Dan Wilder publishes this document for the use of Public Domain. It contains public information, ideas and concepts and is free to distribute and use
without restriction except as noted herein. All reference material shown herein is depicted for the sole purpose of illustrating the subject of this whitepaper
and shall remain the property of its listed owner and shall not be reproduced without written consent.
Author does not warrant nor make claims that this information is in any way warranted. Use of this material is at the user's own risk.
2008 Dan Wilder, All Rights Released.
White Paper
The New Business Continuity Model
Version 1.0
Table of Contents
1 Introduction
2 The Big Question Why?
3 The Standards
Risk Assessment
Risk Mitigation
Risk Mitigation Crisis Points Defined
Importance of Defining Risk Points
Risk Cost Modeling
Mitigating Risks
1 Introduction
As we all know, everything evolves over time: the way we do business, the services
provided and the urgency of delivery. When Katrina hit the Gulf Coast, not many
companies were prepared for what would come after the hurricane. Many simply
boarded up the windows and hoped for the best. Others evacuated with their
personal possessions and many with just the clothes on their backs. The purpose
behind this whitepaper is to explore what companies should be doing to protect
themselves in today's market and environment.
An article on this topic written by David Honour, editor of Continuity Central,
in March of 2003 reflects how long this dilemma has been exposed
(http://www.continuitycentral.com/feature003.htm). Even Homeland Security and
FEMA published guidance to help companies identify the bare essentials needed to
survive (http://www.ready.gov/business/plan/planning.html and
http://www.fema.gov/business/bc.shtm). Many companies are subject to
government regulations that ensure some level of protection is in place for the
financial numbers reported. Others require more stringent guidelines to protect
stockholders and the public alike.
The business community has raised the topic to the point where the International
Standards Organization launched a call for change in 2002 and has subsequently
been working on a set of new standards since. The latest ISO reference on this
topic is ISO/PAS 22399:2007 which provides general guidance for an organization
(private, governmental, and non-governmental) to develop its own specific
performance criteria for incident preparedness and operational continuity, and to
design an appropriate management system.
The concepts and theories depicted herein have been independently presented to a
wide cross-section of industry experts with great acceptance. This whitepaper is the
compilation of these concepts into a single model to address the ever pressing issue
of facilitating a functional Business Continuity program. Within this whitepaper we
will explore what it takes to enable companies of all industries to become resistant to
catastrophic events as well as improve the operability of normal services. The
concepts depicted herein are derived from a formulation of several years' research
of business and industry best practices along with the very latest industry and
international standards [1]. Thus the paradigm shift begins.
[1] Disclaimer: This document is not intended to be all inclusive for all the standards or best practices listed. To further understand each standard
or best practice you are encouraged to research them separately. Additionally, businesses, companies and organizations are used
synonymously where they all refer to the primary entity being safeguarded.
of disasters, which will enable them to not only grow but become sustainable. The
importance of sustainability as a provider of goods and services has reached this
global market place as a key factor in the selection process of these goods and
services. The overriding requirements by governments and businesses alike are to
ensure that the supply chain can be maintained!
The approach presented herein has been designed by a team of engineers to
preserve the revenue stream through stabilization of the services provided. This
stabilization has reduced risk and improved sustainability for its customers, which
has been driven by the market place and governing requirements. This approach
differs from the traditional examples provided by companies representing software
solutions within the Governance, Risk and Compliance (GRC) [2] market segment through
an ingrained operational framework of processes with metrics, similar to what the
Committee of Sponsoring Organizations of the Treadway Commission (COSO) [3]
framework represents.
Because most companies maintain global operations, the approach is driven and
managed to the international body of standards along with local, regional, industry,
and governmentally imposed requirements. These standards are currently evolving
from a collection of many individual standards to several families of standards similar
to what the ISO 9000 family achieved for Quality Management.
3 The Standards
Now that we've introduced the reasons for this whitepaper, let's discuss the
standards that pertain to this topic. Several factors need to be understood. The first is
that the International Standards Organization [4] has recognized the need for businesses to
use standards for normal operations that will prepare them for the global economy
(ISO/PAS 22399:2007). The International Standards that are currently under
development are the ISO 20000 family of standards, which incorporate the ITIL
methods for the Service Delivery models companies may need to use. There is also
the ISO 27000 family of standards, which is incorporating the ISACA CoBIT
methods for all companies to use to incorporate measurements of stability. These
new standards are referred to as Business Resiliency, which is described as the
ability of a business to resist known and unknown crises.
[2] All rights reserved by Open Compliance & Ethics Group (OCEG) - http://www.oceg.org
[3] All rights reserved by Commission of Sponsoring Organizations of the Treadway Commission (COSO) - http://www.coso.org
[4] All rights reserved by International Standards Organization (ISO) - http://www.iso.org/iso/home.htm
[5] All rights reserved by IT Infrastructure Library (ITIL) Organization - http://www.itil.org/en/ & http://www.itil-officialsite.com/home/home.asp
However, the ITIL model has been replaced with the new ITIL v3.
A new generation of the ITIL, ITIL V3, has recently been published. This
new version represents an important evolutionary step in ITIL's life. ITIL
Refresh as it is referred, has transformed the guidance from providing a
great service to being the most innovative and best in class. At the same
time, the interface between old and new approaches is seamless so that
users do not have to reinvent the wheel when adopting it.
V3 allows users to build on the successes of V2 but take IT service
management even further. In general, V3 makes the link between ITIL's
best practice and business benefits both clearer and stronger. The main
development is that V3 guidance takes a lifecycle approach (Figure 2), as
opposed to organizing according to IT delivery sectors.
As stated on ITIL.ORG, this standard is derived from the British Standard 15000
and is a common reference for all companies, regardless of business sector, size
or type.
The standard is designed to provide IT services for both internal and external
customers as a basis of common terminology with an integrated approach for the
processes used to provide these services.
It is closely aligned with industry best practices recommended for Service
Support and Delivery.
In addition to Industry standards, the ISO standard provides clear specifications
and information as to how an organization must align itself to internationally
accepted certifications and processes.
These processes provide the management controls necessary to provide the
service capability in standard measure across all government and industry
sectors.
This unification of measurement of service delivery and support controls enables
service users to evaluate the service value to organizational standards with
confidence.
This standard is defined using these process areas:
Management System
PISM Planning and Implement
Planning and Implementation
Relationship Processes
Service Delivery Processes
Resolution Processes
Control Processes
Release Processes
Title
Information security management systems - The convener can be reached through: BSI
Cryptography and security mechanisms - The convener can be reached through: JISC
Security evaluation criteria - The convener can be reached through: SIS
Security controls and services - The convener can be reached through: SPRING SG
Identity management and privacy technologies - The convener can be reached through: DIN
As with the ISO 20000 family, British Standard BS25999 [8] Business Continuity
Management is the foundation for this family of standards. With this standard, the
ISACA Governance methodology found in CoBIT [9] is being incorporated to provide
the management controls and measurements to establish common processes,
structures and terminology.
The recent release of the British Standard BS25999-1:2006 [10] has provided the global
body of standards a preview of what the ISO standard will represent.
[8] The British Standard incorporates several existing standards as illustrated at http://www.pas56.com/ . The blending of British Standards as
depicted at http://pas56.standardsdirect.org/ represents what the ISO Development committee has defined as the goal of ISO 27000,
which is outlined in ISO/PAS 22399:2007.
[9] CoBIT is a registered trademark of ISACA; the methodology can be found at http://www.isaca.org/
[10] BS25999-1:2006 can be found at http://www.bsi-global.com/en/Shop/Publication-Detail/?pid=000000000030157563
The primary driver for these standards is to establish global compatibility along
with the ability to measure the maturity of organizations against these standards. The
implication of governance aligning with service delivery, shown in the Figure 4 example,
clarifies the use of multiple standards to achieve the objective of adherence and
compliance. The BCM Model will discuss the organizational structure and processes
established by new industry standards to meet the objectives of maintaining and
managing a Business Continuity Management Program.
Figure 4: ITIL CoBIT Coverage [12]
3.3.1 COSO
Under the COSO Framework the definition, creation and use of Internal Controls (IC)
to successfully meet objectives is paramount to the overall success of the
organization. Objective setting is therefore a precondition to internal control.
Through objective setting an organization's management can identify risks
associated with the achievement of the desired objective. Each risk must be ranked
on its impact and probability to set the correct control parameters.
Internal controls are then designed and implemented to
mitigate the associated risk through an ongoing success measurement
process. This allows the organization to adjust as needed to meet the objective
through continual measurement, which will improve the quality of the defined process.
Generally COSO Internal Controls fit well within the ITIL and CoBIT frameworks, as
shown in Figure 4 above, to provide the measurement of operational support
processes, but the COSO framework is primarily used for the safeguarding of
financial processes within an organization that sustain the executive level fiduciary
and regulatory responsibilities.
[12] All rights reserved by IT Infrastructure Library (ITIL) Organization - http://www.itil.org/en/ & http://www.itil-officialsite.com/home/home.asp
[Figure: GRC-RT Diagram] [13]
When defining the regulation mapping through a framework, many relationships will
develop that will economize on the overall process of compliance management.
[13] All rights reserved by Object Management Group (OMG) GRC Roundtable - http://www.omg.org/ (http://www.grcroundtable.org/GRC_RT_Overview.pdf)
[Figure: GRC-RT Diagrams] [14]
The BCM Model attempts to provide a singularity of tasks and controls needed to
meet the objective of compliance, risk mitigation and business sustainability, most like
the GRC-RT method shown above, with the roll-up to management needed to
govern the processes. This assumes that the pertinent industry model reflected
continues to address the ever changing regulations, thus the need for automating the
process as much as possible.
[14] All rights reserved by Object Management Group (OMG) GRC Roundtable - http://www.omg.org/ (http://www.grcroundtable.org/GRC_RT_Overview.pdf)
together that such separation seems artificial. For example, the risk
management process creates important inputs for the BCP (assets, impact
assessments, cost estimates etc). Risk management also proposes
applicable controls for the observed risks. Therefore, risk management
covers several areas that are vital for the BCP process. However, the BCP
process goes beyond risk management's preemptive approach and moves
on from the assumption that the disaster will realize at some point. This
includes the assessment of each risk and where appropriate, the
establishment of mitigation controls to manage the process designed to
minimize the risk's potential impact.
5) BUSINESS CONTINUITY MANAGEMENT (BCM): Is defined [15] as a holistic
management process that identifies potential impacts that threaten an
organization with associated risk, and provides a framework for building
resiliency with the capability for an effective response which safeguards the
interests of its key stakeholders, reputation, brand and value creating
activities. This management structure includes the facilitation of recovery,
continuity and/or restoration in the event of a disaster or crisis through the
management of an overall contingency program and through training,
rehearsals, and reviews, to ensure the plan(s) stay current and up to date.
This framework facilitates the entire process of preparing for the inevitable
crisis to strike, which engages processes to mitigate the impact of risk to the
business operation. All of this provides for a sustainable and resilient
organization with the emphasis on "Risk Mitigation with Governance", which
is ingrained in the day-to-day operation of business.
This implies that BCM specifically provides:
- A level of managerial oversight at the appropriate organizational level which
  has a stake in the continual operations of business with fiduciary
  responsibilities.
- Quality processes that mitigate Critical Business Functions and/or support
  Systems (BCFS).
- Processes that must:
  - correlate to measurable financial impacts,
  - be rated according to their risk potential,
  - include their individual probability of disruption as reflected in Service Level
    Agreement (SLA) management,
  - be quantifiable through metrics measurement,
  - and incorporate continual improvement.
BCM is the entire organization's responsibility. Each entity and resource has a stake
in the success of the organization as a whole, which emphasizes that the
organization will need to:
- Identify, define and prioritize potential impacts in advance
- Create a framework to mitigate and manage risks, of each, within industry
  standard guidelines
- Defend the organization against the potential of loss, with the resiliency to quickly
  recover in the event of a crisis
15
responsibilities, along with the processes to create and sustain a program to mitigate
most common events. Included is essential information to protect the organization's
interests and assets. In this ever changing global economy, organizations will need
every advantage afforded them to survive. How this is accomplished is the basis of
the BCM Model with the underlying theme "Risk Mitigation with Governance".
- Does documentation exist that can be used for planning purposes?
- Is the existing documentation adequate for the critical systems?
- Is there Executive stakeholder buy-in and support?
- Has ownership of the various elements been established and accepted?
- Has funding been granted and approved?
- Are short and long term business & IT objectives aligned?
Once these indicators have been resolved, most organizations will succeed with
the establishment of a Business Continuity Management program.
Here is where we start.
[Figure: Business Continuity Management Organization chart. Labels recoverable from the diagram: BCM Steering Committee (BCSC); BCM Emergency Management Team (EMT); BCM Team (BCMT); BCM Coordinator (DRC/BCC); BC Team (BCT); Executive Management Team and Assignees; Designated Managers; Organizational Designee; Departmental Designees; Risk Management through Governance.]
DISASTER:
A sudden, unplanned calamitous event causing great
damage or loss as defined or determined by a risk
assessment and BIA; 1) Any event that creates an inability on
an organization's part to provide Business Critical Functions
for some predetermined period of time. 2) In the business
environment, any event that creates an inability on an
organization's part to provide the critical business functions
for some predetermined period of time. 3) The period when
company management decides to divert from normal
production responses and exercises its disaster recovery
plan. Typically signifies the beginning of a move from a
primary to an alternate location.
THREAT:
A combination of the risk, the consequence of that risk, and
the likelihood that the negative event will take place.
Associated term: risk. Example threats: Natural, Man-made,
Technological, and Political disasters.
has for all employees, contractors and agents. These should be as clear and concise
as possible and must be approved by executive management with enforceable
terms.
The Business Continuity Policy should include:
Overall Business Continuity mission statement
Company Business Continuity objectives
Who participates in Business Continuity
Enforceable terms deemed necessary
[Figure: diagram labels recoverable from the page: Governance; BC / DR Plan; BCM Strategy; DHLGM; Department Managers; BCM Designee; Recovery Management; BCMS; BIA; BRP / DRP; External Auditor; BCT.]
BUSINESS INTERRUPTION:
Any event, whether anticipated (e.g., public service strike) or
unanticipated (e.g., blackout) which disrupts the normal course of
business operations at an organization's location. Similar terms:
outage, service interruption. Associated terms: business
interruption costs, business interruption insurance.
RECOVERY:
Implementing the prioritized actions required to return the
processes and support functions to operational stability
following an interruption or disaster.
RECOVERY POINT OBJECTIVE (RPO):
From a business perspective RPO is the maximum
amount of data loss the business can incur in an event.
The targeted point in time to which systems and data
must be recovered after an outage as determined by the
business unit.
Which employees have been trained to carry out several departmental jobs or
responsibilities and could fill positions of key employees if they were
unavailable?
5. Loss of revenue
6. Loss of business
7. Increased operating costs
8. Penalties
9. Loss of financial management capability
10. Loss of competitive edge
11. Loss of goodwill
12. Negative media coverage
13. Loss of stockholder confidence
14. Legal actions
15. Other impacts
Redundancy Levels Description is:
Existing and required redundancy levels throughout the organization to
accommodate critical systems and functions:
1. Hardware
2. Information
3. Personnel
4. Services
Alternate Processing Methods Description is:
1. Alternate processing methods for the critical functions in the event of
a systems outage
2. Impact of using the alternative processing method
3. Alternate processing costs
and addressed where appropriate for a given organization's goals and objectives.
Mitigating every risk is too costly, even for the largest of organizations.
Understanding the risks' implications to the current business strategy will provide the
most cost effective means of Risk Mitigation any organization can afford.
The Disaster Recovery Timeline shown in Figure 11 illustrates the elementary points
of risk that must be identified, evaluated and prioritized for impact, incorporating a
business established tolerance. This must be accomplished for every Business
Critical Function and/or supporting Service (BCSF) identified in the BIA. This
recovery data will be included in any Service Level Agreement (SLA) established
with the service provider, whether internal or external.
Figure 11: Disaster Recovery Timeline
- RPO is the last known point of valid data on a system by system or function
  by function basis. This is the starting point of data restoration and is owned
  by IT as agreed to by Business.
- RTO is the technical point of restoration of a system or function. This is the
  starting point where processing can restart after the failure. It is owned by IT
  as agreed to by Business.
- MTD is the point at which all recovery processing has been completed
  while processing current normal daily activities. This is the actual return to
  Business As Usual state. This is solely owned by business.
- WRT is the amount of time and effort needed to recover from the crisis.
  This includes the reentry of data from:
  - the point of the crisis back to the RPO,
  - the manual data collected from the point of crisis to the RTO,
  - and the processing of current daily data needed to stay current with the
    expectation of business services.
  Most companies fail because they do not plan this recovery period.
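The timeline points above can be worked through numerically for each BCFS. The following Python sketch is an added example and not part of the original whitepaper; the field names, the sample volumes and the linear backlog model (constant arrival rate, constant processing capacity after the RTO) are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

HOUR = timedelta(hours=1)


@dataclass
class RecoveryProfile:
    """Timeline inputs for one BCFS. All sample values below are constructed."""
    name: str
    rpo: datetime              # last known point of valid data
    crisis: datetime           # moment the outage begins
    rto: datetime              # point where processing can restart
    arrival_per_hour: float    # normal business volume (records per hour)
    capacity_per_hour: float   # processing capacity once the system is restored
    tolerance: timedelta       # business tolerance, measured from the crisis


def backlog_at_rto(p: RecoveryProfile) -> float:
    """Records to re-enter at the RTO: data lost between RPO and crisis,
    plus manual data collected between crisis and RTO."""
    if not (p.rpo <= p.crisis <= p.rto):
        raise ValueError(f"{p.name}: expected RPO <= crisis <= RTO")
    lost = (p.crisis - p.rpo) / HOUR * p.arrival_per_hour
    manual = (p.rto - p.crisis) / HOUR * p.arrival_per_hour
    return lost + manual


def work_recovery_time(p: RecoveryProfile) -> Optional[timedelta]:
    """WRT: time after the RTO needed to clear the backlog while current daily
    data keeps arriving. None means capacity never outruns arrivals."""
    spare = p.capacity_per_hour - p.arrival_per_hour
    if spare <= 0:
        return None
    return timedelta(hours=backlog_at_rto(p) / spare)


def assess(p: RecoveryProfile) -> dict:
    """Return the Business As Usual point (RTO + WRT) and whether it falls
    inside the business tolerance."""
    wrt = work_recovery_time(p)
    if wrt is None:
        return {"name": p.name, "wrt": None,
                "business_as_usual": None, "within_tolerance": False}
    bau = p.rto + wrt
    return {"name": p.name, "wrt": wrt, "business_as_usual": bau,
            "within_tolerance": (bau - p.crisis) <= p.tolerance}


# Constructed sample data: nightly backup at 00:00, outage at 10:00.
RPO = datetime(2008, 6, 1, 0, 0)
CRISIS = datetime(2008, 6, 1, 10, 0)

ORDER_ENTRY = RecoveryProfile("Order entry", RPO, CRISIS,
                              rto=datetime(2008, 6, 1, 18, 0),
                              arrival_per_hour=100, capacity_per_hour=150,
                              tolerance=timedelta(hours=48))
# RTO is well inside the tolerance, but the unplanned WRT is not.
BILLING = RecoveryProfile("Billing", RPO, CRISIS,
                          rto=datetime(2008, 6, 2, 10, 0),
                          arrival_per_hour=50, capacity_per_hour=100,
                          tolerance=timedelta(hours=48))
# Capacity equals arrivals: the backlog is never cleared.
PAYROLL = RecoveryProfile("Payroll", RPO, CRISIS,
                          rto=datetime(2008, 6, 1, 14, 0),
                          arrival_per_hour=40, capacity_per_hour=40,
                          tolerance=timedelta(hours=72))

if __name__ == "__main__":
    for profile in (ORDER_ENTRY, BILLING, PAYROLL):
        result = assess(profile)
        print(f"{result['name']:12} WRT={result['wrt']} "
              f"BAU={result['business_as_usual']} "
              f"within tolerance={result['within_tolerance']}")
```

The Billing profile restores service 24 hours after the crisis, yet only returns to Business As Usual after 58 hours, which is the unplanned recovery period the text warns about.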
- Identification of all BCFSs and their associated risks to business, along with
  the appropriate resources to facilitate the execution of safeguarding and
  restoring each BCFS,
- The processes, procedures, actions, tasks and/or steps used to mitigate the
  risks identified for the various plausible scenarios at each business location,
- Identification of all locations included, along with any sub-plans needed to
  provide adequate coverage for each risk to be mitigated,
- A clear communications process to identify, evaluate, declare and recover
  from most typical causes of loss of service delivery capability or disaster that
  includes all required resources, roles, locations, with information publication
  types and guidelines,
- The process for Business Continuity Plan updates, organizational
  awareness, training and periodic validation testing.
The BCM utilizes several types of components to provide appropriate coverage and
management of the process. The BCM Process Components define the areas and
types of plans used.
NOTE: Figure 13 depicts the various plan components and potential uses.
plan will include the BCP Communications Plan; EMT, BCC/DRC and BCT team
activities; organized by major crisis type, location crisis type and contingencies with
checklists for the various BCFSs and actions required for each. If situational
contingencies have been prepared, they will be identified and referenced within the
BCM Master Plan. Recovery activities for each BCFS and location will be referenced
for EMT guidance and execution.
disrupted from normal operation during the course of a crisis or emergency. BCFSs
or Systems will be listed by standard reference nomenclature so as not to
disseminate misleading or confusing information or status.
The Site Plans will define the steps needed by a reasonably skilled resource to
protect the site's BCFSs or Systems. The resource executing these steps may not be
fully skilled on the BCFS or System, so the level of detail provided must not make any
assumptions about the depth of specific skills required. Each Site Plan will include a
safeguard list of items addressed, the current status of each, and reference
information that may be used to assist in execution in the event that the performed
action fails.
[Figure: BCM plan hierarchy. Labels recoverable from the diagram: Business Continuity Plan Level; BCM Business Continuity Plans (Site BCP); Departmental Plans (Executive Dept, Legal Dept, HR Dept, Finance Dept, Sales Dept, Product Development Dept, Operations Dept, Customer Solutions Dept); BCM Business Continuity Sub-Plan Level; Configurations; Information; SOP; Tasks.]
Sub-Plans
Contingency Plans
Each of these BCP Elements is designed for a specific purpose to protect people,
places and things. Through these plans, risk to the organization is mitigated and
resiliency established. The Process of Execution shall outline all of the elements
leading up to this point in a flow that will provide a Continual Self Improvement
aspect to ensure the process does not grow stagnant.
[Figure: crisis response flow. Labels recoverable from the diagram: Crisis Reported To Helpdesk; EOC Activated & Notifies; EMT; Site IT BCP; BCT Teams; Prepare; Safeguard; Recover; Restore; Resume; Normal Operations; Task; Notifications, Actions & Reporting; Mitigate Risk, Monitor & Report; Recover/Restore.]
[Figure: BCP Master Plan execution flow. Steps recoverable from the diagram, in extraction order, with the responsible team in braces: Identify BCT needed to mitigate Impact risks {EMT}; Emergency Situation Declaration Notification {EOC}; Emergency Situation Restoration Notification {EOC}; Emergency Situation End Notification {EOC}; Activate Emergency Support Teams EOC / EMT / BCT {EMT}; Declare Emergency {EMT}; Declare Restoration {EMT}; Declare End {EMT}; Preliminary Emergency Situation Notification {EMT}; Execute Site & Dept BCP - Prepare {BCC / DRC}; Execute Site & Dept BCP - Safeguard {BCC / DRC}; Prepare for Impact {BCT}; BCP SubPlans {BCT}; Emergency Status / Issue Data Collection {EOC}; Execute Site & Dept BCP - Restore {BCC / DRC}; Identify Locations, Functions & Systems Impacted {EOC / EMT}; Evaluate Emergency Impact {EMT}; Probability of Emergency Identified {EOC / EMT}; Evaluation of BCP Actions {EMT}; Identify Alternate Locations & Resources; START; Execute Site & Dept BCP - Recovery {BCC / DRC}. Legend: EMT, BCT, EOC.]
that have a small team managing the BCM Program, where versioning is critical to
validation of appropriate coverage.
After a recovery, contingency or restoration process is complete, it is too late to
determine if you have the latest information available. Given the legal
implications, no business should operate without knowing it is using the latest
available.
Figure 19: Document Management Flow
[Figure 19 diagram. Labels recoverable from the page: Readiness; Plan Management; Create Plan PDF Placeholders; Recovery Items Reporting; Create / Updated Recovery Items Process; Report State Of Readiness; Create Plan Document Checklist; Plan Documents Age Expiration Event; SME Interviews for Plan & Document Creation; New Plan / Document Creation; Plan / Document Review Schedule; Planning Validation; Plan Review & Approval Process; Testing & Validation Process; Document Workflow Management; Document Management System; Document Update Complete; Document Repository.]
9 BCM Governance
The BCM Model's "Risk Mitigation with Governance" principle uses the ISACA
CoBIT model for auditing, which requires an understanding of the Domains and their
relationship to Business Goals and Objectives, and of how to use IT Resources
within the IT Process illustrated in the CoBIT framework. These are established
to ensure a level of business understanding and identify a qualifying maturity level.
The model is fully defined within the published CoBIT standard, whereas this
document will outline the CoBIT model information needed for the purpose of
providing structure and guidance to each BCM audit.
recommendation for improvement based upon the governing standards. The CoBIT
model focuses primarily on this audit type.
10 BCM Review
Now that we understand what Business Continuity Management is under the
new ISO standards, and its importance to the continued operation of business, what
does BCM mean to you?
1. Managing a Business Continuity Program is an Organizational responsibility
2. Must have a Basis: Risk Analysis, BIA, Risk Cost Modeling
3. Plans have owners, owners must accept responsibilities, and it's a culture!
4. Use the right Tools to facilitate the BCM process
5. Reporting is key to providing Value Add
6. BCM is Risk Mitigation with Governance
Definitions:
BUSINESS CONTINUITY (BC): The ability of an organization to provide service and
support for its customers and to maintain its viability before, during, and after a
business continuity event.
BUSINESS CONTINUITY MANAGEMENT (BCM): A holistic management process
that identifies potential impacts that threaten an organization and provides a
framework for building resilience with the capability for an effective response that
safeguards the interests of its key stakeholders, reputation, brand and value creating
activities. This includes the facilitation of recovery, continuity and/or restoration in
the event of a disaster and the management of the overall program through training,
rehearsals, and reviews, to ensure the plan(s) stay current and up to date.
This implies that an organization needs to identify and define the potential
impacts; create a framework to mitigate and manage risks, within industry
standard guidelines, to defend the organization against the potential of loss with
the resiliency to quickly recover in the event of a disaster.
This is accomplished by using industry best practices in creation and execution
of a Business Continuity Management Process (BCMP).
BCM is the entire organization's responsibility, for each entity within an
organization has a stake in the success of the organization as a whole!
The BCMP implies that an organization needs to define the process under which
it will execute the Business Continuity concepts using the 6 key elements above.
The BCMT must have a guiding principle to ensure the company is adequately
protected with a vision into the direction the company plans to explore in the near
and long term.
This is accomplished by developing a BCS that encompasses both the
company's current state and future direction.
The BCMT is chartered with management oversight of the BCMP and all
subsequent teams, plans, processes needed to achieve Business Continuity.
They have direct responsibility to ensure that the BCS objectives are met within
the execution of the BCMP and utilize the BCPA to administer all aspects of the
BCMP.
The BCMT or designee shall be the organizational entity to officially declare an
emergency situation that will invoke the execution of the BCP and subsequent
respective plans.
This implies that an organization needs to identify the local resources that will
physically execute the BCP or DRP.
This is accomplished by designating a primary and alternate resource for each
location for both business operational (BCC) and technological (DRC) functions
to participate in the execution of all local and enterprise-wide BC or DR plans.
The BCC/DRC is responsible for ensuring the local plans are up to date,
coordinating the local plans with the BCPA to bring them in sync with the BCP,
and executing their plans under the management of the BCMT or designee.
The BCMT should maintain a location by location BCC/DRC list.
This implies that an organization must create a plan that includes all aspects of
the BCM for the organization.
The BCP shall include reference to all other BC or DR plans used by the
organization so as to ensure risk is mitigated and contingencies are identified.
This is accomplished by the BCMT directing the BCPA to create a plan that
meets the objectives outlined in the BCSC and meets industry standards for
BCM.
The BCPA is directly responsible for the creation and execution of the BCP for
both actual declared emergencies and for periodic updates and testing.
This implies that an organization needs to identify the needs of the business to
support its continued operations in the event of a crisis that impedes its ability to
provide normal services to its customers.
Business Continuity is accomplished through an organizational structure called
the Business Continuity Management Team (BCMT) that uses a process called
the Business Continuity Management Process (BCMP) to appropriately and
swiftly react to most anticipated and unanticipated disruptions of that service.
that are tasked with making strategic recovery and continuity planning decisions for
the organization. This is a component of the BCMP.
This implies that an organization needs to identify the resources that should
participate on the BCSC that will adequately provide coverage for all BCFS,
Corporate Vision and Future Direction Planning.
The selection and designation of resources to the BCSC is accomplished by the
BCMT and must be approved and supported by the Senior Executive
Management Team.
The BCSC is chartered with strategic oversight of the Business Continuity
Strategy (BCS), Business Continuity Management Process (BCMP), Business
Continuity Plan (BCP), Disaster Recovery Plan (DRP), Executive / Management
Succession Plan (EMSP), Continuity of Operations Plan (COOP), along with all
subsequent supporting processes needed to protect the company from
operational risks that result in financial loss or direct exposure to catastrophic
fiduciary failure.
This implies that the BCMT must identify the most common natural and man-made
impacts to business first, so as to plan for everything from the lowest-level impact
to the major impact events.
In order to accomplish this task, the BCSC employs the BCMT to list the types of
Crisis and/or Disasters that would impact the company's ability to operate.
These are usually identified along with the identification of the Business Critical
Functions and/or supporting Systems (Mission Critical Activities and Supporting
Systems).
Together the BIA will identify the Business Critical Functions and/or supporting
Systems (BCFS) and the BCT will identify the plausible impacts and probability of
each identified scenario.
The BCS is defined and approved by the BCSC and executed using the BCMP.
This implies the BCMP requires the BCMT to designate individuals from the
various departments, organizations and teams to participate not only in the
Business Impact Analysis (BIA) but in the entire BCMP.
Representatives of the BCT should be those individuals who are directly involved
with or support the Business Critical Functions and/or supporting Systems
This implies that an organization should first have a BIA conducted with an
external firm specializing in this concept to identify the Business Critical
Functions and/or supporting Systems (aka Mission Critical Activities and
Supporting Systems) and include a detailed risk assessment to quantify the BIA
findings.
The BIA should be a coordinated effort with the BCMT and BCT to provide a
current analysis of business impact.
The resulting BIA should be used by the BCMT to create and document the BCS
for the company.
The BCS will need to be approved by the BCSC and implemented using the
BCMP.
For the purpose of brevity, COOP will be defined herein as the normal business
operational plan used to handle every day issues of supporting the business.
This implies that an organization needs to identify the Standard Operating
Procedures (SOP) used for daily activities in the support of normal business
functions.
The SOPs should be detailed processes governing such functions as Issue
Management, Change Management, System Management Administration,
Procurement Management, Resource Management, Corporate Policies and
Corporate Communications.
DISASTER RECOVERY (DR): Activities and programs designed to return the entity
to an acceptable condition. The ability of an organization to respond to an
interruption in services by implementing a disaster recovery plan which will restore
an organization's Business Critical Functions and/or supporting Systems (BCFS).
DISASTER RECOVERY PLAN (DRP): The management approved document that
defines the resources, actions, tasks and data required to manage the technology
recovery effort. Usually refers to the technology recovery effort. This is a
component of the BCMP.
SIMILAR TERMS: Business Continuity Plan, Recovery Plan, Business Resumption
Plan, Business Continuance Contingency Plan.
This implies that an organization needs to identify the means by which it will
recover from a failure of technology due to expected or unexpected means.
This is accomplished by documenting the various technology systems and
components, planning how to swiftly restore each and resources needed to
facilitate the restoration activities.
The technology department managers over each area of functionality are
responsible for documenting, planning, supporting and providing skilled
resources to ensure the normal operation and survivability of the technology
under their control.
The plan should include reference to the external documents maintained as part
of the Standard Operating Procedures (SOP) of the technology and call for the
transfer of this information to this plan in the event of its execution.
This implies that an organization not only needs to provide Business Continuity,
but that it needs to have the ability to recover from impeding situations rapidly to
mitigate business risk.
Disaster Recovery is primarily a technological function to restore business
capability that is accomplished using the Disaster Recovery Plan (DRP) identified
within the Business Continuity Plan (BCP) derived by the Business Continuity
Plan Administrator (BCPA) under the direction of the Business Continuity
Management Team (BCMT).
declaring a disaster and providing direction during the recovery process, both pre-disaster and post-disaster.
SIMILAR TERMS: Disaster Recovery Management Team, Business Recovery
Management Team.
Associated Terms: Crisis Management Team, Executive Emergency Management
Team.
The EMT is a line manager that declares and directs the execution of the BCM.
The EMT is chartered with management oversight of the EOC, BCC & DRC and
all subsequent teams, plans, processes needed to achieve Business Continuity.
They have direct responsibility to ensure that the BCMT objectives are met within
the execution of the BCM Process and utilize the Emergency Command Center
(EOC) to administer execution aspects of the BCM.
BCM Process is accomplished through the utilization of the EOC and
organizational level management plans.
The EMT shall be a group of seasoned managers that are on a rotational on-call
basis.
This implies that an organization needs to identify a succession plan for all levels
of management. Executive Management succession is considered critical to the
operation of the business and must be planned in advance.
To accomplish this, the Executive Managers shall identify alternate designees for
themselves and their direct reports. This type of information is considered
company secret and should not be made public inside or outside the company
without the CEO's or President's prior approval, and should only be provided to internal
resources on a Need to Know basis.
This plan should only be openly executed in the direst situations or internally if
designated resources are unavailable at the time of the declared emergency.
This plan should contain the organizational structure and list the
management alternate designees.
PLAN DO CHECK ACTION (PDCA): An adaptation of the Deming wheel. While the
Deming wheel stresses the need for constant interaction among research, design,
production, and sales, the PDCA Cycle asserts that every managerial action can be
improved by careful application of the sequence: plan, do, check, action. Later in
Deming's career, he modified PDCA to "Plan, Do, Study, Act" (PDSA) so as to better
describe his recommendations. In Six Sigma programs, the PDSA cycle is called
"Define, Measure, Analyze, Improve, Control" (DMAIC). The iterative nature of the
cycle must be explicitly added to the DMAIC procedure.
Similar Terms: The Deming Cycle or Wheel is the concept of a continuously rotating
wheel used by W. E. Deming to emphasize the necessity of constant interaction among
research, design, production, and sales so as to arrive at an improved quality that
satisfies customers.
The strategies include transferring the risk to another party, avoiding the risk,
reducing the negative effect of the risk, and accepting some or all of the
consequences of a particular risk.
Risk management is simply a practice of systematically selecting cost effective
approaches for minimizing the effect of threat realization to the organization. All
risks can never be fully avoided or mitigated simply because of financial and
practical limitations. Therefore all organizations have to accept some level of
residual risks.
The objective of risk management is to reduce different risks related to a preselected domain to the level accepted by society. It may refer to numerous types
of threats caused by environment, technology, humans, organizations and
politics. Intangible risk management identifies a new type of risk - a risk that has
a 100% probability of occurring but is ignored by the organization due to a lack of
identification ability.
Avoidance (eliminate)
Reduction (mitigate)
Transference (outsource or insure)
Retention (accept and budget)
Similar Terms: Enterprise Risk Management (ERM), Financial Risk Management (FRM),
Intangible Risk Management (IRM), Operational Risk Management (ORM), Associated
Risk, Acceptable Risk, Indirect Risk.