
Business Continuity

Dr. Naseem Twaissi


What is business continuity?

Business continuity is about making sure that you have prepared your
business for the unexpected, so that when your business is affected by
some form of disruption you can continue to operate and get it back to a
normal level of operation as quickly as possible.

What is business continuity?

• Business continuity planning (BCP) is the process a company
undergoes to create a prevention and recovery system from
potential threats such as natural disasters or cyber attacks.

• BCP is designed to protect personnel and assets and make sure
they can function quickly when disaster strikes.

• BCPs should be tested so that any weaknesses can be identified
and corrected.

Who needs to have a plan?


Whether your business is large or small and whatever your location,
you can suffer a business interruption. This may come from an internal
source, i.e. loss of staff, or an external one, such as loss of power
supply. In fact, in almost 90% of cases, business-threatening events are
not the result of a major incident.

What Is Business Continuity Planning (BCP)?

BCP involves defining any and all risks that can affect the company's
operations, making it an important part of the organization's risk
management strategy. Risks may include natural disasters—fire, flood,
or weather-related events—and cyber-attacks. Once the risks are
identified, the plan should also include:

• Determining how those risks will affect operations.

• Implementing safeguards and procedures to mitigate the risks.

• Testing procedures to ensure they work.

• Reviewing the process to make sure that it is up to date.

Business Continuity Management (BCM) benefits

Business continuity maintains continuity of operations and service
delivery

Additional benefits of having a business continuity plan in place are:
• Maintains the delivery of protective services to the public
which cannot be allowed to fail.
• In the event of business disruption, it provides the on-going
ability to maintain a service or services to customers.
• Ensures that the organization is able to proactively identify the
impacts of an operational disruption.
• Enables you to make the right decisions quickly.
• Ensures that the business has in place an effective response to
disruptions which minimizes the impact on the organization.
• Knowledge of minimum levels and service delivery allows
support resources from other parts of the business to be used to
bolster disrupted areas.

Business continuity helps to build customer confidence

Additional benefits of having a business continuity plan in place are:

• Building customer trust and confidence.

• Appealing to customers in regulated markets.

• Increasing customers’ confidence in the organization’s capability,
so that it is seen as more competent when others fail to deliver.

Business continuity helps to build confidence within the organization /
business

Additional benefits of having a business continuity plan in place are:
• Develops confidence in senior management's ability to
respond to a series of incidents and events in a formal,
planned and tested way.
• There is increased confidence in the general workforce, in
that they understand their jobs are not at risk and that
something is being done to protect their livelihood.
• Helps the CEO sleep better at night.

Business continuity is potentially lifesaving & provides competitive
advantage

Additional benefits of having a business continuity plan in place are:
• Ultimately customers prefer your product and service, leading
to a possible increase in demand.
• Maintaining or increasing competitive position by: preventing
significant harm to your corporate image and reputation;
preventing the loss of customers and/or shareholder confidence;
maintaining contractual requirements from key customers,
partners (no disruption to your supply chain); preventing
reduction of market share.
• Could enhance your reputation, and might gain a competitive
advantage.
• A business continuity plan is an advantage for your customers
when faced with the competition.
• It may be a customer requirement to have a plan in place.
• Gives you competitive advantage over those who don't do it.

Business continuity provides compliance benefits

• Minimize financial loss.

Business continuity helps preserve brand value and company
reputation.

• Ensuring the reputation of the organization in uncertain times (crisis
management - communication plan).

Business continuity ensures supply chain security and order fulfilment.

• Ensuring the safety and health of staff and visitors (safety and health).

Business continuity helps the organization

Is there a best practice approach to business continuity planning?

• BCM program design and deployment – including the definition
of policies, standards and tools to support business continuity
efforts. In addition, an effective BCM program should include
assigning accountability and responsibility for each key area (e.g.,
crisis management, business resumption and IT disaster recovery).

• Business impact analysis (BIA) – establishing recovery objectives
(business and technology), as well as the associated justification
for each.

• Risk assessment – identifying and prioritizing threats and failure
scenarios to which the organization may be vulnerable.

• Strategy design and implementation – identifying and
implementing continuity strategies that best meet the
organization’s needs, based on a cost-benefit analysis and driven
by the results of the BIA and risk assessment.

• Plan documentation – documenting response, recovery and
restoration procedures to enable effective business continuity
operations.

• Testing – validating and continuously improving business
continuity strategies and plans.

• Training and awareness – increasing knowledge regarding
business continuity operations, both in terms of response/recovery
team members, as well as employees in general.

• Compliance monitoring and audit – establishing compliance with
internal and third-party business continuity standards.

Business continuity management
Policy, Strategy and Tools

1. Establish the need for the business continuity program.

a. Research and reference relevant business, legal, regulatory,
statutory and contractual requirements and restrictions both from
an internal and external perspective, providing recommendations
on conformance and compliance for the organization.

b. Reference relevant standards developed by national or
international standards development bodies and/or trade or
industry associations.

c. Identify and resolve any conflicts between organizational policies
and relevant external requirements.

d. Review existing audit reports to ensure the proposed BCM
program adequately addresses any gaps or opportunities
previously identified (through either internal or external sources).

e. Identify business practices (such as complex supply chain
strategies implemented on a regional or global scale) that may
adversely impact the entity’s ability to recover following a
disaster event.

f. State the benefits of BCM and relate them to the entity’s mission,
objectives and operations.

g. Explain executive management's/leadership’s role, including their
accountability and liability within the BCM process.

h. Develop formal reports and presentations focused on increasing
the awareness and potential impact of risks to the organization
from a Business Continuity Management (BCM) perspective.

2. Obtain leadership/management support for the BCM program.

a. Develop a mission statement/charter for the BCM program.

b. Develop objectives for the BCM program tied to support of the
entity’s mission.

c. Develop budget requirements for the BCM program.

d. Define BCM program structure, its policies and critical success
factors.

e. Present and obtain management/leadership support and approval
of the BCM program.

f. Identify executive sponsors for BCM program development.

g. Obtain executive approval for budget requirements.

h. Gain agreement on the establishment of the Planning/Steering
Committee along with tactical support functions needed, including
primary and alternates for each role.

i. Define the scope, responsibilities and overall accountability of
each member of the Planning/Steering Committee and support
functions.

3. Coordinate and manage the implementation of the BCM program
throughout the entity.

a. Lead the designated Planning/Steering Committee in defining
objectives, program structure, policies and how critical success
factors will be managed.

b. Develop relevant policies, procedures and charters.

c. Clearly define and obtain the resources needed for the BCM program.

d. Identify teams for BCM program implementation including teams
that will participate in the execution

e. Monitor status of ongoing budget impact per existing
management process.

Training needs, skills, and competency framework

• What does a new member of staff need to know when they join
the organization?

• How might their competence be developed?

• What knowledge does the organization need to capture when an
individual leaves the organization?

• The generic training strategy below provides a useful
framework that will help scope the program of work.

• Identify relevant competences (what are the skills, knowledge
and attitudes needed by individuals who undertake BCM
roles?)

• Cluster and sequence the competencies

• Define specific learning objectives (state what participants will
be able to do after their training)

• Determine the amount of time and resources needed (this
may already exist, i.e. if you have a training department, BCM
could become part of the established training program)

• Choose learning methods and providers (see below)

• Decide how to monitor and evaluate progress (how will you
know you’ve achieved the training objectives?)

• Set up an administrative system

This document provides a framework to address the training
implications of a BCM program by looking at who needs to be trained,
what they might need training in, and how this training might be
undertaken.

Who needs training?

• The first issue here is what do we mean by training?

• We use the term here in its broadest sense, encompassing
everything from general awareness training to Master Classes for
senior managers. It could be argued that whereas emergency planning
requires certain people in an organization to have the
competence to respond to an external emergency, business
continuity requires all staff to know what their role is in order
to maintain critical services in the event of a disruption.

What training is required?

• The short answer is to provide a staff development program to
ensure staff are competent to play their role in BCM
arrangements. By competence we mean they have the
necessary knowledge, skills, and attitudes. Exactly what is
provided will depend on what their role is and their current
level of competence.

• A Training Needs Analysis (TNA) can help ensure training
resources are directed. Examples of specific training include:

• BCM awareness – where it fits in with corporate governance
arrangements and the general business cycle of the
organization.

• Awareness of what BCM is, the organization's commitment to it
(BCM Policy etc.) and what the organization's critical services
and functions are.

• Software training – if a particular software program is used to
support BCM arrangements, staff will need the competence to
use it.

• Writing a BCM plan – the collection of documents required that
will enable an organization to deliver its critical services when
interrupted.

• Validating BCM arrangements – the skills needed to run an
exercise to test the plan.

• Incident management skills – generic skills such as
communicating effectively, team working, recording decisions,
assessing options, etc. but in the context of having limited
resources, being under pressure, and experiencing significant
organizational disruption.

Developing a competency framework

• The purpose of this framework is to inform and drive continual,
effective, cross-functional, multi-level continuity planning
through holistic, integrated risk management practice in the
following ways:

• Establish a control environment to link corporate governance,
risk management, business planning and operational
performance to the University strategic direction (business
continuity program);

• Invest time, capital, tools and techniques to ensure BCM is a
fully embedded, auditable business management process
(business continuity planning);

• Provide senior managers with opportunities to obtain a sound
understanding of business continuity management and requisite
skills to implement business continuity effectively;

• Ensure the framework is sufficiently flexible to meet the
challenges of scalability, different University business profiles
and various geographic needs coupled with governance,
regulatory and legal regimes;

• Assist and manage events that require information and resource
coordination across multiple business functions and/or
campuses (Crisis Management Planning); and

• Uphold a resilience philosophy in which the University
business continuity capability always reflects the needs,
technology, structure and culture of its business.

Developing and implementing a Business Continuity plan

• A business continuity plan is a documented, step-by-step plan
for immediate response, backup operations and post-disaster
recovery that will ensure the availability of critical resources
and facilitate the continuity of operations in a crisis situation.
Business continuity planning is what organizations do to stay in
business.

• A business continuity plan answers the question, “How will we
get our jobs done if we suffer a significant business disruption
such as losing our facility?” Developing your business
continuity plan to include the worst-case scenario will help to
ensure that all your bases are covered, even with less
devastating events.

• Your first job will be to identify and prioritize the most
important business activities. These are essential business
functions that need to be maintained or restored during a
disruption. If your organization cannot get by without
performing a certain activity, then it belongs as an essential
function in your plan.

• Next, you’ll determine which people or groups both internal
and external to your organization are essential to getting these
jobs done.

• Then you’ll decide what steps these people will take and what
resources they will need.

Business Continuity Plan: Roles and Responsibilities

Business contingency roles and responsibilities are assigned to
individuals and their contact information is communicated to authorized
personnel.

As part of the establishment of a BC plan, one of the key areas is to
identify individuals who will be designated as the key personnel
responsible for the restoration activities. A high-level BC roles &
responsibilities section should include the following:

The BC plan roles & responsibilities section will detail the names of the
assigned individuals, their roles, plan of action during disaster, what
they are responsible to recover along with their contact information.

This has to be reviewed and approved by the respective managers and
senior management for correctness.

Distribute copies of this contingency plan to all the defined key
contingency personnel.

Coordinate the contingency planning activities with incident handling
activities and review the contingency plan for each information system
under consideration.

Update the plan based on personnel leaving the organization,
information system ownership changes, or environment of operation
changes and problems encountered during the implementation,
execution, or testing.

Protect the plan from unauthorized disclosure and modification.

At a more detailed level, the BC plan roles & responsibilities should
include:

Designation of appropriate teams to implement the strategy. Each team
should be trained and ready to deploy in the event of a disruptive
situation requiring plan activation.

The specific types of teams required, the size of each team, specific
team titles and hierarchy designs are all based on the systems taken into
consideration.

Personnel should be chosen to staff these teams based on their skills and
knowledge. Ideally, teams would be staffed with the personnel
responsible for the same or similar operation under normal conditions.

Team members must understand not only the BCDR plan purpose, but
also the procedures necessary to execute the recovery strategy. Teams
must be sufficient in size to remain viable if some members are
unavailable to respond, or alternate team members may be designated.

Team members should be familiar with the underlying goals and
procedures of other teams to facilitate inter-team coordination.

Plan for an alternate team - personnel from different geographic areas
should be chosen, to eliminate the possibility of a disaster occurring in
the area where all team members reside. As an alternative, contractors
or vendors can be hired, and such personnel have to be coordinated and
trained.

The team leader disseminates information to team members and approves
decisions on behalf of the team. An alternate should be designated to
act as the leader if the primary leader is unavailable.

Each team will be managed by a Management Team, to provide overall
guidance in the event of a major system disruption or emergency. This
team is responsible for activating the contingency plan, facilitating
communications among other teams and supervising the execution of
contingency plan operations, tests and exercises.

These teams are in turn managed by a senior management official, who
has the ultimate authority to activate the plan, and to make decisions
regarding spending levels, acceptable risk, and interagency
coordination.

The plan should also detail the order of succession as to who assumes
responsibility for the contingency plan execution in the event that the
highest authority is unavailable or unable to do so.

Understanding the organization

An accurate assessment of the Category 1 responder’s organization
and its business is critical, as it will provide the basis upon which all
subsequent BCM policies and processes are based.

An understanding of the organization comes from:

• the organization's objectives, obligations, statutory duties and
operating environment;
• the activities, assets and resources that support the delivery of
key products and services;
• assessing the impact and consequences of failure of these
activities; and
• identifying and evaluating the threats that could disrupt these.

Category 1 responders should carry out a business impact analysis that
assesses over time the impacts if the activity was disrupted; and
establish the maximum tolerable period of disruption (MTPD) of each.
MTPDs can be worked out by looking at the:

• time period after disruption that the activity must be resumed;
• minimum level needed upon resumption; and
• time period for achieving normal levels of operation.

Key to this is identifying interdependencies (assets, infrastructure, and
resources) to be maintained.

Category 1 responders should consider the following when assessing
impacts:

• the impact on staff or public wellbeing;
• the impact of damage to, or loss of, premises, technology or
information;
• the impact of breaches of statutory duties or regulatory
requirements;

Determining business continuity strategy

Category 1 responders should look at strategic options for their critical
activities while bearing in mind the most appropriate strategy will
depend on factors such as the maximum tolerable period of disruption,
cost, and consequences of inaction.

Strategies should be considered for the following areas:

• people - e.g. multi-skill training; separation of core skills; use of
third parties; succession planning; and knowledge retention and
management.
• premises - e.g. alternative premises/locations; working from
home and remote sites.
• technology - e.g. geographical spread; holding emergency
replacement, such as old equipment and spares; additional risk
mitigation for unique or long lead-time equipment; remote
access; third-party.
• information - e.g. confidentiality; integrity; availability; and
currency.
• supplies - e.g. storage of contingency stock at additional
location; third-party arrangements; assessing the BC capability of
your suppliers; dual sourcing; and contractual and service level
agreements.
• stakeholders - e.g. protect the interests of key suppliers and good
relationship management.

Senior managers should sign off documented strategies.
Developing and implementing a BCM

Business continuity planning is at the heart of the BCM process. The
business continuity plans provide the framework in which the
Category 1 responder mobilizes its response to a BCM challenge in
the event of an emergency. Plans normally consist of an Incident
Management Plan, a Business Continuity Plan and a Business
Recovery Plan.

In developing all plans, consideration should be given to:

• keeping it short, simple and user-friendly - it will need to be
read and understood in challenging and pressured
circumstances;

• ensuring the assumptions contained are realistic – e.g. numbers
of staff directly affected by the incident, the effect of the
‘backlog trap’ (i.e. the impact of the accumulation of tasks left
uncompleted on recovery)

Maintenance of the BCMS

Any organization that establishes and implements a BCMS needs to
follow the BCMS processes and deliverables, which are depicted in
figure. The BCMS processes, also known as the BCMS process life
cycle model, consist of six phases.

The stages of the BCMS process life cycle model are the following:

Stage one: business impact analysis


The business impact analysis (BIA), which is conducted during the
first stage, analyzes the financial and operational impact of disruptive
events on the business areas and processes of an organization. The
financial impact refers to monetary losses such as lost sales, lost
funding, and contractual penalties. Operational impact represents
non–monetary losses related to business operations, and can include
loss of competitive edge, damage to investor confidence, poor
customer service, low staff morale, and damage to business
reputation.

The BIA identifies the following information:

• Mission critical areas of the business and their processes;
• The extent of potential operational and financial impact to the
organization;
• Requirements for recovering disrupted critical business
processes.

The findings of the BIA enable an organization to determine the extent
of the overall effort needed to recover from potential business
disruption, thereby paving the way for developing the business
continuity strategy and business continuity procedures.

The most important deliverables of the BIA are:

• Essential process identification;
• Recovery times: maximum tolerable period of disruption
(MTPD), recovery time objectives (RTO);
• Minimum resource requirements.

Stage two: risk assessment

The risk assessment, which is composed of risk analysis and risk
evaluation, is performed on the critical processes identified during the
BIA stage. Risk analysis helps calculate the risk (impact x probability
of threat occurrence). The risk evaluation is made to find out the risk
significance. The main deliverable of this stage is the identification of
threat scenarios.

Stage three: business continuity strategy development

Business continuity strategy development “assesses the requirements
and identifies the options for recovery of critical processes and
resources in the event they are disrupted by a disaster,” (Alexander,
2016). The main purpose of this stage is to develop a business
continuity strategy that satisfies the business recovery requirements
identified in the BIA stage.

Stage four: operations resumption planning

An operations resumption plan “contains predetermined recovery
procedures and guidelines which organizations can follow during a
crisis situation to minimize impact to business.” The predetermined
procedures and guidelines prevent organizations from making
on-the-spot critical decisions in the middle of a crisis.

Stage five: business continuity exercising and testing

“The only way a company can assure that its BCMS arrangements are
validated is through exercises. The main purpose of the exercising stage
in the BCMS is to ‘validate the business continuity strategy, activities,
assumptions regarding times (MTPD, RTO), procedures and work
instructions specified in the business continuity plan,

Gaps and weaknesses within the plan are identified at this stage. The
idea is very simple: it is highly desirable to find the gaps and
shortcomings during an exercise rather than to discover them during a
real crisis situation. BCMS arrangements have to be practiced and, as a
consequence, will be reviewed and kept up to date. A company that
does not have records to show that its BCMS arrangements have been
tested and are ready to be implemented cannot assure it has a reliable
BCMS.

Stage six: business continuity plan maintenance

This stage maintains the business continuity plan in a constant
ready-state. The maintenance process of a BCMS is constant and dynamic. A
BCMS that is not constantly tested and updated will be of little help if a
disruptive incident hits the organization. Changes have to be monitored;
impacts, risk and continuity strategies need to be reevaluated; the
operations resumption plan needs to be updated; and exercises and
testing need to be evaluated.

THE BUSINESS CONTINUITY PLAN MAINTENANCE PROCESS

Once the business continuity arrangements have been tested, the role of
the maintenance stage becomes critical. Frequent internal and external
changes are common occurrences for business. Most of these changes
can potentially invalidate the business continuity plan unless it is
continually adjusted and modified to reflect these changes.

The main objective of this stage is to ensure that the BCMS always
remains current, complete, accurate and in a ready–state for execution.

To achieve its objective, the maintenance stage employs the processes
presented in figure two.

The maintenance processes are:

Business continuity plan change management

Without a business continuity plan change management process,
business continuity plan maintenance becomes very difficult. A change
management process addresses two of the most challenging aspects of
plan maintenance: monitoring changes in the organization and its
external environment; and controlling changes or revisions to the plan.
Figure three shows the main steps of the business continuity change
management process.

Figure three: business continuity plan change management process

Changes in the organization and the external environment are monitored
in step one (figure three), and changes identified as having a potential
impact on the BCMS are reviewed in step two to determine if those
changes actually affect the business continuity arrangements. In step
two, business continuity plan change requests are issued for changes
that affect the plan. Step three processes the change requests and
updates the plan with necessary changes and revisions.

Business continuity plan change management process step one:
Monitor changes

Step one of the plan's change management process represents the task
of constant monitoring of changes in the organization to identify
potential impacts on the plan. As presented in figure four, changes to the
organization can occur at multiple levels in the main categories of
process, people and resources.

Any changes in processes, people and resources can potentially require
changes to certain parts of the plan. For instance, a process-related
change can affect recovery priorities; a people-related change can affect
business continuity teams or notification procedures; and a
resource-related change can affect recovery requirements for IT systems.

Figure four: changes affecting business continuity arrangements

A business continuity plan is sensitive to changes that occur not only
internally within the organization but also externally in business
partners, vendors, alternate recovery facilities, and off-site storage
facilities. The examples below demonstrate possible internal and
external changes related to processes, people and resources that may
impact the plan.

Process related impacts

• A new strategic product is introduced and, as a result, new
procedures are added to affected business units.

• A supplier has switched from manually processing orders to
automatic order processing.

People related impacts

• An early retirement package is given to employees and as a
result a number of senior personnel have left the firm.

• Several key IT technical recovery team members have been
promoted to different departments and no longer perform the
same roles.

Resource related impacts

• The local area network supporting the organization's critical
systems has changed from token-ring to an ethernet
architecture.

• The hot site vendor has recently upgraded its mainframe system
to accommodate additional customers. This has resulted in
certain configuration changes.

The output of this step consists of a compilation of monitored changes
that can potentially impact the business continuity arrangements.

Business continuity plan change management process step two:
review compiled changes, test results and audit results

The main purpose of this step is to review information that can
potentially affect the business continuity arrangements’ accuracy and
validity, and cause the organization to issue BCMS change requests.
There are three main sources of input to this step. The first source of
input is the compiled changes from step one; the second source is the
result of business continuity arrangements exercises or testing; and the
third source is the results of any business continuity plan audits. A
change manager, responsible for coordinating the processing of change
requests with business continuity teams, reviews the information from
these three sources in order to determine if it affects the plan. After this
review, one or more change requests are issued corresponding to the
information affecting the plan.

Thank You
Dr. Naseem Twaissi