Business Continuity Management (BCM)
-
Business continuity management (BCM) (a/k/a continuity planning and organizational resilience) is a planning process utilized by enterprises to anticipate business disruptions, and then to plan mitigation strategies to decrease the impact of such possible disruptions; the combination of anticipating possible disruptions and then planning mitigation strategies is known as “resiliency”.
-
Such BCM planning may generally entail several steps, such as: senior management determining why BCM may be important to the functioning of the enterprise, and then making a firm commitment to implementing BCM throughout the enterprise; performing an inventory of all critical products and services within the enterprise that may need to be protected from disruption; strategizing about what external or internal risks may impact such critical products and services, so they can be “hardened” against potential disruption; identifying the personnel and resources that the enterprise may need to deploy to accomplish the hardening in the event of a potential disruption of such critical products or services; mapping all enterprise operations, products and services to particular enterprise departments and divisions and then, one step further, to the particular employees in such departments and divisions who actually implement such operations, products and services (similar to what would be done for a Sarbanes-Oxley – SOx – analysis); planning for alternatives that would replace existing standard enterprise operations, should they be eliminated (such as, for example: arranging in advance – perhaps through the use of paid options – for the availability of alternate facilities in the general area of a key main facility, in the event that the main facility must cease operations either permanently or temporarily; requiring key personnel to work from home until further notice; or, perhaps, how to perform certain formerly-automated processes manually, until such processes can be automated again); documenting all the options agreed among senior management personnel and compiling all such options into a coherent, linear business continuity plan (BCP); testing the efficacy of such BCP through dry-run exercises, to determine if any tweaks to the BCP may be required; and, once any tweaks have been incorporated into the BCP, disseminating the revised coherent, linear plan to all relevant personnel within the enterprise (perhaps through both sending emails containing the BCP to the relevant personnel, and also publishing it on the enterprise intranet).
-
Evolving BCM may involve other types of generally-accepted business disciplines, philosophies, plans and practices, all of which should be addressed in detail in the BCM documentation, such as for example:
-
BCP – focuses on restoring normal operations to the enterprise as quickly as possible, in compliance with the recommendations in International Standards Organization (ISO) 22301; must be comprehensive enough to provide a clear framework for restoring operations, but flexible enough to accommodate any necessary contingencies (such as alternate work locations, alternate supply chains, alternate vendors, redefined roles, and the like);
-
business impact assessment (BIA) – a very comprehensive and time-consuming document to compile; perhaps the seminal document for all BCM; maps as many impact types as relevant personnel can imagine; details the impact of various types of disruptions on all aspects of the enterprise; should be revisited and tested preferably at least every six (6) months, but never less than annually, to allow for changed circumstances in the enterprise (typical BIA testing methodologies may include: table-top exercises – more or less stream-of-consciousness brainstorming sessions, often just occurring in a conference room, where the BIA team examines and goes over the plan together, providing constructive criticism, looking for gaps, and ensuring that all business units are represented in the BIA; structured walk-throughs – identifying weaknesses in logic by taking an objective approach, through the use of drills and role-playing; disaster simulation – attempting to determine whether a critical business function can be performed during an actual disaster, by creating an environment that simulates a chosen disaster model, including the use of all the equipment and personnel needed for realism); should assess the impacts of cascading disruptions; establishes the maximum tolerable period of disruption (MTPD) for the enterprise itself and each of the components thereof, generally expressed as a timescale of minutes, hours, or days; establishes the minimum recovery time objective (MRTO) for the enterprise itself and each of the components thereof, generally expressed as a timescale of minutes, hours, or days (the opposite of the MTPD); provides strategies for incident responses that must occur within the MRTO; specifies the business activities, operations, products, resources and services necessary to deliver the most important functions of the enterprise; provides for anticipated contractual, financial, legal and regulatory obligations during recovery; establishes anticipated spend guidelines for recovery operations; differs from a risk assessment, in that the risk assessment generally evaluates threats using a hazard and vulnerability analysis (HVA), whereas the BIA may generally use the failure modes and effects analysis (FMEA), which concentrates on the various failure modes caused by various disruption events;
-
crisis communications – coordinates efficient and swift communication of a disruption event to all relevant personnel, with specific instructions about what to say and how to say it; lists all the personnel who must be notified; establishes an order of precedence for methods of communication; provides general guidance for the affected departments, divisions and facilities;
-
crisis management – ensuring that senior key personnel know their assigned responsibilities in the disruptive event, and have the ability to perform such responsibilities; acts to provide guidance and resources to the personnel in the enterprise to facilitate recovery, rather than doing the actual recovery work; setting the protocol for designating an event as disruptive; introducing an almost para-military discipline to encourage the designated people (perhaps called the “crisis management team” or the like) to respond in a particular manner and order to the disruptive event; establishing a set schedule for the response and a location for a crisis management center of operations; and the like;
-
disaster recovery – general protocols to get the enterprise up and running again as quickly as possible; recovery objectives; who is responsible for managing recovery operations;
-
information technology (IT) disaster recovery – ensuring that all mission-critical data and personally-identifiable information (PII) have been previously backed up, encrypted, to servers in remote locations that may be easily accessed in the event of disruption at the main enterprise location; defines end-user hardware and software requirements; provides technical specifications for infrastructure requirements and security protocols; documents contact information for all those who must be serviced in each tranche of implementation;
-
any other risk-management-related disciplines that may be required.
-
BCM should be a standard corporate policy for all enterprises, since BCM protects customers from disruption in the supply chain, fulfills any applicable regulatory requirements, and demonstrates to the public the prudence of senior management (thus enhancing the reputation of the enterprise as a sophisticated, well-managed operation).
-
In order to address the potential needs of all enterprise stakeholders (which, in this context, means customers, management, regulators, and other interested parties), it may be necessary to form a BCM committee to inventory the dependencies of such stakeholders, such as, for example: contractual obligations; employee capabilities; health, safety and welfare legal requirements; industry-related regulatory requirements; published representations to customers; and the like.
-
Depending on the size and number of personnel in the enterprise, any employee with a familiarity with the enterprise operations, products and services and the enthusiasm to learn BCM principles may be tasked with the responsibility for managing the BCP. Such designation of someone to manage the BCP should be memorialized formally through a vote by the Board of Directors, followed by a corporate policy, pursuant to the enterprise bylaws, designating a particular title for the BCP manager (rather than designating a particular BCP manager only by name, which may be problematic in the event such named employee leaves the enterprise and the corporate secretary forgets to update the relevant corporate policy with the name of the new BCP manager; whereas, if the corporate policy only designates a title, without specifying the name of a particular employee as BCP manager, the relevant corporate policy would not have to be updated with the name of any new employee).
-
For larger enterprises with more employees, some well-qualified candidates for the responsibility of managing the BCP may be either the: chief compliance officer (CCO); chief financial officer (CFO); chief information officer (CIO); chief human resources officer (CHRO); chief operating officer (COO); chief risk management officer (CRMO); corporate secretary; director of audits; or the like.
-
Drafting and negotiating all BCM-related documents and legal support for all BCM-related tasks.
Progress_Page_Last_Updated_221104_1827
Marc Cunningham LLC. This website is intended for informational purposes only. This website does not provide legal advice. Do not act or refrain from acting based on anything you may read on this website. Using this website or communicating with me does not form an attorney-client relationship. There is nothing on this website that requests any information from you, nor should you voluntarily provide any. ©2020 by Marc Cunningham LLC