10 Professional Practices - Prepare BCM Certification

March 25, 2022 – Business Continuity Management – 10 Professional Practices

mcs

Transcript of 10 Professional Practices - Prepare BCM Certification

Slide 1 – April 17, 2023

Business Continuity Management

10 Professional Practices

Slide 2

Business Continuity Management – Course / Certification

BC-DR Professional: BCM Courses, IT DRP Course

Pass the Qualifying Exam with at least 75%

• < 2 years significant experience → ABCP (then accumulate BC experience)

• > 2 years BC experience + expertise in at least 3 subject areas → CFCP

• Exam score > 80%, > 2 years BC experience + expertise in at least 5 subject areas → CBCP

• Exam score > 85%, > 5 years BC experience + expertise in at least 7 subject areas → MBCP

Slide 3

Disaster Recovery Institute

DRI International’s Education Program:

1. BCLE 100: Project Management Principles

2. BCLE 200: Introduction to Principles of Risk Management

3. BCLE 300: Introduction to Business Impact Analysis

4. BCLE 400: Developing Business Continuity Strategies

*

*

9. BCLE 900: Crisis Communications, Coordination of External Agencies

10. BCLE 1000: Introduction to Business Continuity Mgmt

11. BCLE 2000: BCM for Advanced Professionals

Slide 4

Business Continuity Management

BASIC ELEMENTS:

1. What you do to reduce risk before an event

2. How you respond during an event

3. What you do to recover after an event

Slide 5

Business Continuity Management – Different Phases (also called the 6 Rs)

1. REDUCE – steps taken before an incident to identify and mitigate risk

2. RESPOND – planned reaction to manage during an event

3. RECOVER – recover the CRITICAL data

4. RESUME – start CRITICAL activity and start recovering non-critical data

5. RESTORE – resumption of non-critical activity

6. RETURN – final movement back to the original location

Slide 6

Professional Practices for Business Continuity Professionals…

1. PROJECT INITIATION AND MANAGEMENT

2. RISK EVALUATION AND CONTROL

3. BUSINESS IMPACT ANALYSIS

4. DEVELOPING BUSINESS CONTINUITY STRATEGIES

5. EMERGENCY RESPONSE AND OPERATIONS

6. DEVELOPING AND IMPLEMENTING BC PLANS

7. AWARENESS AND TRAINING PROGRAMS

8. MAINTAINING AND EXERCISING BC PLANS

9. CRISIS COMMUNICATION

10. COORDINATION WITH EXTERNAL AGENCIES

Slide 7

Business Continuity Problem Statement…

An internal or external event interrupts one or more of your business processes.

Time – the length of the interruption – causes the situation to become a disaster.

The amount of data loss and the criticality of the processes determine the level of disaster.

A DISASTER is an unplanned calamitous event causing great damage or loss.

Slide 8

BC Program Purpose…

Protect your…

• People

• Information

• Operations

• Organization

For any BC Program, protecting people is the primary and most important aspect.

Slide 9

BC Program Objectives…

• Ensure continuity and survival of the organization

• Planned reaction to and management of an interruption

• Planned resumption and recovery of operations and systems after an interruption

• The restoration or replacement of assets at a “permanent” site after an interruption

Slide 10

Why is a BC Program Important?

• Safeguards human life

• Minimizes confusion and enables effective decisions in time of crisis

• Reduces dependency on specific personnel

• Minimizes loss of data, revenue, customers

• Facilitates timely recovery of business functions

• Maintains public image and reputation

• Minimizes time spent in decision making during a crisis

Slide 11

Trends and directions…

The wonder of the Web is that the customer knows about problems at the same time you do. There is no camouflage.

THEN: PROTECT THE DATA CENTRE

NOW: PROTECT CRITICAL BUSINESS PROCESSES

Slide 12

1. Project Initiation and Management

PURPOSE:

To provide an understanding of how to establish the need and obtain management support for a Business Continuity Management (BCM) Program in your organization, and to organize and manage the program to take the process from initiation to completion within agreed-upon time and budget limits.

Objective:

1. Establish the Need for Business Continuity

o Reference relevant legal/regulatory/statutory/contractual requirements and restrictions, such as:

▬ Banking regulations (BC-177)

▬ NFPA 1600 (National Fire Protection Association)

▬ Gramm-Leach-Bliley Act

▬ Prudent Man Act

▬ HIPAA

▬ Basel II

▬ Sarbanes-Oxley

Slide 13

1. Project Initiation and Management – Objective (cont):

2. Identify business practices (e.g., just-in-time inventory) that may adversely impact the organization’s ability to recover following a disaster event

3. Document what is industry standard and what the competition is doing

4. Communicate the need for a business continuity plan:

• By BIA

• By suggesting strategies for safeguarding critical functions

• By developing awareness by means of formal reports

• By relating BCP benefits to organizational mission, objectives and operations

5. Involve Executive Management in the BCP Project

• Defining the approval chain is critical for success

6. Establish a Planning/Steering Committee: roles and responsibilities

Slide 14

1. Project Initiation and Management – Objective (cont):

7. Develop Budget Requirements

• Clearly define resource requirements

• Clearly define financial requirements

8. Identify Planning Team(s) and Responsibilities

• Emergency Mgmt / Crisis Response / Crisis Mgmt Team

• BCP Teams (multi-location, multi-division, etc.)

• Recovery/response and restoration team

9. Develop Documentation Requirements and Responsibilities

10. Continuously report to senior mgmt through regular status reports and obtain senior mgmt approvals.

The keys to project mgmt success are: a) choice of the right people, b) involving first-level mgmt in the project, c) senior mgmt commitment.

Slide 15

2. RISK EVALUATION AND CONTROL

PURPOSE:

Determine the events and external surroundings that can adversely affect the organization and its facilities, with disruption as well as disaster; the damage such events can cause; and the controls needed to prevent or minimize the effects of potential loss. Provide cost-benefit analysis to justify investment in controls to mitigate risks.

Objective:

1. Identify the risks and threats the organisation is exposed to

2. Probability of their occurrence

3. Identify critical functions

4. Impact of the threats

5. Controls required to mitigate the threats

6. Cost-benefit analysis of controls vs. risk

Slide 16

2. RISK EVALUATION AND CONTROL

Understand the loss potential:

1. THREATS – cause/event

2. RISKS – effect

3. PROBABILITY – frequency/chances

4. VULNERABILITY

ASSETS are exposed to: Threat (cause) → Vulnerability (probability) → Risk (effect)

Slide 17

2. RISK EVALUATION AND CONTROL

Identify exposures from both internal and external sources. These should include, but not be limited to, the following:

a) Natural, man-made, technological, or political disasters

b) Accidental versus intentional

c) Internal versus external

d) Controllable risks versus those beyond the organization’s control

e) Events with prior warnings versus those with no prior warnings

Determine the probability of events

a) Information sources

b) Credibility

Create methods of information gathering

Develop a suitable method to evaluate probability versus severity

Establish the cost-benefit analysis to be associated with the identified loss potential

Slide 18

2. RISK EVALUATION AND CONTROL

Select exposures most likely to occur and with greatest impact

Identify Controls and Safeguards to Prevent and/or Mitigate the Effect of the Loss Potential

Considerations: the actions taken to reduce the probability of occurrence of incidents that would impair the ability to conduct business.

a) Physical protection

b) Physical presence

c) Logical protection

d) Location of assets

e) Procedural controls

Slide 19

2. RISK EVALUATION AND CONTROL

1. Establish disaster scenarios based on the risks to which the organization is exposed. The disaster scenarios should be based on these types of criteria: severe in magnitude, occurring at the worst possible time, resulting in severe impairment of the organization’s ability to conduct business.

2. Evaluate risks and classify them according to relevant criteria, including: risks under the organization’s control, risks beyond the organization’s control, exposures with prior warnings (such as tornadoes and hurricanes), and exposures with no prior warnings (such as earthquakes).

3. Evaluate the impact of risks and exposures on those factors essential for conducting business operations: availability of personnel, availability of information technology, availability of communications technology, status of infrastructure (including transportation), etc.

4. Evaluate controls and recommend changes, if necessary, to reduce the impact of risks and exposures

• Controls to inhibit the impact of exposures: preventive controls (such as passwords, smoke detectors, and firewalls)

• Controls to compensate for the impact of exposures: reactive controls (such as hot sites)
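The following is an added worked example, not part of the deck, of the risk evaluation steps above: scoring each exposure by probability versus severity, classifying it by the control and prior-warning criteria, ranking the register by expected loss, and running the cost-benefit comparison of a control against the loss it avoids (preventive controls lower probability, reactive controls lower the loss per event). The register entries, probabilities, loss figures and control costs are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Exposure:
    name: str
    probability: float        # annual likelihood of occurrence, 0..1
    severity: float           # loss per occurrence, in currency units
    controllable: bool        # under the organization's control?
    prior_warning: bool       # e.g. hurricane (True) versus earthquake (False)


@dataclass
class Control:
    name: str
    annual_cost: float
    kind: str                 # "preventive" (cuts probability) or "reactive" (cuts loss)
    probability_reduction: float = 0.0   # fraction of the probability removed
    severity_reduction: float = 0.0      # fraction of the loss per event removed


def expected_annual_loss(e: Exposure) -> float:
    """Probability versus severity collapsed into one comparable figure."""
    return e.probability * e.severity


def rank_exposures(register):
    """Select the exposures most likely to occur and with the greatest impact."""
    return sorted(register, key=expected_annual_loss, reverse=True)


def classify(e: Exposure) -> str:
    """Classification criteria: under/beyond control, with/without prior warning."""
    control = "under control" if e.controllable else "beyond control"
    warning = "prior warning" if e.prior_warning else "no prior warning"
    return f"{control}; {warning}"


def cost_benefit(e: Exposure, c: Control) -> dict:
    """Annual loss avoided by the control compared with what the control costs."""
    residual = Exposure(e.name,
                        e.probability * (1 - c.probability_reduction),
                        e.severity * (1 - c.severity_reduction),
                        e.controllable, e.prior_warning)
    benefit = expected_annual_loss(e) - expected_annual_loss(residual)
    return {"exposure": e.name, "control": c.name, "kind": c.kind,
            "annual_benefit": benefit, "annual_cost": c.annual_cost,
            "net": benefit - c.annual_cost, "justified": benefit > c.annual_cost}


# Constructed sample register and candidate controls (illustrative figures)
REGISTER = [
    Exposure("Data centre fire", 0.02, 5_000_000, True, False),
    Exposure("Hurricane at coastal site", 0.10, 2_000_000, False, True),
    Exposure("Ransomware outbreak", 0.25, 1_200_000, True, False),
    Exposure("Key supplier failure", 0.15, 400_000, False, False),
]
CONTROLS = {
    "Data centre fire": Control("Smoke detection and suppression", 60_000,
                                "preventive", probability_reduction=0.75),
    "Ransomware outbreak": Control("Hot site for critical systems", 250_000,
                                   "reactive", severity_reduction=0.70),
}


def evaluate(register=REGISTER, controls=CONTROLS) -> list:
    """Ranked exposures with classification and, where proposed, a control verdict."""
    report = []
    for e in rank_exposures(register):
        row = {"exposure": e.name, "eal": expected_annual_loss(e), "class": classify(e)}
        if e.name in controls:
            row["control"] = cost_benefit(e, controls[e.name])
        report.append(row)
    return report


if __name__ == "__main__":
    for row in evaluate():
        print(row)
```

A control that fails the comparison for one exposure (the hot site here) may still be justified once the other exposures it compensates for are added to its benefit side.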

Slide 20

3. BUSINESS IMPACT ANALYSIS

PURPOSE: Identify the impacts resulting from disruptions and disaster scenarios that can affect the organization, and the techniques that can be used to quantify and qualify such impacts. Establish critical functions, their recovery priorities, and interdependencies so that recovery time objective(s) and recovery point objective(s) can be set.

OBJECTIVE:

• Establish critical functions

• Determine qualitative and quantitative impacts of the disruptions

• Prioritize activities

• Establish RTO and RPO

• Establish interdependencies of functions

• Document the list of vital records

Slide 21

3. BUSINESS IMPACT ANALYSIS

PURPOSE:

• To provide the business rationale for a business continuity plan

• To provide a factual, understandable and informative set of findings that mgmt can use to provide direction for the development of the BCP

• To communicate the inherent vulnerabilities of the business units

Slide 22

3. BUSINESS IMPACT ANALYSIS

Recovery Time Objective (RTO): the time within which business functions or application systems must be recovered to acceptable levels of operational capability to minimize the impact of the outage.

RTOs are often used as the basis for:

• Establishing priorities

• Developing strategies

• Determining whether or not the event is a disruption or a disaster

Recovery Point Objective (RPO):

1. Potential loss of transactions

2. Tolerable data loss

3. Target recovery point in time

4. Last available data backup

Slide 23

3. BUSINESS IMPACT ANALYSIS – Assess Effects of Disruptions, Loss Exposure, and Business Impact

Effects of disruptions:

▬ Loss of assets: key personnel, physical assets, information assets, intangible assets

▬ Disruption to the continuity of service and operation

▬ Violation of law/regulation

▬ Public perception

Impact of disruptions on business:

▬ Financial

▬ Customers and suppliers

▬ Public relations/credibility

▬ Legal

▬ Regulatory requirements/considerations

▬ Environmental

▬ Operational

▬ Personnel

▬ Other resources

Slide 24

3. BUSINESS IMPACT ANALYSIS – Assess Effects of Disruptions, Loss Exposure, and Business Impact

Determine Loss Exposure

▬ Quantitative

1. Property loss

2. Revenue loss

3. Fines

4. Cash flow

5. Accounts receivable

6. Accounts payable

7. Legal liability

8. Human resources

9. Additional expenses/increased cost of working

▬ Qualitative

1. Human resources

2. Morale

3. Confidence

4. Legal

5. Social and corporate image

6. Financial community credibility

Slide 25

3. BUSINESS IMPACT ANALYSIS

Determine minimum resource requirements for recovery and resumption of critical functions and support systems:

▬ Internal and external resources

▬ Owned versus non-owned resources

▬ Existing resources and additional resources required

Interdependencies between the business processes:

▬ Intradepartmental

▬ Interdepartmental

▬ External relationships

The BIA provides mgmt with key information for making strategic decisions regarding business continuity and recovery.
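The following is an added worked example, not from the deck, that puts the BIA outputs of the RTO/RPO slide and the interdependencies slide above to use: the RTO decides whether an outage is a disruption or a disaster, data loss is measured from the last available backup against the RPO, and the recovery priority list is ordered by RTO while never scheduling a function before the functions it depends on. It also flags the BIA inconsistency of a function whose RTO is shorter than that of something it depends on. The function names, RTO/RPO figures and timestamps are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class CriticalFunction:
    name: str
    rto_hours: float                   # recovery time objective
    rpo_hours: float                   # recovery point objective
    depends_on: list = field(default_factory=list)   # interdependencies from the BIA


def classify_outage(fn: CriticalFunction, outage_hours: float) -> str:
    """The RTO is the determinant of disruption versus disaster."""
    return "disaster" if outage_hours > fn.rto_hours else "disruption"


def data_loss(fn: CriticalFunction, incident: datetime, last_backup: datetime) -> dict:
    """RPO check: the data at risk runs from the last available backup to the incident."""
    lost_hours = (incident - last_backup).total_seconds() / 3600
    return {"lost_hours": lost_hours, "rpo_breached": lost_hours > fn.rpo_hours}


def check_interdependencies(functions) -> list:
    """A function cannot meet its RTO if something it depends on has a longer RTO."""
    by_name = {f.name: f for f in functions}
    issues = []
    for f in functions:
        for dep in f.depends_on:
            if by_name[dep].rto_hours > f.rto_hours:
                issues.append(f"{f.name} (RTO {f.rto_hours}h) depends on "
                              f"{dep} (RTO {by_name[dep].rto_hours}h)")
    return issues


def recovery_order(functions) -> list:
    """Recovery priority list: shortest RTO first, but a function is never placed
    before the functions it depends on (Kahn's topological sort, RTO as tie-break)."""
    by_name = {f.name: f for f in functions}
    pending = {f.name: set(f.depends_on) for f in functions}
    order = []
    while pending:
        ready = [n for n, deps in pending.items() if not deps]
        if not ready:
            raise ValueError("circular dependency among: " + ", ".join(sorted(pending)))
        nxt = min(ready, key=lambda n: (by_name[n].rto_hours, n))
        order.append(nxt)
        del pending[nxt]
        for deps in pending.values():
            deps.discard(nxt)
    return order


# Constructed BIA sample (names, figures and timestamps are illustrative)
FUNCTIONS = [
    CriticalFunction("Order entry", 4, 1, ["Core network", "Customer database"]),
    CriticalFunction("Customer database", 2, 1, ["Core network"]),
    CriticalFunction("Core network", 8, 24),          # RTO longer than its dependents: a BIA finding
    CriticalFunction("Payroll", 72, 24, ["Core network"]),
]
SAMPLE_INCIDENT = datetime(2023, 4, 17, 10, 0)
SAMPLE_LAST_BACKUP = datetime(2023, 4, 17, 8, 30)


if __name__ == "__main__":
    for fn in FUNCTIONS:
        print(fn.name, classify_outage(fn, 6), data_loss(fn, SAMPLE_INCIDENT, SAMPLE_LAST_BACKUP))
    print("BIA findings:", check_interdependencies(FUNCTIONS))
    print("Recovery order:", recovery_order(FUNCTIONS))
```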

Slide 26

4. DEVELOPING BUSINESS CONTINUITY STRATEGIES

Determine and guide the selection of alternative business recovery operating strategies for the recovery of business and information technologies within the recovery time objective, while maintaining the organization’s critical functions.

OBJECTIVE:

1. Understand Available Alternatives and Their Advantages, Disadvantages, and Cost Ranges, including mitigation as a recovery strategy

2. Identify Viable Recovery Strategies within Business Functional Areas

3. Consolidate Strategies

4. Identify Off-Site Requirements and Alternative Facilities

5. Develop Business Unit Strategies

6. Obtain Commitment from Management for Developed Strategies

Slide 27

4. DEVELOPING BUSINESS CONTINUITY STRATEGIES

1. Identify Enterprise-wide and Business Unit Continuity Strategic Requirements

Review business continuity issues:

1. Timeframes

2. Options

3. Location

4. Personnel

5. Communications (crisis/media and voice/data)

Compare internal/external solutions

Identify alternative continuity strategies:

1. Do nothing

2. Defer action

3. Manual procedures

4. Reciprocal agreements

5. Alternative site or business facility

6. Alternate source of product

7. Third-party service providers/outsourcers

8. Distributed processing

9. Alternative communications

10. Mitigation

11. Preplanning

Assess the risk associated with each optional continuity strategy

Slide 28

4. DEVELOPING BUSINESS CONTINUITY STRATEGIES

2. Assess Suitability of Alternative Strategies Against the Results of a Business Impact Analysis

3. Prepare Cost/Benefit Analysis of Continuity Strategies and Present Findings to Senior Management

4. Select Alternate Site(s) and Off-Site Storage

1. Criteria

2. Communications

3. Agreements considerations

4. Comparison techniques

5. Acquisition

6. Contractual considerations

5. Develop, implement and exercise enterprise-wide plans for business continuity

6. Develop, implement and exercise Business Unit plans for business continuity in line with the enterprise-wide plan

7. Develop strategies to recover/restore:

▬ Telecommunications

▬ Voice communications

▬ Data communications

Strategies should be developed at the organizational as well as the functional level.

Slide 29

5. EMERGENCY RESPONSE AND OPERATIONS

Develop and implement procedures for responding to and stabilizing the situation following an incident or event, including establishing and managing an Emergency Operations Center to be used as a command center during the emergency.

OBJECTIVE:

1. Identify Potential Types of Emergencies and the Responses Needed (e.g., fire, hazardous materials leak, medical)

2. Identify the Existence of Appropriate Emergency Response Procedures

3. Recommend the Development of Emergency Procedures Where None Exist

4. Integrate Disaster Recovery/Business Continuity Procedures with Emergency Response Procedures and Escalation Procedures

5. Identify the Command and Control Requirements of Managing an Emergency

6. Recommend the Development of Command and Control Procedures to Define Roles, Authority, and Communications Processes for Managing an Emergency

7. Ensure Emergency Response Procedures are Integrated with Requirements of Public Authorities (refer also to Subject Area 10, Coordination With Public Authorities)

Slide 30

5. EMERGENCY RESPONSE AND OPERATIONS

1. Identify Components of Emergency Response Procedures

A. Reporting procedures

I. Internal (escalation procedures): a. Local; b. Organization (decision-making process)

II. External (response procedures): a. Public agencies and media; b. Suppliers of products and services

B. Pre-incident preparation

I. By types of disaster: a. Acts of nature; b. Accidental; c. Intentional

II. Management continuity and authority

III. Roles of designated personnel

C. Emergency actions: a. Evacuation; b. Medical care and personnel counselling; c. Hazardous material response; d. Firefighting; e. Notification; f. Other

Slide 31

5. EMERGENCY RESPONSE AND OPERATIONS

D. Facility stabilization

E. Damage mitigation

F. Testing procedures and responsibilities

2. Develop Detailed Emergency Response Procedures

A. Protection of personnel

B. Containment of the incident

C. Assessment of effect

D. Decide optimum actions

3. Identify Command and Control Requirements

A. Designing and equipping the Emergency Operations Center

B. Command and decision authority roles during the incident

C. Communication vehicles (e.g., e-mail, radio, messengers, cellular telephones, etc.)

D. Logging and documentation methods

Slide 32

5. EMERGENCY RESPONSE AND OPERATIONS

4. Command and Control Procedures

A. Opening the Emergency Operations Center

B. Security for the Emergency Operations Center

C. Scheduling the Emergency Operations Center teams

D. Management and operations of the Emergency Operations Center

E. Closing the Emergency Operations Center

5. Emergency Response

A. Develop, implement, and exercise emergency response procedures, including determination of priorities for actions in an emergency

B. Develop, implement, and exercise procedures such as first aid and medical treatment; identify the location of, and develop procedures for transportation to, nearby hospitals

6. Recognize the potential need to establish liaison with external agencies (e.g., statutory agencies, emergency services such as fire departments and police, insurers, loss adjusters, etc.), and specify the type of information these agencies may require

7. Establish procedures with public authorities for facility access

8. Establish procedures with third-party service providers, including appropriate contractual agreements

Slide 33

5. EMERGENCY RESPONSE AND OPERATIONS

Emergency Response components:

1. Escalation and reporting procedures

2. Emergency notification procedures for internal and external parties

3. Life safety procedures

4. Identify types of emergencies and responses needed

5. Identify current procedures / recommend new ones

6. Define core roles and responsibilities

7. Testing procedures and responsibilities

Planning must take place before you have an emergency so that there is a coordinated, effective response that protects your organization and minimizes the damage.

Slide 34

6. Developing and Implementing Business Continuity Plans

Design, develop, and implement Business Continuity and Crisis Management plans that provide continuity within the recovery time objective and recovery point objective.

OBJECTIVE: Document the procedures required to continue, recover and restore the functional capability of the organization.

SOME KEY TASKS:

1. Develop teams and tasks

2. Develop specific steps to minimize the risks of outage and restore normal operations

3. Document the plan

SOME KEY DELIVERABLES:

1. Emergency response plans and procedures

2. Crisis communication procedures

3. Coordination with external agencies

4. The draft plan

Slide 35

6. Developing and Implementing Business Continuity Plans

TYPES OF PLANS:

1. Crisis Mgmt Plan

2. Disaster Recovery Plan

3. Emergency Response Plan

4. Business Continuity Plan

5. Business Unit Plans

6. COOP (Continuity of Operations)

These are jointly called Business Continuity Management.

Business Continuity Plan products – information on:

1. WHO executes recovery actions

2. WHAT is needed to recover, resume, continue or restore business functions

3. WHERE to go to resume corporate, business and operations functions

4. WHEN business functions and operations must resume

5. HOW – detailed procedures for recovery, resumption, continuity and restoration

Slide 36

6. Developing and Implementing Business Continuity Plans

SUCCESSFUL PLANS:

1. Clear and concise

2. Coordinated with suppliers and vendors

3. Senior management support / organisation commitment

4. On-going / part of a strategic effort

5. Appropriate budget

6. Backup and offsite storage programs

7. Fully documented and exercised regularly

8. Risks are managed

9. Vulnerabilities are prioritized

10. Flexible and adaptable

11. Information security built into the plan

REVIEW COMPONENTS:

1. Is the plan consistent with the findings of the BIA?

2. Are roles and responsibilities defined?

3. Are resources in place?

4. Can the plan be implemented?

Slide 37

6. Developing and Implementing Business Continuity Plans

STRUCTURE:

1. Develop General Introduction or Overview

A. General Information:

• Introduction

• Scope

• Objectives

• Assumptions

• Responsibility overview

• Testing

• Maintenance

B. Plan activation:

• Notification

• Disaster declaration procedure

• Mobilization procedures

• Damage assessment concepts

C. Team Organisation

D. Policy Statement

E. Emergency Operations Centres

Slide 38

6. Developing and Implementing Business Continuity Plans

STRUCTURE (contd.):

2. Develop Administration Team Documentation

A. Identify continuity functions for the following, including qualifications, responsibilities and resources required:

1. Communications (public relations/media, client and employee)

2. Personnel/human resources

3. Security

4. Insurance/risk management

5. Equipment/supplies purchasing

6. Transportation

7. Legal

B. Other specialist coordinator/team responsibilities:

1. Relations/liaison with regulatory bodies

2. Investor relations

3. Relations with other involved groups (e.g., customers and suppliers)

4. Labour relations

C. Develop specific procedures for each function or building identified above:

1. Department/individual/building plans

2. Checklists

3. Technical procedures

Slide 39

6. Developing and Implementing Business Continuity Plans

STRUCTURE (contd.):

3. Develop Business Operations Team Documentation

A. Operating department plans:

1. Essential business functions

2. Information protection and recovery

3. Activation actions

4. Disaster site recovery/restoration actions

5. End-user computing needs

B. Action sections:

1. Recovery team: a. Personnel; b. Responsibilities; c. Resources

C. Action plans:

1. Specific department/individual plans

2. Checklists

3. Technical procedures

Slide 40

6. Developing and Implementing Business Continuity Plans

STRUCTURE (contd.):

4. Develop Communication Systems

A. Voice communications recovery plans

1. Phone lines, including in-bound, toll-free (1-800) lines, and fax lines

2. Voice mail, voice response units, and other voice-based services

3. Alternate arrangement for automated voice response during a disaster

B. Data communications recovery plans

1. Data communications with mainframe-based information systems

2. Local area network (LAN) recovery for work area recovery

3. Wide area network (WAN) recovery for restoring global connectivity

4. E-mail, groupware, and other data communications-based work support

C. Emphasize and ensure detailed and up-to-date documentation of voice and data communications networks throughout the enterprise

Slide 41

6. Developing and Implementing Business Continuity Plans

STRUCTURE (contd.):

5. Implement the Plans

A. Ensure that required tasks are completed for plan implementation

1. Acquiring additional equipment

2. Contractual arrangements

3. Preparing backup and offsite storage

4. Appropriate documentation for plans in place

B. Develop test plans, schedules, and test reporting procedures

1. Acquiring additional equipment

2. Contractual arrangements

3. Preparing backup and off-site storage

C. Develop maintenance, updating, and reporting procedures

Slide 42

7. Awareness and Training Program

Prepare a program to create and maintain corporate awareness and enhance the skills required to develop and implement the Business Continuity Management program or process and its supporting activities.

1. Define Awareness and Training Objectives

2. Develop and Deliver Various Types of Training Programs as appropriate: a. Computer-based; b. Classroom; c. Test-based; d. Instructional guides and templates

3. Develop Awareness Programs: a. Management; b. Team members; c. New employee orientation and current employee refresher program

4. Identify Other Opportunities for Education: a. Professional business continuity planning conferences and seminars; b. User groups and associations; c. Publications and related Internet sites

5. Identify Vehicles for Corporate Awareness


Slide 44

7. Awareness and Training Program

Purpose of the Awareness Program:

1. Increase knowledge and awareness of how to prepare for and respond to emergency situations

2. Knowing how to respond to an event will increase the chances of survival

3. Make employees aware of the risks to the organisation and the impact of those risks

4. Make employees aware of the plans in place to protect them from a disaster

5. Train employees how to respond during a disaster

6. Orient new employees to the BCM program

Awareness and training activities should be designed to meet the needs of the target audience.

Slide 45

8. Maintaining and Exercising Business Continuity Plans

Pre-plan and coordinate plan exercises, and evaluate and document plan exercise results. Develop processes to maintain the currency of continuity capabilities and the Plan documents in accordance with the organization’s strategic direction. Verify that the Plans will prove effective by comparison with a suitable standard, and report results in a clear and concise manner.

Objective:

1. Assess the viability of the plan

2. Practice procedures before the disaster

3. Satisfy legal and audit requirements

4. Identify the areas which need modification

5. Enable the BCM program to remain active, up-to-date, understood and usable

6. Demonstrate the ability to recover

7. Provide a mechanism for maintaining and updating the plan

8. Ensure the plan is effective in achieving the targeted RTO

Slide 46

8. Maintaining and Exercising Business Continuity Plans

“The safety policy and procedures were in place; the practice was deficient”

– extract from Lord Cullen’s report into the Piper Alpha disaster

I hear. I forget.

I see. I remember.

I do. I understand.

– Chinese proverb

Slide 47

8. Maintaining and Exercising Business Continuity Plans

1. Establish an Exercise Program

A. Develop an exercise strategy that does not put the organization at risk; is practical, cost-effective, and appropriate to the organization; and ensures a high level of confidence in recovery capability

B. Employ a logical, structured approach (effectively analyze complex issues)

C. Create a suitable set of exercise guidelines

2. Determine Exercise Requirements

A. Define exercise objectives and establish acceptable levels of success

B. Identify types of exercises, and their advantages and disadvantages:

1. Walk-throughs/tabletop

2. Simulations

3. Modular/component (call trees, applications, etc.)

4. Functional (specific lines of business)

5. Announced/planned

6. Unannounced/surprise

C. Establish and document the scope of the exercise (participants, timing, etc.)

Slide 48

8. Maintaining and Exercising Business Continuity Plans

3. Develop Realistic Scenarios

A. Create exercise scenarios to approximate the types of incidents the organization is likely to experience and the problems associated with these incidents

B. Map the scenarios identified to different test types

4. Establish Exercise Evaluation Criteria and Document Findings

A. Develop criteria aligned with exercise objectives and scope: 1. Measurable and quantitative; 2. Qualitative

B. Document results as per the criteria identified: 1. Expected versus actual results; 2. Unexpected results

5. Create an Exercise Schedule

A. Develop a progressive, incremental schedule

B. Set realistic time scales

Slide 49

8. Maintaining and Exercising Business Continuity Plans

6. Prepare Exercise Control Plan and Reports

a. Define exercise objectives and select an appropriate scenario

b. Define assumptions and describe limitations

c. Identify the resources required to conduct the exercise and identify participants; ensure all understand the objectives and their roles

d. Identify exercise adjudicators (umpires), and clearly identify all roles and responsibilities

e. Provide a timetable of events and circulate it to all participants, facilitators, and adjudicators

f. In the event of a real situation occurring during an exercise, you may want to have a predetermined mechanism for cancelling the exercise and invoking your real business continuity process

7. Facilitate Exercises

a. Execute the exercise(s) as planned above

b. Audit exercise actions

Slide 50

8. Maintaining and Exercising Business Continuity Plans

8. Post-Exercise Reporting

a. Provide a cogent, comprehensive summary with recommendations, commensurate with the levels of confidentiality requested by the exercise umpire/adjudicator or as specified by the subject organization

9. Feedback and Monitor Actions Resulting from the Exercise

a. Conduct debriefing sessions to review exercise results and identify action items for improvement

b. Identify actions and owners for recommendations; confirm owner acceptance

c. Confirm time schedules for completing or reviewing agreed actions

d. Monitor (and escalate where necessary) progress to completion of agreed actions

10. Define Plan Maintenance Scheme and Change Control Procedure

a. Ensure that scheduled plan maintenance addresses all documented recommendations

b. Analyze business changes with business continuity planning implications

c. Develop change control procedures to monitor changes

d. Create proper version control; develop plan reissue, distribution, and circulation procedures

e. Identify the plan distribution list for circulation

Slide 51

8. Maintaining and Exercising Business Continuity Plans

11. Establish Status Reporting Procedures

a. Establish reporting procedures: 1. Content; 2. Frequency; 3. Recipients

12. Audits

A. Audit the BCP’s Structure, Contents, and Action Sections

1. Determine if a section in the BCP addresses recovery considerations

2. Evaluate the adequacy of emergency provisions and procedures

3. Recommend improved positions if weaknesses exist

B. Audit the BCP’s Documentation Control Procedures

1. Determine whether the BCP is available to key personnel

2. Review update procedures

3. Demonstrate that update procedures are effective by auditing test results

4. Examine the provision of secure backup copies of the BCP for emergency use

5. List those individuals with copies of the BCP

6. Ensure that BCP copies are current

“The goal of testing and exercising your plan is not to find out if it works, but to determine how it doesn’t.”


9. Public Relations and Crisis Communication

Develop, coordinate, evaluate, and exercise plans to communicate with internal stakeholders (employees, corporate management, etc.), external stakeholders (customers, shareholders, vendors, suppliers, etc.) and the media (print, radio, television, Internet, etc.)

OBJECTIVE:

1. Establish Programs for Proactive Crisis Communications

2. Establish Necessary Crisis Communication Coordination with External Agencies (local, state, national government, emergency responders, regulators, etc.)

3. Establish Essential Crisis Communications with Relevant Stakeholder Groups

4. Establish and Exercise Media Handling Plans for the Organization and its Business Units


1. Identify and Develop a Proactive Crisis Communications Program

a. Internal (corporate and business unit level) groups

b. External groups (customers, vendors, suppliers, public)

c. External agencies (local, state, national governments, emergency responders, regulators, etc.)

d. Media (print, radio, television, Internet)

2. Establish Essential Crisis Communication Plans with External Agencies as appropriate.

A. Develop ongoing procedures/tools to manage relationships with multiple agencies as appropriate

1. Local/state/national emergency services

2. Local/state/national civilian defence authorities

3. Local/state/national weather bureaus

4. Other governmental agencies as appropriate


3. Establish Essential Communications Plans with Internal and External Stakeholders to ensure they are kept informed as appropriate

A. Develop ongoing procedures/tools to manage relationships with multiple stakeholders as appropriate

(1) Owners/stockholders

(2) Employees and their families

(3) Key customers

(4) Key suppliers

(5) Corporate/headquarters management

(6) Other stakeholders

4. Establish Essential Crisis Communications Plans with the Media Outlets

A. Develop ongoing procedures/tools to manage relationships with the media

1. Print (newspapers, journals, etc.)

2. Radio

3. Television

4. Internet


5.  Develop and Facilitate Exercises for Crisis Communication Plans

A.  Establish exercise objectives annually

B.  Coordinate and execute exercises

C.  Debrief and report on exercise results, including action plans for revisions

What is Crisis Communication?

Effective and managed communication about an event or occurrence that can impact people, organizations and communities:

Simple

Direct

Honest


Key components of messages

1. Clear and easy to comprehend

2. Repeated constantly

3. Integrated with message sent to other audiences

4. Consistent

5. Be up front regarding confidential information

6. Speak to the specific audiences’ concerns

7. Use personal language and acknowledge emotions

8. Appreciate the individuality of the responses

Perception is Reality


10. Coordination with Public authorities

Establish applicable procedures and policies for coordinating response, continuity, and restoration activities with external agencies (local, state, national, emergency responders, defense, etc.) while ensuring compliance with applicable statutes or regulations.

OBJECTIVE:

1. Identify and Establish Liaison Procedures for Emergency Management

2. Coordinate Emergency Management with External Agencies

3. Maintain Current Knowledge of Laws and Regulations Concerning Emergency Management as it pertains to a particular organization


1. Identify Applicable Laws and Regulations Governing Emergency Management

A. Gather/identify sources of information on applicable laws and regulations (disaster recovery, environmental cleanup, business resumption, etc.) and determine their impact on the organization and/or industry

B. Identify statutory requirements for the industry in which the organization participates

2. Identify and Coordinate with Agencies Supporting Business Continuity Aims

A. Identify and develop procedures with external agencies providing disaster assistance (financial and resources) to manage the ongoing relationships as appropriate

B. Work with statutory agencies to conform to legal and regulatory requirements as appropriate


3. Develop and Facilitate Exercises with External Agencies

A. Establish exercise objectives annually

B. Coordinate and execute exercises

C. Debrief and report on exercise results, including action plans for revisions


Thank You

Source: http://www.drii.org/DRII/ProfessionalPractices/about_professional.aspx