Manning at Conventional Marine Terminals - OCIMF

~ White Paper ~
The New Business

Continuity Model
Written by: Dan Wilder

CBRA, Six Sigma Green Belt
Published on: October 6th, 2008

Version 1.0
Document Classification: Public Domain
Dan Wilder publishes this document for the use of Public Domain. It contains public information, ideas and concepts and is free to distribute and use
without restriction except noted herein. All reference material shown herein is depicted for the sole purpose of illustrating the subject of this whitepaper
and shall remain the property of is listed owner and shall not be reproduced without written consent.
Author does not warrant nor make claims that this information is in any way warranted. Use of this material is at the users own risk.
2008 Dan Wilder, All Rights Released.
White Paper
The New Business Continuity Model
Version 1.0
Table of Contents
1
2
3
Introduction ......................................................................................................... 6
The Big Question Why? ................................................................................. 6
The Standards .................................................................................................... 7
3.1
3.1.1
3.2
3.2.1
3.3
3.3.1
3.3.2
4.1.1
4.1.2
4.1.3
4.1.4
4.2
4.2.1
4.2.2
What is ISO / IEC 27000................................................................................................. 10
Its not just a regulatory requirement any more..................................................12

COSO ............................................................................................................................. 12
Governance Risk & Compliance (GRC) ......................................................................... 13
What is BCM? .......................................................................................................15

Building Blocks................................................................................................................ 16
BCM Organizational Ownership ..................................................................................... 18
BCM Strategy.................................................................................................................. 18
BCM and Risk Management........................................................................................... 18
Why BCM? ............................................................................................................19

Strategic Value................................................................................................................ 19
Sustainability and Resiliency .......................................................................................... 19
The BCM Model................................................................................................ 19

5.1
5.2
5.2.1
5.2.2
5.2.3
5.2.4
5.2.5
5.3
5.3.1
5.3.2
5.3.3
5.4
5.5
5.5.1
5.5.2
5.5.3
5.5.4
What is ISO / IEC 20000................................................................................................... 9
ISO 27000 Family Business Continuity ..............................................................10
The Business Continuity Paradigm................................................................... 15

4.1
ISO 20000 Family Service Delivery......................................................................7
Business Continuity Management Components ...................................................20

Where to Start .......................................................................................................20
Business Continuity Planning ......................................................................................... 21
Establishment of the Business Continuity Management Team ...................................... 21
Establishment of a Business Continuity Steering Committee......................................... 22
Defining the Policy .......................................................................................................... 22
Defining Management Components ............................................................................... 23
Conducting the BIA ...............................................................................................24

BIA - Identifying Critical Needs .................................................................................. 24
BIA - Business Critical Functions / Systems................................................................... 24
BIA - Outage Impact Analysis......................................................................................... 25
Risk Assessment...................................................................................................26
Risk Mitigation .......................................................................................................26
Risk Mitigation Crisis Points Defined ........................................................................... 27
Importance of Defining Risk Points................................................................................. 28
Risk Cost Modeling ......................................................................................................... 28
Mitigating Risks............................................................................................................... 29
Business Continuity Plan Creation.................................................................... 30

6.1
6.2
6.2.1
6.2.2
6.2.3
6.2.4
6.2.5
6.2.6
6.2.7
6.2.8
6.2.9
Creating the Business Continuity Plan ..................................................................30

BCM Process Components ...................................................................................30
BCM Master Plan............................................................................................................ 31
BCM Communications Plan............................................................................................ 32
BCM Common Processes Plan ...................................................................................... 32
BCP Site Plans ............................................................................................................... 32
BCP Sub-Plans ............................................................................................................... 33
BCP Contingency Plans.................................................................................................. 33
Validating the BCP.......................................................................................................... 33
BCM Program - Document Flow..................................................................................... 34
Business Continuity Planning Recap........................................................................... 35
Public Domain
Page 2 of 58
Modified: August 26, 2008
White Paper
7
Version 1.0
Business Continuity Plan Execution ................................................................. 36

7.1
BCP Execution Team Leadership Tree ..............................................................36
7.1.1
7.1.2
7.1.3
7.1.4
7.2
Plan Elements .......................................................................................................38
7.2.1
7.3
7.4
EMT Team Component................................................................................................... 37

EOC Team Component .................................................................................................. 37
BCC/DRC Team Component.......................................................................................... 38
BCT Component ............................................................................................................. 38
Main Points of Coverage ................................................................................................ 39
BCM Execution Process........................................................................................40

BCP Execution Recap........................................................................................41
BCM Plan Management & Reporting................................................................ 41

8.1
Plan Management .................................................................................................42
8.1.1
8.1.2
Document Management ................................................................................................. 42

Plan Management Reporting .......................................................................................... 43
BCM Governance ............................................................................................. 44

9.1
Audit Types ...........................................................................................................44
9.1.1
9.1.2
9.1.3
9.1.4
9.1.5
9.2
9.3
10
Preparatory Audit (-) ......................................................................................................... 45

Feasibility Audit (+) ........................................................................................................... 45
Due Diligence Audit (-) ..................................................................................................... 45
Compliance Audit (+) ........................................................................................................ 45
Investigative Audit (+) ....................................................................................................... 46
Audit Type Usage..................................................................................................46

Performance Metrics .............................................................................................46
BCM Review ................................................................................................. 47
Figures and Tables

Figure 1: ITIL v2 Service Continuity Management ..................................................... 8
Figure 2: ITIL v3 Model .............................................................................................. 9
Figure 3: Business Continuity Management Life-cycle model (source BS259991:2006)..................................................................................................................... 11
Figure 4: ITIL CoBIT Coverage ................................................................................ 12
Figure 5: GRC Automating Compliance................................................................... 14
Figure 6: GRC Bi-Directional Compliance Mapping ................................................. 14
Figure 7: GRC Complex Relationship Mapping ....................................................... 15
Figure 8: BCM Components .................................................................................... 20
Figure 9: BCM Organization .................................................................................... 22
Figure 10: BCM Components .................................................................................. 23
Figure 11: Disaster Recovery Timeline .................................................................... 27
Figure 12: Risk Cost Model Trending Example........................................................ 29
Figure 13: BCM Process Components..................................................................... 31
Figure 14: BCM Document Flow Diagram ............................................................... 35
Figure 15: BCM Team Leadership Components...................................................... 37
Figure 16: BCP in Action.......................................................................................... 40
Figure 17: BCM Process Flow ................................................................................. 41
Figure 18: Plan Management................................................................................... 42
Figure 19: Document Management Flow ................................................................. 43
Figure 20: Sample Reports ...................................................................................... 44
Public Domain
Page 3 of 58
White Paper
Version 1.0
Figure 21: Audit Types............................................................................................. 45

Figure 22: CoBIT Performance Metrics.................................................................... 47
Public Domain
Page 4 of 58
White Paper
Version 1.0
Intentionally Left Blank
Public Domain
Page 5 of 58
White Paper
Version 1.0
1 Introduction
As we all know, everything evolves over time; the way we do business, services
provided and the urgency of delivery. When Katrina hit the Gulf Coast, not many
companies were prepared for what would come after the hurricane. Many simply
boarded up the windows and hoped for the best. Others evacuated with their
personal possessions and many with just the clothes on their backs. The purpose
behind this whitepaper is to explore what companies should be doing to protect
themselves in todays market and environment.
An article referenced on this topic written by David Honour, editor, Continuity Central
back in March of 2003 reflects how long this dilemma has been exposed
(http://www.continuitycentral.com/feature003.htm). Even Homeland Security &
FEMA published guidance to help companies identify the bare essentials needed to
survive (http://www.ready.gov/business/plan/planning.html)
(http://www.fema.gov/business/bc.shtm). Many companies are subjected to
government regulations to ensure some level of protection is in place for the
financial numbers reported. Others require more stringent guidelines to protect
stockholders and the public alike.
The business community has raised the topic to the point where the International
Standards Organization launched a call for change in 2002 and has subsequently
been working on a set of new standards since. The latest ISO reference on this
topic is ISO/PAS 22399:2007 which provides general guidance for an organization
(private, governmental, and non-governmental) to develop its own specific
performance criteria for incident preparedness and operational continuity, and to
design an appropriate management system.
The concepts and theories depicted herein have been independently presented to a
wide cross-section of industry experts with great acceptance. This whitepaper is the
compilation of these concepts into a single model to address the ever pressing issue
of facilitating a functional Business Continuity program. Within this whitepaper we
will explore what it takes to enable companies of all industries to become resistant to
catastrophic events as well as improve the operability of normal services. The
concepts depicted herein are derived from a formulation of several years research
of business and industry best practices along with the very latest industry and
international standards1. Thus the Paradigm shift begins
2 The Big Question Why?

As the economy moves faster and faster to a global economy, it is imperative that
organizations big and small take note of how they protect themselves from a variety
1
Disclaimer: This document is not intended to be all inclusive for all the standards or best practices listed. To further understand each standard
or best practice you are encouraged to research them separately. Additionally, businesses, companies and organizations are used
synonymously where they all refer to the primary entity being safeguarded.
Public Domain
Page 6 of 58
White Paper
Version 1.0
of disasters, which will enable them to not only grow but become sustainable. The
importance of sustainability as a provider of goods and services has reached this
global market place as a key factor in the selection process of these goods and
services. The overriding requirements by governments and businesses alike are to
ensure that the supply chain can be maintained!
The approach presented herein has been designed by a team of engineers to
preserve the revenue stream through stabilization of the services provided. This
stabilization has reduced risk and improved sustainability for its customers, which
has been driven by the market place and governing requirements. This approach
differs from the traditional examples provided from companies representing software
solutions within the Governance, Risk Compliance (GRC2) market segment through
an ingrained operational framework of processes with metrics similar to what the
Committee of Sponsoring Organizations of the Treadway Commission (COSO3)
framework represents.
Because most companies maintain global operations, the approach is driven and
managed to the international body of standards along with local, regional, industry,
and governmentally imposed requirements. These standards are currently evolving
from a collection of many individual standards to several families of standards similar
to what the ISO 9000 family achieved for Quality Management.
3 The Standards
Now that weve introduced the reasons for this whitepaper, lets discuss the
standards that pertain to this topic. Several factors need to be understood. First is;
the International Standards Organization4 has recognized the need for businesses to
use standards for normal operations that will prepare them for the global economy
(ISO/PAS 22399:2007). The International Standards that are currently under
development are the ISO 20000 family of standards that incorporate the ITIL
methods for the Service Delivery models companies may need to use. There is also
the ISO 27000 family of standards that are incorporating the ISACA CoBIT
methods for all companies to use to incorporate measurements of stability. These
new standards are referred to as Business Resiliency which is described as the
ability for a business to resist known and unknown crisis.
3.1 ISO 20000 Family Service Delivery

The ISO 20000 family of standards are developed around the ITIL5 (Information
Technology Infrastructure Library) methods
(http://www.itil.org/de/isoiec20000/index.php) also known as the IT Service
Management Standard.
All rights reserved by Open Compliance & Ethics Group (OCEG) http://www.oceg.org
All rights reserved by Commission of Sponsoring Organizations of the Treadway Commission (COSO) http://www.coso.org
All rights reserved by International Standards Organization (ISO) - http://www.iso.org/iso/home.htm
5
All rights reserved by IT Infrastructure Library (ITIL) Organization - http://www.itil.org/en/ & http://www.itil-officialsite.com/home/home.asp
3
4
Public Domain
Page 7 of 58
White Paper
Version 1.0
The ITIL-ISO 20000 model depicted in Figure 1 below defines IT Service

Continuity Management levels to ensure management controls and
processes are in place to meet the service requirements.
Figure 1: ITIL v2 Service Continuity Management
However the ITIL model has been replaced with the new ITIL v3.
A new generation of the ITIL, ITIL V3, has recently been published. This
new version represents an important evolutionary step in ITILs life. ITIL
Refresh as it is referred, has transformed the guidance from providing a
great service to being the most innovative and best in class. At the same
time, the interface between old and new approaches is seamless so that
users do not have to reinvent the wheel when adopting it.
V3 allows users to build on the successes of V2 but take IT service
management even further. In general, V3 makes the link between ITILs
best practice and business benefits both clearer and stronger. The main
development is that V3 guidance takes a lifecycle approach (Figure 2), as
opposed to organizing according to IT delivery sectors.
ITIL is now based on five core lifecycle titles:

1. Service Strategy
2. Service Design
3. Service Transition
4. Service Operation
5. Continual Service Improvement
Public Domain
Page 8 of 58
White Paper
Version 1.0
Figure 2: ITIL v3 Model
3.1.1 What is ISO / IEC 20000
As stated on ITIL.ORG, this standard is derived from the British Standard 15000
and is a common reference for all companies, regardless of business sector, size
or type.
The standard is designed to provide IT services for both internal and external
customers as a basis of common terminology with an integrated approach for the
processes used to provide these services.
It is closely aligned with industry best practices recommended for Service
Support and Delivery.
In addition to Industry standards, the ISO standard provides clear specifications
and information as to how an organization must align itself to internationally
accepted certifications and processes.
These processes provide the management controls necessary to provide the
service capability in standard measure across all government and industry
sectors.
This unification of measurement of service delivery and support controls enables
service users to evaluate the service value to organizational standards with
confidence.
This standard is defined in using these process areas:
Management System
PISM Planning and Implement
Planning and Implementation
Public Domain
Page 9 of 58
White Paper
Version 1.0
Relationship Processes
Service Delivery Processes
Resolution Processes
Control Processes
Release Processes
3.2 ISO 27000 Family Business Continuity

The ISO 27000 family of standards is still in the development process. This family of
standards is defined as the Business Continuity standard. Within the ISO 27000
family, certain existing standards have been enumerated in to this new family.
3.2.1 What is ISO / IEC 27000

Currently the ISO 17799 Information Security standard and certification process has
been established as ISO 27002 and ISO 27001 respectively. Some of the additional
elements that will be covered in this standard are listed as:
Subcommittee /
Working Group
JTC 1/SC 27/WG 1
JTC 1/SC 27/WG 2
JTC 1/SC 27/WG 3
JTC 1/SC 27/WG 4
JTC 1/SC 27/WG 5
Title
Information security management systems - The convener can be
reached through: BSI
Cryptography and security mechanisms - The convener can be reached
through: JISC
Security evaluation criteria - The convener can be reached through: SIS
Security controls and services - The convener can be reached through:
SPRING SG
Identity management and privacy technologies - The convener can be
reached through: DIN
As with the ISO 20000 family, British Standard BS259998 Business Continuity
Management is the foundation for this family of standards. With this standard,
ISACA Governance methodology found in CoBIT9 is being incorporated to provide
the management controls and measurements to establish common processes,
structures and terminology.
The recent release of the British Standard BS25999-1:200610 has provided the global
body of standards a preview of what the ISO standard will represent.
BS 25999-1:2006 is a code of practice that takes the form of guidance and

recommendations. It establishes the process, principles and terminology
of Business Continuity Management (BCM), providing a basis for
understanding, developing and implementing business continuity within an
organization and to provide confidence in business-to-business and
business-to-customer dealings.
In addition, it provides a comprehensive set of controls based on BCM
best practice and covers the entire BCM lifecycle (see Figure 3)
BS 25999 is published in two parts:
8
The British Standard incorporates several existing standards as illustrated at http://www.pas56.com/ . The blending of British Standards as
depicted at http://pas56.standardsdirect.org/ represent what the ISO Development committee has defined as the defined goal of ISO 27000
which is outlined in ISO/PAS 22399:2007.
9
CoBIT is a registered trademark of ISACA methodology and can be found at http://www.isaca.org/
10
BS25999-1:2006 can be found at http://www.bsi-global.com/en/Shop/Publication-Detail/?pid=000000000030157563
Public Domain
Page 10 of 58
White Paper
Version 1.0
BS 25999-1 Business Continuity Management Part 1: Code of practice.

This document takes the form of good practice guidance and
recommendations, indicating what practices an organization should or may
undertake to implement effective BCM. Organizations may choose to follow
all or part of the Code of practice. The Code can be used for self-assessment
or between organizations. The Code is not a specification for BCM.
BS 25999-2 Business Continuity Management Part 2: Specification. This
document sets out specifically what an organization shall do to implement
BCM. It is for use by internal and external parties, including certification
bodies, to assess the organizations ability to meet regulatory and customer
requirements as well as the organizations own requirements. BS 25999-2
contains only those requirements that can be objectively audited and a
demonstration of successful implementation can therefore be used by an
organization to assure interested parties that an appropriate business
continuity management system (BCMS) is in place.
Initial work by practitioners in 1999 resulted in a widely accepted
representation of the BCM life cycle. With the publication of BS 25999-1 in
2006, a new illustration of the BCM life cycle was introduced
NOTE: A free demo of BS 25999 online is available go to www.bsiglobal.com/bs25999online

Figure 3: Business Continuity Management Life-cycle model (source BS25999-1:2006)
11
11
All Rights Reserved British Standards Institute (BSI) - http://www.bsi-global.com/en/
Public Domain
Page 11 of 58
White Paper
Version 1.0

3.3 Its not just a regulatory requirement any more
The primary driver for these standards is to establish a global compatibility along
with the ability to measure the maturity of organizations to these standards. The
implication of governance aligning with service delivery shown in Figure 4 example
clarifies the use of multiple standards to achieve the objective of adherence and
compliance. The BCM Model will discuss the organizational structure and processes
established by new industry standards to meet the objectives of maintaining and
managing a Business Continuity Management Program.
Figure 4: ITIL CoBIT Coverage
12
3.3.1 COSO
Under the COSO Framework the definition, creation and use of Internal Controls (IC)
to successfully meet objectives is paramount to the overall success of the
organization. This is where objective setting is a precondition to the internal control.
Through objective setting an organizations management can identify risks
associated with the achievement of the desired objective. Each risk must be ranked
on its impact and probability to set the correct control parameters.
In mitigation of these risks, internal controls are designed and implemented to
effectively mitigate the associated risk through the ongoing success measurement
process. This allows the organization to adjust as needed to meet the objective
through continual measurement which will improve the quality of the defined process.
Generally COSO Internal Controls fit well within the ITIL and CoBIT frameworks, as
shown in Figure 4 above, to provide the measurement of operational support
processes but the COSO framework is primarily used for the safeguarding of
12
Public Domain
Page 12 of 58
White Paper
Version 1.0
financial processes within an organization that sustain the executive level fiduciary
and regulatory responsibilities.
3.3.2 Governance Risk & Compliance (GRC)

Numerous groups and entities have launched similar programs to address elements
of what the BCM embraces. This includes an industry segment defined as GRC
from two different groups.
3.3.2.1 Open Compliance & Ethics Group (OCEG)
This group set out to establish a CoBIT like framework that includes domains that
bridge numerous functions and processes. The OCEG Framework or Capability
Model utilizes a Universal System Outcomes concept.
Universal System Outcomes are the expected and measurable results of a highperforming GRC system defined in these process segments.
Inform & Integrate
Detect & Discern
Organize & Oversee
Assess & Align
Monitor & Measure
Prevent & Promote
Respond & Resolve
Utilizing 8 Integrated Components with 8 Universal Outcomes
Enhance Organizational Culture
Increase Stakeholder Confidence
Prepare & Protect the Organization
Prevent, Detect & Reduce Adversity
Motivate & Inspire Desired Conduct
Improve Responsiveness & Efficiency
Optimize Economic & Social Value
Achieve Business Objectives
Each with its own Elements
Each Element embodies a number of related Practices in a high-performing
GRC system. Each Element includes a discussion of Principles and Common
Sources of Failure, as well as the Practices that support success.
3.3.2.2 Object Management Group GRC Round Table (GRC-RT)
This group understands the utilization of similar compliance requirements and
establishes a process for utilization, first by capturing the regulatory requirements.
Public Domain
Page 13 of 58
White Paper
Version 1.0
Figure 5: GRC Automating Compliance
GRC-RT Diagram 13
Then by creating mappings between each compliance requirement element through

a pertinent industry framework object to an identified internal control. Most of these
will be bi-directional mappings with data flowing in both directions.
Figure 6: GRC Bi-Directional Compliance Mapping
When defining the regulation mapping through a framework, many relationships will
develop that will economize on the overall process of compliance management.
13
All rights reserved by Object Management Group (OMG) GRC Roundtable - http://www.omg.org/
Public Domain
Page 14 of 58
(http://www.grcroundtable.org/GRC_RT_Overview.pdf)
White Paper
Version 1.0
Figure 7: GRC Complex Relationship Mapping
GRC-RT Diagrams 14
The BCM Model attempts to provide a singularity of tasks and controls needed to
meet the objective of compliance, risk mitigation and business sustainability most like
the GRC-RT method shown above with the role up to management needed to
govern the processes. This assumes that the pertinent industry model reflected
continues to address the ever changing regulations, thus the need for automating the
process as much as possible.
4 The Business Continuity Paradigm

With the standards represented above, a Business Continuity Paradigm has taken
shape. The context of this whitepaper will build on this paradigm to present a new
model that organizations can use to establish a foundation of Business Continuity
Practices and Principles where metrics can be devised to provide both qualitative
and quantitative results of operational readiness performance to management.
These foundations of collaborative methods are now referred to herein as the
Business Continuity Management (BCM) and align with both the published and
unpublished ISO standards referenced. As such, this BCM Model is designed to
provide an advance look into what the BCM future beholds.
4.1 What is BCM?

BCM is a board owned and driven set of processes established to facilitate the
functions and services of the organization, which are defined by a strategic and
tactical framework that:
14
All rights reserved by Object Management Group (OMG) GRC Roundtable - http://www.omg.org/
Public Domain
Page 15 of 58
(http://www.grcroundtable.org/GRC_RT_Overview.pdf)
White Paper
Version 1.0
Proactively improves the resiliency of the organization against a disruption

that impedes the organizations ability to achieve its key objectives.
Provides a validated and tested method of recovery of the organizations
ability to provide the functions and services at a predefined level within a
predefined time.
Affords the organization the ability to deliver a proven capability to manage its
business while preserving its brand image and reputation.
4.1.1 Building Blocks

Much like what Program Management (PM) enables for holistic management of
projects within an organization; BCM provides a similar level of management and
fiduciary responsibility to mitigate risks to the continual operations of business. This
systematic process facilitates organizational maturity and business resiliency utilizing
these essential building blocks:
1) BUSINESS CONTINUITY (BC): Establishes the ability of an organization to
provide service and support for its customers and to maintain its viability
before, during, and after a business continuity event (i.e. disaster / crisis,
natural or man made). BC in itself is only a starting point.
2) PLAN, DO, CHECK, ACTION (PDCA): An adaptation of the Deming wheel.
While the Deming wheel stresses the need for constant interaction among
research, design, production, and sales, the PDCA Cycle asserts that every
managerial action can be improved by careful application of the sequence:
plan, do, check, action. Later in Deming's career, he modified PDCA to
"Plan, Do, Study, Act" (PDSA) so as to better describe his
recommendations. In Six Sigma programs, the PDSA cycle is called
"Define, Measure, Analyze, Improve, Control" (DMAIC). The iterative nature
of the cycle must be explicitly added to the DMAIC procedure. The PDCA
cycle implies a continual methodology of process improvement. Where
each process includes controls that provide measurement of success that is
used to define overall operation success. One poor process does not
cause an organization to fail, systemic failure occurs where numerous
process enable failure over time.
3) BUSINESS CONTINUITY PLANNING (BCP): Is the process of developing
and documenting arrangements and procedures that enable an
organization to respond to an event that lasts for an unacceptable period of
time and return to performing its normal Business Critical Functions and/or
supporting System (BCFS) after an interruption. BCP is the documentation
to facilitate the process of mitigation of risk to the operation of an
organization in preparation of the eventual crisis.
4) RISK MANAGEMENT (RM): Risk management is a structured approach to
managing uncertainty related to a threat, a sequence of human activities
including: risk assessment, strategies development to manage it, and
mitigation of risk using managerial resources. Whereas risk management
tends to be preemptive, business continuity planning (BCP) was invented to
deal with the consequences of realized residual risks. The necessity to
have BCP in place arises because even very unlikely events will occur if
given enough time. Risk management and BCP are often mistakenly seen
as rivals or overlapping practices. In fact these processes are so tightly tied
Public Domain
Page 16 of 58
White Paper
Version 1.0
together that such separation seems artificial. For example, the risk
management process creates important inputs for the BCP (assets, impact
assessments, cost estimates etc). Risk management also proposes
applicable controls for the observed risks. Therefore, risk management
covers several areas that are vital for the BCP process. However, the BCP
process goes beyond risk management's preemptive approach and moves
on from the assumption that the disaster will realize at some point. This
includes the assessment of each risk and where appropriate, the
establishment of mitigation controls to manage the process designed to
minimize the risks potential impact.
5) BUSINESS CONTINUITY MANAGEMENT (BCM): Is defined15 as a holistic
management process that identifies potential impacts that threaten an
organization with associated risk, and provides a framework for building
resiliency with the capability for an effective response which safeguards the
interests of its key stakeholders, reputation, brand and value creating
activities. This management structure includes the facilitation of recovery,
continuity and/or restoration in the event of a disaster or crisis through the
management of an overall contingency program and through training,
rehearsals, and reviews, to ensure the plan(s) stays current and up to date.
This framework facilitates the entire process of preparing for the inevitable
crisis to strike which engage processes to mitigate the impact of risk to the
business operation. All of which provides for a sustainable and resilient
organization with the emphasis on Risk Mitigation with Governance which
is engrained in the day-to-day operation of business.
This implies that BCM specifically provides:
A level of managerial oversight at the appropriate organizational level which
has a stake in the continual operations of business with fiduciary
responsibilities.
Quality processes that mitigates Critical Business Functions and/or support
Systems (BCFS).
Processes that must:
correlate to measurable financial impacts,
be rated according to their risk potential,
include their individual probability of disruption as reflected in Service Level
Agreement (SLA) management,
be quantifiable through metrics measurement,
and incorporate continual improvement.
BCM is the entire organizations responsibility. Each entity and resource has a stake
in the success of the organization as a whole, which emphasizes that the
organization will need to:
Identify, define and prioritize potential impacts in advance
Create a framework to mitigate and manage risks, of each, within industry
standard guidelines
Defend the organization against the potential of loss, with the resiliency to quickly
recover in the event of a crisis
15
Definitions to the BCM terms used herein can be found in Appendix A
Public Domain
Page 17 of 58
White Paper
Version 1.0
Utilize industry best practices in creation and execution of the Business

Continuity Management Lifecycle (Figure 3).
4.1.2 BCM Organizational Ownership

To establish ownership and drive the BCM principles throughout the organization, a
BCM strategy must be created and approved by a governing board within the
organization which has board level executive stakeholders. The reason ownership
must reside at this level is clear. The board owns the overall resiliency of the
organization and as such they own the ability to manage resiliency. This is
reinforced by many governmental regulations such as Sarbanes-Oxley (SOX)16
within the United States, where the CEO and CFO must personally attest to the
validity of the financials reported.
4.1.3 BCM Strategy

Most organizations, regardless of size, have strategic directives to attain. These
may be necessary to grow business by increasing the product and services delivered
or to improve the availability of the goods and services provided. The consequences
of not pairing these directives to a means of resiliency are usually devastating to the
continued operation of an organization. This may include loss of profits, customers,
up to and including loss of life. The survival of an organizations reputation or
existence is at stake!
NOTE: According to research by the University of Texas, when companies
suffer a catastrophic data loss, 94 percent of them fail: 43 percent never
reopen, and the remaining 51 percent close within two years.
The alignment of the organizational strategic goals and objectives must be

incorporated into the BCM Strategy to ensure that the organization can achieve both.
The organizational structure needed to facilitate this process is within what this
model refers to as a BCM Steering Committee17. The full BCM structure will be
defined further on in this paper.
The key is that BCM recognizes the importance and need for stakeholders at the
highest organizational level to ensure the organizations survivability and resiliency is
properly prioritized and subsequently maintained. As the stakes rise with new
ventures, BCM is the solution for the subsequent consequences of disruptions which
have a direct and implied fiduciary impact that also include a probable regulatory
consequence.
4.1.4 BCM and Risk Management

BCM has a direct relationship with most forms of Risk Management. The principle
behind BCM is to Risk Mitigation with Governance. This principle incorporates
many elements and types of risk management into the BCM Strategy and
subsequent program. One of the primary derivatives of a BCM program is to
establish direct feedback to the board level management on the State of Readiness
which provides the Value-Add needed by the board to ensure a sustainable
operation and to enable viable decisions!
16
Information on SOX can be found at http://www.sec.gov/divisions/corpfin/faqs/soxact2002.htm and the full SOX ACT HR:3763 http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_bills&docid=f:h3763enr.txt.pdf
17
This model will identify organizational roles and responsibilities paired with the BCM Process defined herein that utilize existing operational
resources for most of the stated requirements. Only a small complement of resources used to facilitate the BCM Process are actually needed
where the actual number varies depending on the size and complexity of an organization.
Public Domain
Page 18 of 58
White Paper
Version 1.0
4.2 Why BCM?

The principle reason BCM is needed is it forms an important element of
organizational management, provisioning of service and efficient and effective
deployment of resources very similar to the way Program Management performs a
rollup of resources and financials into a holistic view. This provides transparency into
the operational State of Readiness at most process points to effectively manage the
organization to its optimal state of maturity and subsequent efficiency.
This model encapsulates the benefit of utilization of existing resources for the
facilitation of risk mitigation through the adaptation of appropriate internal controls,
thereby reducing the burden of cost normally associated with a separate structure.
4.2.1 Strategic Value

The alignment of BCM with an organizations strategic vision and the utilization of
available skilled resources provide a substantive value to achieve the organizations
strategic objectives and goals. When the organization relies upon BCM as an asset
within the definition of its strategy, the organization can only realize a higher than
normal probability of successful achievement.
4.2.2 Sustainability and Resiliency

All organizations strive to remain operable for a long duration, which translates into
sustainability. To achieve sustainability the organization must have a program that
drives to this goal. The BCM Model outlines the organization and processes needed
to achieve sustainability. The use of sustainable practices, though utilization of
continually improving processes, a level of resiliency is established. Resiliency
enables an organization to undergo higher levels of risk impacts and remain
operational. Quality of service may degrade, but only to predefined levels. Thus,
financial downturns, major service disruptions, or natural disasters can all be
mitigated with appropriate controls in place to ensure the proper State of Readiness
is maintained at all times.
5 The BCM Model

Over the history of the industrialized world, companies, organizations and
businesses struggled with how to protect; what they built, how they are generating
revenue, and all important, how to continue to grow. Facing sometimes catastrophic
crisiss and financial down turns, many strong and prosperous entities survived. For
those many that failed can be summed up in these three words; were they
prepared?
Survival of the Fittest played out in real-time revealed those who continue to
operate today were prepared, and those that arent, were not. History has identified
that if an organization does not have a contingency plan, the probability for it to
sustain a long term existence is slim.
While there is no silver bullet with any framework, the BCM Model is a research
compilation of standards, processes and experience that brings together for the first
time a comprehensive framework for organizations to use for the sole purpose of
being prepared!. The BCM Model will walk through the ownership, fiduciary
Public Domain
Page 19 of 58
White Paper
Version 1.0
responsibilities, along with the processes to create and sustain a program to mitigate
most common events. Included is essential information to protect the organizations
interests and assets. In this ever changing global economy, organizations will need
every advantage afforded them to survive. How this is accomplished is the basis of
the BCM Model with the underlying theme Risk Mitigation with Governance.
5.1 Business Continuity Management Components

Business Continuity Management model defines these elements into tactical aspects
of a BCM Process. BCM Process utilizes functional components to facilitate the
Risk Mitigation with Governance principle. These structures of functional
components are:
Business Continuity Steering Committee
Business Continuity Management Team
Business Continuity Plan Administrator
Business Continuity Leads or Business Continuity Coordinators/Disaster
Recovery Coordinators
Business Continuity Teams
Figure 8: BCM Components
5.2 Where to Start

Most organizations find it difficult to identify the starting point of their Business
Continuity program. A few indicators will clearly identify the starting point and help
identify the effort needed to establish a quality program. Here is a list of some of
those indicators:
Has a Business Impact Analysis been conduction within the last 24 months?
Utilizing the data from the Business Impact Analysis, was a Risk Assessment
conducted and critical functions and systems identified?
Public Domain
Page 20 of 58
White Paper
Version 1.0
Does existing documentation exist that can be used for planning purposes?
Is the existing documentation adequate for the critical systems?
Is there Executive stakeholder buy in and support?
Has ownership of the various elements been established and accepted?
Has funding been granted and approved?
Are short and long term business & IT objectives aligned?
Once these indicators have been resolved, most organizations will succeed with
establishment of a Business Continuity Management program.
Here is where we start.
5.2.1 Business Continuity Planning

Now that we have established the objectives driving the Business Continuity
program, we can now begin planning. To start with, the senior management team
will have defined a Business Continuity Strategy (BCS) to match what they see as
business risks needing mitigation surrounding the most common loss of business
services. At a minimum the BCS should include the following policies, processes,
and/or concepts:
A defined policy governing the Business Continuity Program,
Process for the identification of the Business Continuity Management Team
and subsequent crisis or emergency management team structure (including
the structure used to facilitate creation, maintenance, execution and training
of the Business Continuity Plan),
Process for assignment identification, functional responsibilities, and approval
of the BCSC team along with governance structure as needed,
Conduct a Business Impact Analysis (BIA) to identification of the areas of
Business Critical Function and/or System (BCFS) that need to be protected,
along with the general scope of need for the various BCFS and respective
locations of operation.
Risk Assessment on all high priority and/or critical BCFS items to include a
probability and impact value. These risk values will ensure internal controls
can be established with appropriate thresholds for success measurement.
With these elements understood, planning can proceed with the identification and
establishment of resources along with appropriate funding needed to satisfy the
business objectives driving the BCM program utilizing the following components.
5.2.2 Establishment of the Business Continuity Management Team

The Executive Management should identify the requirements of the Business
Continuity Management Team (BCMT). A high-level organizational structure of the
BCMT is needed to identify who should serve on this team and what responsibilities
each role will play in the functional operation of the BCMT. At a minimum the BCMT
should include:
At least one Executive, one Senior Management representative, and then
what ever level of management is deemed appropriate to represent the full
operational complement of the overall organization,
An organizational structure that will provide the appropriate level of authority
on those areas of the organization that will most likely be directly involved
with Business Continuity execution,
Public Domain
Page 21 of 58
White Paper
Version 1.0
The designation of a Crisis or Emergency Management Team (EMT) from

current management that will facilitate the execution of the Business
Continuity Plan (BCP),
The emergency declaration classification types, rules and criteria.
Figure 9: BCM Organization

BUSINESS CONTINUITY MANAGEMENT PROGRAM:
An ongoing management and governance process supported by
senior management and resourced to ensure that the necessary
steps are taken to identify the impact of potential losses, maintain
viable recovery strategies and plans, and ensure continuity of
products/services through exercising, rehearsal, testing, training,
maintenance and assurance.
(BCMT)
BCM
Steering
Committee
Designated Senior &

Executive Managers
Executive Management
Team and Assignees
BCM
Team
BCM
Business Continuity
Management Organization
BCM
Emergency
Management
Team
(BCSC)
(EMT)
Risk
Management
through
Governance
Designated Managers
SIMILAR TERMS: Disaster Recovery Management Team, Business Recovery

Management Team. Associated terms: Crisis Management Team.
BUSINESS CONTINUITY MANAGEMENT TEAM (BCMT):

A group of individuals functionally responsible for directing
the development of the business continuity plan, as well as
responsible for participation in the declaring a disaster and
aiding the recovery process, both pre-disaster and postdisaster. Also referred to as the Executive Emergency
Management Team (EEMT)
SIMILAR TERMS: Disaster Recovery Management Team, Business Recovery Management
Team. Associated terms: Emergency Management Team.
BCM
Corrdinator
(DRC/BCC)
0
BC
Team
Organizational
Designee
Departmental
Designees
(BCT)
BUSINESS CONTINUITY TEAM (BCT):

Designated individuals responsible for developing,
execution, rehearsals, and maintenance of the business
continuity plan, including the processes and procedures.
BUSINESS CONTINUITY STEERING COMMITTEE (BCSC):

A committee of decision makers, process owners,
technology experts and continuity professionals, tasked with
making strategic recovery and continuity planning decisions
for the organization.
EMERGENCY MANAGEMENT TEAM (EMT):
A group of managers functionally responsible for
execution of the business continuity plan, as well as
responsible for declaring a disaster and providing
direction during the recovery process, both pre-disaster
and post-disaster.
BUSINESS CONTINUITY MANAGEMENT (BCM):

A holistic management process that identifies potential impacts that
threaten an organization and provides a framework for building
resilience with the capability for an effective response that
safeguards the interests of its key stakeholders, reputation, brand
and value creating activities. The management of recovery or
continuity in the event of a disaster. Also the management of the
overall program through training, rehearsals, and reviews, to ensure
the plan stays current and up to date.
SIMILAR TERMS: Disaster Recovery Management Team, Business Recovery Management

Team. Associated terms: Emergency Management Team.
DISASTER:
A sudden, unplanned calamitous event causing great
damage or loss as defined or determined by a risk
assessment and BIA; 1) Any event that creates an inability on
an organizations part to provide Business Critical Functions
for some predetermined period of time. 2) In the business
environment, any event that creates an inability on an
organizations part to provide the critical business functions
for some predetermined period of time. 3) The period when
company management decides to divert from normal
production responses and exercises its disaster recovery
plan. Typically signifies the beginning of a move from a
primary to an alternate location.
BUSINESS CONTINUITY COORDINATOR (BCC):

A role of the BCM program that leads & coordinates
planning and implementation for recovery of an
organization, location or unit for nontechnical functions.
SIMILAR ROLES: Business Recovery Coordinator, Business Recovery Planner
May also act as a Plan Administrator
DISASTER RECOVERY COORDINATOR (DRC):

A role of the BCM program that leads & coordinates
planning and implementation for recovery of an
organization, location or unit for technical functions.
SIMILAR ROLES: Disaster Recovery Planner, and Disaster Recovery Administrator
May also act as a Plan Administrator
SIMILAR TERMS: Business Interruption; Outage; Catastrophe
THREAT:
A combination of the risk, the consequence of that risk, and
the likelihood that the negative event will take place.
Associated term: risk. Example Threats: Natural, Man-made,
Technological, and Political disasters.)
5.2.3 Establishment of a Business Continuity Steering Committee

The Business Continuity Steering Committee (BCSC) shall be created by the
Business Continuity Management Team (BCMT). The BCSC shall be populated with
representation of all Business Critical Functions and/or supporting System (BCFS)
areas with management and senior employees by referral from a member of the
BCMT and approved by Executive Management. The BCSC team must have both
executive management and broad employee based support to provide an effective
and representative body that will be viewed by all as the appropriate members of the
organization to provide Business Continuity vision and direction. This team will be
responsible for providing the organization with strategic oversight on all Business
Continuity initiatives, policies, processes, plans and structures. The BCSC shall meet
on a regular schedule, not less than quarterly, and rely on the Business Continuity
Management Team for all fiduciary requirements identified.
5.2.4 Defining the Policy

The Business Continuity Steering Committee should establish a policy that will
provide an overall guidance to the teams implementing Business Continuity. A highlevel policy must be published to identify several factors to the organization as a
whole. The Business Continuity policy should set the expectations the organization
Public Domain
Page 22 of 58
White Paper
Version 1.0
has for all employees, contractors and agents. These should be as clear and concise
as possible and must be approved by executive management with enforceable
terms.
The Business Continuity Policy should include:
Overall Business Continuity mission statement
Company Business Continuity objectives
Who participates in Business Continuity
Enforceable terms deemed necessary
Governance
5.2.5 Defining Management Components

The Business Continuity Steering Committee should establish a management
structure to facilitate the execution of the BCM Program. The Components of the
Business Continuity Management Structure should include:
Identification of the Owners of the main Business Continuity Plans (BCP)
needed to appropriately respond to a crisis.
Establish a Business Continuity Strategy (BCS) to provide direction aligned
with business objectives.
Define a recovery management process that includes metrics for all Business
Critical Function and/or supporting Service (BCSF).
The conduct of a Business Impact Analysis to provide vital financial ties to
each identified BCFS.
Facilitate the establishment of the Business Continuity Sub-plan ownership at
the operational level through the Business Continuity Team. (BCT)
Figure 10: BCM Components
BCM
Business Continuity
Management Components
BUSINESS CONTINUITY MANAGEMENT PROCESS:

The Business Continuity Institutes BCM process (also known as the
BC Life Cycle) combines 6 key elements: 1) Understanding Your
Business 2) Continuity Strategies 3) Developing a BCM Response 4)
Establishing a Continuity Culture 5) Exercising, Rehearsal & Testing
6) The BCM Management Process
BC / DR
Plan
BCM
Strategy
DHLGM
Department Managers
BCM
Designee
BUSINESS INTERRUPTION:
Any event, whether anticipated (i.e., public service strike) or
unanticipated (i.e., blackout) which disrupts the normal course of
business operations at an organizations location. Similar terms:
outage, service interruption. Associated terms: business
interruption costs, business interruption insurance.
Recovery
Management
(BCMS)
BIA
BRP / DRP
External Auditor
BCT
BUSINESS CONTINUITY STRATEGY (BCMS):

An approach by an organization that will ensure its recovery and continuity
in the face of a disaster or other major outage. Plans and methodologies are
determined by the organizations strategy. There may be more than one
solution to fulfill an organizations strategy. Examples: Internal or external
hot-site, or cold-site, Alternate Work Area reciprocal agreement, Mobile
Recovery, Quick Ship / Drop Ship, Consortium-based solutions, etc.
BUSINESS CONTINUITY PLAN (BCP):
Process of developing and documenting arrangements and
procedures that enable an organization to respond to an event
that lasts for an unacceptable period of time and return to
performing its critical functions after an interruption.
SIMILAR TERMS: Business Resumption Plan, Continuity Plan, Contingency Plan,
Disaster Recovery Plan, Recovery Plan.
DISASTER RECOVERY PLAN (DRP):

The management approved document that defines the
resources, actions, tasks and data required to manage the
technology recovery effort. Usually refers to the technology
recovery effort. This is a component of the Business
Continuity Management Program.
SIMILAR TERMS: Business Continuity Management Plan, Recovery Plan.
RECOVERY:
Implementing the prioritized actions required to return the
processes and support functions to operational stability
following an interruption or disaster.
RECOVERY POINT OBJECTIVE (RPO):
From a business perspective RPO is the maximum
amount of data loss the business can incur in an event.
The targeted point in time to which systems and data
must be recovered after an outage as determined by the
business unit.
BUSINESS RESUMPTION PLANNING (BRP):

TERM Currently Being Reworked
SIMILAR TERMS: Business Continuity Planning, Disaster Recovery Planning
DISASTER RECOVERY PLANNING (DRP):

The technological aspect of business continuity planning.
The advance planning and preparation that is necessary to
minimize loss and ensure continuity of the Business Critical
Functions and supporting Systems of an organization in
the event of disaster.
SIMILAR TERMS: Contingency Planning; Business Resumption Planning;
Corporate Contingency Planning; Business Interruption Planning; Disaster
Preparedness.
BUSINESS IMPACT ANALYSIS (BIA):

A process designed to prioritize Business Critical Functions
and supporting Systems by assessing the potential
quantitative (financial) and qualitative (non-financial) impact
that might result if an organization was to experience a
business continuity event.
RECOVERY TIME OBJECTIVE (RTO):

The period of time within which systems, applications, or
functions must be recovered after an outage (e.g. one
business day). RTOs are often used as the basis for the
development of recovery strategies, and as a determinant
as to whether or not to implement the recovery strategies
during a disaster situation.
SIMILAR TERMS: Maximum Allowable Downtime
Public Domain
Page 23 of 58
White Paper
Version 1.0
5.3 Conducting the BIA

To fully understand the potential impact any loss of service could have on business,
a Business Impact Analysis (BIA) should be conducted. The conduct of a BIA
should be scheduled every 3 to 5 years to keep the information used for loss
identification current. A BIA should be performed prior to the BCS creation to ensure
that the organization has identified the BCFSs that represent what the loss potential
is, how it can be mitigated, and what the implications to the services provided would
mean to the recipient of those services. When a BIA is re-conducted after the BCM
Program is in place, it will be used to update the BCFS list and financial risks of
each. The Business Continuity Management Team and Business Continuity
Steering Committee participants may be adjusted based upon the information
provided.
The following few slides describe the essence of the BIA:
5.3.1 BIA - Identifying Critical Needs

The critical needs should be identified within all departments. Critical needs include
all information, processes, activities and equipment needed to continue operations
should a department be destroyed or become inaccessible. To determine the critical
needs of the organization, each department should document all important functions
performed within that department. This information can be gathered by documenting
daily activities within each department.
An analysis over a period of two weeks to one month can indicate the principle
functions performed inside and outside the department, and assist in identifying the
necessary data requirements for the department to conduct its daily operations
satisfactorily. This determines the Business Critical Function and/or supporting
Service (BCSF) which are critical functions / systems relied on to perform critical
business functions, System or application interfaces, that require a Maximum
acceptable outage for the system considering both the user perspective and the
technical perspective.
5.3.2 BIA - Business Critical Functions / Systems

To Identify Business Critical Function and/or supporting Service (BCSF) some of the
diagnostic questions that are asked include:
What specialized equipment is used in the department and how is it used?
What are lead times for replacing critical equipment?
If the on-line systems were not available, how could the department continue
to function?
What parameters, guidelines, or procedures would be necessary to limit
exposure during on-line systems downtime (i.e., management approval may
be required of checks or disbursements above specified dollar amounts)?
What is the minimum staff and floor space needed to continue operations at
another facility?
What special forms and supplies are needed for each departmental area?
What communication devices (i.e., telephones, facsimile equipment, and data
transmission equipment) would be necessary to continue operations?
Public Domain
Page 24 of 58
White Paper
Version 1.0
Which employees have been trained to carry out several departmental jobs or
responsibilities and could fill positions of key employees if they were
unavailable?
5.3.3 BIA - Outage Impact Analysis

Once the critical needs have been documented, it is important to determine the
impact of an outage to the critical systems and business functions. The impact
depends on the type of outage that occurs, and the time that lapses before normal
operations can be resumed. The following information should be carefully analyzed:
Impact Analysis is defined by these six areas:
1. Business Function Description
2. Critical Systems
3. Dependencies
4. Workflow Impact
5. Future Business Function Changes
6. Impact of Not Processing
Business Function Description is:
1. Size of the business function (e.g., total revenue, number of
employees, number of patients, etc.)
2. Main purpose of the business function (e.g., revenue generation,
administrative, customer service, support function, ancillary function,
etc.)
3. Critical operations performed.
Critical Systems Description is:
1. Systems relied on to perform critical business functions
2. System or application interfaces
3. Maximum acceptable outage for the system, considering both the
user perspective and the technical perspective
Dependencies Description is:
1. Dependencies between business functions
2. Dependencies between departments
3. Dependencies between systems
Workflow Impact Description is:
1. Loss of controls
2. Major bottlenecks
3. Potential stop in the workflow
4. Complete interruption of the workflow
Future Business Function Changes Description is:
1. Systems
2. Procedures
3. Operations
4. Personnel
5. Organization
6. Other changes
Impact of Processing Failure Description is:
1. Impact on customer service
2. Noncompliance with government regulations
3. Noncompliance with existing contracts
4. Increase in personnel requirements
Public Domain
Page 25 of 58
White Paper
Version 1.0
5. Loss of revenue
6. Loss of business
7. Increased operating costs
8. Penalties
9. Loss of financial management capability
10. Loss of competitive edge
11. Loss of goodwill
12. Negative media coverage
13. Loss of stockholder confidence
14. Legal actions
15. Other impacts
Redundancy Levels Description is:
Existing and required redundancy levels throughout the organization to
accommodate critical systems and functions:
1. Hardware
2. Information
3. Personnel
4. Services
Alternate Processing Methods Description is:
1. Alternate processing methods for the critical functions in the event of
a systems outage
2. Impact of using the alternative processing method
3. Alternate processing costs
5.4 Risk Assessment

The Business Critical Functions and/or Services identified in the BIA must now be
analyzed to determine their impact and probability of disruption to establish a
ranking of each. Once the BCFS risks are ranked to a common scale (usually 1 to 3
or 1 to 5 with 1 having the highest priority i.e. Severity 1), then planning prioritization
is applied and a list of plans generated. The object is the mitigation of risk for the
highest ranked items first, then working down through the list until all critical items
have mitigation plans that are ready for validation. Re-ranking may take place as
more information is discovered during the risk assessment process.
Risk assignments are used to design internal controls (ICs) and thresholds that
provide measurement of success which feed the State of Readiness metrics.
These same ICs should also be mapped to any regulatory requirements to ensure a
total risk is known and measured.
NOTE: Priority ranking should follow what ever scale is used within the current
Incident / Problem Management system to take full advantage of established
processes. Universal use of common terms within this process should also be
adopted to avoid communication failures and confusion.
5.5 Risk Mitigation

It is important to identify risks, associate the cost of each and trend it over time,
however, if the risk is never mitigated then it will continue to be a drain on the
organizations sustainability which may ultimately lead to its demise. To address this
topic, continual improvement processes mandate that this information be analyzed
Public Domain
Page 26 of 58
White Paper
Version 1.0
and addressed where appropriate for a given organizations goals and objectives.
Mitigating every risk is too costly, even for the largest of organizations.
Understanding the risks implications to the current business strategy will provide the
most cost effective means of Risk Mitigate any organization can afford.
The Disaster Recovery Timeline shown in Figure 11 illustrates the elementary points
of risk that must be identified, evaluated and prioritized for impact that incorporates a
business established tolerance. This must be accomplished for every Business
Critical Function and/or supporting Service (BCSF) identified in the BIA. This
recovery data will be included in any Service Level Agreement (SLA) established
with the service provider whether internal or external.
Figure 11: Disaster Recovery Timeline
5.5.1 Risk Mitigation Crisis Points Defined
Public Domain
RPO is the last known point of valid data on a system by system or function
by function basis. This is the starting point of data restoration and is owned
by IT as agreed too by Business.
RTO is the technical point of restoration of a system or function. This is the
starting point where processing can restart after the failure. It is owned by IT
as agreed too by Business.
MTD is the point at which all recovery processing has been completed
while processing current normal daily activities. This is the actual return to
Business As Usual state. This is solely owned by business.
Page 27 of 58
White Paper
Version 1.0
WRT is the amount of time and effort needed to recover from the crisis.
This includes the reentry of data from;
The point of the crisis back to the RPO,
The manual data collected from the point of crisis to the RTO,
And the processing of current daily data needed to stay current with the
expectation of business services
Most companies fail because they do not plan this recovery period
5.5.2 Importance of Defining Risk Points

Failure to identify a point of risk is opening the flood gates and inviting in a crisis.
Each BCFS must have its Risk Points defined and accepted by business and the
service or function provider.
Risk Point failures;
Lack of adequately define Risk Points will cause failure
Lack of organizational participation in Risk Point metrics establishment will
cause failure
How to you create SLAs without Risk Point definitions and measurements?
(You cant!)
Establishing Risk Points with Metrics is essential to the successful creation of
every BCM Plan (BCP, Sub-BCP) and the sustainability of business!
Identification of regulatory requirements inclusive with the risk points ensures
compliance is included in the success measurement.
5.5.3 Risk Cost Modeling

Utilizing the financial data from the Business Impact Analysis (BIA) for each
Business Critical Function and/or supporting Service (BCSF) a Risk Cost Model can
be created to identify the underlying cost for each BCFS along with the projected
revenue stream disrupted in the event of its failure. Building this model requires
business participation to adequately track and trend the risk cost over a period of
time. The resulting Risk Cost Model represents the BCM Models ability to provide
Value Add by providing another vantage point of an organizations sustainability.
Research does not reveal an industry targeted risk level to achieve; however, we
were able to extrapolate from other risk models and business objectives to establish
a risk target of 2% or less. The example below uses Top Line Revenue as a basis
for the risk cost analysis. Governments and other organizations may need to use
Bottom Line Revenue. In either case, the target should complement the
organizations strategic goals and objectives.
Public Domain
Page 28 of 58
White Paper
Version 1.0
Figure 12: Risk Cost Model Trending Example
NOTE: Investment in Risk Mitigation through a BCM Program is a long term

business objective, to suggest otherwise is setting the stage for failure.
5.5.4 Mitigating Risks

The BIA is essential to establish the parameters for mitigating risk. What do we do
with this information?
Identifies the Business Critical Function and/or supporting Service (BCFS)
with supporting financial data
Identifies the priorities business places on each BCFS, usually financially
driven
Identifies the cost to business if the BCFS were to fail. Supporting services of
the BCFS should retain the same status as the high level business function.
How do we use this information?
Build Risk Cost models utilizing real financial data on a BCFS by BCFS basis
that reflects a real State of Readiness
Establish a financial connection for each BCFS and their supporting services
that include resources, service contracts and SLAs.
Through planning risk is mitigated thus establishing a Value Add by providing
a form or Revenue Protection not currently available to the business.
How is this accomplished?
Risk Point identification with established business tolerance / threshold
metrics for each
Service Level Agreements that have real achievable metrics
Risk Cost Modeling to show the financial implications of risk mitigation (ROI)
Risk Analysis using Strategic Plan as a long term projection of impact
severity and probability of occurrence
What does it provide?
Identifies priority for funding mitigation solutions
Public Domain
Page 29 of 58
White Paper
Version 1.0
Enables cooperative planning between provider and user

Establishes path to successful achievement of strategic business goals and
objectives
Affordable Sustainability with attainable Resiliency
6 Business Continuity Plan Creation

The preparation stage of the BCM Model and all industry leading standards mandate
the creation of plans to facilitate the continuity of operations. The creation of these
plans is where many fail to get a program off the ground. This aspect of the process
is defined with what plans would represent a minimal scenario for any organization
along with a structured process for integrating them together to attain a sustainable
program. The effort to create the documentation required is no small task, however,
without the basis to draw upon, the program and subsequently the operations is
destined to fail.
Engaging the appropriate resources is required for the successful creation of
contingency plans. Ownership must reside with the appropriate assigned skill to
enable the execution when required. The basic literary level of each plan should
address the principle of utilizing a similar skill near or at the level required to perform
daily management. Utilizing these basic principles will enhance the probability of
successful creation of the plans needed.
6.1 Creating the Business Continuity Plan

With the full understanding of What BCM is, the process of creating the Business
Continuity Plan (BCP) can now take place. With the BCM organizational structure
defined, resources assigned, a Business Impact Analysis (BIA) conducted, Risk
Assessment completed with mitigation steps identified and with an approved BCS
documented, the next step is to create the Business Continuity Plan. The BCP is
created, maintained and administered by the Business Continuity Plan Administrator
(BCPA) to include:
Identification of all BCFSs and their associated risks to business, along with
the appropriate resources to facilitate the execution of safeguarding and
restoring each BCFS.
The processes, procedures, actions, tasks and/or steps used to mitigate the
risks identified for the various plausible scenarios at each business location,
Identification of all locations included, along with any sub-plans needed to
provide adequate coverage for each risk to be mitigate,
A clear communications process to identify, evaluate, declare and recover
from most typical causes to loss of service delivery capability or disaster that
includes all required resources, roles, locations, with information publication
types and guidelines,
The process for Business Continuity Plans updates organizational
awareness, training and periodic validation testing.
6.2 BCM Process Components

We can now explore what plan components are used within the BCM.
Public Domain
Page 30 of 58
White Paper
Version 1.0
The BCM utilizes several types of components to provide appropriate coverage and
management of the process. The BCM Process Components define the areas and
types of plans used.
NOTE: Figure 13 depicts the various plan components and potential uses.
The components include:
Organizational level management that includes the BCM Program charter,

goals, objectives and controls. This will include:
Master Plan,
Communications Plan,
Common Process plan to facilitate the interoperations with all other plans.
Operational level management includes Business Continuity Plans that detail
the actions taken. This will include:
Site (Location) Plan,
Sub-Plans with the specific task taken by the skilled resource teams,
Contingency Plans are usually at the Department level to provide guidance to
safeguard items across multiple locations that are the responsibility of a
department.
Figure 13: BCM Process Components
6.2.1 BCM Master Plan

The BCM Master Business Continuity Plan (Master BCP) is used by senior
management to establish the overall governing process for facilitating Business
Continuity. (Owner: BCMT) The BCM Master Plan is the BCP document that
contains the primary policies, process, procedures and actions needed protect the
organization from serious BCFS loss.
The BCM Master BCP should include the organizations policy and vision with
dealing with emergencies, either man made or natural. The processes listed in the
Public Domain
Page 31 of 58
White Paper
Version 1.0
plan will include the BCP Communications Plan; EMT, BCC/DRC and BCT team
activities; organized by major crisis type, location crisis type and contingencies with
checklists for the various BCFSs and actions required for each. If situational
contingencies have been prepared, they will be identified and referenced within the
BCM Master Plan. Recovery activities for each BCFS and location will be referenced
for EMT guidance and execution.
6.2.2 BCM Communications Plan

The ability to communicate during any crisis or emergency is paramount to
successful BCP execution. (Owner: BCMT). A BCM Communications Plan must be
created to become a primary section of the BCP Master Plan to ensure identification
of all BCM resources for all sites and functions the BCP is intended to cover.
The Communications Plan will also list all Notification and Reporting schedules/lists
required to ensure appropriate resources are engaged and informed with the current
status published in accordance within organizational policies and guidelines. The
BCM Communications Plan should include the following contact information:
Identification of the BCMT and subsequent CMT/EMT
Identification of the organizations business locations with BCFS
Identification of the BCC/DRC by location and function
Identification of the BCT by location and function
Identification of the external contingencies, emergency facilities, key venders
and key customers, or other contingency contact information deemed
appropriate
6.2.3 BCM Common Processes Plan

The ability to manage status and instruct flow during the execution of a crisis or
emergency is a key basis to successful business risk mitigation. (Owner: BCMT) A
BCM Common Processes Plan must be created and become a complementary
section to both the BCP Master and Communication Plans to ensure status reporting
and execution of activities between the EMT and the BCC/DRC is properly managed
and maintained.
The Common Processes Plan will list all Status Notification and Reporting schedules
required to ensure the EMT is fully informed as to the current status of the crisis or
emergency and all actions engaged by the BCC/DRC. The BCM Common
Processes Plan should include the following information:
Meeting requirements for all teams to establish Command & Control
requirements
Common Status Reporting Schedules and activities
Common steps taken by the EMT, EOC, BCC, DRC and BCT
Other common activities that is required within the execution of all BCPs
6.2.4 BCP Site Plans

To successfully execute the mitigating actions needed to protect the organization
from loss at the Facility level, action steps must be planned in great detail using BCP
Site Plans. (Owner: BCC, DRC).
A BCP Site Plan is the level of actions or steps taken by the resources physically
protecting the organizational assets within a single facility. The actions listed within a
Site Plan shall be defined as a major BCFS and/or operational system that may be
Public Domain
Page 32 of 58
White Paper
Version 1.0
disrupted from normal operation during the course of a crisis or emergency. BCFSs
or Systems will be listed by standard reference nomenclature so as not to
disseminate misleading or confusing information or status.
The Site Plans will define the steps needed by a reasonably skilled resource to
protect sites BCFSs or Systems. The resource executing these steps may not be
fully skilled on the BCFS or System so the level of detail provided must not make any
assumptions of the depth of specific skills required. Each Site Plan will include a
safeguard list of items addressed, the current status of each, and reference
information that may be used to assist in execution in the event of the performed
action failure.
6.2.5 BCP Sub-Plans

To successfully execute the mitigating actions needed to protect the organization
from loss, lower level action steps must be planned in great detail using BCP SubPlans. (Owner: BCC, DRC, BCT).
A BCP Sub-Plan is the lowest level actions or steps taken by the resources
physically protecting the organizational assets. These actions shall be defined by
BCFS and/or technological system(s) that may be disrupted from normal operation
during the course of a crisis or emergency. BCFSs or Systems will be listed by
standard reference nomenclature so as not to disseminate misleading or confusing
information or status.
The Sub-Plans will define the steps needed by a reasonably skilled resource to
protect BCFSs or Systems. The resource executing these steps may not be fully
skilled on the BCFS or System so the level of detail provided must not make any
assumptions of the depth of specific skills required. Each Sub-Plan will include a
safeguard list of items addressed, the current status of each, and reference
information that may be used to assist in execution in the event of the performed
action failure.
6.2.6 BCP Contingency Plans

To plan for the less likely but more catastrophic crisis situations, such as total loss or
extended disruption of operational work space, or for those other scenarios that have
major impact in more focus situations. (Owner: BCC, DRC, BCT).
A BCCP is more directed to location, facility or site relocation in the event of a
catastrophic failure or loss of operational work space. A BCCP is also established
for those extreme circumstances that may be presented where Normal Business or
System Function can not be readily restored to service.
These plans will identify alternate work locations, resources, equipment, or other
planned alternatives needed to safeguard life and organizational assets.
Off site lock boxes for business critical data or intellectual property is just an example
of what a BCCP may cover. Contingency contracts for space and assets needed to
temporarily relocate the BCFS to maintain a minimum level of service.
Alternative processes or requirements for a given set of circumstances to mitigate
failure at the site level
6.2.7 Validating the BCP

Once the BCP is approved, it should be validated for the types of situations it is
designated to provide coverage. (Owner: BCPA). Prior to validating the BCP,
Public Domain
Page 33 of 58
White Paper
Version 1.0
training of all resources should be scheduled to ensure a basis of understanding is

established for all organizational functions and resources. A Validation without
sufficient knowledge will result in inaccurate capability data.
BCP Validation is defined as an ongoing process to ensure the highest State of
Readiness is maintained throughout an organization. The BCPA shall, as a
continual administrative and governance function of their role, conduct tests on
select portions of the BCP in accordance with an established schedule.
Each validated shall be accomplished by execution of select components of high
risks to ensure the fundamental BCP sections meet the desired expectation. The
BCP validation is a test of execution against the resulting simulated BCFS failure.
Testing must be performed periodically to ensure a highest level of readiness is
maintained at all times.
A review of the BCP Validation should be provided to the BCMT as soon as it is
available. The same sections of a BCP should not be validated in consecutive tests
to provide a wider cross-section of validation and subsequent quantification of
readiness statistics.
6.2.8 BCM Program - Document Flow
Public Domain
This illustrates the BCM program document flow process.

This process contains management level plans, site level plans and
department level plans.
Sub-plans are used by the subject matter experts to execute tasks, provide
information and reestablish baselines.
Add and remove elements in the document flow illustrated in Figure 14 below
to meet the needs of the organization.
Page 34 of 58
White Paper
Version 1.0
Figure 14: BCM Document Flow Diagram

Business Continuity
Management Level
The BCM Level is used by the
EMT & EOC to manage the BCM Process
BCM Master Plan

BCM Communications Plan
BCM Common Processes Plan
Department Plans facilitate the

BCM at the Department level
and are Contingency Plans
Business Continuity
Plan Level
Departmental
Plans
BCM
Business
Continuity Plans
(Site BCP)
BCM
Site Plans facility the

BCM at the local level
Business Continuity
Sub-Plan Level
Documents are classified into four (4)

categories that represent Sub-Plan content types
Sub-Plans contain the information or
tasks that the Business Continuity Team
perform or use to mitigate risk
Configurations
Executive Dept
Legal Dept
HR Dept
Finance Dept
Sales Dept
Product Development Dept
Operations Dept
Customer Solutions Dept
Cisco 28xx Router Configuration

Cisco 37xx Switch Configuration
Cisco 38xx Router Configuration
Cisco Aironet 12xx Wireless AP Configuration
Cisco Call Manager Configuration
Domestic (ST) database Configuration
Handheld Scanner Configuration
HP 42xx/43xx Printer Configuration
JBM Cellular Broadband Configuration
Local Site File and Printer Server Configuration
MOS model 500 Scale Configuration
Site Active Directory Configuration
Site Invoice Printer Configuration
Zebra (105xx, 28xx) Printer Configuration
Site Emergency Contact List
Site Emergency Contact List for all Vendors
Site Inventory of IT Equipment
Site Inventory of OPS Equipment
Site Listing of LAN IP Ranges
Information
Site Evacuation Plan
SOP
These risk mitigating actions safeguard the

companys ability to continue to operate normally
Tasks
Domestic (ST) Database Server Recovery Tasks

Emergency Power Generator Recovery Tasks
ID Mail Sorting Machine Recovery Tasks
Libra Mail Sorting Machine Recovery Tasks
Local Site File and Printer Server Recovery Tasks
Setup Tasks for Domestic (ST) Admin Stations
Setup Tasks for Domestic (ST) Coding Station
Setup Tasks for Domestic (ST) Receiving Station
Site Active Directory Recovery Tasks
Site Automation Equipment Recovery Tasks
Site Data Communications Recovery Tasks
Site Server Room Equipment Recovery Tasks
Site Voice Communications Recovery Tasks
6.2.9 Business Continuity Planning Recap

To recap what is needed to establish BCM, remember that the first thing to do is to
establish a BCM organizational structure that includes the BCMT, BCSC, BCPA,
BCC, DRC and BCT. The next step is to have the BIA with subsequent Risk
Assessment conducted. With the information from the BIA create a BCS aligned
with the business strategic vision. Then create the plans, use the BCP Components
to identify the plans needed:
Master Plan
Communications Plan
Common Process Plan
Site or Facility Plans
Sub-Plans
Contingency Plans
Final step is to validate the plans by running tests using them and establishing a
review schedule to keep the plans current and ready.
Public Domain
Page 35 of 58
White Paper
Version 1.0
7 Business Continuity Plan Execution

When it comes to execution, Time is Money! The BCM Model makes every attempt
to 1) utilize current operational resources and skills and 2) put the right information in
the hands of those who will have the greatest impact of mitigating the risk exposed.
This requires that the BCM Program be fully structured with an organization that
includes the required management and skilled resources. An assignment of roles
and responsibilities for each is imperative to swift execution. To further enhance the
timeliness of execution, continual training and awareness is a must to keep fresh the
reasons why they need to stay with the program.
The components of the BCM Program outlined goes to great lengths to establish the
appropriate command and control structure that meets governmental guidelines and
industry standards. The elements shown have been successfully implemented
within a global enterprise and are proven functionally expedient.
7.1 BCP Execution Team Leadership Tree

To facilitate the execution of the BCP, the BCT Structure will need to identify the
various lead elements. During execution of the BCP, the BCM requires the
establishment of Lead components to facilitate the organizations management
structure for declaration, execution, management and reporting of the tasks to
execute to protect the organization from extended periods of loss of services.
The BCP Lead Components are established as part of the overall BCM
organizational structure which includes the EMT Lead, EOC Lead, BCC/DRC Leads
for the locations affected and optionally the COOP Leads for the various systems
impacted. These leads are the primary response team leads to manage the
execution of all tasks performed by the BCT. Each lead has defined organizational
responsibilities and associated sub-plans.
Public Domain
Page 36 of 58
White Paper
Version 1.0
Figure 15: BCM Team Leadership Components
7.1.1 EMT Team Component

To provide management during BCP execution, the Emergency Management Team
is responsible for declaration, execution, restoration and risk mitigation. The EMT
shall be a predefined group of senior managers who are assigned on a rotational
basis to lead the BCM Process in the event of a crisis or emergency. This team is
also known as the Crisis Management Team (CMT).
The EMT Lead is the designated member of the BCMT that is on call to handle the
management role within the execution of the BCM Process. The EMT Lead shall
identify, qualify and declare emergencies using the BCM policies and guidelines for
each and remains the central management role and shall provide status reporting to
the Executive Emergency Management Team (EEMT) throughout the declared
emergency period. The EMT shall dispatch resources to execute applicable sections
of the identified BCPs as deemed appropriate to mitigate the risk of service loss to
the organization. The EMT shall participate in a post restoration review to identify
any BCP changes that may need to be addressed to ensure an evolving, self
correcting BCM process.
7.1.2 EOC Team Component

During the execution of the BCP, a central impact issue tracking, status collection,
and information command post must be established. The EOC shall be formed as
the primary function of the central Help or Service Desk function during the execution
of the BCM process as deemed by the EMT.
The EOC shall report to the EMT for all BCP assignments and communicate directly
with the BCC/DRC, and as needed to the BCT, at the location or locations impacted.
Public Domain
Page 37 of 58
White Paper
Version 1.0
The EOC shall provide organizational communications as directed by the EMT in

accordance with the BCP Communication and Common Processes Plans. All
system, functional, and organizational status collection shall be directed to the EOC
for central collection and redistribution as deemed appropriate by the EMT, or in
accordance with the BCP.
7.1.3 BCC/DRC Team Component

When the EMT requires execution of a BCP, a specialized local leadership team is
required to oversee the steps needed to mitigate risk. The BCC/DRC is the
predetermined local functional lead that is directed by the EMT to plan, prepare, and
execute the BCP and/or Sub-Plan steps needed to identify and perform the tasks
required to protect the organizations BCFSs.
The BCC/DRC shall identify the BCT needed at the impacted location (Site, Facility
or Office) and provide the BCT roster to the EMT. The EMT shall direct the
BCC/DRC on all actions taken to mitigate risk. The BCC/DRC is responsible for the
assigned locations business and system continuity, operational status and
restoration of impacts that impair the continued operations of service from that
location.
The location resource, system and business status is to be reported to the EOC by
the BCC/DRC to ensure the EMT is kept abreast of all situational changes. The
BCC/DRC shall utilize the EMT to facilitate and coordinate activities required outside
of the location where the BCC/DRC is located.
7.1.4 BCT Component

To execute the BCP, resources must be assigned functional responsibilities at each
location covered by the plan. The BCT is a pool of resources that is used to execute
the mitigation of risks or restoration from BCFS loss specific using specific resource
skills to step through the tasks needed to plan, prepare, or restore from a defined
condition.
These resource skills are identified on a function by function and location by location
basis and may include a specific function senior member to lead for the execution of
a specific task such as an Emergency Coordinator (EC), Emergency Response
Team (ERT), Area Coordinators (AC) or Evacuation Managers (EM). These
specialized roles will be used by the BCC / DRC as needed to facilitate the execution
of the tasks required by the BCP.
The BCC and/or DRC are the designated lead for a given set of functional areas at a
specified location. A BCC or DRC may oversee multiple functional areas but should
be limited to the location at which they regularly perform their daily work. The
location BCT will be directed by the BCC or DRC as needed to complete the tasks
identified in the BCP using the specified BCP Sub-plans.
7.2 Plan Elements

The BCP shall include various components to provide proper coverage of all
Business Critical Function and/or supporting Service (BCSF). BCPs consist of
numerous components and elements that are used to facilitate the organizations
execution of recovery processes. The typical BCP elements are:
Public Domain
Site (Location or Facility) Plans

Critical Function Plans
Page 38 of 58
White Paper
Version 1.0
Sub-Plans
Contingency Plans
Each of these BCP Elements is designed for a specific purpose to protect people,
places and things. Through these plans, risk to the organization is mitigated and
resiliency established. The Process of Execution shall outline all of the elements
leading up to this point in a flow that will provide a Continual Self Improvement
aspect to ensure the process does not grow stagnant.
7.2.1 Main Points of Coverage

There are three main areas each BCP will utilize and a forth as needed
Prepare:
These are the advance action steps that can be performed to safeguard
assets in preparation for or at the very beginning of a crisis, including
activating the resources needed
Safeguard:
These are the action steps that can be performed during the crisis to
safeguard assets and mitigate further risk
Restore:
These are the action steps that can are performed to return operations to
normal after the crisis has ended
Recover:
These are the action steps that are needed to replace a function, system,
facility that has been damaged which cannot simply be restored and placed
back into normal service
Public Domain
Page 39 of 58
White Paper
Version 1.0

Figure 16: BCP in Action
Business Continuity Plans in Action
Actions &
Reporting
Actions &
Reporting
Crisis
Reported
To
Helpdesk
Prepare
Actions &
Reporting
Restore
Site OPS BCP
Recover
Task
Task
Normal
Operations
Safeguard
Notification,
Actions & Reporting
EOC
Activated &
Notifies
Actions &
Reporting
EMT
Site IT BCP
Notifications,
Actions & Reporting
Normal
Operations
Resume
Recover
Prepare
Restore
Actions &
Reporting
Safeguard
Actions &
Reporting
Actions &
Reporting
Actions &
Reporting
EMT Declares Crisis & is Notifications
BCT Teams
Prepare
BCT Teams
Mitigate Risk,
Monitor & Report
BCT Teams
Recover/Restore
EMT Declares Crisis End
7.3 BCM Execution Process

The BCP shall follow a defined process to ensure that all assets are safeguarded
against risk. A synopsis of what this process entails:
1) Incident reported to HD (EOC)
2) EOC evaluates Incident to BCM criteria
3) EOC notifies on call EMT
4) EMT declares Status
5) EOC notifies
6) BCC & DRC activate BCPs
7) BCC & DRC report status to EOC
8) EOC collects status and provides to EMT
9) EMT with BCC & DRC determine BCP steps to take to mitigate risk
10) BCT engaged to complete BCP tasks
11) EMT Declares status
12) Post Emergency Meeting to identify BCP gaps and strategies to include in BCPs
Public Domain
Page 40 of 58
White Paper
Version 1.0

Figure 17: BCM Process Flow
End
BCM
Communications
Plan
BCP
Master Plan
Identify
BCT needed to
mitigate Impact
risks
{EMT}
Emergency
Situation
Declaration
Notification
{EOC}
Emergency
Situation
Restoration
Notification
{EOC}
Emergency
Situation
End
Notification
{EOC}
Activate
Emergency
Support Teams
EOC / EMT /BCT
{EMT}
Declare
Emergency
{EMT}
Declare
Restoration
{EMT}
Declare
End
{EMT}
Preliminary
Emergency
Situation
Notification
{EMT}
Execute
Site & Dept
BCP
-Prepare{BCC / DRC}
Execute
Site & Dept
BCP
-Safeguard{BCC / DRC}
Prepare
for
Impact
{BCT}
BCP
SubPlans >
{BCT}
Emergency
Status / Issue
Data
Collection
{EOC}
Execute
Site & Dept
BCP
-Restore{BCC / DRC}
BCP
Identify
Locations,
Functions &
Systems Impacted
{EOC / EMT}
Evaluate
Emergency
Impact
{EMT}
BCP
Probability of
Emergency
Identified
{EOC /EMT}
Evaluation of
BCP Actions
{EMT}
Identify
Alternate
Locations &
Resources
BCP
START
Execute
Site & Dept
BCP
-Recovery{BCC / DRC}
Legend
EMT
BCT
EOC
7.4 BCP Execution Recap

To recap what is needed to execute the BCP, remember that the first thing to do is
to identify the BCM organizational structure needed, this includes the BCMT, BCSC,
BCPA, BCC, DRC and BCT. The next step is to have the BCP validated through a
test exercise. During the BCP execution, collect the data reported to the EOC and
EMT for analysis.
The plans that should be executed are:
Master Plan
Communications Plan
Sub-Plans
Contingency Plans
Final step is to analysis the execution process and data collected to ensure all
aspects are covered.
8 BCM Plan Management & Reporting

Plan Management and Reporting is the main area of coverage that will require a
separate functional team. This is due in part to the specialized skills required to set,
establish and maintain the BCM Program. The following topics should be included
in the coverage.
Public Domain
Page 41 of 58
White Paper
Version 1.0
Reporting on the Crisis or Emergency should be accomplished in a post

execution report to the EMT by the BCPA.
General feedback from the BCT as to the effectiveness of the BCP should be
reviewed and considered for BCP changes and improvements.
Training on the BCP should be scheduled periodically for most BCFSs, Systems
and Locations not less than once every 24 months.
Annual review and updates will ensure the BCP is kept current with changes in
business or organizational structures.
Plan Management, including creation, updates, publications and aging is vital to
the State of Readiness of any organization.
Governance to ensure compliance and readiness is managed and maintained
Communications to the organization about Business Continuity should be made
several times a year, especially prior to known seasonal changes that could
impact business operations.
Business Continuity awareness is always a great topic for monthly organizational
publications.
8.1 Plan Management

The BCM Plan Management tool provides a quick view (scoreboard) of the current
status by site & team or by company and team. Used to provide instant visibility on
readiness status
Figure 18: Plan Management
18
8.1.1 Document Management

Document management is typically one of those items that never get off the ground
within a continuity program. Most see it as a hindrance to preparedness. The issue
is that if the effort is made to create and maintain plans to establish a risk
management program, managing change is vital! Document management provides
the ability not only to store and retrieve files; it also typically comes with some level
of workflow automation and versioning. Automation is important for organizations
18
All rights reserved by CPO http://www.cpo.com
Public Domain
Page 42 of 58
White Paper
Version 1.0
that have a small team managing the BCM Program, where versioning is critical to
validation of appropriate coverage.
After a recovery, contingency or restoration process is complete is too late to
determine if you have the latest information available. Then with the legal
implications, no business should operate without knowing it is using the latest
available.
Figure 19: Document Management Flow
Readiness
Plan
Management
Create Plan
PDF
Placeholders
Recovery Items
Reporting
Create / Updated
Recovery Items
Process
Report State
Of
Readiness
Create Plan
Document
Checklist
Plan
Documents
Age
Expiration
Event
SME Interviews
for Plan &
Document
Creation
New Plan /
Document
Creation
Plan /
Document
Review
Schedule
Planning
Validation
Plan Review
& Approval
Process
Testing &
Validation
Process
Document
Workflow
Management
Document
Management
System
Document
Update
Complete
Document
Repository
8.1.2 Plan Management Reporting

Reporting on the State of Readiness is crucial to the companys ability to resist the
impact of dealing with emergency or crisis throughout the year. Measurement of
readiness is required by ISO Standards to identify maturity level.
Management of readiness is dependant on visibility into the State of Readiness at
the company, site and team levels. Scoreboards provide a quick graphical view of
current state. Consolidated Readiness Reports provide the drill down needed to
identify critical points of failure or weakness. Plan document management is the key
to a successful State of Readiness. Identification of readiness of the various risks is
essential to safeguard the company
These snapshots of a site readiness report depict both graphical and textual versions
of the data. Remember, Reporting is a requirement of readiness!
Public Domain
Page 43 of 58
White Paper
Version 1.0
Figure 20: Sample Reports
19
9 BCM Governance
The BCM Models Risk Mitigation with Governance principle use of the ISACA
CoBIT model for auditing requires an understanding of the Domains and there
relationship to Business Goals and Objectives and how to use IT Resources
within the IT Process illustrated in the CoBIT framework. These are established
to ensure a level of business understanding and identify a qualifying maturity level.
The model is fully defined within the published CoBIT standard, whereas this
document will outline the CoBIT model information needed for the purpose of
providing structure and guidance to each BCM audit.
9.1 Audit Types

There are many types of audits that can be conducted. The business purpose an
audit will define the type used. This section will describe the various types of audits
and when each should generally be used. It is important to understand that the
selection of the correct audit type for the given set of circumstances is imperative to
achieve the desired results. Not every audit type is required nor desired to be
conducted, audit type selection is paramount to ensure audit scope and reporting
match the requested need.
To validate the State of Readiness of plans, standard audit principals apply. The
Audit Types diagram, Figure 21 below, depicts the main types of audits used within
industry today. The diagram depicts the audit types as they may be used within a
BCM Planning process step for representation of possible use. Each audit type will
be defined for the purpose of use within this process with an established frequency
of use as represented by (+) for common and (-) for those less commonly used.
19
All Rights reserved by CPO http://www.cpo.com
Public Domain
Page 44 of 58
White Paper
Version 1.0
Figure 21: Audit Types
9.1.1 Preparatory Audit (-)

A preparatory audit is generally conducted at the beginning of a project such as the
identification phase. Figure 21 depicts this as the Initiation of a BCP Plan. This audit
will scope the preparation aspects of the targeted project or program and its uses to
establish a basis for work scope required to move forward. These audits are usually
conducted to identify skills needed to define a project, program, product, concept or
idea.
9.1.2 Feasibility Audit (+)

A feasibility audit is just what it implies, to identify the possibility of an idea or concept
for a project or program. Figure 21 depicts this as the transitory phase from the BCP
Initiation to the BCP Assessment. This audit will scope the probability of success of
the idea or concept for execution with a cost benefit analysis. This type of audit is
usually conducted to identify and create a business case for the purpose of funding a
project, program or product.
9.1.3 Due Diligence Audit (-)

A due diligence audit is a much broader type of audit and is more frequently
conducted to identify work effort assignment clarity. Figure 21 depicts this as the
BCP work effort area of the process. This audit will scope the ability for a skill to
complete a task within the confines of a project, program, procedure or process.
This type of audit is generally used to identify failures of skills within processes and
will provide a resulting failure and risk report.
9.1.4 Compliance Audit (+)

A compliance audit is the most common of all audit types and is most frequently
conducted to identify adherence to standards. Figure 21 depicts this as the entire
BCP process. This audit will scope the identified process required by regulatory
(government, industry or business) requirements. This type of audit is used to
identify process or procedural failures for the purpose of metrics measurement and
improvement with a resulting failure measurement, risk identification and
Public Domain
Page 45 of 58
White Paper
Version 1.0
recommendation for improvement based upon the governing standards. The CoBIT
model focuses primarily on this audit type.
9.1.5 Investigative Audit (+)

An investigative audit is just as in implies, which is to research a process, procedure,
product, operation or function to identify fault or failure points. Figure 21 depicts this
as the post delivery analysis area of the BCP process. This audit will scope the area
to be investigated with an understanding of broadening as needed by the
investigative process which implies a liberal scope for the audit process. This type of
audit is used solely when a suspected failure is present and further information is
required to clearly identify the fault for reporting and risk assessment.
9.2 Audit Type Usage

Within an organization BCM Program the focus of audits will primarily pertain to the
Compliance audit type for the purpose of measurement within the ISACA CoBIT
maturity model for IT services delivered. However, the conduct of a Root Cause
Analysis (RCA) uses an Investigative audit type as a basis for providing factual
results when a service delivery failure occurs. The Feasibility audit type is used for
the purpose of developing business cases to improve or develop a process which
includes changes in and/or a new; services, products or functions to meet business
needs. Preparatory and Due Diligence audit types are not normally conducted
within the audit process unless a business need identifies the specific requirements
for their conduct.
9.3 Performance Metrics

Industry best practices utilize ISACA CoBIT Governance Performance Metric for
most governance activities. Metrics are needed to ensure compliance to plan for
determination of the State of Readiness. The graphic in Figure 22 illustrates the
complexities involved with establishing metrics. The appropriate metric is the one
that provides the greatest value to the desired objective. An organization will need
to identify and determine what those objectives are and then design metrics using
the process shown to define the measurement system used.
Public Domain
Page 46 of 58
White Paper
Version 1.0
Dr
iv
e
Measure achievement
Dr
iv
e
Measure
Measure
Dr
iv
Measure
Measure
Improve and realign
Figure 22: CoBIT Performance Metrics
20
10 BCM Review
Now that we all understand what is Business Continuity Management utilizing the
new ISO standards and its importance to the continued operation of business, what
does BCM mean to You?
1. Managing a Business Continuity Program is an Organizational responsibility
2. Must have a Basis: Risk Analysis, BIA, Risk Cost Modeling
3. Plans have owners, owners must accept responsibilities, and its a culture!
4. Use the right Tools to facilitate the BCM process
5. Reporting is key to providing Value Add
6. BCM is Risk Mitigation with Governance
20
All Rights Reserved by ISACA http://www.isaca.org
Public Domain
Page 47 of 58
White Paper
Version 1.0
Appendix A BCM Definitions

The following pages identify the some of terms used within the Business Continuity
Industry and are used within this BCM Model. These definitions are derived from
several Internet sources:
Disaster Recovery Journals Business Continuity Glossary

http://www.drj.com/glossary/glossleft.htm
ISACA International body of Governance Standards http://www.isaca.org/
ITIL International body on Service Delivery Standards
http://www.itil.org/en/index.php
Disaster Recovery Institute International http://www.drii.org/DRII/
International Standards Organization http://www.iso.org/iso/home.htm
American Standards Organization http://www.ansi.org/
Wikipedia http://en.wikipedia.org
Object Management Group http://www.omg.org
GRC Roundtable http://www.grcroundtable.org
And many more
Definitions:
BUSINESS CONTINUITY (BC): The ability of an organization to provide service and
support for its customers and to maintain its viability before, during, and after a
business continuity event.
BUSINESS CONTINUITY MANAGEMENT (BCM): A holistic management process
that identifies potential impacts that threaten an organization and provides a
framework for building resilience with the capability for an effective response that
safeguards the interests of its key stakeholders, reputation, brand and value creating
activities. This includes the facilitation of recovery, continuity and/or restoration in
the event of a disaster and the management of the overall program through training,
rehearsals, and reviews, to ensure the plan(s) stay current and up to date.
This implies that an organization needs to identify and define the potential
impacts; create a framework to mitigate and manage risks, within industry
standard guidelines, to defend the organization against the potential of loss with
the resiliency to quickly recover in the event of a disaster.
This is accomplished by using industry best practices in creation and execution
of a Business Continuity Management Process (BCMP).
BCM is the entire organizations responsibility, for each entity within an
organization has a stake in the success of the organization as a whole!
BUSINESS CONTINUITY MANAGEMENT PROCESS (BCMP): The Business

Continuity Institutes BCM process (also known as the BC Life Cycle) combines 6
key elements:
1. Understanding Your Business
2. Continuity Strategies
3. Developing a Business Continuity Management Response
Public Domain
Page 48 of 58
White Paper
Version 1.0

4. Establishing a Continuity Culture
5. Exercising, Rehearsal & Testing
6. Evolving Business Continuity Management Process
The BCMP implies that an organization needs to define the process under which
it will execute the Business Continuity concepts using the 6 key elements above.
BUSINESS CONTINUITY MANAGEMENT TEAM (BCMT): A group of individuals

functionally responsible for directing the development and execution of the business
continuity plan, as well as responsible for declaring a disaster and providing direction
during the recovery process, both pre-disaster and post-disaster. This is a
component of the BCMP.
Management Team.
Associated Terms: Crisis Management Team, Emergency Management Team.
The BCMT must have a guiding principle to ensure the company is adequately
protected with a vision into the direction the company plans to explore in the near
and long term.
This is accomplished by developing a BCS that encompasses both the
companys current state and future direction.
The BCMT is chartered with management oversight of the BCMP and all
subsequent teams, plans, processes needed to achieve Business Continuity.
They have direct responsibility to ensure that the BCS objectives are met within
the execution of the BCMP and utilize the BCPA to administer all aspects of the
BCMP.
The BCMT or designee shall be the organizational entity to officially declare an
emergency situation that will evoke the execution of the BCP and subsequent
respective plans.
BUSINESS CONTINUITY OR DISASTER RECOVERY COORDINATOR

(BCC/DRC): A role of the BCM program that coordinates planning and
implementation for overall recovery of an organization or unit(s).
SIMILAR ROLES: Business Recovery Coordinator, Business Recovery Planner,
Disaster Recovery Planner, and Disaster Recovery Administrator
This implies that an organization needs to identify the local resources that will
physically execute the BCP or DRP.
This is accomplished by designating a primary and alternate resource for each
location for both business operational (BCC) and technological (DRC) functions
to participate in the execution of all local and enterprise-wide BC or DR plans.
The BCC/DRC is responsible for ensuring the local plans are up to date,
coordinate the local plans with the BCPA to bring them in sync with the BCP,
execute their plans under the management of the BCMT or designee.
The BCMT should maintain a location by location BCC/DRC list.
BUSINESS CONTINUITY PLAN (BCP): A management approved document that

provides guidance on the system restoration for emergencies, disasters,
mobilization, and for maintaining a State of Readiness to provide the necessary
Public Domain
Page 49 of 58
White Paper
Version 1.0
level responsiveness to business interruptions, outages and disasters. This is a

SIMILAR TERMS: Business Resumption Plan, Continuity Plan, Business Continuance
Contingency Plan, Disaster Recovery Plan, Recovery Plan.
This implies that an organization must create a plan that includes all aspects of
the BCM for the organization.
The BCP shall include reference to all other BC or DR plans used by the
organization so as to ensure risk is mitigated and contingencies are identified.
This is accomplished by the BCMT directing the BCPA to create a plan that
meets the objectives outlined in the BCSC and meets industry standards for
BCM.
The BCPA is directly responsibility for the creation and execution of the BCP for
both actual declared emergencies and for periodic updates and testing.
BUSINESS CONTINUITY PLAN ADMINISTRATOR (BCPA): The designated

individual responsible for plan documentation, maintenance, and distribution. This is
a component of the BCMP.
This implies that an organization needs to identify a qualified resource to manage

the Business Continuity Plans and Program.
To accomplish the tasks assigned, this resource should be dedicated full time to
the BCPA role to ensure Business Continuity is maintained at all times and to
assist in the development of a BC friendly work environment throughout the
organization.
The BCPA is responsible for and has direct management authority of the
creation, planned execution and adherence to, the BCMP. The BCPA sits on the
BCMT and BCSC panel and participates in the creation of the BCS.
The BCPA may also participate in the development of Continuity of Operations
Plan (COOP) for the normal operation of business to ensure synergy between
normal and emergency operational conditions.
The BCPA should periodically report on the BC readiness of the organization.
BUSINESS CONTINUITY PLANNING (BCP): Process of developing and

documenting arrangements and procedures that enable an organization to respond
to an event that lasts for an unacceptable period of time and return to performing its
Business Critical Functions and/or supporting System (BCFS) after an interruption.
SIMILAR TERMS: Business Resumption Plan, Continuity Plan, Business Continuance
Contingency Plan, Disaster Recovery Plan, Recovery Plan.
This implies that an organization needs to identify the needs of the business to
support its continued operations in the event of a crisis that impedes its ability to
provide normal services to its customers.
Business Continuity is accomplished through an organizational structure called
the Business Continuity Management Team (BCMT) that uses a process called
the Business Continuity Management Process (BCMP) to appropriately and
swiftly react to most anticipated and unanticipated disruptions of that service.
BUSINESS CONTINUITY STEERING COMMITTEE (BCSC): A committee of

decision makers, process owners, technology experts and continuity professionals
Public Domain
Page 50 of 58
White Paper
Version 1.0
that are tasked with making strategic recovery and continuity planning decisions for
the organization. This is a component of the BCMP.
This implies that an organization needs to identify the resources that should
participate on the BCSC that will adequately provide coverage for all BCFS,
Corporate Vision and Future Direction Planning.
The selection and designation of resources to the BCSC is accomplished by the
BCMT and must be approved and supported by the Senior Executive
Management Team.
The BCSC is chartered with strategic oversight of the Business Continuity
Strategy (BCS), Business Continuity Management Process (BCMP), Business
Continuity Plan (BCP), Disaster Recovery Plan (DRP), Executive / Management
Succession Plan (EMSP), Continuity of Operations Plan (COOP), along with all
subsequent supporting processes needed to protect the company from
operational risks that results in financial loss or direct exposure to catastrophic
fiduciary failure.
BUSINESS CONTINUITY STRATEGY (BCS): An approach by an organization that

will ensure its recovery and continuity in the face of a disaster or other major outage.
Plans and methodologies are determined by the organizations strategy. There may
be more than one solution to fulfill an organizations strategy. This is a component of
the BCMP.
EXAMPLES: Internal or external hot-site, or cold-site, Alternate Work Area reciprocal
agreement, Mobile Recovery, Quick Ship / Drop Ship, Consortium-based solutions, etc.
This implies that the BCMT must identify the most common natural and manmade impacts to business first so as to plan for the lowest level impact to the
major impact events.
In order to accomplish this task, the BCSC employs the BCMT to list the types of
Crisis and/or Disasters that would impact the companys ability to operate.
These are usually identified along with the identification of the Business Critical
Functions and/or supporting Systems (Mission Critical Activities and Supporting
Systems).
Together the BIA will identify the Business Critical Functions and/or supporting
Systems (BCFS) and the BCT will identify the plausible impacts and probability of
each identified scenario.
The BCS is defined and approved by the BCSC and executed using the BCMP.
BUSINESS CONTINUITY TEAM (BCT): Designated individuals responsible for

developing, executing, rehearsing, and maintaining the business continuity plan,
including the processes and procedures. This is a component of the BCMP.
SIMILAR TERMS: Disaster Recovery Team, Business Recovery Team, and Recovery
Team.
Associated Term: Crisis Response Team, Emergency Management Team.
This implies the BCMP requires the BCMT to designate individuals from the
various departments, organizations and teams to participate not only in the
Business Impact Analysis (BIA) but in the entire BCMP.
Representatives of the BCT should be those individuals who are directly involved
with or support the Business Critical Functions and/or supporting Systems
Public Domain
Page 51 of 58
White Paper
Version 1.0
(BCFS) with a sufficient cross-section of resources and alternate designees to

participate in the recovery of each function listed.
If the BCFS are performed at multiple locations, designated representatives from
each location should also be included in the BCT. The BCT is utilized by the
BCC/DRC during the execution of BC/DR plans for the specific functions required
to recover or restore BCFS.
The BCMT should maintain a location by location, function by function BCT list.
BUSINESS CRITICAL FUNCTIONS / SYSTEM (BCFS): The critical operational

and/or business support functions that can not be interrupted or unavailable for less
than a mandated or predetermined timeframe without significantly jeopardizing the
organization. An example of a business function is a logical grouping of
processes/activities that produce a product and/or service such as Accounting,
Staffing, Customer Service, etc.
This could pertain to assets described as an item of property and/or component

of a business activity/process owned by an organization. There are three types
of assets: physical assets (e.g. buildings and equipment); financial assets (e.g.
currency, bank deposits and shares) and non-tangible assets (e.g. goodwill,
reputation)
Functions or systems that are used to determine the trade marked identity of an
organization within their respective industry, nationally or globally may be
considered a Business Critical Functions and/or supporting Systems (BCSF)
The critical operational and/or business support activities (either provided
internally or outsourced) required by the organization to achieve its objective's
i.e. services and/or products. Such as applications that support business
activities or processes that could not be interrupted or unavailable for 24 hours or
less without significantly jeopardizing the organization
SIMILAR TERMS: Mission Critical; Mission Critical Activities/Applications; Critical

Systems
BUSINESS IMPACT ANALYSIS (BIA): A process designed to prioritize Business

Critical Functions and/or supporting Systems (BCFS) by assessing the potential
quantitative (financial) and qualitative (non-financial) impact that might result if an
organization was to experience a business continuity event. This is a component of
the BCMP.
This implies that an organization should first have a BIA conducted with an
external firm specializing in this concept to identify the Business Critical
Functions and/or supporting Systems (aka Mission Critical Activities and
Supporting Systems) and include a detailed risk assessment to quantify the BIA
findings.
The BIA should be a coordinated effort with the BCMT and BCT to provide a
current analysis of business impact.
The resulting BIA should be used by the BCMT to create and document the BCS
for the company.
The BCS will need to be approved by the BCSC and implemented using the
BCMP.
Public Domain
Page 52 of 58
White Paper
Version 1.0
BUSINESS INTERRUPTION: Any event, whether anticipated (i.e., public service

strike) or unanticipated (i.e., blackout) which disrupts the normal course of business
operations at an organizations location.
SIMILAR TERMS: Outage, Service Interruption.
Associated Terms: Business Interruption Costs, Business Interruption Insurance.
BUSINESS INTERRUPTION COSTS: The impact to the business caused by

different types of outages, normally measured by revenue lost.
Associated Terms: Business Interruption, Business Interruption Insurance.
BUSINESS INTERRUPTION INSURANCE: Insurance coverage for disaster related

expenses that may be incurred until operations are fully recovered after a disaster.
Business interruption insurance generally provides reimbursement for necessary
ongoing expenses during this shutdown, plus loss of net profits that would have
been earned during the period of interruption, within the limits of the policy.
Associated Terms: Business Interruption, Business Interruption Costs.
CONTINUITY OF OPERATIONS PLAN (COOP): A COOP provides guidance on

the system State of Readiness to provide the necessary level of information
processing support commensurate with the mission requirements/priorities identified
by the respective functional proponent. The Federal Government and its supporting
agencies traditionally use this term to describe activities otherwise known as
Disaster Recovery, Business Continuity, Business Resumption, or Business
Continuance Contingency Planning (BCCP).
For the purpose of brevity, COOP will be defined herein as the normal business
operational plan used to handle every day issues of supporting the business.
This implies that an organization needs to identify the Standard Operating
Procedures (SOP) used for daily activities in the support of normal business
functions.
The SOPs should be detailed processes governing such functions as Issue
Management, Change Management, System Management Administration,
Procurement Management, Resource Management, Corporate Policies and
Corporate Communications.
DISASTER: A sudden, unplanned calamitous event causing great damage or loss

as defined or determined by a Risk Assessment and Quantified by a Business
Impact Analysis (BIA);
1) Any event that creates an inability on an organizations part to provide
Business Critical Functions and/or supporting Systems (BCFS) for some
predetermined period of time.
2) In the business environment, any event that creates an inability on an
organizations part to provide their critical function for some predetermined
period of time.
3) The period when a companys or organizations management decides to
divert from normal production responses and exercises its Business
Continuity Plans (BCP) Disaster Recovery Plans (DRP) and/or Business
Public Domain
Page 53 of 58
White Paper
Version 1.0
Continuance Contingency Plans (BCCP). Typically signifies the beginning of

a move from a primary to an alternate location.
SIMILAR TERMS: Business Interruption; Outage; Catastrophe
DISASTER RECOVERY (DR): Activities and programs designed to return the entity
to an acceptable condition. The ability of an organization to respond to an
interruption in services by implementing a disaster recovery plan which will restore
an organization's Business Critical Functions and/or supporting Systems (BCFS).
DISASTER RECOVERY PLAN (DRP): The management approved document that
defines the resources, actions, tasks and data required to manage the technology
recovery effort. Usually refers to the technology recovery effort. This is a
SIMILAR TERMS: Business Continuity Plan, Recovery Plan, Business Resumption
Plan, Business Continuance Contingency Plan.
This implies that an organization needs to identify the means by which it will
recover from a failure of technology due to expected or unexpected means.
This is accomplished by documenting the various technology systems and
components, planning how to swiftly restore each and resources needed to
facilitate the restoration activities.
The technology department managers over each area of functionality are
responsible for documenting, planning, supporting and providing skilled
resources to ensure the normal operation and survivability of the technology
under their control.
The plan should include reference to the external documents maintained as part
of the Standard Operating Procedures (SOP) of the technology and call for the
transfer of this information to this plan in the event of its execution.
DISASTER RECOVERY PLANNING (DRP): The technological aspect of business

continuity planning. The advance planning and preparation that is necessary to
minimize loss and ensure continuity of the Business Critical Functions and/or
supporting Systems (BCFS) of an organization in the event of disaster.
SIMILAR TERMS: Business Continuance Contingency Plan; Business Resumption
Planning; Corporate Contingency Planning; Business Interruption Planning; Disaster
Preparedness.
This implies that an organization not only needs to provide Business Continuity,
but that it needs to have the ability to recover from impeding situations rapidly to
mitigate business risk.
Disaster Recovery is primarily a technological function to restore business
capability that is accomplished using the Disaster Recovery Plan (DRP) identified
within the Business Continuity Plan (BCP) derived by the Business Continuity
Plan Administrator (BCPA) under the direction of the Business Continuity
Management Team (BCMT).
EMERGENCY MANAGEMENT TEAM (EMT): A group of managers functionally

responsible for execution of the business continuity plan, as well as responsible for
Public Domain
Page 54 of 58
White Paper
Version 1.0
declaring a disaster and providing direction during the recovery process, both predisaster and post-disaster.
Management Team.
Associated Terms: Crisis Management Team, Executive Emergency Management
Team.
The EMT is a line manager that declares and directs the execution of the BCM.
The EMT is chartered with management oversight of the EOC, BCC & DRC and
all subsequent teams, plans, processes needed to achieve Business Continuity.
They have direct responsibility to ensure that the BCMT objectives are met within
the execution of the BCM Process and utilize the Emergency Command Center
(EOC) to administer execution aspects of the BCM.
BCM Process is accomplished through the utilization of the EOC and
organizational level management plans.
The EMT shall be a group of seasoned managers that are on a rotational on-call
basis.
EXECUTIVE / MANAGEMENT SUCCESSION PLAN (MSP): A predetermined plan

for ensuring the continuity of authority, decision-making, and communication in the
event that key members of executive management unexpectedly become
incapacitated. This is a component of the BCMP.
This implies that an organization needs to identify a succession plan for all levels
of management. Executive Management succession is considered critical to the
operation of the business and must be planned in advance.
To accomplish this, the Executive Managers shall identify alternate designees for
themselves and their direct reports. This type of information is considered
company secret and should not be made public inside or outside the company
without the CEO or Presidents prior approval and only provided to internal
resources on a Need to Know basis.
This plan should only be openly executed in the direst situations or internally if
designated resources are unavailable at the time of the declared emergency.
This plan should contain the organizational structure and the list the
management alternate designees.
INTERNAL CONTROLS (IC): COSO defines internal control as a process, affected

by an entitys board of directors, management and other personnel. This process is
designed to provide reasonable assurance regarding the achievement of objectives
in effectiveness and efficiency of operations, reliability of financial reporting, and
compliance with applicable laws and regulations.
1. Internal control is a process. It is a means to an end, not an end in itself.
2. Internal control is not merely documented by policy manuals and forms. Rather, it is
put in by people at every level of an organization.
3. Internal control can provide only reasonable assurance, not absolute assurance, to
an entitys management and board.
4. Internal control is geared to the achievement of objectives in one or more separate
but overlapping categories.
Similar Terms: IT Controls, Audit Controls, Business Controls, Operational Controls,
ICS all refer to a type of control used to provide a quantifiable measurement that
Public Domain
Page 55 of 58
White Paper
Version 1.0
represents the level of success in achieving a stated objective.

http://en.wikipedia.org/wiki/Internal_control
OUTAGE: The interruption of automated processing systems, infrastructure, support

services, or essential business operations, which may result, in the organizations
inability to provide services for some period of time.
SIMILAR TERMS: Outage, Service Interruption.
PLAN DO CHECK ACTION (PDCA): An adaptation of the Deming wheel. While the
Deming wheel stresses the need for constant interaction among research, design,
production, and sales, the PDCA Cycle asserts that every managerial action can be
improved by careful application of the sequence: plan, do, check, action. Later in
Deming's career, he modified PDCA to "Plan, Do, Study, Act" (PDSA) so as to better
describe his recommendations. In Six Sigma programs, the PDSA cycle is called
"Define, Measure, Analyze, Improve, Control" (DMAIC). The iterative nature of the
cycle must be explicitly added to the DMAIC procedure.
Similar Terms: The Deming Cycle or Wheel is the concept of continuously rotating
wheel used by W. E. Deming to emphasize the necessity of constant interaction among
research, design, production, and sales so as to arrive at an improved quality that
satisfies customers.
PROGRAM MANAGEMENT (PM): Is the process of managing multiple ongoing

inter-dependent projects. Program Management also reflects the emphasis on
coordinating and prioritizing resources across projects, departments, and entities to
ensure that resource contention is managed from a global focus. Program
management provides a layer above project management focusing on selecting the
best group of programs, defining them in terms of their constituent projects and
providing an infrastructure where projects can be run successfully but leaving project
management to the project management community.
Key factors in program management:
Governance: The structure, process, and procedure to control operations and

changes to performance objectives.
Standards: Define the performance architecture.
Alignment: The program must support higher level vision, goals and objectives.
Assurance: Verify and validate the program, ensuring adherence to standards
and alignment with the vision.
Management: Ensure there are regular reviews, there is accountability, and that
management of projects, stakeholders and suppliers is in place.
Integration: Optimize performance across the program value chain, functionally
and technically.
Finances: Tracking of finances is an important part of Program management and
basic costs together with wider costs of administering the program are all
tracked.
Infrastructure: Allocation of resources influences the cost and success of the
program. Infrastructure might cover offices, version control, and IT.
Planning: Develop the plan bringing together the information on projects,
resources, timescales, monitoring and control.
Public Domain
Page 56 of 58
White Paper
Version 1.0
Improvement: Continuously assess performance; research and develop new

capabilities; and systemically apply learning and knowledge to the program.
RISK MANAGEMENT (RM): Risk management is a structured approach to

managing uncertainty related to a threat, a sequence of human activities including:
risk assessment, strategies development to manage it, and mitigation of risk using
managerial resources.
The strategies include transferring the risk to another party, avoiding the risk,
reducing the negative effect of the risk, and accepting some or all of the
consequences of a particular risk.
Risk management is simply a practice of systematically selecting cost effective
approaches for minimizing the effect of threat realization to the organization. All
risks can never be fully avoided or mitigated simply because of financial and
practical limitations. Therefore all organizations have to accept some level of
residual risks.
The objective of risk management is to reduce different risks related to a preselected domain to the level accepted by society. It may refer to numerous types
of threats caused by environment, technology, humans, organizations and
politics. Intangible risk management identifies a new type of risk - a risk that has
a 100% probability of occurring but is ignored by the organization due to a lack of
identification ability.
EXAMPLES: When deficient knowledge is applied to a situation, a knowledge risk

materializes. Relationship risk appears when ineffective collaboration occurs.
Process-engagement risk may be an issue when ineffective operational procedures
are applied. These risks directly reduce the productivity of knowledge workers,
decrease cost effectiveness, profitability, service, quality, reputation, brand value, and
earnings quality. Intangible risk management allows risk management to create
immediate value from the identification and reduction of risks that reduce productivity.
Common Risk Treatments include:
Avoidance (eliminate)
Reduction (mitigate)
Transference (outsource or insure)
Retention (accept and budget)
Similar Terms: Enterprise Risk Management (ERM), Financial Risk Management (FRM),
Intangible Risk Management (IRM), Operational Risk Management (ORM), Associated
Risk, Acceptable Risk, Indirect Risk.
Public Domain
Page 57 of 58
White Paper
Version 1.0
Intentionally Left Blank
Public Domain
Page 58 of 58

Manning at Conventional Marine Terminals - OCIMF

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Manning at Conventional Marine Terminals - OCIMF

Hochgeladen von

Copyright:

Verfügbare Formate

~ White Paper ~

The New Business

Written by: Dan Wilder

Published on: October 6th, 2008

What is ISO / IEC 27000................................................................................................. 10

Its not just a regulatory requirement any more..................................................12

What is BCM? .......................................................................................................15

Why BCM? ............................................................................................................19

The BCM Model................................................................................................ 19

What is ISO / IEC 20000................................................................................................... 9

ISO 27000 Family Business Continuity ..............................................................10

The Business Continuity Paradigm................................................................... 15

ISO 20000 Family Service Delivery......................................................................7

Business Continuity Management Components ...................................................20

Conducting the BIA ...............................................................................................24

Business Continuity Plan Creation.................................................................... 30

Creating the Business Continuity Plan ..................................................................30

Modified: August 26, 2008

Business Continuity Plan Execution ................................................................. 36

BCP Execution Team Leadership Tree ..............................................................36

Plan Elements .......................................................................................................38

EMT Team Component................................................................................................... 37

BCM Execution Process........................................................................................40

BCM Plan Management & Reporting................................................................ 41

Plan Management .................................................................................................42

Document Management ................................................................................................. 42

BCM Governance ............................................................................................. 44

Audit Types ...........................................................................................................44

Preparatory Audit (-) ......................................................................................................... 45

Audit Type Usage..................................................................................................46

BCM Review ................................................................................................. 47

Figures and Tables

Modified: August 26, 2008

Figure 21: Audit Types............................................................................................. 45

Modified: August 26, 2008

Intentionally Left Blank

Modified: August 26, 2008

2 The Big Question Why?

Modified: August 26, 2008

3.1 ISO 20000 Family Service Delivery

Modified: August 26, 2008

The ITIL-ISO 20000 model depicted in Figure 1 below defines IT Service

ITIL is now based on five core lifecycle titles:

Modified: August 26, 2008

Figure 2: ITIL v3 Model

3.1.1 What is ISO / IEC 20000

Modified: August 26, 2008

The New Business Continuity Model

3.2 ISO 27000 Family Business Continuity

3.2.1 What is ISO / IEC 27000

BS 25999-1:2006 is a code of practice that takes the form of guidance and

Modified: August 26, 2008

BS 25999-1 Business Continuity Management Part 1: Code of practice.

NOTE: A free demo of BS 25999 online is available go to www.bsiglobal.com/bs25999online

All Rights Reserved British Standards Institute (BSI) - http://www.bsi-global.com/en/

Modified: August 26, 2008

The New Business Continuity Model

Modified: August 26, 2008

3.3.2 Governance Risk & Compliance (GRC)

Modified: August 26, 2008

Figure 5: GRC Automating Compliance

Then by creating mappings between each compliance requirement element through