Whether you’re striving to build a business continuity (BC) program compliant with FFIEC, ISO 22301, NIST SP 800-34, NFPA 1600, SEC business continuity requirements, or any other set of industry standards, one truth applies across the board: To be effective and compliant at any level, business continuity, by definition, must be treated as a continuous cycle, not a once-and-done exercise.
Built properly, a BC program should be stringent enough to provide ample protection in the event of a disruption; it should also be flexible enough to meet the changing needs of your organization over time. The key to creating such a program is to give it a strong foundation—with all the right components—and refine those components continuously. Not only will this approach ensure your organization’s ability to recover in a time of need, it also provides a broader framework for building resilience in all areas of the company, and serves as a way to safeguard the interests of your key stakeholders, reputation, brand, and value-creating activities.
The business continuity management (BCM) “lifecycle” is defined by industry best practices: the activities necessary to reap the greatest benefit from the planning process. Each of the lifecycle components listed below is an element of both the FFIEC guidance and ISO 22301, which means all of them must be present in a BC program if an organization hopes to be in compliance with either. (See the Business Continuity booklet of the FFIEC IT Examination Handbook for a complete statement of the guidance.)
In the case of the FFIEC guidance, which is the most rigorous, examiners additionally expect evidence of your organization’s ongoing activities at each stage of the lifecycle, including documentation of continuity planning tasks and action items in progress. And keep in mind that FFIEC scrutiny doesn’t stop at banks: if your organization operates outside the banking industry but provides services to a bank (for example, accounting services or software), examiners expect you to meet the same business continuity standards, because the bank’s ability to recover depends on yours.
Whether you’re required to comply or not, the lifecycle below still applies. It is the accepted framework of BC programs across all industries—different sets of standards vary only in the required frequency of your activities. But all phases, cycled through regularly, are a necessary part of standards compliance across the board. (Your compliance budget, too, will play a role in the frequency of your activities and your risk management techniques.)
There are eight components to the business continuity management lifecycle; let’s take a closer look at each one below.
Eight Phases Of The Business Continuity Management Lifecycle
While the word “cycle” implies a series of events repeated continuously in the same order, for most mature BC programs the activities that comprise the lifecycle are dictated less by numerical order and more by a logical interweaving of activities, as will be explained in more detail below. (Clearly, you can’t do training or testing until you have plans developed.)
But if you’re kicking off a new program, these eight components should be completed in the order they appear below. Certain things will remain in place for as long as your BC program exists, like the support of a management committee. If your program is already in place, you won’t need to form a management team more than once, but you will continually revisit the committee’s structure and keep it engaged with the other phases to make the program work.
Phase 1: Executive Management Support & Sponsorship
Management support is the cornerstone of all BC programs. Sure, you can try to get key personnel in various units to participate in business continuity activities without management support, but you won’t get very far. Once it becomes clear that management isn’t on board with your plans, it’s unlikely that anyone else will be, either.
For that reason, the lifecycle starts with designating an executive steering committee. This group will take official ownership of the process and have an active and frequent role in overseeing and attesting to the program, especially in the development phase. Getting executive leaders involved in business continuity gives the program credibility that will extend to all areas of the company and provides the decision-making power needed to take action.
Start by identifying four to five key executives best suited to serve on the committee. Initiate a meeting to discuss and define the group’s charter, as well as roles and responsibilities for each individual involved. Also discuss key program components, such as a mission statement and strategy, scope, objectives, and budget. Outline it all in a document that will serve as the “charter” for your business continuity program, directing all future activities.
An active steering committee has monthly meetings to discuss the progression of the program and make decisions as needed. Its support will always be a critical part of the life cycle. Years after inception, the committee will still be involved in various phases of the cycle, analyzing newly gathered information, approving next steps, and budgeting for upcoming planning activities.
Phase 2: Business Impact Analysis & Risk Assessment
Once you have management support, the next component of the BC lifecycle is the Business Impact Analysis (BIA) and risk assessment.
Business Impact Analysis
What is a Business Impact Analysis? A BIA (sometimes called a business impact assessment) gives you a clear picture of the criticality of your business operations based on the processes they perform, and it helps you identify the dependencies (computer systems, specialized equipment, vital records, third parties, etc.) that must be in place for those processes to run. Conducted properly, a BIA leaves you with a realistic understanding of your company’s current state of operations, paving the way for a business recovery strategy that actually works. Specifically, a BIA:
- Assesses and prioritizes all business functions and processes, including their interdependencies, as part of a work flow analysis.
- Identifies the potential impact of business disruptions on your organization’s business functions and processes.
- Identifies legal and regulatory requirements for your organization’s business functions and processes.
- Estimates the maximum allowable downtime and the acceptable level of loss associated with each business function and process.
- Estimates a recovery time objective (RTO, how quickly a process must be running again) and a recovery point objective (RPO, how much data, measured as a window of time, the process can afford to lose) for each process. (Have a look at this recovery time objective definition, which includes a more thorough explanation of recovery time objective vs. recovery point objective.)
MHA’s Business Impact Analysis methodology dictates that BIAs be performed at the business unit level, for whichever business units were identified by the management team formed in Phase 1. Some companies choose to start by assessing only a few of their critical units; others may evaluate 15-20 units; still others evaluate all of their business units. Gathering the information above requires structured interviews with relevant personnel in the selected business units, supplemented by questionnaires. (See this business impact analysis guide and these business impact analysis steps to get the most out of the process.) The collected information comes together in a business impact analysis summary report.
Phase 2 also includes a risk assessment. If the BIA tells “what” would be impacted by a disruption, the risk assessment tells “how” impacts occur. Also referred to as a Threat & Risk Assessment, this step is important in understanding the kinds of risks that your organization faces.
The risk assessment involves:
- Identifying conditions or situations that may cause a business process outage.
- Determining the probability of a risk occurring.
- Pinpointing threats and hazards across all areas of the organization.
According to the FFIEC, risk assessment should not only consider the risks associated with specific platforms, operating systems, networks, and more, but also their potential to compromise interconnected systems and processes.
A complete risk assessment matrix template includes disruptions across four categories (see the World Economic Forum’s Global Risk Report 2016 for additional help in creating a risk management matrix):
- Natural and environmental risks: earthquakes, floods, hurricanes, etc.
- Human-related risks: strikes, terrorist attacks, pandemics, etc.
- IT-related risks: critical systems failures, viruses, etc.
- Other types of risks: business competition, power failures, etc.
Ranking each threat by its probability of occurrence and its severity (how serious the impact on your critical processes would be if the threat materializes) lets you identify the most critical risks: those that score high on both.
It’s important to understand the concepts of inherent vs. residual risk as they apply to business continuity. The risks you’ve identified here, together with the impact they would have on your critical processes should they occur, comprise the inherent risk: the risk to your company before any risk management measures have been put in place. Business continuity planning is all about mitigating risk, so you’ll also want to know your residual risk: the amount of risk that remains in a particular area once mitigating controls have been put in place. Scoring residual risk against inherent risk tells you how much your mitigating controls are actually buying you and how well your business recovery plans are likely to work. (Learn more about how to calculate residual risk and see a residual risk assessment example.) Managing residual risk is a key component of successful business continuity programs.
Once you’ve completed both of these activities, it’s helpful to integrate the Business Impact Analysis report and risk assessment results into a single view. By looking at the two together, management can make more informed business decisions on how to better allocate funds to reduce risks and determine which risks the company is willing to assume.
Based on the results of the BIA report and risk assessment, you now know which areas to focus on. Your results should be reported back to the management team, which then signs off on the report, indicating that it’s time to get to work. Then begins Phase 3…
Phase 3: Business Continuity Strategy Design
The identified risks (in addition to your organization’s specific business continuity planning requirements) serve as input for the creation of continuity strategies.
The strategies you design should be comprehensive, detailing the roles and responsibilities of all individuals who will be involved in the response. Your strategies should aim to resume business as usual, and they may include having redundant infrastructure, securing service level agreements with service providers, having backup power supply, cross-training employees, or even having proper medication or masks for addressing pandemic situations. (Read here about the difference between disaster recovery plans and business continuity plans.)
Among the enterprise risk examples to consider is a fire or flood damaging the premises and the computer systems in them. To address this threat, your recovery strategy might include relocation of employees and operations to an alternate recovery site and the creation of a mirrored data center. Here’s another scenario: a supplier or IT vendor failure that causes a loss of systems. Your recovery strategies could include the deployment of high availability hardware or fallback to a secondary site. Yet another common vulnerability: single points of failure in IT. Virtualization is a frequent source of these, because consolidating many workloads onto one host, storage array, or hypervisor cluster means a single failure can take all of them down at once, and that concentration should be identified and planned for.
A facilitator will be required to lead discussions of strategy options among key business personnel. The information and strategies that arise should again be presented to the management team for approval before moving forward.
Phase 4: Business & IT Alignment
In this phase, you’ll identify the most cost-effective disaster recovery solution that meets two main requirements as identified by the information gathered in Phases 2 and 3: 1) the minimum application and data requirements, and 2) the time in which those application and data requirements must be met. The solution phase determines:
- Crisis management command structure.
- Secondary work sites.
- Telecommunication architecture between primary and secondary work sites.
- Data replication methodology between primary and secondary work sites.
- Applications and data required at the secondary work site.
- Physical data requirements at the secondary work site.
Using the information available to you from the previous phases, identify and select the appropriate recovery strategies and associated logistics to determine how continuity and recovery will be achieved based on the organization’s existing technology infrastructure and related components.
For example, one business unit may say it can’t be offline for more than two days without significant risk to business operations; IT says the systems necessary to run that unit won’t be available for 10 days. Such a significant gap in your disaster recovery measures needs to be addressed. The requirements for the business unit need to be aligned with the reality of what the company can support. Assess alternative strategies by their ability to mitigate loss and their ability to meet critical business requirements.
Keep in mind: The budget plays a key role in strategy alignment. Your organization must balance the feasibility of what it can and cannot do with the need to properly prepare for a disruption. While it may not be possible at the current time to meet business requirements as stated, compromises can be made and future goals set in motion so that a minimal amount of disruption occurs and recovery requirements can be met eventually.
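The gap analysis described in this phase (a unit that needs to be back in two days against systems IT says will take ten) is easy to do by hand for one unit, but across 15-20 units with overlapping dependencies it is worth scripting. The following is an added example, not code from the original article or from MHA; the business units, systems, and hour figures are constructed sample data. It compares each unit’s BIA targets against the recovery time and replication lag IT can deliver per system, flags RTO gaps, RPO gaps, and systems that have no recovery plan at all, and computes each unit’s achievable RTO as the recovery time of its slowest dependency, since a unit is not back until everything it depends on is back.

```python
"""Business/IT alignment check: compare BIA recovery requirements (RTO/RPO per
business unit) with what IT can actually deliver per system, and list gaps.
Added example; all data below is constructed, not from a real BIA."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class BiaRequirement:
    """Recovery targets a business unit stated in its BIA (hours)."""
    unit: str
    rto_hours: float          # maximum tolerable outage before resumption
    rpo_hours: float          # maximum tolerable data loss, as a time window
    systems: Tuple[str, ...]  # IT dependencies the unit cannot run without


@dataclass(frozen=True)
class ItCapability:
    """What IT can currently deliver for one system (hours)."""
    system: str
    recovery_hours: float         # time to bring the system up at the alternate site
    replication_lag_hours: float  # age of the data that would be restored there


@dataclass(frozen=True)
class Gap:
    unit: str
    system: str
    kind: str                          # "RTO", "RPO" or "NO_PLAN"
    required_hours: float
    achievable_hours: Optional[float]  # None when IT has no recovery plan for the system

    @property
    def shortfall_hours(self) -> float:
        """How far IT falls short; a system with no plan is the worst possible gap."""
        if self.achievable_hours is None:
            return float("inf")
        return self.achievable_hours - self.required_hours


def find_gaps(requirements: List[BiaRequirement],
              capabilities: List[ItCapability]) -> List[Gap]:
    """Return every RTO/RPO shortfall across all units, worst first."""
    by_system: Dict[str, ItCapability] = {c.system: c for c in capabilities}
    gaps: List[Gap] = []
    for req in requirements:
        for system in req.systems:
            cap = by_system.get(system)
            if cap is None:
                gaps.append(Gap(req.unit, system, "NO_PLAN", req.rto_hours, None))
                continue
            if cap.recovery_hours > req.rto_hours:
                gaps.append(Gap(req.unit, system, "RTO", req.rto_hours, cap.recovery_hours))
            if cap.replication_lag_hours > req.rpo_hours:
                gaps.append(Gap(req.unit, system, "RPO", req.rpo_hours, cap.replication_lag_hours))
    return sorted(gaps, key=lambda g: g.shortfall_hours, reverse=True)


def effective_rto_hours(req: BiaRequirement,
                        capabilities: List[ItCapability]) -> Optional[float]:
    """A unit is back only when its slowest dependency is back, so its achievable
    RTO is the maximum recovery time across its systems. Returns None if any
    dependency has no recovery plan, because then no time can be promised."""
    by_system = {c.system: c for c in capabilities}
    times = []
    for system in req.systems:
        cap = by_system.get(system)
        if cap is None:
            return None
        times.append(cap.recovery_hours)
    return max(times) if times else 0.0


# Constructed sample data. Hours: 48 = 2 days, 240 = 10 days (the gap from the article).
REQUIREMENTS = [
    BiaRequirement("Claims Processing", rto_hours=48, rpo_hours=4,
                   systems=("claims-db", "document-imaging")),
    BiaRequirement("Payroll", rto_hours=120, rpo_hours=24, systems=("hr-erp",)),
    BiaRequirement("Trade Settlement", rto_hours=8, rpo_hours=0.5,
                   systems=("settlement-engine",)),
]
CAPABILITIES = [
    ItCapability("claims-db", recovery_hours=240, replication_lag_hours=24),
    ItCapability("document-imaging", recovery_hours=24, replication_lag_hours=1),
    ItCapability("hr-erp", recovery_hours=72, replication_lag_hours=12),
    # no entry for "settlement-engine": nobody has planned its recovery
]


def alignment_report(requirements=REQUIREMENTS, capabilities=CAPABILITIES) -> List[str]:
    """One line per gap, in priority order, ready for the steering committee."""
    lines = []
    for g in find_gaps(requirements, capabilities):
        if g.achievable_hours is None:
            lines.append(f"{g.unit}: {g.system} has no IT recovery plan "
                         f"(unit needs RTO {g.required_hours:g}h)")
        else:
            lines.append(f"{g.unit}: {g.system} {g.kind} gap, needs {g.required_hours:g}h, "
                         f"IT delivers {g.achievable_hours:g}h (+{g.shortfall_hours:g}h)")
    return lines


if __name__ == "__main__":
    for line in alignment_report():
        print(line)
```

Two design points worth noting. A missing capability entry is reported as its own gap rather than silently skipped, because “nobody owns this system’s recovery” is the gap most often discovered only during a real disruption. And the unit-level achievable RTO is the maximum over dependencies, not the average: a unit whose database is back in a day but whose imaging system takes ten days is down for ten days.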
Phase 5: Plan Development & Strategy Implementation
This is the final phase of strategy development, where you’ll develop detailed, step-by-step business recovery plans for each of the selected business units on how to recover critical business activities following an unplanned disruption. To make your plans uniform, it’s best to use a template developed in accordance with industry best practices.
Your final plans will take into consideration the following:
- Business unit-specific requirements (i.e., technology, equipment, people, relocation requirements, legal/regulatory requirements).
- Checklists for four distinct categories of disruptions:
  - Loss of building or geographic region.
  - Loss of technology, telecommunication, or equipment.
  - Loss of resources (specifically people) or a pandemic-related event.
  - Loss of a critical third-party channel.
- Checklists for three phases of managing a disruption:
  - Response phase—activation, notification, and assessment of the situation.
  - Recovery phase—implementing the requirements for operating within a non-business-as-usual scenario.
  - Restoration phase—tasks involved in returning to business as usual.
If gaps have been identified between business recovery requirements and IT delivery times, they should be filled. In some cases the situation may call for a manual workaround. Other times, there may not be a good workaround. If a regional power outage outlasts your backup power, there may simply be nothing you can do except notify stakeholders that you are currently offline and working to resolve the situation. (Read more about power outage procedures for businesses and then use this checklist to create a power outage plan template.)
Need help writing a business recovery plan that works? This free guide lists the essential components your plan needs, as well as tips on writing a thorough recovery checklist.
All proposed recovery strategies should be presented to the executive team. Taking into consideration the organization’s risk tolerance and risk capacity (as well as the risk management budget and/or disaster recovery budget), they will decide to either accept the plans as you’ve presented them or make changes. (See more on risk tolerance vs. risk capacity.)
At this point, it may be useful to compare management’s risk tolerance with the level of residual risk you’ve identified in the plan. In cases where gaps need to be filled, management may be willing to accept certain risks rather than take action to address them. For example, if it would cost $5 million to implement a change enabling systems to be recovered in two days, but the fines and other losses from a longer outage would total $100,000, and such outages are rare, it makes financial sense to accept the consequences of a disruption rather than fund the change. Should management decide to accept such a risk, document that they were made aware of the gap and the risk and that they chose to accept it; or, consider putting a risk mitigation plan in place to begin addressing the gap going forward. (Note that if the gap relates to a particularly critical business function or system, it may not be possible to accept the risk and remain in compliance with FFIEC guidelines.)
After plans are developed and strategies identified, move on to Phase 6.
Phase 6: Training & Awareness
All organizations should provide business continuity training and awareness to ensure all parties are aware of their primary and backup responsibilities in the event of an unplanned disruption. Training typically begins with more senior-level employees, for instance the supervisors responsible for the recovery of their business units. Ultimately, however, a formal training program should incorporate enterprise-wide training as well. Most standards and regulators (e.g., ISO 22301, the FFIEC) require that employees at all levels be involved.
As a result of the training program all employees should be made aware of the following:
- The conditions that would necessitate the plan being called into action.
- The individuals responsible for implementing the business recovery plan for each business unit and the organization as a whole.
- What to do if those individuals are not available at the time of a disaster. (Some level of cross-training may be necessary.)
At this stage, it’s appropriate to introduce an awareness program to ensure that customers, service providers, and regulators know how to contact your organization if normal communication channels are inoperable. For employees, reporting or calling locations should be established to ensure that all personnel are accounted for and/or know what’s going on. Various methods can be used to distribute this information, such as wallet cards, Intranet postings, email messages, cell phone text messages, and calling trees. Work with your human resource department to be sure all contact information is current within the HR system and that it is securely maintained as well as readily accessible from a variety of locations.
Also, designate an individual who will take on the responsibility of communicating with external stakeholders and provide them with access to contact information for vendors, emergency services, transportation companies, and relevant regulatory agencies. Make sure all employees are trained to refer any inquiries to the selected media spokesperson(s).
Phase 7: Testing & Maintenance
Once the plans are documented and implemented they should be regularly tested or exercised.
For brand-new programs, this phase is more about introducing the recovery plans and relevant documents and reviewing the logistics of each plan as a group. It’s also appropriate to present a simple disruptive scenario to business units and discuss how they might respond and recover from the event. You can then walk through the action plan items together.
Mature programs may be evaluated with more complicated testing scenarios, either scheduled in advance or as the need arises, as determined by the steering committee. Testing may involve moving people to other locations, evacuation drills, calling tree tests, or transport arrangements, among other things. In an unannounced drill it’s entirely possible that one or more key team members will be out of the office, a realistic situation that also needs to be tested—how will the team perform in the absence of a leader?
Tests should be evaluated based on a specific checklist and the results shared with the executive team. Depending on the type of exercise and the governing agency involved, there are specific objectives that must be met and approved by the steering committee, including but not limited to:
- Was the system (or systems) recovered on time?
- Were transactions tested and validated?
- Did the team respond appropriately by notifying the relevant customers, suppliers, etc.?
Organizations change; therefore plans change. All information associated with your continuity program—contact information, vendor information, employee information, supervisors, etc.—should be kept current and be confirmed and updated on a regular basis: at least annually for the plans themselves, and more often (every six months, or whenever a major change occurs) for contact lists and calling trees, which go stale fastest.
Additionally, your plans may change based on test results. The expected and actual results of every test should be compared, and gaps identified. Those gaps indicate areas of your program that need improvement.
Phase 8: Compliance Monitoring & Auditing
It makes good business sense to regularly ensure that your program remains in compliance with the required standards. When it comes to compliance, best practices dictate that specific objectives for the audit are determined ahead of time. They may include:
- A review of documents from the previous examination for outstanding issues or problems.
- Management’s response to audit recommendations noted since the last examination.
- An interview with the management team to identify changes in management, business strategies, or internal business processes that could affect the recovery process.
- An evaluation of newly identified threats and vulnerabilities and how they may impact the recovery process.
Tracking compliance metrics frequently is also beneficial for your bottom line. It’s becoming commonplace for companies to ensure potential business partners are prepared in the event of an emergency—and that means checking to make sure their business continuity program is up to par and current. (According to the SEC’s business continuity guidance, it is required that financial advisors identify and assess third-party services critical to their operations.) They want to know:
- Does the program include all the life cycle components?
- Who are the steering committee members?
- Do they perform risk assessments (and can we see them)?
- What are their recovery strategies?
- When did they last perform testing?
- What were the test results?
- Were the most recent action items addressed and closed?
If you outsource business recovery services, that organization should be willing to handle these interactions on your behalf. Even if your organization isn’t required to comply with FFIEC business continuity standards, having a business continuity program that is carefully thought-out, well documented, and meticulously maintained is a selling point in an increasingly interdependent business landscape.
Does your business continuity program have all the components of the BCM lifecycle?
If not, BCMMetrics™ can help. The BCMMetrics™ suite of online business continuity software is a unique set of online BCM tools that gives you the power to elevate your BC program to a level of excellence.
The three BCM software tools included in the suite facilitate enterprise business continuity activities including program administration, crisis management, business recovery, IT disaster recovery, supply chain risk management, and third-party management. They include:
- BIA On-Demand (BIAOD) acts as a business impact analysis template, ensuring you ask the right questions for the best results. And it’s simple to migrate the results gathered from your business impact metrics into a BIA report to share with the executive team—with a few clicks you can generate details on each business unit, providing authoritative and insightful information for all stakeholders.
- Compliance Confidence (C2) evaluates your BC program against multiple major industry standards—including FFIEC, ISO, BCI, NFPA, NIST, and more—and gives you a “FICO-like” score for your business continuity planning. You can also do compliance benchmarking, comparing your own company’s score against the scores of other users in your industry.
- Residual Risk (R2) promotes BCM risk management by providing a simple, quantitative method for residual risk assessment and risk management performance. It enables you to assess the risk factor of each business unit or system/application recovery plan, weigh the importance of mitigating controls and evaluate them, establish risk tolerance levels, and perform a residual risk calculation for each plan.
It’s never been easier to build a world-class business continuity program. If you’d like to know more, schedule a free demo of our tools today.