¶ Introduction
¶ Definition of BCM
“Business Continuity Management ('BCM') is a holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.”
¶ Global standards for BCM
The International Organization for Standardization (ISO) developed ISO 22301:2019 provides a framework for establishing, implementing, maintaining, and continually improving a Business Continuity Management System (BCMS). This BCP global standard outlines requirements for identifying potential threats, assessing their impact, and developing appropriate response and recovery plans.
Rev. 1: Contingency Planning Guide for Federal Information Systems Issued by the National Institute of Standards and Technology (NIST), SP 800-34 Rev. 1 offers guidance on developing contingency plans for information systems in federal agencies. While targeted at government entities, its principles are widely applicable to organizations across various sectors.
Control Objectives for Information and Related Technologies (COBIT) is a framework developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). While primarily focused on IT governance and management, COBIT 2019 includes guidance on integrating business continuity and disaster recovery into IT processes.
Societal Security – Business Continuity Management Systems – provides guidance on the implementation of a Business Continuity Management System (BCMS) based on the requirements specified in ISO 22301. It offers detailed explanations and examples to help organizations interpret and apply the principles outlined in ISO 22301 effectively.
Societal Security – Emergency Management – Specifies requirements for establishing and implementing incident response processes within the context of emergency management. It outlines principles for incident detection, assessment, response coordination, communication, and recovery.
Risk Management – Provides guidelines for implementing a risk management framework within organizations. While not specific to business continuity, it offers principles and processes for identifying, assessing, and managing risks effectively, which are integral to developing robust business continuity plans.
Information Security Management Systems - The ISO 27000 series comprises a set of standards related to information security management systems. It serves as an overview and vocabulary guide for the entire series, providing foundational concepts and terminology used in information security management.
¶ Scope of BCM
Establishing and maintaining business continuity management processes begins with three steps:
1. Defining business continuity management
2. Identifying and defining the key components of a viable BCM framework, and
3. Placing BCM in the context of organizational risk management
Detail of Business Continuity Management (BCM)
Business continuity planning is the process through which organizations establish the capabilities necessary to protect their assets and continue key business processes after a disaster - an unexpected business interruption caused by natural or man-made events - occurs.
¶ Navigation
¶ Specific setups
¶ Step 1: Setup Loss type
Go to: GRC > Business continuity > Setup for business continuity > Loss type
- On the Action pane, click on the New button
- Enter a unique Loss type ID
- Enter a brief Description for the loss type
¶ Step 2: Setup Emergency response plans
It is assumed that Job plans have been setup. Job plans are used to view checklists.
Go to: GRC > Business continuity > Setup for business continuity > Emergency response plan
- On the Action pane, click on the New button
- Under the General Fast tab:
- Enter the Job plan ID
- Enter the Name of the job plan
- Enter a brief Description for the job plan
- Select the relevant Job plan group from the dropdown list
The Safety slider will by default be on Yes
- Expand the Checklist Fast tab
- Under the Checklist Index tab:
- Click on the Add button
- Enter the Line number
- In the Name field, enter the line description
¶ Step 3: Setup Continuity and disaster recovery category
Go to: GRC > Business continuity > Setup for business continuity > Continuity and disaster recovery category
- On the Action pane, click on the New button
- Enter a unique continuity and disaster recovery Category ID
- Enter a brief Description
¶ Step 4: Setup Continuity and disaster recovery type
Go to: GRC > Business continuity > Setup for business continuity > Continuity and disaster recovery type
- On the Action pane, click on the New button
- Enter a unique continuity and disaster recovery type ID
- Enter a brief Description for the type ID
¶ Step 5: Setup Teams
Business Continuity Management Team or BCM Team is a group of individuals appointed by Executive Management to implement and execute the BC Plan. During peacetime, this team serves as members of the BCM Working Committee.
Go to: GRC > Business continuity > Setup for business continuity > Teams
- On the Action pane, click on the New button
- In the Name field, type a name for the team
- Select a Team type from the dropdown list
¶ Step 5.1: The General Fast tab
- Enter a Description of the team
- Select an Administrator for the team from the dropdown list
- Select a Vendor account from the dropdown list (If applicable)
- Select the relevant Calendar and Cost type from the dropdown lists (if applicable)
- Select the Site and Department from the dropdown lists
- Select the relevant Level of detail for investigation, from the dropdown list (If applicable)
¶ Step 5.2: The Team members
- In the Button strip, click on the Add team members button
- on the Add team members dialog, select the people that you want to add to the team
- Click on the Add button
- Select the Team leader by ticking the box next to the relevant person’s name
¶ Step 6: Setup Business process administration
Go to: GRC > Business continuity > Setup for business continuity > Business process administration
- On the Action pane, click on the New button
- Enter a Name for the Business process
- Enter a brief Description for the Business process
- Select the Owner of the Business process from the dropdown list
- Select the Calendar of the Business process from the dropdown list
- In the Minimum workers field, enter the relevant number
- In the Total workers required field, enter the relevant number
- Select the Type from the dropdown list
- Select the Accounting arefrom the dropdown list
- Indicate whether this Business process is Critical
- Under the Tasks section, in the Button strip, click on the New button
- Enter the Task
- Enter a Description for the task
- Indicate whether this is an Optional task
- Select the relevant Task link from the dropdown list
- Select the relevant Assignment type from the dropdown list
- Select the person to whom the task is Assigned to from the dropdown list
- Select the relevant Contact person from the dropdown list
- Enter the Due date offset from target date (+/- days)
- Click on OK
- A copy of the template can be made by clicking on the Copy from template button on the Action pane
- Enter a Name for the new Business process
- Enter a Description for the new Business process
- To start the Business process, click on the Start process button on the Action pane
- Enter the Target date for the new Business process
- Click on Start
To view tasks and their statuses, go to: GRC > Workspaces > Business process for governance, risk and compliance
¶ Step 7: Setup Worker tasks
Worker tasks are selected on the Recovery strategy under the Tasks Fast tab
Go to: GRC > Business continuity > Setup for business continuity > Worker tasks
- On the Action pane, click on the New button
- Enter the Worker task
- Enter a brief Description for the worker task
- Enter additional notes in the Notes box provided
¶ Step 8: Setup Locations
Go to: GRC > Business continuity > Setup for business continuity > Locations
- On the Action pane, click the on New button
- Enter the Location ID
- Enter a Description for the location
- Select the relevant Site from the dropdown list
- Select the relevant Location (Work center) from the dropdown list
When the Active slider is moved to Yes on a location, the location will be displayed on the Location dropdown list on all HSE and GRC forms where Locations can be selected.
¶ Step 9: Setup Software applications
Go to: GRC > Business continuity > Setup for business continuity > Software applications
- On the Action pane, click the on New button
- Enter the Application name
- Enter a brief Description of the application
¶ Step 10: Setup Impact
Go to: GRC > Business continuity > Setup for business continuity > Impact
- On the Action pane, click the on New button
- Enter text describing the level of Impact
- Select the relevant Impact level from the dropdown list
- Enter additional notes in the Note box provided
¶ Step 11: Setup Signature type
Go to: GRC > Business continuity > Setup for business continuity > Signature type
- On the Action pane, click on the New button
- Under the Signature type Index tab:
- Enter a unique Signature type ID
- Enter a brief Description for the signature type
- In the Source field, select BCM from the dropdown list
- Select the Signature type that you want to add workers to
- Open the Worker Index tab:
- In the Remaining workers column, select the Worker that you want to link to the Signature type
- Click on the < button to move the Worker across to the Selected workers column
Only workers that have been linked to a Signature type can be selected under the Review and sign off Fast tab on the Continuity and disaster recovery Header
¶ Step 12: Setup GRC Parameters
¶ Step 12.1: Default signature type
Go to: GRC > Setup > Governance, Risk and Compliance parameters
- Under the Governance tab, expand the Business continuity Fast tab
- In the Signature type field, select the signature type that will be the default under the Sign off Fast tab on the Continuity and disaster recovery form
¶ Step 12.2: Notifications
Go to: GRC > Setup > Governance, Risk and Compliance parameters
- Under the Notifications tab, expand the Email templates for batch use Fast tab
- In the BC/DR review field, select the relevant email template to be used for the BC/DR review alert
¶ Step 13: Setup GRC actions and questions
Go to: GRC > Setup > GRC actions and questions
- On the Action pane, click on the New button
- In the Question ID field, enter the unique question ID
- In the Source field, select BIA (The questions will be displayed on the Business impact assessment form)
- In the Action field, select Strategy impact or Data confidentiality (These are Index tabs on the Business impact assessment, under the Assessment Fast tab)
- In the Field group field, select the Field group where the question should be displayed on the Business assessment impact form, under the Strategic impact Index tab, or under the Data integrity and confidentiality Index tab
- Select the relevant Answer type form the dropdown list
- Select the relevant Negative outcome from the dropdown list
- Enter the Question text in the note box under the grid
The Question text is the text that is displayed on the Business impact assessment, under the Assessment Fast tab under the Strategic impact- and Data integrity and confidentiality Index tabs.
For the Alert text that is displayed on the Activated plan under the General Fast tab:
- In the Source field, select BCM
- In the Action field, select Continuity & disaster recovery
- Enter the text that is to be displayed in the Alert field, in the Question text note box under the grid
A question must have an Answer type:
- Yes/No declaration – this will display the Question text with a tick box on the Business impact assessment form
- Yes/No answer - this will display the Question text with a tick box on the Business impact assessment form
- Free text – this will display the Question text with a free text input box on the Business impact assessment form
The response to the question is set by the Negative outcome setting:
- Force entry – The Business impact assessment form will not be able to be closed if this field is not completed i.e. a Tick is required in the tick box, or text in the free text box
- Warning – this will give a warning if there is no input against the question, but will allow the action to continue
- Ignore – the action can continue if there is no response to the question
¶ Step 14: Recovery strategy
Company recovery strategies are the strategies undertaken to preserve a company and prevent its shutdown. The key objective of company recovery strategies is to quickly identify and address the sources of its problems that may lead to its collapse.
Go to: GRC > Business continuity > Recovery strategy
- On the Action pane, click on the New button
- Enter a unigue Strategy ID
- Enter a Description for the recovery strategy
- Select the relevant Impact category from the dropdown list
- Select the Date on which the recovery strategy was created
- Select the relevant Status of the recovery strategy
- Select the relevant Loss type from the dropdown list
- Expand the Tasks Fast tab
- In the Button strip, click on the Add button
- Select the relevant Task from the dropdown list
- Enter the task Order
- Select the Previous task from the dropdown list
- Select the Subsequent task from the dropdown list
- Enter the Duration of the task
¶ Daily use
The following framework illustrates the components of business continuity planning:
¶ Step 15: Continuity and disaster recovery
BC/DR is a set of processes and techniques used to help an organization recover from a disruptive event (could be a disaster) and continue or resume routine business operations. It is a broad term that combines the roles and functions of IT and business in the aftermath of a disaster.
BC/DR enables organizations to adapt to and bounce back from disruptions while maintaining continuous business operations.
Go to: GRC > Business continuity > Continuity and disaster recovery
- On the Action pane, click on the New button
- On the Create new BC/DR dialog:
- Enter a Description for the new plan
- Select the relevant continuity and disaster recovery Category from the dropdown list
- Select the relevant continuity and disaster recovery Type from the dropdown list
- Select the relevant Site from the dropdown list
- Select the relevant Department from the dropdown list
- The Date created field is by default populated with Today’s date (this can be edited)
- The Created by field is by default populated with the logged in user (this can be edited)
- Click on OK
¶ Step 15.1: The General Fast tab
- Open the Continuity and disaster recovery Header view
- Under the General Fast tab:
- Select the Hazard related to the disaster
- The plan can only be activiated by clicking on the Activate button on the Action pane, once the Status has been changed to Approved
- Select the relevant Compliance obligation question from the dropdown list
- Select the relevant Alert question from the dropdown list. (This is the Alert text that will be displayed on the Activated plan)
- In the RTO value (Recovery Time Objective) field, enter the amount of time needed for stuff to be recovered or restored
- In the RPO value (Recovery Point Objective) field, enter the amount of time allowed to be without services or data without adverse impact
- In the MTPD field, enter the maximum tolerable period that you can allow before resuming your activities
- Enter the Time frame (Peak periods)
¶ Step 15.2: The Background Fast tab
- Enter an Introduction in the box provided
- Enter an Objective (MBCO) in the box provided
¶ Step 15.3: The Target Fast tab
¶ Step 15.3.1: The Business process Index tab
- In the Button strip, click on the Add button
- Select the relevant Business process from the dropdown list
- Indicate whether this business process is Critical
- The Total required workers and Minimum workers, will be populated according to the selected Business process
- Tick the SPOF (Single point of failure) box if it is relevant
- Additional comments can be entered in the note box under the grid
- Tick the Primary tick box for the relevant line
¶ Step 15.3.2: The Applications Index tab
- In the Button strip, click on the Add button
- Select the relevant Software application from the dropdown list
- Tick the SPOF (Single point of failure) box if it is relevant
¶ Step 15.3.3: The Locations Index tab
- In the Button strip, click on the Add button
- Select the relevant Location from the dropdown list
- Tick the SPOF (Single point of failure) box if it is relevant
¶ Step 15.3.4: The Objects Index tab
- In the Button strip, click on the Add button
- Select the relevant Object from the dropdown list
- Enter the relevant Quantity
- Tick the SPOF (Single point of failure) box if it is relevant
¶ Step 15.3.5: The Key contracts Index tab
- In the Button strip, click on the Add button
- Select the relevant Contract from the dropdown list
- Tick the SPOF (Single point of failure) box if it is relevant
The BC/DR inplace tick box will only be ticked if the primary vendor selected on the contract, has the BC/DR in place slider under the Vendor profile Fast tab, moved to Yes
¶ Step 15.4: The Approval Fast tab
- Select the Approver from the dropdown list
- Select the Approved date
¶ Step 15.5: The RACI Fast tab
- Select the Employee responsible from the dropdown list
- Select the Employee accountable from the dropdown list
- Select the Employee consulted from the dropdown list
- Select the Employee informed from the dropdown list
The default worker in the Employee responsible field, is the manager of the department selected under the General Fast tab
An email can be sent to the selected workers if they have a Primary email address
¶ Step 15.6: The Business impact assessment Fast tab
- In the Button strip, click on the Add button
- Select the relevant Assessment from the dropdown list
OR
- In Action pane, click on the Impact assessment button
- On the Impact assessment dialog:
- Enter an Assessment ID
- Enter a brief Description for the assessment
- Enter an Overall impact rating %
- Select the relevant Overall impact rating from the dropdown list
- Select the relevant Category impact from the dropdown list
- Enter a Note if required
- Click on the OK button
- In the Button strip, click on the Add button
- Select the Date created
- Select the relevant Risk register from the dropdown list
- Select the relevant Review frequency from the dropdown list
- In the To be reviewed by field, select the name of the person who is going to review the BC/DR plan
- The Next follow up date will be calculated by the system according to the selected Review frequency (Can be edited)
- Enter additional notes in the Follow up note box provided
- Buttons on the All planned GRC actions list page:
- Go to source entry – Opens the form from which the follow up action was created
- Close – Closes the action and removes the record from the list
- Send email notification – Sends an email notification to the selected worker in the Reviewed by field
- View pie chart – Displays a pie chart of all the planned GRC actions
- In the Button strip, click on the Add button
- Select the relevant Signature type from the dropdown list
- Select the relevant Worker from the dropdown list
- Select the relevant Supplier/Vendor from the dropdown list
- Enter the Date on which the plan was signed
- Use the tick boxes to indicate whether:
- Notifications were sent
- Business impact was assessed
- The plan was approved
- Activities have been completed
- Open the Continuity and disaster recovery Lines view
- Under the Line details Fast tab, open the Emergency response Index tab
- In the Button strip, click on the Add button
- Select the relevant Category impact from the dropdown list
- Indicate whether this is the Emergency response plan for After hours
- Select the relevant Emergency response plan from the dropdown list
- Open the Recovery strategy Index tab
- In the Button strip, click on the Add button
- Select the relevant Category impact from the dropdown list
- Select the relevant Recovery strategy from the dropdown list
- Indicate whether an Action plan and activities should be created based on the recovery strategy tasks
- an Action plan and related activities can be created
- an Activated plan will be created
- In the Action pane, click on the Status button and select Approved from the dropdown list
- In the Action pane, click on the Activate button
- On the Action plan with activities dailog, select the following for each line (Activity):
- Resposible worker
- Due date
- Click on the Create button
- Open the Recovery team Index tab
- In the Button strip, click on the Add button
- Select the relevant Category impact from the dropdown list
- Select the relevant Recovery team from the dropdown list
- Open the Notifications Index tab
- On the left-hand side, in the Button strip, click on the Add button
- Select the relevant Category impact from the dropdown list
- Select the relevant Date of the notification
- Enter the specified time frame for sending the notification
- Select the notification Type from the dropdown list
- Enter additional Notes
- On the right-hand side, in the Button strip, click on the Add button
- Select the Worker to be notified form the dropdown list
- OR
- Select the Supplier/Vendor to be notified from the dropdown list
- Select the relevant Role from the dropdown list
- Open the Media response Index tab
- In the Button strip, click on the Add button
- Enter the Step number
- Enter Notes regarding the media response step
- Select the person Responsible for the step
- Enter Instructions for the responsible person to follow
- On the Action pane, click on the New button
- Enter a Description for the Business impact assessment
- Select the relevant Primary business process from the dropdown list
- The Date created will by default be today’s date (This can be edited)
- Enter the Renewal date for the Business impact assessment
- The logged in user’s name will by default populate the Created by field (This can be edited)
- The Status will by default be Created (This can be edited)
- Select the relevant Site from the dropdown list
- Select the relevant Department from the dropdown list
- In the MAO (Maximum Acceptable Outage) field, select the time frame during which recovery must become effective
- In the RTO value (Recovery Time Objective) field, enter the amount of time needed for stuff to be recovered or restored
- In the RPO value (Recovery Point Objective) field, enter the amount of time allowed to be without services or data without adverse impact
- In the Button strip, click on the Add button
- Enter the Objective of the assessment
- Select the Term of the objective
- Enter additional Notes
- Enter the Overall impact rating %
- Select the Overall impact rating from the dropdown list
- Enter additional Notes
- Under the Summary Index tab:
- Indicate the level of impact for the following:
- Financial impact
- Competitive situation
- Strategic impact
- Data integrity and confidentiality
- Intangible impact
- Under the Downtime impact Index tab:
- Indicate the level of impact for the following:
- 0-8 Hours
- 8-24 Hours
- 24-72 Hours
- 3-7 Days
- More than 7 days
- Under the Financial impact Index tab:
- Enter the Daily lost revenue value
- Enter the Operation cost increase value
- Enter the Total penalties value
- Answer the questions under the Competitive situation Index tab
- Answer the questions under the Strategic impact Index tab
- Click on the Commit button to save the data entered
- Answer the questions under the Data integrity and confidentiality Index tab
- Click on the Commit button to save the data entered
- Under the Intangible impact Index tab:
- Select the level of impact that the disaster will have on the following:
- Reputation
- Stakeholder confidence
- Customer satisfaction
- Regulatory impact
- Enter Comments in the spaces provided
- In the Button strip, click on the Add button
- Select the relevant Plan from the dropdown list
- In the Action pane, click on the Create activity button
- On the dialog, select the relevant activity Category
- Enter a Description for the activity
- Select the Responsible person from the dropdown list
- Enter the Due date for the activity
- The user can choose to Create a new action plan for the activity
- Add the activity to an existing action plan by selecting the relevant Action plan from the dropdown list
- Click OK
- On the Action pane, click on the New button
- Expand the General Fast tab
- Select the relevant Site from the dropdown list
- Select the relevant Department from the dropdown list
- Enter the Name of the plan
- Select the Continuity and disaster recovery Category from the dropdown list
- Select the Continuity and disaster recovery Type from the dropdown list
- Enter the Date on which the plan was created
- Enter the RTO value (Is related to downtime and represents how long it takes to restore from the incident until normal operations are available to users)
- Enter the RPO value (Limits how far to roll back in time, and defines the maximum allowable amount of lost data measured in time from a failure occurrence to the last valid backup)
- The Created from field, references the BC/DR ID that the plan was created from
- The Alert that is displayed, is the one selected on the BC/DR under the General Fast tab
- Expand the Introduction Fast tab
- Enter the Purpose of the plan in the note box provided
- Enter the Scope of the plan in the note box provided
- Enter the Assumptions of the plan in the note box provided
- Expand the RACI Fast tab
- Select the Employee responsible for the plan, from the dropdown list
- Select the Employee accountable for the plan, from the dropdown list
- Select the Employee consulted from the dropdown list
- Select the Employee informed from the dropdown list
- Expand the Action plans and checklists Fast tab
- The Action plans that were created from the BC/DR are displayed. The activities associated with the Action plans can be viewed in the Action plan lines.
- In the Action pane, under the Execution tab, click on the Compile checklist button to greate a new Checklist
- Expand the Execution metrics Fast tab
- Enter the number of Recovery strategies completed
- Enter the number of Tasks completed
- Enter the Actual duration in hours, for the work done so far
- Expand the Disruptive events Fast tab
- In the Button strip, click on the Add button
- Enter the Date on which the Disruptive event occurred
- Select the relevant Disruptive event from the dropdown list
- Enter the following on the Record a disruptive event dialog:
- Description of the disruptive event
- Enter the Date and time of incident
- Select the relevant Site from the dropdown list
- Select the relevant Location from the dropdown list
- Select the Reported by person’s name from the dropdown list
- Select the Basic cause of the incident from the dropdown list
- Select the relevant Department from the dropdown list
- Enter the Details of the incident
- Click on the OK button
- On the Create review actions dialog:
- Enter the From date that actions need to be created for
- Enter the To date that actions need to be created for
- Select the Department that actions need to be created for
- Enter the number of Due days
- Select the Review frequency from the dropdown list
- Click on the OK button
- Enter the following on the Impact assessment: downtime report dialog:
- From and To dates
- Select the relevant Department from the dropdown list
- Select the Status of the records that you want to print the report for, from the dropdown list
- Enter the relevant Overall impact rating % of the records that you want to print the report for
- Move the Show additional information slider to Yes if you want the report to print the following columns:
- Total workers required
- Minimum workers
- Type
- Click on OK
¶ Step 15.7: The Risks Fast tab
¶ Step 15.8: The Review and follow up Fast tab
A blue line will appear confirming that a Planned action has been created for the follow up
Once the user closes the Planned action on the All planned GRC actions list page, a record will be added under the Sign off Fast tab, indicating that the BC/DR plan has been reviewed
¶ Step 15.8.1: Planned actions
Go to: GRC > All planned Governance, Risk and Compliance actions
¶ Step 15.9: The Sign off Fast tab
OR
Only workers that have been linked to a Signature type can be selected under the Sign off Fast tab
¶ Step 15.10: The Line details Fast tab
When the Create action plan box is ticked and the BC/DR plan is approved and activated:
¶ Step 16: Business impact assessment
A BIA often takes place prior to a risk assessment. The BIA focuses on the effects or consequences of the interruption to critical business functions and attempts to quantify the financial and non-financial costs associated with a disaster. The business impact assessment looks at the parts of the organization that are most crucial. A BIA can serve as a starting point for a disaster recovery strategy and examine recovery time objectives (RTOs) and recovery point objectives (RPOs), and resources and materials needed for business continuance.
Go to: GRC > Business continuity > Business impact assessment
¶ Step 16.1: The General Fast tab
¶ Step 16.2: The Objectives Fast tab
¶ Step 16.3: The Overall impact Fast tab
¶ Step 16.4: The Assessment Fast tab
¶ Step 16.5: The Continuity and recovery plan Fast tab
If the Business impact assessment is done fron the BC/DR, a reference to the plan will already be under this Fast tab
¶ Step 16.6: Create activity
OR
¶ Step 17: Activated plan
Go to: GRC > Business continuity > Activated plans
¶ Step 18: Disruptive event
Go to: GRC > Business continuity > Record a disruptive event
The Disruptive event/Incident detail form will open
If a disruptive event was selected on an Activated plan, the link to it will be in the Related information pane inside the Continuity and disaster recovery Fact box
All recorded Disruptive events can be found non the All disruptive events in legal entity list page
Go to: GRC > Business continuity > All disruptive events in legal entity
¶ Step 19: Create review actions
Go to: GRC > Business continuity > Periodic > Create review actions
A notification will pop up under the Action center, informing the user that a Planned action was created and can be found on the All planned GRC actions workspace
¶ Reporting
¶ Step 20: Impact assessment: downtime report
Go to: GRC > Business continuity > Reports and Inquiries > Impact assessment: downtime report
