What best-practice BCMS operations to adopt?

  • 23 Sep 2024

BCMS operations consist of the overall processes for putting business continuity in place so that an organization can deal with disruptions that might otherwise prevent it from meeting business objectives. But how do you know if you’re doing it right? In the following article, we lay out a best-practice approach to BCMS operations.

Planning and control for BCMS operations

The first step to getting BCMS operations right is planning. An organization should plan out the processes needed for its BCMS operations, and the resources required to support those processes.

One of the activities that stand out is the business impact analysis, which serves to identify the organization’s high-priority activities.

That analysis, as you likely know, measures the detrimental impacts that would result from prioritized activities being disrupted. However, businesses don’t need to perform an individual BIA on every activity. Instead, it makes more sense to perform a BIA on groups of activities. 

During the analysis, dependencies will be identified and further examined during the risk assessment (RA). The RA, in turn, provides information that can be used to identify strategies for reducing the likelihood or impact of disruption.

How best to approach the RA? A best-practice process includes:

  • Identification of risks from threats and vulnerabilities that are relevant to the organization’s context
  • Analysis of risks based on consideration of potential causes and sources of risk and their likelihood and anticipated consequences
  • Evaluation of risks to determine their significance to the organization

Business continuity strategies

After having identified prioritized activities and dependencies, an organization needs to go about protecting those activities from disruption.

However, a business should still plan how best to respond to disruptions and resume the activities that have been disrupted. What sort of business continuity strategies should be considered specifically?

Best practice suggests the following:

  • Mitigating the risk of prioritized activities being disrupted
  • Keeping disruption to a minimum
  • Resuming essential operations within acceptable timeframes
  • Ensuring effective communication during an incident

In addition, a business should have a process for (1) identifying, (2) evaluating, (3) selecting, and (4) implementing business continuity strategies.

Planned response

Part of planning for a response, though, is identifying the people who will perform key roles during an incident. Indeed, creation of a suitable team structure and selection of suitable team members both enable the response to be coordinated and effective.

In addition, team members should have pre-written structures (e.g., business continuity plan, incident response plan, media response plan, disaster recovery plan) that provide the information they require and the actions they need to take.

Whatever form it takes, that structure should address all aspects of the response – from detection to returning to business as usual, including communication between all participants.

What else should that response structure address? At a minimum:

  • Command and control
  • Incident detection and immediate response
  • Communication during disruptions
  • Recovery of technology systems
  • Resumption of prioritized activities
  • Return to business as normal

Exercising and testing

All BCMS operations need to be tested to ensure effectiveness. To that end, an organization should have a process for exercising and testing that (1) validates the effectiveness of chosen strategies, (2) promotes confidence in response structures, and (3) develops teamwork, competence, and knowledge of team members.

Exercises themselves should be performed at planned intervals and when there are significant changes within the organization or the context in which it operates.

Of course, there’s far more to BCMS operations than what we’ve written here.

For more best-practice strategies, check out Noggin’s breakdown: An Executive’s Guide to Business Continuity Standard, NCEMA 7000.

 
