
BCLE 2000

Lesson 1: Program Initiation and Management

Canadian Participant’s Guide


This four-day course has been developed by
DRI International and DRI Canada to provide a
comprehensive understanding of The Professional
Practices for Business Continuity Management and
their proper application within a business continuity
program. It is designed for the business continuity
professional with less than two-years’ experience.

© 2019 DRI International & DRI Canada. All rights reserved.


BCLE 2000: Canadian Participant’s Guide Lesson 1: Program Initiation and Management

The Professional Practices for Business Continuity Management


1. Program Initiation and Management
2. Risk Assessment
3. Business Impact Analysis
4. Business Continuity Strategies
5. Incident Response
6. Plan Development and Implementation
7. Awareness and Training Programs
8. Business Continuity Plan Exercise, Assessment, and Maintenance
9. Crisis Communications
10. Coordination with External Agencies

Professional Practice One: Program Initiation and Management


Objectives
• Establish the need for a business continuity program
• Obtain support and funding for the business continuity program
• Build the organizational framework to support the business continuity program
• Introduce key concepts, such as program management, risk awareness, identification of critical
functions/processes, recovery strategies, training and awareness, and exercising/testing


Class Activity: Business Continuity Terminology


Define the following terms:
Business Continuity

Disaster Recovery

Risk Assessment

Business Impact Analysis (BIA)

Recovery Time Objective (RTO)

Recovery Point Objective (RPO)

Crisis Management

Incident Management

Incident Response


Professional’s Role
1. Establish the need for a business continuity program
2. Obtain support and funding for the business continuity program
3. Coordinate and manage the implementation of the business continuity program throughout the entity.

1. Establish the Need for the Business Continuity Program


Three important concepts:
The business continuity program should be funded by leadership

Leadership may not support the business continuity program if they do not see value in it

Gaining leadership commitment should be accomplished before any other business continuity tasks

Other:

Other professionals may not be aware of how vulnerable their business is to all kinds of disasters. Establishing
the need for a business continuity program requires you perform the following tasks:
1.1. Research and reference relevant business, legal, regulatory, statutory, and contractual requirements and
restrictions both from an internal and external perspective, providing recommendations on compliance
and conformity for the entity
1.2. Reference relevant standards developed by national or international standards development bodies
and/or trade or industry associations
1.3. Identify and resolve any conflicts between the entity’s policies and relevant external requirements
1.4. Review existing audit reports to ensure the proposed business continuity program adequately addresses
any gaps or opportunities
1.5. State the benefits of business continuity within the context of the entity’s mission, objectives, and
operations
1.6. Explain the role of leadership, including their accountability and liability related to business continuity
1.7. Develop formal reports and presentations about the potential impacts of risks to the entity


Why is Business Continuity Important?


Safeguard life, property and the environment

Minimize confusion and enable effective decision-making in a time of crisis

Minimize the loss of assets, controls, revenue, and impact upon customers

Provide products and services even during adverse conditions

To ensure the survival of the entity

To satisfy any legal, regulatory or contractual requirements

To facilitate the timely recovery of critical business functions

To maintain a favorable public image and reputation of the entity

Additional notes about why business continuity is important:

2. Obtain Support and Funding for the Business Continuity Program


To gain leadership support and commitment for the business continuity program, you must:
2.1 Develop a mission statement and/or charter for the business continuity program within the context of the
entity’s mission
2.2 Develop objectives, assumptions, and scope for the business continuity program within the context of the
entity’s mission, objectives, and operations
2.3 Develop budget requirements for the business continuity program
2.4 Define the business continuity program structure and identify potential policy needs and critical success
factors
2.5 Present the proposed business continuity program structure to obtain leadership support and approval for
the business continuity program
2.6 Identify leadership sponsors for business continuity program development
2.7 Obtain leadership approval for budget requirements
2.8 Establish an oversight body such as a steering committee to lead the business continuity program
2.9 Define the scope, responsibilities, and overall accountability of each member of the steering committee
and its support functions

Which item is similar to a business continuity policy statement and who signs it?


Leadership Accountability and Liability


Leadership is accountable and liable to know and understand their legal responsibilities including:
1 The applicable laws

2 Any applicable regulations

3 Contractual and employment agreements

Important: Presenting legal and regulatory requirements to leadership is an effective way to establish the need
for business continuity management!

3. Coordinate and manage the implementation of the business continuity program throughout the entity.
Listed below are major tasks to manage a business continuity program.
3.1 Lead the steering committee in driving the implementation of objectives, program structure, and critical
success factors
3.2 Develop or utilize existing policies, standards, and procedures for the business continuity program
3.3 State the purpose of and obtain resources needed for the business continuity program
3.4 Identify teams to support business continuity program implementation
3.5 Monitor the status of the ongoing budget impact of the business continuity program
3.6 Develop project plans for core components, such as the risk assessment and business impact analysis
processes. Outline any tasks required to support the approved critical success factors
3.7 Oversee the ongoing effectiveness of the business continuity program
3.8 Report to leadership on the status of the business continuity program on a regular basis


Role of Leadership
• Protect and preserve the entity’s assets and resources
• Assign key functional personnel to required roles
• Protect entity from consequences of:
  • Business interruption
  • Loss of business-critical information
  • Inadequate protection of assets and resources
  • Loss or disclosure of customer personal data
  • Cyber-related issues

Role of the Steering Committee


• Define objectives, structure, policies and charter for the business continuity program
• Provide guidance and oversight for the business continuity program
• Provide the resources necessary to support the business continuity program
• Provide input and approval of business continuity project objectives, scope and timeframes
• Assist in the definition of roles and responsibilities
• Provide support for business continuity projects and the business continuity professional
• Provide coordination and support for the plan development

The Business Continuity Professional’s Role


• Obtains leadership support
• Gathers information relevant to the business continuity program
• Organizes and manages business continuity program:
  • Defines the program objectives
  • Assesses the program risk
  • Plans the program in detail
  • Tracks and reports program progress
  • Manages change


Scope, Objectives and Assumptions


Three important elements of the business continuity program:
Scope - The boundary, or extent, to which a process, procedure, certification or contract applies – initially consider
the whole entity!
Objectives - Document what will be delivered at the end of the project and what benefit that will provide to the
entity
Assumptions - Document the assumptions you are making regarding the program (e.g., commitment from
management, funding, resources, etc.)

In which of these three elements would you put exclusions?

Group Activity: Scope, Objectives, Assumptions


Develop the scope, objectives and assumptions for your entity’s business continuity program
Scope – The boundary, or extent, to which a process, procedure, certification, contract etc. applies. (ITIL) (IGR)
Initially consider the whole entity

Objective – something that you plan to do or achieve (Cambridge English Dictionary)

Assumption – something that you accept as true without question or proof (Cambridge English Dictionary)


Developing a Business Continuity Program


Tasks in a typical business continuity program may include:

After the business continuity program is implemented, what tasks must follow on an ongoing basis?


Managing the Business Continuity Program


Business continuity management is a continuous process!

Use of the Professional Practices framework to develop, implement, maintain the business continuity program

Sample Business Continuity Program Timeline


Sample Business Continuity Organization


[Figure: sample business continuity organization chart. Labels: Normal Operations; Execution; Impact. Boxes: Crisis Management Team (Steering Committee); Emergency Response Group/Damage Assessment Team; Business Continuity Leader; Corporate Support Team; Business Recovery Teams; Technical Recovery Team.]


Business Continuity Laws, Regulations and Standards

Laws
Created by duly authorized governments (Federal, state, municipal) – Legislative, Executive
Punitive – Criminal prosecution (Fines, Imprisonment), Civil litigation (Fines, Other penalties)

Regulations
Created by government/industry regulatory bodies
Punitive (Fines, Shutdown)
Subject to annual (operational/financial) audit conducted by a third party (Performance, Prescriptive)
Results are board issues
May create vendor requirements (due diligence) (e.g., Office of the Superintendent of Financial Institutions (OSFI),
Personal Information Protection and Electronic Documents Act (PIPEDA))

Standards
Voluntary (Non-punitive)
Conformity assessment through:
First-party – carried out by the entity itself
Second-party – carried out by an “interested party”, such as a customer or supplier
Third-party – carried out by an independent body, such as an audit firm
Standards are sometimes referenced in regulations
Standardization in a state of constant flux:
The Professional Practices for Business Continuity Management – revised every four years
ISO 22301 – revised or reaffirmed every 5 years
NFPA 1600 (the ANSI national standard) – revised every three years
CSA Z1600 (the Canadian national standard) – revised every three to five years


Report to Leadership
• Set up a reporting structure and status reports
• Program compliance
• Exercise/test results
• Industry standards and benchmarking
• What are the competition and peers doing?
• Formal reports and presentations
• Know what they need to know
• The benefits and value of business continuity
• Compliance and conformity requirements
• The status and any changes to the business continuity program

Important Concepts
Professional Practices – Emphasize knowing each of the subject areas.

Establish the need for business continuity – Highlight how business continuity adds value to obtain “buy-in” for
the program.

Leadership support - leadership commitment is essential for an effective program.

Emphasize leadership may not support the business continuity program if they do not see value in it.

Program management – It is important to get leadership commitment in order to develop the plan and achieve
objectives.

Business continuity responsibilities – Emphasize leadership liability, the role of the steering committee, and of
the business continuity professional. Emphasize business continuity team members should be assigned
continuity responsibilities consistent with each member’s job description.

Steering committee – This group provides guidance, oversight and approval of resources for the business
continuity program.


Class Exercise
1. Work in assigned teams
2. Select a team presenter
3. Be prepared to present your findings to the class
4. Develop a presentation to the leadership of your entity that addresses the following points:
a. The importance of business continuity
b. Any relevant regulations to your entity
c. The resource requirements for a program that need to be completed (e.g., risk assessment, business
impact analysis, business continuity plan)
d. A program plan overview with well-defined deliverables

The importance of business continuity:

Any relevant regulations:

Resource requirements for a project that needs to be completed:

A project plan overview with well-defined deliverables


Knowledge Checks
Professional Practice One: Program Initiation and Management
Circle the best choice for each question below. There is only one correct answer for each question.
1. What information should be presented to leadership about the need for business continuity?
a. Mechanisms for exercising and auditing
b. The schedule for reporting progress
c. Legal and regulatory requirements
d. The entity’s increasing reliance on technology to conduct operations

2. Which team is responsible for defining the objectives, structure, policies and charter for the business
continuity program?
a. Functional recovery teams
b. Steering committee
c. Incident response team
d. Damage assessment team

3. What is the most critical element to the success of the business continuity planning effort?
a. The policy statement written by the business continuity professional
b. Leadership commitment
c. The business impact analysis
d. Documenting all changes

4. Which team provides resources and support to the business continuity program?
a. Incident response team
b. Steering committee
c. Business continuity development team
d. Technology recovery team

Canadian Resources
Public Safety Canada - Resources
https://www.publicsafety.gc.ca/cnt/rsrcs/index-en.aspx
