Business Continuity Practice Guide
Contents
1. Introduction
4. Determining strategy 13
5. Developing a response 19
7. Embedding BCM 31
Appendix 2: Glossary 35
Business Continuity GPG 1
1. Introduction
2. The BCM life cycle

[Figure: the BCM life cycle, drawn as a wheel of stages around BCM programme management: determining BCM strategy; developing and implementing a BCM response; exercising, maintaining and reviewing; and embedding BCM in the organisation’s culture.]

The table (right) gives a more
Managing the Programme

BCM programme management is first concerned with managing the introduction and maintenance of business continuity principles into the organisation. It should be based on a formal policy with defined responsibilities and processes, all documented as auditable evidence.

The policy sets out what needs to be done and by whom. Typically it would cover:
> Corporate business continuity organisation and responsibilities:
– Senior management team
– Steering committee

BCM life cycle – the key stages

BCM programme management
> Establish management organisation
> Committee structure and project staffing
> BCM policy
> Standards and guidelines

Developing and implementing a BCM response
> Identify detailed actions necessary and resources required to manage an interruption and maintain effective communications with all affected parties
> Incident management plan for notification, escalation and management of an incident (see, for example, Table 5)
> BCP to resume operations within a predefined timescale (see, for example, Table 6)
> Activity resumption plan to resume individual activities (see, for example, Table 7)
3. Understanding the organisation

To begin the BCM life cycle you must understand the organisation within which the strategy is to be implemented.

Three principal tools are used in this context:

Business Impact Analysis (BIA)
A means of identifying, quantifying and qualifying the consequences of a loss, interruption or disruption of business activities over time. A BIA can be used at any level on any activity in the organisation.

Risk Assessment (RA)
Estimates the likelihood of loss, interruption or disruption from known threats.

Continuity Requirements Analysis (CRA)
Assesses the resources required for a resumption of activities.

Business Impact Analysis (BIA)
A BIA needs the following information:
> What resources and services are critical to the core business activities
> The potential impact of a disruption to the provision of those resources and services
> The stage at which, in terms of the duration of the disruption, the impact on the business would become unacceptable.

Deciding the scope of the analysis may limit the maximum extent over which a disruption is considered. This could be determined by geographical considerations, regulations or statutes, products, markets or specific customer requirements.

BIA methods
Collecting information from staff responsible for core business activities and their dependencies aids the choice of continuity strategies.

Collection methods include:
> Workshops which provide rapid results and engagement with the BCM programme
> Questionnaires give a lot of data although the quality varies
> Interviews offer good information but are time consuming.

Combinations of the above can give excellent results.
Table 1 Product and services exposure map

[Table: products listed in numbered rows, each with the resources and services it depends on; columns record an MTPD for each exposure (Financial, Reputation, Legal/Regulatory – the latter taken from contract), the RTO and the responsible manager (example names). Rows continue with ETC.]
A standard reporting format will improve the consistency of recording and analysing information across multiple functions. The types of questions and the objectives are the same whichever approach is chosen. They include:
> Location of activities
> The impact of losing the activity
> How long the organisation can last without the activity
> Timeframes for activity resumption
> Influences, such as peak periods or regulatory reporting
> What the alternatives are.

Factors to consider include:
> Volumes, e.g. calls per hour, output on production line
> Contractual, regulatory or legal requirements
> Key tools to achieving continuity of the activity: buildings, processes, suppliers (how many, where and when)
> People; staff (skill set), customers
> Equipment; IT, telecommunications, manufacturing/industrial, plant
> Data; paper and electronic
> Dependencies; internal and external to the organisation.

The main outputs from a BIA are:
> The Maximum Tolerable Period of Disruption (MTPD), leading to the Recovery Time Objective (RTO) – the timescale within which a function must be restored to enable continuity of the business to be maintained or resumed.
> Recovery Point Objective (RPO) – the condition to which the situation is to be restored to enable business activities to resume effectively.

The output from the first stage of the BIA process would look similar to the information shown in Table 1. The main products of the company have been listed vertically; below each are broad sub-headings of their required resources and services. For each, the MTPD has been defined before exposure to a variety of business continuity concerns such as financial and reputation. The person responsible for recovery management is also identified.

Several products have an MTPD of 14 days before there is a risk to the company’s reputation. Therefore the company must focus on RTOs for these which provide a minimum level of acceptable service, and the RPO within this timeframe to avoid damaging its customer relationships. The RTO in Table 1 is 12 days in order to give some margin.
DOs and DON’Ts
Table 2 Suggested prioritised risks

Resource | Threat | Likelihood | Impact | Risk treatment | Contingency plan | Response
Supplies | Transport disruption | Medium | Medium | Reduce | Contingency plan | Contract private transport
ETC.
The outcomes from an RA include the identification and documentation of:
> single points of failure
> prioritised list of threats to the organisation or specific business processes
> input to the risk control management strategy and action plan to address the risks
> documented acceptance of identified risks that are not to be addressed.

This activity should result in an understanding of:
> how and why an incident could have an adverse impact on your business
> time thresholds for key activities that must be re-established
> the internal and external dependencies they rely on.

It should be remembered that:
> it is impossible to identify all threats
> estimates of probability are only estimates
> impacts increase over time at different rates
> numeric scales may distort the perceived impact of minor events.

Unacceptable concentrations of risk or “single points of failure” should be brought to the attention of the business continuity sponsor with options for addressing the issue. The decision to avoid, reduce, transfer or accept the risk should be formally documented and signed off (see Table 2).

Continuity Requirements Analysis (CRA)
The next step is the CRA. The aim is to quantify the resources (eg, people, technology, telephony) that are required over time to resume and continue business activities to a satisfactory level. In other words, to operate at an acceptable level, the RPO, within an acceptable time, the RTO. This is usually done simultaneously with the BIA. Its purpose is to:
> provide resource information to develop the recovery strategy to support agreed service levels
> identify resource requirements resulting from dependencies between internal activities and external suppliers.

It is important to explore whether systems must be recovered to the status they had when the failure occurred. The RPO for IT systems will be derived from the information restoration needs. The RPO is sometimes seen as “the amount of data we could afford to lose”.

It is also necessary to take account of additional activities generated by the interruption and clearing of backlogs. For example, a call centre may have to cope with extra calls following an interruption.

This information feeds into the business continuity strategy. Resource requirements help us to evaluate alternative recovery solutions in terms of capacity and performance.
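As an added example (my code, not from the guide), the Python below models the BIA and RA outputs described above: it derives an activity’s MTPD from impact-over-time profiles for each exposure column of Table 1, checks that the chosen RTO leaves a margin inside the MTPD and that the backup interval does not exceed the RPO, and ranks Table 2-style risks by likelihood and impact. The impact profiles, the 1–3 impact scale, the margin rule and the extra risk rows are constructed assumptions.

```python
"""Added example, not from the guide: a small model of BIA/RA outputs.

Assumptions (mine, not the guide's): impact is rated on a 1-3 ordinal scale
where 3 means "unacceptable"; per-exposure impact profiles are constructed;
risk likelihood/impact use the Low/Medium/High wording of Table 2.
"""
from dataclasses import dataclass

LEVEL = {"Low": 1, "Medium": 2, "High": 3}   # assumed ordinal scale
UNACCEPTABLE = 3                              # impact level that defines the MTPD


def mtpd_from_exposures(exposures):
    """Derive the MTPD (days) from impact-over-time profiles.

    exposures maps a Table 1 exposure column (Financial, Reputation, Legal)
    to a list of (days_of_disruption, impact_level) pairs sorted by days.
    Impacts grow at different rates, so the MTPD is the earliest duration at
    which *any* column reaches the unacceptable level.
    Returns (mtpd_days, limiting_exposure), or None if no column ever does.
    """
    earliest = None
    for concern, profile in exposures.items():
        for days, level in profile:
            if level >= UNACCEPTABLE:
                if earliest is None or days < earliest[0]:
                    earliest = (days, concern)
                break   # first breach in this column is the one that counts
    return earliest


@dataclass
class Activity:
    name: str
    exposures: dict                 # Table 1 columns -> impact profile
    rto_days: float                 # Recovery Time Objective
    rpo_hours: float                # Recovery Point Objective
    backup_interval_hours: float    # CRA input: how often copies are taken
    responsible: str = "(example name)"


def check_activity(act, min_margin_days=1):
    """Return a list of findings; an empty list means the outputs are consistent.

    Rules taken from the guide's definitions: the RTO must sit inside the MTPD
    with some margin (Table 1 uses 12 days against an MTPD of 14), and the
    backup interval bounds the worst-case data loss, so it must not exceed the RPO.
    """
    findings = []
    mtpd = mtpd_from_exposures(act.exposures)
    if mtpd is None:
        return ["no exposure ever becomes unacceptable; review the BIA input"]
    mtpd_days, concern = mtpd
    if act.rto_days >= mtpd_days:
        findings.append(f"RTO {act.rto_days}d is not inside the MTPD {mtpd_days}d ({concern})")
    elif mtpd_days - act.rto_days < min_margin_days:
        findings.append(f"RTO {act.rto_days}d leaves under {min_margin_days}d margin before the MTPD")
    if act.backup_interval_hours > act.rpo_hours:
        findings.append(f"backup interval {act.backup_interval_hours}h exceeds RPO {act.rpo_hours}h: "
                        f"worst-case data loss is {act.backup_interval_hours}h")
    return findings


@dataclass
class Risk:
    resource: str
    threat: str
    likelihood: str
    impact: str
    treatment: str = "undecided"   # avoid / reduce / transfer / accept, to be signed off

    def score(self):
        # Product of ordinal levels: a crude scale that, as the guide warns,
        # can distort the perceived impact of minor events.
        return LEVEL[self.likelihood] * LEVEL[self.impact]


def prioritise(risks):
    """Order risks high to low for a Table 2 style register; ties keep input order."""
    return sorted(risks, key=lambda r: r.score(), reverse=True)


# Constructed sample data echoing Table 1 (MTPD 14 days, RTO 12 days) and Table 2.
THIRD_PARTY_PRODUCTS = Activity(
    name="Third-party products (direct to customer)",
    exposures={
        "Financial":  [(7, 1), (14, 2), (30, 3)],
        "Reputation": [(3, 1), (7, 2), (14, 3)],   # reputation is breached first
        "Legal":      [(30, 2), (60, 3)],
    },
    rto_days=12, rpo_hours=24, backup_interval_hours=24)

RISK_REGISTER = [
    Risk("Supplies", "Transport disruption", "Medium", "Medium", "Reduce"),  # Table 2 row
    Risk("Data centre", "Power failure", "Low", "High"),                     # constructed
    Risk("Office", "Fire", "Low", "Medium"),                                 # constructed
]

if __name__ == "__main__":
    print(mtpd_from_exposures(THIRD_PARTY_PRODUCTS.exposures))   # (14, 'Reputation')
    print(check_activity(THIRD_PARTY_PRODUCTS))                  # []
    for r in prioritise(RISK_REGISTER):
        print(r.score(), r.resource, r.threat, r.treatment)
```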
Table 3 Matrix of resource requirements

[Table: Vision Opticals – Direct to customer, third party products. Columns: RTO, RPO, Activity/Product, Dependencies.]
4. Determining strategy

In the BIA, the MTPD for key activities will have been determined, together with an RTO and RPO for each of those activities. The BCM strategy sets out an appropriate approach to recovering each activity. It is the selection of a goal (eg, “If we lose access to building XX, we will relocate staff to YY”) that needs to identify, in general terms, how many staff, what skills and what resources we might need to have available at the chosen locations, as well as any necessary travel arrangements.

The BCM strategy describes what has to be done, not how it has to be done. It is therefore the selection of a high-level response such as:
> Replicate and restore Keep copies in case the originals are lost or damaged (most IT recovery plans are based on this concept)
> Repair Remedial work may be the quickest method of recovering key resources
> Replace If supply is plentiful then key resources can be replaced quickly
> Reciprocity Arrange to borrow another organisation’s facilities
> Relocate Move the workforce and workload temporarily to another location
> Workaround Temporarily adopt an alternative approach to a process
> Suspend Adjourn the activity until normal service is restored.

Different activities require different solutions. Strategy selection is influenced by practicalities such as the cost of implementation and maintenance.

Transferring staff and operations takes time and effort. Normally, a fast and seamless recovery entails a more costly solution. Therefore, it is important to ensure that realistic RTOs and RPOs are set. Is it essential to recover systems to the status they had when the failure occurred or, for example, will restoring yesterday’s back-ups be sufficient?

There are three main aspects to setting the BCM strategy to achieve the agreed RTO:
> Selecting the tactics for continuing the delivery of products and services
> Consolidating the resource requirements
> Sourcing these requirements.

The various options must be fully understood before selecting the appropriate tactics.
Activity continuity strategies

For each activity, the most appropriate tactics to meet the RTO must be selected based on cost, guarantees, additional benefits and other factors. Agreements may vary from verbal promises through to contractually committed service levels. The shorter the RTO, the more important the reliability of the delivery becomes.

People
Some of the following techniques should be considered:
> Process mapping Allowing staff to undertake unfamiliar roles
> Multi-skill training Of individuals
> Cross-training of skills Across a number of individuals
> Succession planning.

Additional skills may arise from permanent or occasional use of third-party support. Alternatively, an inventory can be made of staff skills not used in existing roles. This might include previous experience in other roles – first-aid training, salvage or rescue experience or emergency management skills.

Many stakeholders (including customers, partners and contractors) may be affected by an incident. In a major fire at your site contractors may be injured, local residents evacuated and local businesses closed for safety reasons or because of reduced trade. The organisation’s level of responsibility (both legal and moral) for these groups should be understood.

You should ensure various stakeholders’ needs are satisfied or they may impede the recovery effort. For example, the local residents could press the local authorities to refuse you permission to rebuild on the site following a fire. For civil emergencies dialogue with local emergency responders may provide useful information, such as:
> Recommendations for assembly points and evacuation routes
> Notice of specific hazards in the vicinity
> Likely position of any traffic cordons
> Special access arrangements
> Participation in exercises.

The BC manager should be aware of threat reduction techniques, including:
> Physical security where advice can be sought from security professionals
> Information security. ISO 27001, Information Security Management, and ISO 17799, Code of Practice for information security management, provide useful guidelines.

Premises
The RTO is the principal determinant of worksite continuity tactics. Once the RTO parameter has been satisfied, cost and availability will guide the choice of tactics.
Premises tactics include:
> Do nothing This may be acceptable for the least urgent activities identified in the BIA. Where the RTO exceeds a few months it allows time for buildings to be found and utilities installed post incident, all with minimal planning and preparation.
> Relocate your staff
– Move up Use existing accommodation such as a training facility or canteen to provide recovery space, or increase office density. This needs planning and preparation.
– Displacement High priority activity personnel could temporarily displace some of those who are performing less urgent business processes. But beware of unmanageable backlogs.
– Remote working This includes “working from home” and from other non-corporate locations such as hotels.
– Reciprocal agreements Great care must be taken when establishing this type of agreement. It requires contracted regular testing.
> Use third-party premises Third-party alternative site arrangements may be considered if they meet the RTO. Commercial services include fixed, mobile and prefabricated premises. Dedicated work areas provide exclusive use of the accommodation. “Syndicated” or “Subscription” options offer access, provided the accommodation is not already in use. This can be on a first come, first served or an equitable share basis whereby resources are allocated in proportion to the subscription.
> Use diverse location tactics This option moves the activity and not the staff via dual-site operations or continuous availability solutions. In the event of an interruption at one site the business activities are transferred to alternative locations where staff and facilities are already prepared to handle it.

Equipment
With uninterruptible power supply (UPS) or back-up generators, some risks are acceptable. Risk reduction can use monitoring systems to warn against utility or equipment failures and destructive threats, eg, sprinkler and fire suppression systems in buildings with a high loading of flammable materials or expensive equipment.

Possible recovery techniques to consider are:
> Maintenance contracts, preferably with local firms
> Salvage engineers can often restore equipment after damage by fire or water
> Asset restoration specialists can often minimise damage after fire and flood to equipment, buildings and papers, and they may offer useful advice, as well as being available on request
> Use of local subcontractors or competitors with similar equipment.
Technology
The loss of a data centre can have a major financial impact on a business. There are several options, including in-house resilience, recovery or third-party support.
> Call redirection for telephony Most telecommunications operators offer solutions for redirecting calls from one site to another. The logistics of handling redirected calls must be addressed.
> Convergence of telephony and data networks, VoIP (Voice over IP) This creates new opportunities and issues, since telephones and email are often used as alternatives if one fails; these issues need to be assessed and the risks and impacts thoroughly analysed.

Since business continuity incidents often involve denial of access, back-up copies of records should be kept at another location. There is no ‘correct’ separation distance, but one must consider denial of access factors such as loss of power or transport disruption. There may also be limits on the distances staff would be prepared to travel at short notice. Note that after an incident the regulatory, statutory or business standards for information management still apply.

Supplies
> Storing additional supplies at another location. If the supplies degrade over time they should be rotated with regular stock
> Changes in the core process may require stored supplies to be changed (eg, headed stationery may need new address or contact details)
> Delivery of stock at short notice
> Diversion of just-in-time deliveries to other locations
> Holding materials at warehouses or shipping sites
Table 4 Recovery strategy for third party products

[Table: Vision Opticals – Direct to customer, third party products. Columns: RTO, RPO, Activity/Product, Dependencies, Recovery strategy. The recovery strategy rows, with the selected options marked, are: Replicate/restore (marked), Repair, Replace (marked, including the warehouse), Reciprocity (marked), Relocate (marked), Workaround, Suspend (marked, for the office).]
Techniques for reducing the impact of supply interruptions include:
> Dual or multi-sourcing
> Inspection of supplier’s business continuity arrangements. This may include a requirement for certification to ISO 22301
> Holding inventories off-site, at another site or at the supplier’s site
> Penalty clauses on supply contracts (no protection against bankruptcy)
> Pre-acceptance of alternative suppliers.

Resource level consolidation

The objective of resource level consolidation is to understand and locate the resources necessary to achieve the RTO and RPO.

It is necessary for two reasons:
> Co-ordinating the acquisition and utilisation of resources can prevent conflicts, such as when more than one operation expects to use the same alternative workspace
> Bulk purchasing may be more efficient and cost-effective.

Resource consolidation includes the following stages:
> Aggregating resource requirements from the CRA
> Evaluating each option against the RTO and RPO and providing executive management with a strategic evaluation
> Obtaining sign-off for financial and resource provision
> Creating project and action plans
> Applying the agreed strategy.

The result is a set of recovery resources and services for the restoration of business systems within their RTO and RPO. Executive management must make a strategic evaluation and sign off the strategy, together with the requisite financial and resource provisions.

In Table 4 we have addressed recovery strategies for the third-party products, part of a direct to customer business. The following issues were considered:
> We are going to relocate 10 staff. What skills are required, where will they go, how will they get there and what resources will they need?
> We will need to find alternative warehousing facilities. Who will do that and what information will they need to source this?
> We are going to replace any damaged equipment. Who will do that and identify potential suppliers in advance?
> We will need to identify alternative suppliers. Who are they and who will contact them?
> We may need to replace lost stock, so we are looking at a reciprocal fulfilment arrangement with another firm to supply products while we recover our operation.
5. Developing a response

This part of the process concerns the most detailed planning documents, which are also likely to be the most fluid. The aim is to identify the actions and resources required to manage an interruption, whatever its cause.

Key requirements for an effective response are:
> A clear procedure for escalation and incident control
> Communication with stakeholders
> Business continuity plans (BCPs) to resume interrupted activities.

A BCP is a set of guidelines that require interpretation by the business continuity team (BCT) according to circumstances. It is not possible – or even desirable – to predict what might occur.

The Incident Management Plan (IMP) defines how strategic issues would be addressed and managed by the executive. This may include incidents where there is no physical disruption, right up to a national emergency. Media response to any incident is usually managed through an IMP. At a tactical level the BCPs address business disruption from the initial response through to the point at which normal business operations are resumed. Based on the BCM strategy, they provide procedures and processes for the BCT, allocating roles and responsibilities. They must also give details regarding liaison with external agencies such as recovery services’ suppliers and emergency services.

If the event falls outside the scope of the BCP, the situation should be escalated to the senior incident management team (IMT).

Operationally, Activity Resumption Plans (ARPs) provide detailed guidelines for the recovery teams to implement the resumption of normal business functions and support services.

Incident Management Plan (IMP)
The IMP provides a framework for managing any incident. The plan should contain initial prompts for action, such as a list of stakeholders to be contacted. The BIA will offer useful pointers to potential impacts which may need to be managed. Wherever a BCM response is required the IMT should be alerted.

If no IMP exists it may be useful to run an exercise with the senior management team so that the many requirements become apparent (such as the need for a plan). All incidents differ and so the IMP is a framework of components and resources that may be useful, rather than a rigid procedure.
The roles of the team and specific individuals should be documented. Deputies should be identified for each role. Responsibilities may include:
> Managing communications (see section below)
> Ensuring IMTs and BCTs are properly staffed
> Liaising with the BCT to agree the resumption timetable
> Approving significant expenditure
> Monitoring recovery progress and personnel performance
> Identifying and maximising opportunities or advantages arising from the incident
> Looking at the strategic impact, which may require significant changes in direction or open up new opportunities
> Maintaining a decision log throughout the incident.

Clear invocation criteria should be set out, and the persons able to initiate the call-out decided. This should encourage action where there is doubt; it is easier to stand down a team than to activate them once the incident is out of control.

The activation procedure should be documented so decisions are not delayed. A number of alternative meeting locations should be identified and, on invocation, the first person notified should select the most suitable, based on current information.

At least two locations should be predefined to act as an incident management centre (control room or command centre). One is likely to be on-site where the senior management team are based but the other should be off-site. The off-site location does not have to be owned by the organisation. By prior arrangement, a 24-hour hotel may provide all the facilities required.

Consideration should be given to:
> Communication: inbound and outbound
> Recording events, actions and issues
> Monitoring the media
> Access control.

The following resources should be considered:
> Whiteboards or flip charts (and pens that work)
> Telephones, including an outgoing line and a recording facility
> Hotline/helpline facility
> TV and radio
> Stationery
> A means of logging all actions
> Refreshments and nearby or on-site sleeping facilities
> A locked trunk (often called a ‘battle-box’ or ‘recovery box’), in which hardware and information can be kept offsite at the alternative location.

All BCM strategies should take into account welfare issues during an incident and the recovery. Staff are more likely to co-operate if their welfare needs are met. Issues to consider include individual special needs during prolonged stay-in periods.

An IMP should be succinct and clear because it will be used under pressure in stressful circumstances. The outcomes of the process include:
> An IMP
> An incident communications plan
> Demonstration of preparedness
> Compliance with statutory, regulatory and ethical requirements.

The IMP should be documented. The template in Table 5 gives an example of a suitable format. Major incidents requiring an IMP can vary from those which threaten the continued existence of an organisation but have little impact outside of it, to those which, like the Buncefield oil depot explosion, can become a national emergency.

Table 5 Incident Management Plan

[Template sections:]
Site evacuation
Personnel accountancy
Communication (staff & others)
Emergency services liaison
Telephone reception for next of kin
Media & external communication
Transport assistance
Translation services
Incident management centre locations:
Incident management centre access arrangements:
Incident management centre resources:
Location | Desks/Chairs | Phones | PCs | Fax | Other office materials / equipment
The principles to be applied to the latter are exactly the same but there is increased emphasis on health and safety and liaison with emergency services. These are features which may have little or no prominence in a purely internal issue such as the failure in a supply chain.

Appendix 1 describes the incident response structure employed by the UK emergency services. The model is suitable for organisations with the potential for major health and safety incidents.

The BCPs and the ARPs are similar in structure, but focus on different aspects of recovery:
> BCPs cover the management of common resources such as facilities, information technology, finance and personnel – in essence the organisation’s infrastructure
> ARPs focus on the recovery of specific activities, often customer facing, such as order taking, customer helpdesks or claims handling.

Both types of plan have similar considerations and structure dealing with what has to be done by whom, when, where and how.

Business Continuity Plans (BCPs)
All BCPs should be ‘action orientated’, easy to reference at speed and exclude superfluous information. The BCP should document assumptions about the maximum scale of the incident. If these are exceeded then this should be escalated to the IMT.

Key steps in developing a BCP are:
> Appoint an owner for the BCP(s)
> Define objectives and scope based on the BCM policy and strategy
> Decide the structure, format, components and content
> Gather information to populate the plan and prepare a draft plan
> Circulate the draft plan for consultation and review
> Test/exercise the plan
> Gather feedback from consultation and amend the plan as appropriate.

All BCPs should be modular in design so that separate sections can be supplied to teams on a need-to-know basis. Each section could be printed on different coloured paper to provide ease of use and reference. Dynamic information, such as contact details, should be in appendices which can be amended easily, with job titles rather than names in the main body of the document.

Software products are available to help you build and maintain a BCP. However, normal office software may well suffice and does not require special training. Customised software, though, may prove helpful in plan maintenance.
Table 6 Business Continuity Plan (BCP)

[Template header: Location: / Activity: / Alternative location: / Contact list]

Business Continuity Plan – the contents
> Basic information
– Document owner and maintainer
– Team members and their roles along with named deputies. Responsibilities may include:
– Liaising with emergency services
– Obtaining information from response teams
– Reporting to the IMT
– Mobilising suppliers of salvage and recovery services
– Allocating available resources to recovery teams
– Invocation/mobilisation instructions.

There should be a number of possible meeting locations, favouring those with the required resources. On invocation the first person notified should identify the most suitable meeting place, plus a fallback based on current information.

> Actions
– Responding to an invocation
– Decision making
– Mobilising resources
– Initiating activity recovery
– Receiving information from other teams
– Reporting status to the IMT.
> Resource requirements
– Personnel
– Facilities and supplies
– Technology, communications and data
– Security
– Transportation and logistics
– Welfare requirements
– Emergency cash and payments
– Any additional resource requirements for specific activities
– Contact information to access required resources.
DOs and DON’Ts
> Conducting a resource requirements analysis across all plans to define the resource requirements for support functions.

– Special procedures
– Work in progress issues
– Consumables required.
Table 7 Activity Resumption Plan (ARP)

Action | Primary responsibility | Deputy | Primary considerations | Support team
6. Exercise, maintain, review

All BC documents should be reviewed and the plans exercised at least annually. Reviews and exercises should also be carried out whenever there is a significant change to the business processes or environment.

No plan is reliable if it has not been exercised, nor can the personnel involved be relied upon until they have had some form of practice. BC exercises are crucial because they develop the necessary competence, confidence and knowledge to act.

Five stages of exercise are recognised, as detailed in Table 8. The normal progression would be to start at the bottom with a desktop exercise and work up towards the full-scale exercise at the top. (Most organisations limit themselves to stages 1-4.)

DOs and DON’Ts
> DO include requirements for exercising, maintaining and reviewing in the BC policy
> DO ensure compliance is subject to independent assessment
> DO ensure there is regular confirmation of roles, contact details and availability of BC response resources
> DO ensure plans are subject to regular exercising, at least annually
> DO ensure a formal issues log is created, maintained and reviewed

Concepts and assumptions
For any test to be ‘useful’, it needs to meet the following criteria: stringency, realism and minimal exposure to additional risk. This may require some degree of compromise.
> Stringency Ideally, tests should be as realistic as possible; however, it may not be practical to run certain tests without altering ‘live’ procedures. This applies especially to technical testing.
> Realism This ensures that the audience engages in the event and ultimately gains more from it.
> Minimal exposure Testing may increase exposure to risk. The designer of the test should ensure that the risk and impact of disruption is minimised. The business must understand and accept the risk.
Table 8 Types of exercise
Table 9 Business Continuity Plan testing document

 | Tested | Effective | Remedial action required
Incident discovery and notification | | |
Business recovery | | |
DOs and DON’Ts
> DO remind staff regularly about BCM arrangements
> DO ensure BC arrangements are on board meeting agendas at least once a year
7. Embedding BCM
Appendix 1
Incident Response
Figure 1. Three-tier incident response structure
GOLD (Strategic): Senior Management; escalation and (incident) control
SILVER (Tactical): Business Continuity Team
BRONZE (Operational): Incident Response and Business Unit Resumption Teams
Timeline: INCIDENT > BUSINESS CONTINUITY > NORMAL
Overall objective: back-to-normal as soon as possible
When an incident or business discontinuity gets into the public domain, effective communication plays a key role in protecting an organisation’s reputation.
Answers to the following questions need to be considered:
> What are the messages?
> Who will form the IMT?
> What resources and facilities are available?
> Are the IMT and spokespeople properly trained?
It is necessary to consider:
> Ownership of the plan Everybody involved should agree beforehand about the who, how and what of communication.
> Perception is reality Reputation is affected by perceptions.
> Act fast Reticence ruins reputations.
> Be as open as you legally and practically can Show you have nothing to hide.
> Show you care See it from your audiences’ point of view.
Appendix 2
Glossary of Terms
Activity Resumption Plan (ARP) Detailed guidelines for operational recovery teams to implement the resumption of normal business functions and services.
Back-up A reserve copy of information which is deemed to be ‘Essential for Recovery’, including data and documentation.
Business Continuity (BC) The capability to continue essential business functions under all circumstances.
Business Continuity Institute (BCI) The world’s leading membership organisation for BC practitioners.
Business Continuity Management (BCM) Those management disciplines, processes and techniques which seek to provide the means for continuous operation of the essential business functions.
Business Continuity Plan (BCP) A set of procedures and processes to guide the Business Continuity Team in the tactical management of an incident.
Business Continuity Team (BCT) Staff responsible for the tactical management of an incident.
Business Impact Analysis (BIA) The process of identifying, and quantifying, the impacts on an enterprise of the effect of an incident, in both financial and non-financial terms.
Continuity Requirements Analysis (CRA) An assessment of the resources required for a resumption of activities.
Incident Any event which may be, or may lead to, a disaster.
Incident Management Plan (IMP) A framework document to guide the Incident Management Team in the strategic management of any incident.
Incident Management Team (IMT) Staff responsible for the strategic management of an incident.
Maximum Tolerable Period of Disruption (MTPD) The maximum period of time for which the business can afford to be without a critical function or process.
Recovery Point Objective (RPO) The point in a process or function which must be restored to enable continuity of the business operation to be maintained, or achieved.
Recovery Time Objective (RTO) The time scale within which a function or business unit must be restored, usually determined by means of a Business Impact Analysis.
Appendix 3
Further Information
> www.noaa.gov
NOAA (National Oceanic & Atmospheric Administration): covers climate and weather patterns, including storm and hurricane forecasts.
> www.bankofengland.co.uk/financialstability
The Bank of England maintains monetary and financial stability of the United Kingdom.
About BIFM
The British Institute of Facilities Management (BIFM) is the professional body for facilities management (FM). Founded in 1993, we promote excellence in facilities management for the benefit of practitioners, the economy and society. We support and represent over 16,000 members around the world, both individual FM professionals and organisations, and thousands more through qualifications and training.
We promote and embed professional standards in facilities management. Committed to advancing the facilities management profession, we provide a suite of membership, qualifications, training and networking services designed to support facilities management practitioners in performing to the best of their ability.
BIFM
Number One Building
The Causeway
Bishop’s Stortford
Hertfordshire CM23 2ER
ISBN: 978-1-909761-17-9
Price: £19.99