Business Continuity Management Planning
Ultimately, the main output from any BCM programme is a plan or plans. Having completed the BIA and Risk Assessment, and agreed a BCM strategy; work can now start on the BCM plan itself.
Plan structures varies from organisation to organisation: smaller organisations may have a single “BCM Plan” covering everything, whilst larger ones may have an overarching corporate plan supported by a number of functional or business unit plans.
Whatever structure you choose, ISO 22313 provides an invaluable checklist of the areas to cover. Some of the key elements of planning are explained below.
Roles and Responsibilities
The first stage in BCM planning is defining appropriate roles and responsibilities. In particular you need to define the team, or teams, who are responsible for coordinating the organisation’s response to a disruption. Smaller organisations may only need a single Incident Management Team (IMT) but many larger organisations apply the Emergency Services model of having a hierarchy of teams as follows:
- Gold / Strategic
- Silver / Tactical
- Bronze / Operational
Whatever structure is decided upon, roles and responsibilities must be clearly documented. Further information on the composition of Incident Management Teams is available in our Downloads section.
The value of BCM planning will only be realised if the appropriate plans are invoked in a timely fashion. It is therefore essential to provide clear guidance, including:
- Who is authorised to invoke specific plans;
- What the triggers are for invoking; and
- How the invocation is effected.
There should also be a clear method of standing down teams once the incident is over.
Incident Management Plan
Developing a robust Incident Management Plan is a vital part of the overall BCM planning process. Typically the incident management phase will last for a few days after a disruption but, for example in a ‘flu pandemic, it could continue for several weeks. The core of the Incident Management Plan is a series of checklists and aides-memoire to assist with decision-making in the early stages of an incident; these should include guidance on:
- Safety and welfare of staff and visitors;
- Locations where Incident Management teams and other critical staff can work from;
- Manual workarounds to mitigate the effect of loss of IT services; and
- Communicating with stakeholders and the media.
Business Recovery Plan(s)
The final stage of BCM planning concerns the compilation of the detailed plans for the restoration of different areas of the organisation and resumption of business as usual. The plans should give details of the recovery priorities, resources required, locations to be used and the people involved in managing the recovery. It should be borne in mind that business recovery may take a considerable period of time – possibly many months in the case of a serious disruption.
Once again, it is important to stress that BCM planning must be supported by appropriate training and exercising.
We are happy to answer any questions about Business Continuity, Crisis Management, Information Security, Data Protection and Product Recalls.
How Can Cambridge Risk Solutions Help?
Cambridge Risk Solutions provides a range of services to assist with each stage of the Business Continuity Lifecycle. Alternatively, if you wish, you can outsource your entire Business Continuity Management function to us.
View some case studies of recent Business Continuity planning, training and exercising projects.