BUSINESS CONTINUITY

MANAGEMENT

1. Establishing a BC Policy and

Objectives;
2. Ensuring the BCM Objectives are BCM
met; STRUCTURE
Assigning roles and
responsibilities;
MANAGEMENT
3. Allocating the resources for COMITMENT BCMS
implementing the BCM Program;
4. Actively participating in
selection of the BC Strategy;
5. Actively engaging in exercising Business Continuity Management
(BCM) is a comprehensive
and testing; management process essential to
6. Ensuring internal BCM ensure that the organisation is well
BCM Program
Programs audits are conducted; equipped to respond, in the most Owner
appropriate manner, to any kind of (CEO)
7. Conducting effective disruption, irrespective of type, Responsible for
management reviews of the BCM and ensure the continued continuous development,
availability of its identified priority
Program; and Products and/or Services ("BCM").
maintenance,
and coordination of the BCM
8. Directing and supporting Activities within their functions.
improvement of BCM Program. Business Continuity
Champions/Focal Identify their associates such as BCM PROGRAM
Points third-party suppliers, service STRUCTURE
(Functional Heads) providers and partners which
provide goods and services
needed to perform these
prioritized activities.

BCM Program
custodian (HSE/
BCM Framework ERM Director)

BCM Program
Manager (BCM
Function Manager)
STRATEGIC

Responsible for overseeing the .

overall resilience and the OPERATIONAL
suitability of contingency
measures by ensuring that BUSINESS SUPPORT
Executive emergency response, crisis
Determine Leadership management and business
Review, Carry Carry out the Understand continuity preparedness are at
Exercising and Determining Carry out the BIA
Evaluation and out BCM Develop and the scope of BCM acceptable and predefined
testing BC Strategies BC RA and map the levels.
Continual Awareness and implement BCP activities
organisation
Improvement Training

consists of appropriately qualified Organisational BCM capabilities and preparedness shall be

Carry out monitoring activities (e.g.
continuous and continual review,
internal audit, continual
improvement, external audit
processes etc.) to ensure that the
BCM arrangements are compliant
with ISO 22301:2019 – Societal
Security – Business Continuity
Management Systems and for a
robust and effective BCM
Program.
Carry out exercises and
other forms of testing and
evaluation to ensure that
BCP’s and their
supporting documentation
are current, effective and
‘fit for purpose’.
BCM Team and experienced personnel who communicated upwards to the relevant Higher Authority.
are collectively responsible for Strategic BCM expectations are communicated downwards that
Determining strategies Analyse the current level of Select which of these key The process of establishing, facilitating,
All priority business processes that support the delivery of operational include the following:
Identify, analyse and implementing, operating and • Minimum Business Continuity Objective (MBCO's);
impact to Products and/or business activities and their identifying key business Products and/or Services output are identified (e.g., human resources, finance
to mitigate (less the Services output if the key supporting processes, are
maintaining the BCM Program and planning, information technology and supply chain management etc.)
evaluate threats that activities, determining activities across the organisation . All operational activities considered critical to Product and/or
Carry out planned and impact of) the identified business activities and/or to be included as part of the Responsibility for the development, implementation, and continuous • Recovery Time Objective (RTO's); and
could prevent or delay whether these are Services outputs are identified, reviewed and prioritised to assess maintenance of supporting corporate recovery plans.
formalized BCM threats being realised their supporting processes BCM Program. The scope
the impact upon the continued delivery of those Products and/or
Develop and document business continuity are disrupted and the of BCM activities must focus considered to be of • Maximum Acceptable Outage (MAO's).
awareness and training before, during and after priority importance to Services, should a disruption occur to them. This includes (but is • Human resources succession plan,
plans to implement the activities to restore organisations entirely upon Products and/ The minimum documentary requirements for the Strategic Level of
at all levels of a disruption. preparedness to respond or Services output. maintaining its Products not limited to) ensuring that: BCM activity shall be as follows:
BC strategies. them. • Information technology disaster recovery plan;
management and staff. effectively. and/or Services output.
• Supply chain continuity plan; • Business Continuity Management policy;
The MBCO's set at strategic level are realistic and achievable;
• Logistics plan; and • Business Impact Analysis;
The RTO's set at strategic level are realistic and achievable;
• Finance plan. • Risk Assessments (i.e. ADNOC Group ERM
This level of BCM activity is required to be summarised in individual Business Frameworks);
The necessary levels of resources necessary to carry out BC Continuity Plan (BCP) documents. The minimum documentary requirements
for the business support level of BCM activity shall be as follows as minimum:
activities after a disruption are identified and available; and • Business Continuity Recovery Strategies;
• Business Impact Analysis/ Risk Assessment (BIA/RA);
The necessary BC strategies to improve preparedness for and to • IT Disaster Recovery Plan; and
• IT Disaster Recovery Plan (ITDRP);
respond effectively to a disruption are identified and implemented. • Business Continuity Plan
The minimum documentary requirements for the operational level • Business Continuity Recovery Strategies; and
of BCM activity shall be as follows as minimum:
• Business Continuity Plan

• Business Impact Analysis/ Risk Assessment

• IT Disaster Recovery Plan (ITDRP);
• Business Continuity Recovery Strategies; and
BCM Program Flow • Business Continuity Plan

BC Impact Matrix
DESIGN/
VALIDATION EMMBEDING BC IMPLEMENTATION \RECOVERY ANALYSIS
STRATEGIES POLICY
AND PROGRAM
MANAGEMENT

BCM EXERCISE &

The protection of
TEST
prioritized
BCP processes; BIA/RA BCM Policy

BCM
BCM Monitoring BC AWARENESS & IT DRP
Reducing, and
managing the Strategic BIA BIA/RA
Documentation
TRAINING impacts;

Recovery and
MBCO
resuming of
BCM Continual
Improvement prioritised 1. Context of 7. Business Impact 13.Awareness and
Training records
processes.
Analysis (BIA)/ Risk
Organization
Assessment (RA)
Methodology

RTO

2. BCM 14.Test and Exercises

08. Business Impact record
Objectives and Policy
Analysis (BIA)/ Risk
Assessment (RA)
MAO
Report

3. Roles and 15.Internal

09. Business
Responsibilities Audit record
Continuity Strategies

RPO

4. External and
10. Incident 16.Management
Internal issues and Review record
Response Plan (IRP)
interested parties

5. Competency of 11.Business Continuity 17.Corrections and

personnel Corrective actions
Plan (BCP)

6. Business Impact
Analysis (BIA) 12. Media Response Plan
(MRP) 18.Regulatory
requirements