• Home
• News Archive
• About The LRF
  • LRF Structure
  • LRF Membership
• Major Incidents
• Advice
  • Flooding
• Public Plans
• Risk Register
• Business Continuity Management
  • BCM Lifecycle
  • BCM Emergency Pack
  • BCM Templates
  • BCM Advice
  • BCM Newsletters
  • BCM Contacts
• Useful Links
• Weather
• Mario Maps
• Members Area
  • Log In
  • Register

BCM - Lifecycle

The following pages will introduce you to the process of embedding Business Continuity Management through the Business Continuity Lifecycle process, developed by the Business Continuity Institute.

Step 1: Analyse Your Business

Step 2: Hazard Identification List

Step 3: Risk Assessment

Step 4: Develop Recovery / Response Plans

Step 5: Testing and Exercising your Plans

Step 1: Analyse your business

The first step of your business continuity plan is to think about the parts of your business that are crucial in keeping it going during and following a crisis. This step is called the Business Impact Analysis (BIA).
 
The BIA involves identifying the critical business activities within the business and determining the impact of not performing that function. Types of criteria for assessing the impact include:

• Customer service/satisfaction
• internal operations
• legal/statutory requiremen
• financial impacts

Once functions have been identified the BIA should look at the time dependencies for each and assign a Recovery Time Objective. This is the time span that the function could be suspended, if at all and how quickly the function/activity would need to be recovered.

Step 2: Hazard Identification Checklist

The next step in developing your Business Continuity Plan will be to Identify the risks that could cause a disruption to your operations. Most risks can be grouped into the following categories:

• People
• Premises
• Information (Electronic & Non-Electronic)
• Location
• Environmental
• Utilities / Services

Common risks experienced by businesses include:

• Fire/Flood
• Bomb/Terrorist threat
• Denial of access to premises
• Legal/Regulatory actions
• Utilities failures
• Burglary/Vandalism
• Staff sickness/absence
• Supplier failure

More information on potential risks can be found in UK Resilience Planning Assumptions.

Step 3: Risk Assessment

Once the risks have been identified they need to be assessed as to their potential to create disruption and the probability of occurrence. The analysis process could take the following form:

• Document the risks identified in previous step.
• List the likelihood of the risk occurring.
• List what arrangements you currently have in place to prevent or reduce the likelihood of the risk occurring.
• List what arrangements you could put in place to prevent or reduce the risk on your business.
• Assign a likelihood score for each risk.
• Plot the likelihood against the impact.
• Rank the risks and make an informed decision about what action to take.

The options are:

TREAT – use of BCM to reduce disruption by ensuring the activity continues at, or is recovered to, an acceptable level and within the timeframe stipulated in the BIA.

TOLERATE – you may decide that you are willing to accept the risk as the cost of implementing any risk reduction strategies outweigh the benefits.

TRANSFER – for some risks the best response may be to transfer them. This might be done by conventional insurance or contractual arrangements, or it might be done by paying a third party to take the risk in another way. This option is particularly good for mitigating financial risks or risks to assets.

TERMINATE – in some circumstances it might be appropriate to change, suspend or terminate the service, product, activity, function or process. This option ought only to be considered where there is no conflict with the businesses objectives, statutory compliance and stakeholder expectation. This approach is most likely to be considered where a service, product, activity, function or process has a limited lifespan.

Step 4: Develop Recovery/Response Plans

This step in the process is concerned with the development and implementation of appropriate plans and arrangements to ensure the management of an incident and continuity and recovery of critical activities that support key products and services. A developed plan may include the following:

• Purpose and Scope – It is important to clearly state the purpose and scope of the plan being developed.
• Document owner and maintainer – You should document who owns the plan and who is responsible for reviewing, amending and updating it at predetermined intervals.
• Roles and Responsibilities – The plan should list all individuals with a role in its implementation and explain what that role is.
• Plan Invocation – The method by which the plan is invoked should be clearly documented, setting out the individuals who have the authority to invoke the plan and under what circumstances.
• Contact Details – All plans should contain or provide a reference to the essential contact details for all key stakeholders, including all those staff involved in the implementation of the plan.
• Incident Management – You should document the tasks that will be required to manage the incident and the individuals responsible for each task.
• Communication Strategy – The plan should include a communications strategy detailing information to be given out or sought, by whom and in what format.

Step 5: Testing and Exercising Your Plans

This element of the BCM process ensures that the recovery plans developed are fit-for-purpose, up-to date and that they deliver the required response. Your BCM arrangements cannot be considered reliable until they are exercised and proved to be workable. Exercising should involve:

• Validating plans,
• Rehearsing key staff,
• Testing systems relied upon to deliver resilience.

The frequency and type of exercises will depend on your business, but you should take into account the rate of change and outcomes from previous exercises. As a minimum exercises should be conducted on an annual basis. The Four main types of exercising your plans are testing, discussion, table-top and live exercises.

Testing – not all aspects of your plan can be tested, but some crucial elements can, such as the contact list and the activation process.

Discussion – this is the cheapest and easiest exercise to prepare. This type of exercise will bring staff together to inform them of the plan and their individual responsibilities. It will include a discussion of the plan to identify problems and solutions.

Table-top exercise – this is a scenario based and is likely to offer the most efficient method of validating plans and rehearsing key staff. It brings staff together to take decisions as a scenario unfolds in very much the same way they would in the event of a real incident.

Live exercise – This ranges from a small scale test of one component, such as evacuation, through to a full scale test of all components of the plan.

What ever type of exercise you opt for, it is worth considering inviting other stakeholders, and in particular, those that you rely on to deliver your key products and services. It is also important to record and evaluate the event, through a debriefing immediately after the exercise and then written up in a lessons learned report with actions as necessary