¶ Introduction
Definition and scope of Business Continuity Management (BCM)
Establishing and maintaining business continuity management processes begins with three steps:
1. Defining business continuity management
2. Identifying and defining the key components of a viable BCM framework, and
3. Placing BCM in the context of organizational risk management
Detail of Business Continuity Management (BCM)
“Business Continuity Management (BCM) is a holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.”
Business continuity planning is the process through which organizations establish the capabilities necessary to protect their assets and continue key business processes after a disaster - an unexpected business interruption caused by natural or man-made events - occurs.
¶ Navigation
¶ Specific setups
¶ Step 1: Setup Loss type
Go to: GRC > Business continuity > Setup for business continuity > Loss type
- On the Action pane, click on the New button
- Enter a unique Loss type ID
- Enter a brief Description for the loss type
¶ Step 2: Setup Emergency response plans
It is assumed that Job plans have been setup. Job plans are used to view checklists.
Go to: GRC > Business continuity > Setup for business continuity > Emergency response plan
- On the Action pane, click on the New button
- Under the General Fast tab:
- Enter the Job plan ID
- Enter the Name of the job plan
- Enter a brief Description for the job plan
- Select the relevant Job plan group from the dropdown list
The Safety slider will be Yes by default.
- Expand the Checklist Fast tab
- Under the Checklist Index tab:
- Click on the Add button
- Enter the Line number
- In the Name field, enter the line description
¶ Step 3: Setup Continuity and disaster recovery category
Go to: GRC > Business continuity > Setup for business continuity > Continuity and disaster recovery category
- On the Action pane, click on the New button
- Enter a unique continuity and disaster recovery Category ID
- Enter a brief Description
¶ Step 4: Setup Continuity and disaster recovery type
Go to: GRC > Business continuity > Setup for business continuity > Continuity and disaster recovery type
- On the Action pane, click on the New button
- Enter a unique continuity and disaster recovery type ID
- Enter a brief Description for the type ID
¶ Step 5: Setup Teams
Business Continuity Management Team or BCM Team is a group of individuals appointed by Executive Management to implement and execute the BC Plan. During peacetime, this team serves as members of the BCM Working Committee.
Go to: GRC > Business continuity > Setup for business continuity > Teams
- On the Action pane, click on the New button
- In the Name field, type a name for the team
- Select a Team type from the dropdown list
¶ Step 5.1: The General Fast tab
Enter the following information:
- A Description of the team
- Select an Administrator for the team from the dropdown list.
- Select a Vendor account from the dropdown list.
- Select the relevant Calendar and Cost type from the dropdown lists.
- Select the Site and Department from the dropdown lists.
- Select the relevant Level of detail from the dropdown list.
¶ Step 5.2: The Team members
- In the Action pane on the Teams form, click the Team types button
- On the Team types form, select the team that you are choosing members for
- Select the relevant tick boxes under the Restrict membership to include group
- Click Close
To add team members to the team:
- Expand the Team members Fast Tab
- Click the Add team members button
The Add team members form will open
- Select people that you want to add to the team
You can filter the list of people by name or by skill
- Select the team members and click Add
- Select the Team leader by ticking the box next to the relevant person’s name
¶ Step 6: Setup Business process administration
Go to: GRC > Business continuity > Setup for business continuity > Business process administration
- On the Action pane, click on the New button
- Enter a Name for the Business process
- Enter a brief Description for the Business process
- Select the relevant Process type from the dropdown list
- Select the Owner of the Business process from the dropdown list
- Select the Calendar of the Business process from the dropdown list
- Indicate whether this Business process is Critical
- Under the Tasks section, in the Button strip, click on the New button
- Enter the Task
- Enter a Description for the task
- Indicate whether this is an Optional task
- Select the relevant Task link from the dropdown list
- Select the relevant Assignment type from the dropdown list
- Select the person to whom the task is Assigned to from the dropdown list
- Select the relevant Contact person from the dropdown list
- Enter the Due date offset from target date (+/- days)
- Click OK
- A copy of the template can be made by clicking on the Copy from template button on the Action pane
- Enter a Name for the new Business process
- Enter a Description for the new Business process
- To start the Business process, click on the Start process button on the Action pane
- Enter the Target date for the new Business process
- Click on Start
¶ Step 7: Setup Worker tasks
Go to: GRC > Business continuity > Setup for business continuity > Worker tasks
- On the Action pane, click on the New button
- Enter the Worker task
- Enter a brief Description for the worker task
- Enter task notes in the Notes box provided
¶ Step 8: Setup Locations
Go to: GRC > Business continuity > Setup for business continuity > Locations
- On the Action pane, click the on New button
- Enter the Location ID
- Enter a Description for the location
- Select the relevant Site from the dropdown list
- Select the relevant Location (Work center) from the dropdown list
Where "Active" = Yes is selected on a location, this location will be displayed on the Location dropdown list on all HSE and GRC forms where Locations can be selected.
¶ Step 9: Setup Software applications
Go to: GRC > Business continuity > Setup for business continuity > Software applications
- On the Action pane, click the on New button
- Enter the Application name
- Enter a brief Description of the application
¶ Step 10: Setup Impact
Go to: GRC > Business continuity > Setup for business continuity > Impact
- On the Action pane, click the on New button
- Enter text describing the Impact
- Select the relevant Impact level from the dropdown list
¶ Step 11: Setup Resource roles
Go to: GRC > Business continuity > Setup for business continuity > Resource roles
- On the Action pane, click the on New button
- Enter the Role ID
- Enter a brief Description of the role
- At least one role should be marked as Default role
¶ Step 12: Setup Signature type
Go to: GRC > Business continuity > Setup for business continuity > Signature type
- On the Action pane, click on the New button
- Under the Signature type Index tab:
- Enter a unique Signature type ID
- Enter a brief Description for the signature type
- Select the Signature type that you want to add workers to
- Open the Worker Index tab:
- In the Remaining workers column, select the Worker that you want to link to the Signature type
- Click on the < button to move the Worker across to the Selected workers column
Only workers that have been linked to a Signature type can be selected under the Review and sign off Fast tab on the Continuity and disaster recovery Header
¶ Step 13: Setup GRC actions and questions
Go to: GRC > Setup > GRC actions and questions
- On the Action pane, click on the New button
- In the Question ID field, enter the unique question ID
- In the Source field, select BIA
- In the Action field, select Strategy impact/Data confidentiality
- Enter the Question text
- Select the relevant Answer type form the dropdown list
- Select the relevant Negative outcome from the dropdown list
The Question text is the text that is displayed on the Business impact assessment, under the Assessment Fast tab under the Strategic impact- and Data integrity and confidentiality Index tabs.
A question must have an Answer type:
- Yes/No declaration – this will display the Question text with a tick box on the Business impact assessment form
- Yes/No answer - this will display the Question text with a tick box on the Business impact assessment form
- Free text – this will display the Question text with a free text input box on the Business impact assessment form
The response to the question is set by the Negative outcome setting:
- Force entry – The Business impact assessment form will not be able to be closed if this field is not completed i.e. a Tick is required in the tick box, or text in the free text box
- Warning – this will give a warning if there is no input against the question, but will allow the action to continue
- Ignore – the action can continue if there is no response to the question
¶ Step 14: Recovery strategy
Company recovery strategies are the strategies undertaken to preserve a company and prevent its shutdown. The key objective of company recovery strategies is to quickly identify and address the sources of its problems that may lead to its collapse.
Go to: GRC > Business continuity > Recovery strategy
- On the Action pane, click on the New button
- Enter a Description for the recovery strategy
- Select the Date on which the recovery strategy was created
- Select the relevant Status of the recovery strategy
- Enter the Estimated duration of the recovery strategy
- Select the relevant Loss type from the dropdown list
- Expand the Tasks Fast tab
- In the Button strip, click on the Add button
- Select the relevant Task from the dropdown list
- Enter a brief Description of the task
- Enter the task Order
- Select the Previous task from the dropdown list
- Select the Subsequent task from the dropdown list
¶ Daily use
The following framework illustrates the components of business continuity planning:
¶ Step 15: Business impact assessment
A BIA often takes place prior to a risk assessment. The BIA focuses on the effects or consequences of the interruption to critical business functions and attempts to quantify the financial and non-financial costs associated with a disaster. The business impact assessment looks at the parts of the organization that are most crucial. A BIA can serve as a starting point for a disaster recovery strategy and examine recovery time objectives (RTOs) and recovery point objectives (RPOs), and resources and materials needed for business continuance.
Go to: GRC > Business continuity > Business impact assessment
- On the Action pane, click on the New button
¶ Step 15.1: The General Fast tab
- Enter a Description for the Business impact assessment
- The Date created will by default be today’s date (This can be edited)
- Enter the Renewal date for the Business impact assessment
- The logged in user’s name will by default populate the Created by field (This can be edited)
- The Status will by default be Created (This can be edited)
- In the MAO (Maximum Acceptable Outage) field, select the time frame during which recovery must become effective
- Select the relevant Site from the dropdown list
- Select the relevant Department from the dropdown list
¶ Step 15.2: The Objectives Fast tab
- In the Button strip, click on the Add button
- Enter the Objective of the assessment
- Select the Term of the objective
- Enter additional Notes
¶ Step 15.3: The Overall impact Fast tab
- Enter the Overall impact rating %
- Select the Overall impact rating from the dropdown list
- Enter additional Notes
¶ Step 15.4: The Assessment Fast tab
- Under the Summary Index tab:
- Indicate the level of impact for the following:
- Financial impact
- Competitive situation
- Strategic impact
- Data integrity and confidentiality
- Intangible impact
- Enter the RPO value (Recovery point objectives)
- Enter the RTO value (Recovery time objectives)
- Under the Financial impact Index tab:
- Enter the Daily lost revenue value
- Enter the Operation cost increase value
- Enter the Total penalties value
- Answer the questions under the Competitive situation Index tab
- Answer the questions under the Strategic impact Index tab
- Click on the Commit button
- Answer the questions under the Data integrity and confidentiality Index tab
- Click on the Commit button
- Under the Intangible impact Index tab:
- Select the level of impact that the disaster will have on the following:
- Reputation
- Stakeholder confidence
- Customer satisfaction
- Regulatory impact
- Enter Comments in the spaces provided
¶ Step 15.5: The Continuity and recovery plan Fast tab
- In the Button strip, click on the Add button
- Select the relevant Plan from the dropdown list
¶ Step 15.6: Create activity
- In the Action pane, click on the Create activity button
- On the dialog, select the relevant activity Category
- Enter a Description for the activity
- Select the Responsible person from the dropdown list
- Enter the Due date for the activity
- The user can choose to Create a new action plan for the activity
OR
- Add the activity to an existing action plan from the drop-down list
- Click OK
¶ Step 16: Continuity and disaster recovery
Go to: GRC > Business continuity > Continuity and disaster recovery
- On the Action pane, click on the New button
BCDR is a set of processes and techniques used to help an organization recover from a disruptive event (could be a disaster) and continue or resume routine business operations. It is a broad term that combines the roles and functions of IT and business in the aftermath of a disaster.
BCDR enables organizations to adapt to and bounce back from disruptions while maintaining continuous business operations.
¶ Step 16.1: The General Fast tab
- Open the Continuity and disaster recovery Header view
- Under the General Fast tab:
- Enter a Description for the new plan
- Select the Hazard related to the disaster
- Select the relevant continuity and disaster recovery Category from the dropdown list
- Select the relevant continuity and disaster recovery Type from the dropdown list
- The plan can only be activiated by clicking on the Activate button on the Action pane, once the Status has been changed to Approved
- The Date created field is by default populated with Today’s date (this can be edited)
- The Created by field is by default populated with the logged in user (this can be edited)
- Select the relevant Alert question from the dropdown list
- Select the relevant Site from the dropdown list
- Select the relevant Department from the dropdown list
- The Status is by default Created (this can be edited)
- Enter the RTO value (Recovery time objectives)
- Enter the RPO value (Recovery point objectives)
¶ Step 16.2: The Background Fast tab
- Enter an Introduction in the box provided
- Enter an Objective in the box provided
¶ Step 16.3: The Target Fast tab
¶ Step 16.3.1: The Business process Index tab
- In the Button strip, click on the Add button
- Select the relevant Business process from the dropdown list
- Indicate whether this business process is Critical
¶ Step 16.3.2: The Applications Index tab
- In the Button strip, click on the Add button
- Select the relevant Application from the dropdown list
¶ Step 16.3.3: The Locations Index tab
- In the Button strip, click on the Add button
- Select the relevant Location from the dropdown list
¶ Step 16.3.4: The Objects Index tab
- In the Button strip, click on the Add button
- Select the relevant Object from the dropdown list
¶ Step 16.3.5: The Key contracts Index tab
- In the Button strip, click on the Add button
- Select the relevant Contract from the dropdown list
¶ Step 16.4: The Approval Fast tab
- Select the Reviewer from the dropdown list
- Select the Review date
- Select the Approver from the dropdown list
- Select the Approved date
¶ Step 16.5: The RACI Fast tab
- Select the Employee responsible from the dropdown list
- Select the Employee accountable from the dropdown list
- Select the Employee consulted from the dropdown list
- Select the Employee informed from the dropdown list
An email can be sent to the selected workers if they have a Primary email address
¶ Step 16.6: The Business impact assessment Fast tab
- In the Button strip, click on the Add button
- Select the relevant Assessment from the dropdown list
¶ Step 16.7: The Risks Fast tab
- In the Button strip, click on the Add button
- Select the Date created
- Select the relevant Risk register from the dropdown list
¶ Step 16.8: The Follow up Fast tab
- Select the relevant Review Frequency from the dropdown list
- Select the name of the person who did the Review
- The Next follow update will be calculated by the system according to the selected Review frequency (Can be edited)
- Enter Follow up detail in the box provided
A blue line will appear confirming that a Planned action has been created for the follow up
¶ Step 16.8.1: Planned actions
Go to: GRC > All planned Governance, Risk and Compliance actions
- Buttons on the All planned GRC actions list page:
- Go to source entry – Opens the form from which the follow up action was created
- Close – Closes the action and removes the record from the list
- Send email notification – Sends an email notification to the selected worker in the Reviewed by field
- View pie chart – Displays a pie chart of all the planned GRC actions
¶ Step 16.9: The Review and sign off Fast tab
- In the Button strip, click on the Add button
- Select the relevant Signature type from the dropdown list
- Select the relevant Worker from the dropdown list
OR
- Select the relevant Supplier/Vendor from the dropdown list
- Enter the Date on which the plan was signed
- Use the tick boxes to indicate whether:
- Notifications were sent
- Business impact was assessed
- The plan was approved
- Activities have been completed
Only workers that have been linked to a Signature type can be selected under the Review and sign off Fast tab
- Open the Continuity and disaster recovery Lines view
¶ Step 16.10: The Line details Fast tab
- Under the Line details Fast tab, open the Emergency response Index tab
- In the Button strip, click on the Add button
- Select the relevant Category impact from the dropdown list
- Indicate whether this is the Emergency response plan for After hours
- Select the relevant Emergency response plan from the dropdown list
- Open the Recovery strategy Index tab
- In the Button strip, click on the Add button
- Select the relevant Category impact from the dropdown list
- Select the relevant Recovery strategy from the dropdown list
- Indicate whether an Action plan and activities should be created based on the recovery strategy tasks
When the BC/DR plan is Activated and this box is ticked, then an Action plan and related activities will be created.
- Open the Recovery team Index tab
- In the Button strip, click on the Add button
- Select the relevant Category impact from the dropdown list
- Select the relevant Recovery team from the dropdown list
- Open the Notifications Index tab
- On the left-hand side, in the Button strip, click on the Add button
- Select the relevant Category impact from the dropdown list
- Select the relevant Date of the notification
- Enter the specified time frame for sending the notification
- Select the notification Type from the dropdown list
- Enter additional Notes
- On the right-hand side, in the Button strip, click on the Add button
- Select the Worker to be notified form the dropdown list
- OR
- Select the Supplier/Vendor to be notified from the dropdown list
- Select the relevant Role from the dropdown list
- Open the Media response Index tab
- In the Button strip, click on the Add button
- Enter the Step number
- Enter Notes regarding the media response step
- Select the person Responsible for the step
- Enter Instructions for the responsible person to follow
¶ Step 17: Activated plan
Go to: GRC > Business continuity > Activated plans
- On the Action pane, click on the New button
- Select the relevant Site from the drop-down list
- Select the relevant Department from the drop-down list
- Enter the Name of the plan
- Select the Continuity and disaster recovery Category from the drop-down list
- Select the Continuity and disaster recovery Type from the drop-down list
- Enter the Date on which the plan was created
- Enter the RTO value (Is related to downtime and represents how long it takes to restore from the incident until normal operations are available to users)
- Enter the RPO value (Limits how far to roll back in time, and defines the maximum allowable amount of lost data measured in time from a failure occurrence to the last valid backup)
- The Created from field references the BCDR ID that the plan was created from
- Expand the Action plans and checklists Fast tab
- The Action plans that were created from the BC/DR are displayed
- In the Action pane, under the Execution tab, click on the Compile checklist button to greate a new Checklist
- Expand the Disruptive events Fast tab
- In the Button strip, click on the Add button
- Enter the Date on which the Disruptive event occurred
- Select the relevant Disruptive event from the drop-down list
¶ Step 18: Disruptive event
Go to: GRC > Business continuity > Record a disruptive event
- Enter the following on the Record a disruptive event dialog:
- Description of the disruptive event
- Incident type will by default be Disruptive event
- Select the relevant Site from the dropdown list
- Select the relevant Location from the dropdown list
- Select the Reported by person’s name from the dropdown list
- Enter additional details under the Other Field group
- Click on the OK button
The Disruptive event/Incident detail form will open
If a disruptive event was selected on an Activated plan, the link to it will be in the Related information pane inside the Continuity and disaster recovery Fact box
All recorded Disruptive events can be found non the All disruptive events in legal entity list page
Go to: GRC > Business continuity > All disruptive events in legal entity
