Business Continuity & Disaster Recovery Consultancy

The type of Business Continuity Plan(s) (BCP(s)) that you define, implement and continuously improve will depend on your organisational requirements, structure, culture and specific needs.

Specific Areas where A-GRC can assist you are:

• Risk and Vulnerability Assessments understanding the risks and impacts relevant to your business. Failure to understand risks means that all subsequent planning is almost certain to be flawed, leading to unnecessary cost and BCP(s) that may not be appropriate when needed. We can help you identify, quantify and treat these risks and enhance your ability to recover in case of need
• Define the Scope  it is essential that the scope of the business continuity plan is defined so that the boundaries of the project can be identified and the assets within the scope determined and agreed so that the risk to them can be determined and treated. We will also advise you on the scope statement to be used on your certificate if you want to proceed to gaining an ISO 22301 Certificate Of Registration.
• Gap Assessment perform a gap assessment of your implemented solution against the requirements of ISO 22301 or your own existing BCMS.
• Business Impact Analysis and Strategy work with your employees to determine which business processes are critical to ongoing organisational viability . This will produce a ‘view’ of the various impacts that a range of disruptions may have on your business and will identify which business processes and their resources are truly required to achieve business continuity and meet customer requirements for your products or services
• Develop Strategies work with your employees to investigate and develop strategies for recovering business operations and processes, on time and to the required service levels based on the findings of the Business Impact Assessment(s) undertaken. Usually, there are a number of different recovery options available that need to be fully explored before a final decision is taken. Appropriate strategies can then be developed, adopted and implemented to ensure a robust and repeatable business recovery is in place
• Business Continuity Plans once the appropriate strategy(ies) have been agreed, developed and implemented, the production of supporting BCP(s) can take place. Our Consultants work with your employees to ensure that the plans are workable and robust. These are then clearly documented and reviewed prior to being made available, as required, within your organisation in an accessible form and format. Plans will contain details of all relevant information needed for timely recovery and will typically include, but not be limited to:

• Action checklists
• Activation criteria
• Call lists (contact trees)
• Clear lines of escalation
• Communications plans
• Resource requirements (on site and off site)
• Other important information.

• Documented Procedures as well as the BCP(s), all other procedures to support the operation of the BCMS must be defined and developed. These will be developed by the A-GRC team either using existing documents as a base or creating new ones. Whichever process is used, the new procedures are developed in conjunction with your employees to maximise ‘buy in’ and to ensure that they accurately reflect your working practices.
• Implement and Awareness Training once the BCP(s) are developed, they need to be introduced to relevant employees appropriately. This means that there is the need for specialised training and our Consultants can assist in developing and delivering training and awareness programmes for all employees. Successful implementation of BCP(s) is critical to the whole BCM process. Employees with specific roles and responsibilities in the BCP(s) need to know what is expected of them if the BCP(s) are invoked and to be trained accordingly. Wider awareness of the plans must be made across the whole of your organisation as all employees need to know what plans are in place to protect both them and the organisation, should an interruption occur.
• Testing and Exercising just having a BCP is not enough, nor is having a BCP and training staff in how to use it. Once training has been undertaken, a programme of testing the BCP(s) must be undertaken for all of the management teams who have roles and responsibilities during any invocation to ensure they understand the BCP(s) and that the BCP(s) are ‘fit for purpose’. There are six different types of BCP testing that can be undertaken:

• Checklist copies of the plan are sent to different department managers and business unit managers for review. This is a simple test and should be used in conjunction with other tests
• Structured Walk-through BCP team members and other individuals responsible for recovery meet and walk through the plan step-by-step to identify errors and validate assumptions
• Simulation a simulation of an actual emergency. Members of the response team act in the same way as if there was a real emergency
• Parallel Run This is similar to simulation testing, but the primary site is not affected and critical systems are run in parallel at the alternative and primary sites and results compared
• partial implementation An element of the BCP is tested on its own, rather than having a full invocation of the BCP(s)
• full invocation this test involves a full invocation of the BCP in response to an emergency. It mimics a real disaster where all steps are performed to test the plan. Systems are shut down at the primary site and all individuals who would be involved in a real emergency, including employees and any external third party suppliers, participate in the test. This test is the most detailed, time-consuming, and expensive of all. On account of this, it is not performed that frequently
• Emergency Response Planning immediate action that takes place on discovery of any incident that may affect your normal operational capability and before BCP and Top Management decision makers are informed. A-GRC can assist you in developing an emergency response plan that ensures clear and concise corporate directives are supplied to all employees that might face situations requiring emergency response. These can include, but not be limited to:

• Bomb or device searching
• Disability evacuation
• Emergency assembly points
• Evacuation plans
• Fire training
• First aid training
• Floor warden programs
• Notification contact trees

• Crisis and Communication Planning we can help you develop a crisis management team and plan which will guide your enterprise-wide response to an event through a clear chain of command and determine the internal and external communications requirements.
• Review and Maintain BCPs and other procedures are living documents and as such, they need to be regularly reviewed and maintained to ensure that the information is correct and up to date. Typically, reviews take place after testing, auditing, on a fixed time frequency or on influencing change.
• Assistance in Gaining an ISO 22301 Certificate of Registration  we can assist you in gaining an ISO 22301 certificate of Registration. We use our standard 4 step process for this, that is well established and a proven method for obtaining certification for management standards Some other standards that provide assistance in the BCM arena are:

• PD ISO/TS 22318:2015 (Societal security. Business continuity management systems. Guidelines for supply chain continuity);
• BS ISO/IEC ISO 27031 (Information technology — Security techniques — Guidelines for information and communication technology readiness for business continuity)
• ISO/IEC ISO 24762 (Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services)

There are additional country specific standards that have not been listed above, but that will generally cover the same material and a number of Published Documents (PD) that provide further guidance.