Business Continuity Management Planning
Ultimately, the main output from any business continuity planning programme is a plan or plans. Having completed the BIA and risk assessment, and agreed a business continuity strategy; work can now start on the plan itself.
Plan structures varies from organisation to organisation: smaller organisations may have a single business continuity plan covering everything, whilst larger ones may have an overarching corporate plan supported by a number of functional or business unit plans.
Whatever structure you choose, ISO 22313 provides an invaluable checklist of the areas to cover. Some of the key elements of planning are explained below.
Roles and Responsibilities
The first stage in BCM planning is defining appropriate roles and responsibilities. In particular you need to define the team, or teams, who are responsible for coordinating the organisation’s response to a disruption. Smaller organisations may only need a single incident management team (IMT) but many larger organisations apply the Emergency Services model of having a hierarchy of teams as follows:
- Gold / Strategic
- Silver / Tactical
- Bronze / Operational
Whatever structure is decided upon, roles and responsibilities must be clearly documented. Further information on the composition of incident management teams is available in our Downloads section.
The value of business continuity planning will only be realised if the appropriate plans are invoked in a timely fashion. It is therefore essential to provide clear guidance, including:
- Who is authorised to invoke specific plans;
- What the triggers are for invoking; and
- How the invocation is effected.
There should also be a clear method of standing down teams once the incident is over.
Incident Management Plan
Developing a robust incident management plan is a vital part of the overall planning process. Typically the incident management phase will last for a few days after a disruption but, for example in a ‘flu pandemic, it could continue for several weeks. The core of the incident management plan is a series of checklists and aides-memoire to assist with decision-making in the early stages of an incident; these should include guidance on:
- Safety and welfare of staff and visitors;
- Locations where incident management teams and other critical staff can work from;
- Manual workarounds to mitigate the effect of loss of IT services; and
- Communicating with stakeholders and the media.
Business Recovery Plan(s)
The final stage of business continuity planning concerns the development of detailed plans for the restoration of different areas of the organisation and resumption of business as usual. The plans should give details of the recovery priorities, resources required, locations to be used and the people involved in managing the recovery. It should be borne in mind that business recovery may take a considerable period of time – possibly many months in the case of a serious disruption.
Once again, it is important to stress that business continuity planning must be supported by appropriate training and exercising.
We are happy to answer any questions about Business Continuity, Crisis Management, Information Security, Data Protection and Product Recalls.
How Can Cambridge Risk Solutions Help?
Cambridge Risk Solutions provides a range of services to assist with each stage of the Business Continuity Lifecycle. Alternatively, if you wish, you can outsource your entire Business Continuity Management function to us.
View some case studies of recent Business Continuity planning, training and exercising projects.