Surviving a crisis and ensuring sustainable operations is a key corporate strategic objective and a fundamental requirement for any organisation.
Those responsible for management during emergency situations need to be able to count on proven solutions. Recent experience with disruptive events such as natural disasters, pandemics and terrorist attacks has shown that some organisations had neither a crisis management capability nor adequate business continuity plans in place to maintain critical business activities during emergencies, nor the disaster recovery capability to recover and survive.
Boards and other stakeholders, including regulators, are increasingly focusing on this issue and demanding that management address what is a major risk in most organisations. Failure to plan, train and test preparedness for service interruptions may result in anything from mild annoyance, through personal injury, to catastrophic business failure.
Inadequate, poorly tested or unmaintained BCP and DR plans can lead to the following and seriously affect an organisation:
- Damaged corporate reputation
- Destruction of property and facilities
- Civil litigation
- Regulatory or legislative penalties
- Lost market share
- Disclosure of information
A-GRC is uniquely placed to assist you: we not only can develop and implement business continuity and disaster recovery plans, but have done so for other clients, using the guidance in ISO 22313 to implement them. Unlike some, we can ‘walk the walk’ and prove it.
A-GRC has developed its own methodology based on ISO 22301 that contains a Business Continuity Management Policy and all of the processes, procedures and plans required to develop a Business Continuity Management System (BCMS). It is built on the Deming cycle (Plan, Do, Check, Act) that all of the major management system standards have adopted.
The type of Business Continuity Plan(s) (BCP(s)) that you define, implement and continuously improve will depend on your organisational requirements, structure, culture and specific needs. Specific areas where A-GRC can assist you are:
- Risk and Vulnerability Assessments: understanding the risks and impacts relevant to your business. Failure to understand risks means that all subsequent planning is almost certain to be flawed, leading to unnecessary cost and BCP(s) that may not be appropriate when needed. We can help you identify, quantify and treat these risks and enhance your ability to recover in case of need
- Define the Scope: it is essential that the scope of the business continuity plan is defined so that the boundaries of the project can be identified and the assets within scope determined and agreed, so that the risks to them can be assessed and treated. We will also advise you on the scope statement to be used on your certificate if you want to proceed to gaining an ISO 22301 Certificate of Registration
- Gap Assessment: a gap assessment of your implemented solution against the requirements of ISO 22301 or against your own existing BCMS
- Business Impact Analysis and Strategy: working with your employees to determine which business processes are critical to ongoing organisational viability. This produces a ‘view’ of the impacts that a range of disruptions may have on your business and identifies which business processes, and which of their resources, are truly required to achieve business continuity and meet customer requirements for your products or services
- Develop Strategies: working with your employees to investigate and develop strategies for recovering business operations and processes, on time and to the required service levels, based on the findings of the Business Impact Analysis. Usually there are a number of different recovery options available, and these need to be fully explored before a final decision is taken. Appropriate strategies can then be developed, adopted and implemented to ensure a robust and repeatable business recovery capability is in place
- Business Continuity Plans: once the appropriate strategy(ies) have been agreed, developed and implemented, the supporting BCP(s) can be produced. Our consultants work with your employees to ensure that the plans are workable and robust. The plans are then clearly documented and reviewed before being made available, as required, within your organisation in an accessible form and format. Plans will contain all relevant information needed for timely recovery and will typically include, but not be limited to:
- Action checklists
- Activation criteria
- Call lists (contact trees)
- Clear lines of escalation
- Communications plans
- Resource requirements (on site and off site)
- Other important information
- Documented Procedures: as well as the BCP(s), all other procedures needed to support the operation of the BCMS must be defined and developed. The A-GRC team will develop these either from your existing documents or by creating new ones. Whichever route is taken, the new procedures are developed together with your employees to maximise ‘buy in’ and to ensure that they accurately reflect your working practices
- Implementation and Awareness Training: once the BCP(s) are developed, they need to be introduced to the relevant employees appropriately. This requires specialised training, and our consultants can assist in developing and delivering training and awareness programmes for all employees. Successful implementation of the BCP(s) is critical to the whole BCM process. Employees with specific roles and responsibilities in the BCP(s) need to know what is expected of them if the plans are invoked and to be trained accordingly. Wider awareness must be built across the whole organisation, as all employees need to know what plans are in place to protect both them and the organisation should an interruption occur
- Testing and Exercising: just having a BCP is not enough, nor is having a BCP and training staff in how to use it. Once training has been undertaken, a programme of testing the BCP(s) must be carried out with all of the management teams who have roles and responsibilities during an invocation, to ensure they understand the BCP(s) and that the BCP(s) are ‘fit for purpose’. There are six different types of BCP testing that can be undertaken:
- Checklist: copies of the plan are sent to department managers and business unit managers for review. This is a simple test and should be used in conjunction with other tests
- Structured Walk-through: BCP team members and other individuals responsible for recovery meet and walk through the plan step by step to identify errors and validate assumptions
- Simulation: a simulation of an actual emergency. Members of the response team act as they would in a real emergency
- Parallel Run: similar to simulation testing, but the primary site is not affected; critical systems are run in parallel at the alternative and primary sites and the results compared
- Partial Implementation: an element of the BCP is tested on its own, rather than having a full invocation of the BCP(s)
- Full Invocation: a full invocation of the BCP in response to an emergency. It mimics a real disaster, with all steps performed to test the plan. Systems are shut down at the primary site and all individuals who would be involved in a real emergency, including employees and any external third-party suppliers, take part. This is the most detailed, time-consuming and expensive test of all, and for that reason it is not performed frequently
- Emergency Response Planning: the immediate action that takes place on discovery of any incident that may affect your normal operational capability, before the BCP and top management decision makers are informed. A-GRC can assist you in developing an emergency response plan that ensures clear and concise corporate directives are supplied to all employees who might face situations requiring an emergency response. These can include, but are not limited to:
- Bomb or device searching
- Disability evacuation
- Emergency assembly points
- Evacuation plans
- Fire training
- First aid training
- Floor warden programs
- Notification contact trees
- Crisis and Communication Planning: we can help you develop a crisis management team and plan that will guide your enterprise-wide response to an event through a clear chain of command, and determine the internal and external communications requirements
- Review and Maintain: BCPs and other procedures are living documents and, as such, need to be regularly reviewed and maintained to ensure that the information is correct and up to date. Typically, reviews take place after testing, after auditing, at a fixed frequency, or when a significant change occurs
- Assistance in Gaining an ISO 22301 Certificate of Registration: we can assist you in gaining an ISO 22301 Certificate of Registration. We use our standard four-step process for this, which is well established and a proven method for obtaining certification against management system standards
Some other standards that provide assistance in the BCM arena are:
- PD ISO/TS 22318:2015 (Societal security. Business continuity management systems. Guidelines for supply chain continuity)
- ISO/IEC 27031 (Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity)
- ISO/IEC 24762 (Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services)
There are additional country-specific standards not listed above that generally cover the same material, and a number of Published Documents (PD) that provide further guidance.
Using the A-GRC approach to ISO 22301 covers:
- defining the context of the organisation
- understanding the business, its drivers, needs and expectations of the interested parties
- determining the scope of the BCMS
- establishing the BCMS
- establishing management commitment throughout the organisation
- embedding Business Continuity Management (BCM) in the business
- planning for the BCMS, including defining business continuity objectives and how to achieve them
- ensuring appropriate support processes and procedures are in place
- implementing and operating the BCMS
- defining BCM strategies and selecting appropriate ones
- implementing supporting BCM procedures
- developing and testing BCP(s)
- monitoring, measuring and reviewing the BCMS
- auditing the BCMS
- management reviews of the BCMS
- continuous improvement of the BCMS
A-GRC has experience in implementing business continuity plans and BCMSs for its clients, and in taking a number of them through to gaining Certificates of Registration (certification).
The A-GRC approach builds operational resilience by:
- allowing you to bid for contracts from which you might be precluded if you were not certified
- assuring management and customers of the business continuity arrangements in place
- demonstrating conformance to ISO 22301, verified by a third-party Conformity Assessment Body
- empowering employees to act according to the BCP(s)
- ensuring safety of employees
- ensuring security of physical assets
- ensuring that critical staff have trained alternates
- ensuring that processes and procedures for recovery are documented and tested
- facilitating recovery of business processes in order of criticality
- furthering BCM awareness within your organisation
- increasing customer confidence in your products and services
- making a public statement that you have addressed BCM
- managing and treating significant risks to reduce them to an acceptable level in line with risk appetite.
A-GRC is justifiably proud of its 100% success rate in achieving first-time certification for its clients through an Accredited Conformity Assessment Body, and is committed to providing a consistently high-value service. David Lilburn Watson manages this process and remains personally ‘hands-on’ throughout.
To understand how the A-GRC suite of offerings can be used to transform your business, please contact us. We offer a free Health Check consultation for ISO 22301, and may also be able to offer a free Health Check for other types of consultancy you require.