– They are easy to activate and deactivate.
– They can accommodate extra staff and workloads.
– They have minimized risks by nature.
– They possess sufficient infrastructure.
3.2 Premises 

• The definition of each of the above features is left to the organization and how much
they are willing to invest in their alternative locations. Alternative locations may be left
unused except for times of testing and invocation or may be locations that are already
active and in use. 
• The second point is that when selecting professional hosting service providers, extra
care should be given to the contractual terms covering the type and length of use,
invocation, testing, and security, and the privacy issues of both parties and
the information situated at those sites. The same concepts apply for reciprocal
agreements. As for the RTP focusing on premises, the range of options should focus
on:
– implementing strict physical security and environmental preparations to protect the facilities
and premises from incidents and disruptions;
– considering extra protection measures in terms of insurance and maintaining sufficient coverage
for protecting facilities and premises.
3.3 Technology 
• Technology plays a very important role in an organization, where it is now considered the backbone of operations
and information usage. When designing and selecting BCM strategies to deal with technology, the restricting
factors are:
– continuity specifications (RTO, RPO, criticality, recovery requirements);
– candidate locations to host technology services;
– distance between technology locations;
– connectivity readiness and deployment;
– capability to outsource technology infrastructure and services to professional service providers.
• The selected BCM strategies list can contain:
– deploying redundant infrastructure, systems, and technology services at different locations either inside the organization or
externally by utilizing professional hosting service providers;
– preparing locations for providing technology services while deploying and activating technology services at times of disaster.
• The selected strategy should be flexible enough for update and enhancement due to the evolving nature of
technology in terms of complexity and advancement.
• The RTPs covering technology are highly integrated with the continuity strategy as they should focus on
introducing more resilience to technology. Resilience means the ability and capability of the organization to
recover from incidents in a rapid manner without the organization being affected.
• The integration between BCM and information security is highly visible in this context. Most of the RTPs handling
technology are within the domain of information security, where the four main requirements on information
listed in the next section (confidentiality, integrity, availability, currency) are met in a cost-effective and
practical manner.
3.4 Information
• Information is the lifeblood of an organization. Interactions of the various types of information define
many of the organizational components. Strategies selected for information should satisfy four main
requirements:  
– Confidentiality: Services and information should be available only to relevant stakeholders.
– Integrity: Relevant services and information should be reliable, consistent, and meaningful as required. 
– Availability: Services and information should be available to relevant stake- holders when needed without significant,
unacceptable delays.
– Currency or freshness: Services and information should be up to date and current as required by the stakeholders. 
• The strategies should also cover all types of information: electronic and hard copy:  
– Hard copies: Consider using document management and archiving solutions for keeping electronic copies of originals. You
may also want to distribute your vital records over multiple locations and sites. Some organizations dedicate specific sites
and locations for the storage of documentation, filing, and archiving. You may want to make copies of those hard copies
and store them off site. 
– Electronic data: The most common strategy is using backup tapes and/or replication to redundant environments, on site
and off site. The main inputs for this strategy are the RPO and retention policy, which contain the backup/replication and
information storage policies.  
• RTPs for information are shared with the technology RTPs and are covered through a robust information
security program. RTPs should meet the four main requirements mentioned earlier:  
– Storage locations for hard copies and electronic data media should be protected against external and internal factors that
can jeopardize the information for any of the four requirements. 
– Tapes should be tested regularly to make sure they are usable and data residing on them is usable. 
– Disposal of information should also be done in a way that protects the organization from unauthorized access to
information.
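The electronic-data strategy above is driven by two inputs, the RPO and the retention policy, and the RTPs add the requirement that stored copies are tested regularly and disposed of safely. The following script is an added example, not code from the original deck or from any BCM tool: it runs those three checks over a backup catalog. The catalog entries, the 24-hour RPO, the 30-day retention period and the digest-based usability test are all constructed for the example.

```python
"""Added example (not from the original deck): a catalog check for the
electronic-data strategy in section 3.4. It takes the two inputs the deck
names, the RPO and the retention policy, and applies the 'test the copies
regularly' control by recomputing each copy's digest. All copies below are
constructed sample data, not real backup media."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


@dataclass
class BackupCopy:
    label: str
    taken_at: datetime
    location: str          # "onsite" or "offsite"
    payload: bytes         # stand-in for the bytes on the tape or replica
    recorded_sha256: str   # digest written to the catalog when the copy was made


def catalog_copy(label, taken_at, location, payload, degraded=False):
    """Create a catalog entry; degraded=True simulates a copy whose media
    changed after it was cataloged (the case regular tape tests exist to catch)."""
    digest = hashlib.sha256(payload).hexdigest()
    if degraded:
        payload = payload[:-1] + b"\x00"
    return BackupCopy(label, taken_at, location, payload, digest)


def copy_is_usable(copy):
    """A copy is usable only if the stored bytes still match the cataloged digest."""
    return hashlib.sha256(copy.payload).hexdigest() == copy.recorded_sha256


def assess_backups(copies, now, rpo, retention):
    """Compare the catalog against the RPO and retention policy.

    rpo:       maximum tolerable data loss, as a timedelta
    retention: how long a copy is kept before it enters the disposal process
    """
    usable = [c for c in copies if copy_is_usable(c)]
    newest = max(usable, key=lambda c: c.taken_at, default=None)
    newest_offsite = max((c for c in usable if c.location == "offsite"),
                         key=lambda c: c.taken_at, default=None)
    # Copies past retention are listed for controlled disposal, not silently
    # deleted: section 3.4 requires disposal that prevents unauthorized access.
    expired = [c.label for c in copies if now - c.taken_at > retention]
    gap = None if newest is None else now - newest.taken_at
    offsite_gap = None if newest_offsite is None else now - newest_offsite.taken_at
    return {
        "usable": [c.label for c in usable],
        "corrupt": [c.label for c in copies if not copy_is_usable(c)],
        "data_loss_hours": None if gap is None else gap.total_seconds() / 3600,
        "rpo_ok": gap is not None and gap <= rpo,
        # Off-site copies matter most: an on-site copy is lost together with the site.
        "offsite_rpo_ok": offsite_gap is not None and offsite_gap <= rpo,
        "dispose": expired,
    }


def sample_assessment():
    """Run the check over a constructed catalog (RPO 24 h, retention 30 days)."""
    now = datetime(2024, 6, 10, 9, 0)   # constructed reference time
    copies = [
        catalog_copy("daily-0609-onsite", datetime(2024, 6, 9, 22, 0), "onsite", b"ledger rows 2024-06-09"),
        catalog_copy("daily-0609-offsite", datetime(2024, 6, 9, 22, 0), "offsite", b"ledger rows 2024-06-09", degraded=True),
        catalog_copy("daily-0608-offsite", datetime(2024, 6, 8, 22, 0), "offsite", b"ledger rows 2024-06-08"),
        catalog_copy("monthly-0501-offsite", datetime(2024, 5, 1, 22, 0), "offsite", b"ledger rows 2024-04"),
    ]
    return assess_backups(copies, now, rpo=timedelta(hours=24), retention=timedelta(days=30))


if __name__ == "__main__":
    for key, value in sample_assessment().items():
        print(f"{key}: {value}")
```

In the sample catalog the on-site copy meets the RPO, but the only off-site copy inside the RPO window fails its digest check, so the report flags `offsite_rpo_ok` as false: the organization would lose 35 hours of data if the primary site were lost, not 11. That gap is exactly what regular tape testing is meant to expose before a disaster does.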
3.5 Supplies  
• Organizations today exist in a world of interactions and interdependencies. An organization’s
products serve as inputs and supplies to other organizations. Therefore, it is critical for an
organization not only to look after its internal operations and environments, but also to
consider its reliance on others to maintain its operations and environment.  
• The BCM strategies for supplies should focus on:  
– Maintaining additional levels of critical supplies at various locations; 
– Diversifying sources of critical supplies; 
– Developing contractual agreements with vendors for consistent, just-in-time deliveries of critical
supplies.  
• RTPs for supplies should also cater for:  
– Regular delivery of critical supplies; 
– Making sure suppliers and vendors have validated business continuity plans or alternative procedures
that are reliable and auditable; 
– Enforcing agreements and contracts with vendors and suppliers against bad performance, and poor
delivery or non-delivery of supplies.
3.6 Stakeholders  
• Internal and external stakeholders are those who are linked to the
organization and have an interest in it. They are consequently affected when
disasters and incidents affect the organization. Different types of stakeholder
require different needs to be met. It is difficult to identify the appropriate
BCM strategies for all stakeholders. The main point here is to identify the
organization’s key stakeholders, discover their requirements, and design your
strategies to meet such requirements. In particular, stakeholders with special
needs should be catered for with regard to their welfare and protection.  
• Once the strategies and RTPs are selected, the BCM owner and committee
should sign them off in order to mandate other stakeholders within the
organization to start implementation and execution of the selected set of
strategies and RTPs.
4. Planning and implementation  
• After defining the continuity specifications and deciding the strategy to follow to meet such specifications, the
organization gets into the phase of documenting the continuity plans and implementing the selected strategies
and RTPs.
[Figure: disaster timeline, reading Disaster Occurred, then Crisis Management Plan, then Disaster Controlled,
then Business Continuity Plan, then Operations Resumed]
• Starting with BCM planning, let's consider the situation when a disaster hits. Most probably there will be some
chaos. There might also be some haphazard decisions made that make the situation even worse. If we want to
plan for managing disasters and crises, then we should be focusing on two main plans:  
• The crisis management plan (CMP): The CMP should be a well-structured yet simple plan to allow the
organization to manage the early stages of the disaster in the most appropriate way.  
• The business continuity plan (BCP): Once the situation comes under control, a typical BCP would allow the
organization to recover its functions, processes, and assets to be operational again. Furthermore, the BCP
should allow the organization to fully recover itself to the status it had before the disaster occurrence.
4.1 Crisis management plan 
• The main purposes of the CMP are to:  
– perform proper situation assessments; 
– initiate communication channels with all required stakeholders;
– control the situation and limit the impacts. 
• The main features of the CMP are simplicity and effectiveness and it should meet the
continuity specifications set earlier. The CMP should also be linkable to the BCPs that may be
invoked in later stages.  
• There are two main approaches to follow when developing the organization’s CMP:  
– The first approach is developing CMPs according to specific scenarios. The “scenario-based” CMP is
fit only to handle those scenarios that it is created for. Thus its effectiveness is relatively limited. 
– The second approach is developing CMPs according to impacts. CMPs that are based on impacts are
highly effective in all situations sharing same impacts. Yet they require more maturity of the
organization in defining the impacts of the disaster and selecting an appropriate CMP afterwards.  
• Contents of the crisis management plan: A typical CMP should contain the following sections:  
– Purpose and scope: The plan should identify what services/processes/activities are included within
the plan and their relevant continuity specifications. 
– Roles and responsibilities: Specific responsibilities, roles, and authorities are documented within the
plan. 
– Invocation process: This describes how the plan will be invoked based on the situational assessment in the
early stages of the disaster. The invocation of the plan may also include how people will be relocated and
relevant logistics of such invocation and relocation. 
– Document ownership and maintenance: The plan should identify the owner of the CMP, who is usually the
BCM owner. It should also identify how the plan will be maintained through version control and record
management processes.
– Contact information/emergency contacts: The plan should include all required contact information for the
CMP to be effective. 
– Tasks and actions: The plan should detail what tasks are to be performed and who will perform them. It
should also identify the success criteria of those tasks and actions. In particular, people-related tasks are the
most important of these. Since protecting people is the core objective of BCM, the CMP should have specific
actions to protect, evacuate, and maintain the welfare and safety of the people. 
– Internal and external communications and responses: The CMP should activate the communication
channels, internally and externally. This part is vital for the success of the organization in managing disasters
and crises. 
– Command centers and locations: It is very probable that primary work locations will be unusable or unfit to
work in at times of disaster. If this is the case, the CMP should identify the immediate alternative locations
from which the organization will be managing the disaster and the crisis. 
– Appendices: There might be some specific additional information required for effective management of the
crisis. The CMP should include all the required information as it will be the main reference for the
organization in time of disaster and crisis.
4.2 Business continuity plan  
• CMPs are for managing the disaster at the organization level. They are responsible for ensuring that the
organization, as one entity, goes through the disaster safely and with minimum losses and impacts. CMPs
provide the basis from which more specific plans are created and used.  
• BCPs, on the other hand, are those plans developed to recover specific functions, processes, activities, or
assets from disasters and ensure they provide their services internally within the organization and externally
to clients, vendors, and other stakeholders within acceptable levels and specifications. Within BCPs fall the IT
disaster recovery plans (DRPs), which we will cover in more detail later in the book.  
• Contents of the BCP: A typical BCP's contents should allow the recovery of specific functions according to approved
continuity specifications. These contents include:  
– Purpose and scope: The plan should identify what services/processes/activities are included within
the plan and their relevant continuity specifications. 
– Roles and responsibilities: Specific responsibilities, roles, and authorities are documented within
the plan.
– Invocation process: This is how the plan will be invoked based on the situational assessment in the
early stages of a disaster. The invocation of the plan may also include how people will be relocated
and relevant logistics of such invocation and relocation.
– Document ownership and maintenance: The plan should identify the owner of the BCP, who is
usually the process owner or department head. It should also identify how the plan will be
maintained through version control and records management processes. 
– Contact information/emergency contacts: The plan should include all required contact information
for the BCP to be effective. These contacts may be internal ones within the organization or external
ones like vendors, regulators, public authorities, insurers, etc. 
– Tasks and actions: The plan should detail what tasks are to be performed and who will perform
them. It should also identify the success criteria of those tasks and actions.
– Assets and resources required for recovery: The plan should identify the assets and resources
required to perform successful recovery. These requirements are to be specified over time in order to
cater for the logistics related to provision of these assets and resources. The assets/resources
categories may include people, locations and workspaces, technology and networking, data and
information relevant to the function, necessary supplies, and stakeholder communications. 
– Restoration process: There should be detailed information on how to get back to normal conditions
once the disaster situation ends.
– Appendices: There might be some specific additional information required for effective management
of the crisis. Such additional information may cover the testing history of the plan, major results of
the BIA and risk assessment, physical security aspects, and the maintenance procedure and history of
the plan.
5. Awareness and training
• We have now progressed a good way into the BCM life cycle, from initiating the life cycle to BIA, risk and
threat assessment, BCM strategies and RTPs, and planning. Now we need to communicate all of this
progress to the relevant stakeholders for the organization. This communication has two main processes: 
– BCM awareness: BCM awareness creates an acceptable level of knowledge and understanding of the BCM
program within the organization and is targeted towards all of the organization’s stakeholders. 
– BCM training: The training stream aims to give specific skills and advanced knowledge to particular
stakeholders related to the BCM plans. BCM training builds upon the awareness process as stakeholders need
to be introduced to the program before advanced knowledge is transferred to them.  
• The BCM training and awareness processes start with the training needs analysis (TNA). Within the TNA,
you can identify the existing level of BCM knowledge and skills within the organization. Once existing levels
are defined, you need to define the desired levels of BCM knowledge and skills needed for the organization
and how these will be delivered.
• After delivering BCM training and awareness, we need to measure the effectiveness of these processes.
Useful tools for this may be:  
– the number of employees and relevant stakeholders who attended the training and awareness programs; 
– a review of the training and awareness material by peers or training professionals; 
– a diversity of methods and tools to deliver training and awareness material; 
– feedback, surveys, and comments received from recipients of the training and awareness material.  
• When delivering the training and awareness messages, make sure that the language used is relevant to the recipients’ levels
of knowledge and interest. The methods used to deliver the training and awareness messages vary from one organization to
another. Common methods may include:  
– internal and external portals and websites; 
– sessions and workshops; 
– orientation and induction programs for new staff; 
– electronic education solutions; 
– e-mails and newsletters; 
– contests and quizzes; 
– tours and road shows for important BCM initiatives and projects. 
• Training and awareness programs should be consistent and continuous, without burdening the recipients or diluting the
importance of the messages.  
• BCM awareness
As mentioned above, BCM awareness aims to create a sufficient level of knowledge across the organization
relevant to the BCM program, its components, and deliverables. The BCM awareness process should trigger the organization
stakeholders to:  
– appreciate the need for BCM and the benefits that it brings for them and for the organization; 
– know the form of the BCM program within the organization and its progress. 
• BCM training
• The BCM training process builds advanced knowledge and skills within specific stakeholders to ensure that their
contribution to the BCM program, both in normal business conditions and in disruptions, is up to the level required. The
BCM training process splits into two main streams:  
– BCM training for the BCM team: BCM life cycle, BCM program management, crisis management, and BCM technical issues. 
– BCM training for other stakeholders: the training necessary for CMPs and BCPs.
6. Testing
• The testing phase of the BCM life cycle aims mainly to validate the plans and documentation against recovery
objectives and continuity specifications. There are, however, other goals that testing serves:
– Testing is a very good tool to raise the awareness and training levels of the relevant stakeholders, since active
participation and the iteration of tests and exercises instill good levels of knowledge and skills.
– Testing increases the level of confidence in the BCM program both inside and outside the organization, as people see
that the plans they participated in developing actually work and come into action when they are needed.
• Overall, improving the testing processes increases the level of BCM program maturity for the organization. Proven
evidence of testing is now a regular internal and external audit area as well as a regulatory requirement. 
• There are some guidelines that the BCM professional should follow when developing the testing and exercising
process. Certain types of test need careful planning, as they can themselves turn into disasters for the organization.
Every test should serve a certain goal and have a specific objective. Doing haphazard tests serves no one and
wastes resources; such tests can easily make you lose support and momentum inside the organization for the BCM
program.  
• The testing process  
The BCM testing process starts with a testing plan. The testing plan is prepared at the beginning of each year and it
identifies the scope, types, dates, resources, and objectives of all tests. At a minimum, the scope of the testing plan
should cover the critical aspects of the organization at least once a year. Make sure to consult the BCM owner and
committee, process owners, auditors, and other stakeholders when preparing the testing plan. The plan should be
reviewed and approved by the BCM owner and committee.  Before the planned test date, the BCM professional
should introduce the test to the participants and obtain their sign-off on the test scope, type, date and time,
and steps.  After that, the tests are conducted and after execution the results reported to the BCM owner and
committee with observations and recommendations.  
Test types  
BCM tests and exercises vary in terms of resource requirements and complexity:  
– Desk check: The desk-check test is the simplest of the BCM tests. Its main aim is to make sure that
the contents of the plans pass audit and challenge reviews. 
– Walk-through: Walk-through tests incorporate different participants who are relevant to the plans
being tested to make sure that all areas are covered within the plans and no gaps exist. 
– Simulation: Simulation tests provide an environment similar to a disaster and put several plans into
action to make sure plans that are linked to each other are working properly.
– Alternative site test: A partial or complete test of the alternative site defined in the plans may be done
to ensure its readiness to be activated in disasters. This type of test includes relocation of people,
activation of the site, invocation of the plan, and returning back to normal. It is important to make
sure that no interruption to the normal business operations occurs during these tests. 
– Full test: A full test activates all CMPs and BCPs that have been developed and demonstrates the
capability of the organization to manage disasters. However, this type of testing is the most
complicated and requires a high level of BCM maturity and planning to make sure that the test is
doable. Usually, organizations bring in experts in crisis management and BCM testing when they do
this type of test for the first few times until they possess the necessary knowledge, skills, and
resources to implement such tests.
RERUNNING THE CYCLE
• A BCM program is continuous and ongoing by nature. BCM is not a project; neither is it a set of templates and documents
developed two years ago. The BCM life cycle is iterative by nature and the phases are rerun either periodically or
when needed to keep the BCM program fit for purpose and relevant.  
• The need to rerun the BCM life cycle
Organizations are dynamic entities which are continuously in a state of change
and evolution. The BCM program should be kept up to date, current, and relevant to the organization. Not doing this would
jeopardize an organization’s readiness to manage disasters and can increase the probability and impact of threats facing
the organization.  
• Triggers for rerunning the BCM life cycle
The BCM life cycle rerun is triggered by two types of triggers:  
Time triggers  
– Most standards and best practices suggest reviewing the BCM life cycle phases and components at least once a year.
Best practices suggest that critical aspects of the organization and their relevant documentation and preparations
should be revisited twice or more a year.  
Change triggers  
There are triggers other than time for rerunning the BCM life cycle, such as:  
– considerable staff turnover, especially for key staff; 
– new products and services; 
– considerable change in technology services and infrastructure; 
– new locations and premises; 
– considerable change in the organization’s strategy and direction; 
– new regulations and laws affecting BCM; 
– the occurrence of incidents or disasters. 
• Successful BCM programs incorporate both triggers for rerunning the BCM life cycle.
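The desk check described under test types (making sure a plan's contents stand up to audit and challenge review) and the time triggers above are both mechanical enough to automate, so that the BCM team spends its review time on judgment rather than on spotting missing sections. The script below is an added example written for this page; it is not the deck's own material or any product's checker. It desk-checks a BCP against the contents list in section 4.2, cross-checks roles, contacts and tasks against each other, and applies the yearly or twice-yearly review limit as a time trigger. The plan document, the dates and the figures are constructed, and expressing the continuity specification as an RTO in hours is an assumption of the example.

```python
"""Added example (not from the original deck): an automated desk check of a
BCP document against the contents listed in section 4.2, plus the time trigger
from the rerun section. The plan, the continuity specification and the RTO
figures are constructed; expressing the specification as an RTO in hours is an
assumption of this example."""
from datetime import datetime, timedelta

# Sections a BCP must carry, following the contents list in section 4.2.
REQUIRED_SECTIONS = (
    "purpose_and_scope", "roles_and_responsibilities", "invocation_process",
    "document_ownership_and_maintenance", "contacts", "tasks_and_actions",
    "assets_and_resources", "restoration_process",
)


def review_limit(critical):
    """Time trigger: yearly review as a minimum, twice a year for critical aspects."""
    return timedelta(days=182) if critical else timedelta(days=365)


def desk_check(plan, spec, now):
    """Return a list of findings; an empty list means the plan passes the desk check."""
    findings = []
    for section in REQUIRED_SECTIONS:
        if not plan.get(section):
            findings.append(f"missing section: {section}")

    roles = list(plan.get("roles_and_responsibilities", {}))
    contacts = plan.get("contacts", {})
    # Every role named in the plan needs an emergency contact, or the plan
    # cannot reach the people it depends on when invoked.
    for role in roles:
        if not contacts.get(role):
            findings.append(f"no emergency contact for role: {role}")

    # Every task needs an owner the plan actually defines, and a success
    # criterion so the recovery team can tell when the task is done.
    for task in plan.get("tasks_and_actions", []):
        if task.get("owner") not in roles:
            findings.append(f"task '{task['name']}' assigned to undefined role: {task.get('owner')}")
        if not task.get("success_criteria"):
            findings.append(f"task '{task['name']}' has no success criteria")

    # The plan's own recovery target must not be looser than the approved specification.
    plan_rto = plan.get("purpose_and_scope", {}).get("rto_hours")
    if plan_rto is not None and plan_rto > spec["rto_hours"]:
        findings.append(f"plan RTO {plan_rto} h exceeds continuity specification {spec['rto_hours']} h")

    last_reviewed = plan.get("document_ownership_and_maintenance", {}).get("last_reviewed")
    if last_reviewed is not None:
        age = now - last_reviewed
        limit = review_limit(spec["critical"])
        if age > limit:
            findings.append(f"review overdue: last reviewed {age.days} days ago, limit {limit.days} days")
    return findings


def sample_desk_check():
    """Desk-check a constructed payments BCP that carries several deliberate gaps."""
    plan = {
        "purpose_and_scope": {"services": ["card payments"], "rto_hours": 8},
        "roles_and_responsibilities": {
            "recovery_lead": "declares invocation, reports to the BCM owner",
            "it_liaison": "coordinates with the DRP team",
        },
        "invocation_process": "invoked by the recovery lead after the CMP situation assessment",
        "document_ownership_and_maintenance": {
            "owner": "head of payments",
            "last_reviewed": datetime(2023, 10, 1),   # constructed date
        },
        "contacts": {"recovery_lead": "+1-555-0100 (constructed)"},   # it_liaison has no contact
        "tasks_and_actions": [
            {"name": "declare invocation", "owner": "recovery_lead",
             "success_criteria": "BCM owner and committee notified"},
            {"name": "restore payment gateway", "owner": "dr_engineer",   # role not defined above
             "success_criteria": ""},                                    # no criterion given
        ],
        "assets_and_resources": ["alternate workspace", "gateway replica", "vendor contacts"],
        # "restoration_process" is deliberately absent
    }
    spec = {"rto_hours": 4, "critical": True}       # approved continuity specification
    return desk_check(plan, spec, now=datetime(2024, 6, 10))


if __name__ == "__main__":
    for finding in sample_desk_check():
        print("FINDING:", finding)
```

The constructed plan produces six findings: a missing restoration process, a role with no emergency contact, a task owned by a role the plan never defines, a task with no success criterion, an RTO looser than the approved specification, and a review that is overdue under the twice-yearly limit for a critical function. A check like this belongs at the start of the yearly testing plan, before the walk-through and simulation tests that need people's time.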
Nature of rerunning the BCM life cycle  
• Rerunning the BCM life cycle does not necessarily require the same resources and time required in the
first run. The BCM manager and his/her team should plan the life cycle rerun carefully with the best
utilization of resources and the achievement of the required goals.  We need to define the scope of
rerunning the life cycle. This means defining the aspects to be reviewed and updated organizationally
(departments, processes, etc.) and functionally (locations, technology, products and services, etc.).  
• Once the scope is defined, you need to plan for the rerun and get approval from the relevant stakeholders,
including the BCM owner and committee, department heads, and process owners. The planning should be
flexible in order to get the buy-in from them. Departments and process owners in particular have a lot
more to do than updating the BCM life cycle. The rerun can be in a small area that only needs a work
package or an agreed task list. It can also be a big rerun affecting a large part of the organization and so
needs to be delivered through a dedicated project. 
• Once buy-ins and approvals are there, we can start the rerun activities. Periodic and as-needed reporting
should be made available to the BCM owner and committee as well as relevant stakeholders. The result
will be an up-to-date and current BCM program that effectively minimizes threats and manages disasters.
Questions: What did we learn?
• What is business continuity management?
• What is the need for business continuity management?
• What are the benefits of effective BCM programs?
• What are the emerging risks and threats?
• How are BCM and risk management related?
• How does effective BCM help reduce insurance premiums?
• How to set up the BCM program?
• What are the key success factors of BCM, and how are they gathered?
• How to establish the governance model of BCM?
• What is the BCM life cycle?
• What are the elements of the BCM cycle?
• What is the importance of business impact analysis, and how is it conducted?
• What are the risk and threat assessment strategies?
• What is the importance of people and premises? What strategies are used to protect them?
• What is succession planning?
• What strategies are used to protect information, technology, supplies, and other stakeholders?
• What are risk treatment plans (RTPs)?
• How to plan and implement BCM awareness?
• What is meant by CMP and BCP? What are their contents?
• How to train people on BCM?
• How is BCM testing carried out?
• Why rerun the BCM cycle? How is it done?
#stayhomestaysafe

Thank you!!!
