The Ten Areas of Professional Practice of BCM (Business Continuity Management)

Given the need for companies across all industries to focus on business continuity and disaster recovery, it is useful to have a template or list of items that each company should consider when preparing an organizational structure to deal with crises. In his book, The Definitive Handbook of Business Continuity Management, Third Edition, Andrew Hiles provides useful guidance.

As discussed earlier, DRII and BCI along with the DRJ have developed the Ten Areas of Professional Practice to provide practitioners with guidance on the development of an overall Business Continuity Management Program. With each incremental area included within your program, your recoverability increases. Each area will be discussed to include the implications to each of the components discussed earlier.

  1. Program Initiation and Management: Within this professional practice, the practitioner will be defining the scope of each component to be included within the program. Questions needing to be addressed within this practice include: Will all locations be included? Who will champion the program within the organization? What are the overall objectives of the program? What is the time-frame for plan development and implementation? What structure should be employed?

  2. Risk Evaluation and Control: While it is important to utilize an all-hazards approach to planning, it is also important to understand the risks that the organization faces. During this phase, risks are evaluated based upon events or surroundings that could negatively impact the organization, including the people, facilities and technologies. Crisis Management, Emergency Response, Business Continuity and Disaster Recovery Teams should all be involved in the identification of the possible risks, determining the probability as well as their control.

  3. Business Impact Analysis: The business impact analysis (BIA) is an effective tool to be used by each group to determine the impacts to the organization of an outage and to thereby identify recovery time objectives for the business and technology. The Emergency Response Teams will use this information to help in making the determination of how to handle certain incidents. The Business Continuity Teams will use this information to understand dependencies and how they support others as well as to determine strategies for continuing the business functionality. Disaster Recovery Teams will use this information to determine how quickly they must have the technology available for the business and the Crisis Management Team will use it to prioritize the businesses in their overall recovery.

  4. Business Continuity Strategies: Based on the BIA and the risk evaluation, strategies will be developed to support the recovery goals. The Emergency Response Teams need to implement strategies to ensure the safe and effective evacuation of personnel and may be required to assist the business in the implementation of their strategy. The Business Continuity Teams and Disaster Recovery Teams will have to develop and implement strategies that will support the business within the recovery time required. The Crisis Management Team will also develop strategies to support the overall recovery, including automated notification systems, Emergency Operations Centers and communication strategies to name a few. It is important to note that the basis for these strategies is both the recovery time and point objectives in support of the organization's critical functions.

  5. Emergency Response and Operations: The emergency response and operations practice ensures the organizational readiness to respond to the immediate threat of an incident. While local authorities will assist as able, any organization needs to be able to respond internally until the authorities are able to respond. Again, these procedures impact each of the groups previously discussed.

  6. Business Continuity Plans: While the title of this practice may be misleading, this includes the design, development and implementation of the plans to support the business to include Disaster Recovery Plans for technology. The Emergency Response Teams need to be familiar with what the business is going to do to respond to a disaster in order to better support them. These plans provide a blueprint for the Business Continuity and Disaster Recovery Teams for their overall recovery. They also provide the Crisis Management Team with an overview of the procedures that need to occur as well as timing so that they can better coordinate and communicate.

  7. Awareness and Training Programs: If a plan is developed and no one knows about the plan or how to implement the plan, an organization has wasted time and resources. Each area needs to prepare a program in order to create and maintain awareness and training on their specific plans. There are many different levels of awareness that may be required, including a general awareness for non-response employees and much more in-depth training for actual responders.

  8. Business Continuity Plan Exercise, Audit and Maintenance: All plans should be tested in order to ensure their viability during an incident. There are many methods of exercising, including table-top, walk-through and simulation. The type of exercise should depend upon the objectives of the exercise and the maturity of the overall program being exercised. A key mantra in exercising is to 'Exercise as you would execute.' Each group should exercise the plans developed and, based upon the exercise, update their plans to include any additional actions identified. Additionally, regular audits of each of the plans should be performed to ensure the plans are being maintained within the policy of the organization.

  9. Crisis Communications: Crisis communication is intertwined through the plans for each of the areas. Consideration should be given to employees, customers, clients, vendors, regulators, community and media. When possible, scripts should be developed prior to an incident to provide guidance for the communication and to expedite communication as well as to ensure clarity. While the responsibility for Crisis Communications tends to be with the Crisis Management Team, communication is required across all groups and should therefore be a shared responsibility. During a crisis, communication is a key function and cuts across all areas' plans.

  10. Coordination with External Agencies: No organization is independent of the area where it resides. Consider a HAZMAT incident. Whether you are able to get back into your building depends upon the local authorities and agencies. During an incident is not the time to be introducing yourself to the authorities. Engage them in your exercises in order to better understand mutual expectations as well as applicable statutes and regulations. Ensure you understand their Standard Operating Procedures as this will increase the likelihood of an efficient recovery.

These areas are further delineated by the DRJ Editorial Advisory Board, in concert with partners ARMA, DRII, FSTC and NFPA, in the Generally Accepted Business Continuity Practices, describing specific actions planners must take to thoroughly cover each area. This can be found on the DRJ website.

Summary

While Crisis Management, Emergency Response, Business Continuity/Contingency Planning and Disaster Recovery are often used interchangeably, it has been demonstrated how those who use these terms in professional practice see each as unique segments or activities within the overall BCM discipline. The relatively brief lifespan of the Business Continuity discipline has been strongly influenced by both its practitioners and by the various vendors whose products and services alternatively support and compete with them.

 

From The Definitive Handbook of Business Continuity Management, Third Edition by Andrew Hiles. Copyright 2011 John Wiley & Sons, Inc. All Rights Reserved. Used by arrangement with John Wiley & Sons, Inc.