Business Compliance and Recovery Management
Surviving a crisis and ensuring sustainable operations is a key corporate strategic objective and a fundamental requirement for any organisation.
Those responsible for management during emergency situations need to count on proven solutions. Recent experience with disruptive events such as natural disasters, pandemics, and terrorist attacks has shown that some organisations did not have adequate crisis management capabilities, and as a result did not survive.
Boards, and other stakeholders including Regulators, are increasingly focussing on this issue and are demanding that management address it, as it is a major risk in most organisations. Failure to plan, train, and test preparedness for the possibility of service interruptions may result in anything from mild annoyances, through personal injury, to catastrophic business failure.
- damaged corporate reputation;
- destruction of property and facilities;
- lost market share;
can seriously affect any organisation.
BCRM are uniquely placed to assist you as we not only can develop and implement business continuity and disaster recovery plans but have done so for ourselves and been certified to BS 25999 (now ISO 22301) to prove it. Unlike some, we can ‘walk the walk’ and prove it.
BCRM has developed its own methodology based on ISO 22301 and ISO 22313 that contains a Business Continuity Management Policy and all of the processes, procedures and plans that are required to develop a Business Continuity Management System (BCMS) based on the Deming cycle of Plan, Do, Check, Act (PDCA), which all of the major management systems standards have adopted. Whilst the PDCA cycle is no longer mandated in Annex SL, many organisations still prefer to use this process.
The type of Business Continuity Plan(s) (BCP(s)) that you define, implement and continuously improve will depend on your organisational requirements, structure, culture and specific needs.
Specific Areas where BCRM can assist you are:
Risk and Vulnerability Assessments – understanding the threats, vulnerabilities and risks relevant to your business. Failure to understand risks means that all subsequent planning is almost certain to be flawed, leading to unnecessary cost and BCP(s) that may not be appropriate when needed. We can help you identify, quantify and treat these risks and enhance your ability to recover in case of need;
Define the Scope of Certification – it is essential that the scope for a Certificate of Registration is defined so that the boundaries of the project can be identified and the assets within the scope determined and agreed so that the risk to them can be determined and treated. We will also advise you on the scope statement to be used on your certificate.
Gap Analysis – perform gap analyses against the requirements of ISO 22301 or your own existing BCMS;
Business Impact Analysis and Strategy – work with your employees to determine which business processes are critical to ongoing organisational viability. This will produce a ‘view’ of the various impacts that a range of disruptions may have on your business and will identify which business processes and their resources are truly required to achieve business continuity and meet customer requirements for your products or services;
Develop Strategies – work with your employees to investigate and develop strategies for recovering business operations and processes, on time and to the required service levels based on the findings of the Business Impact Assessment(s) undertaken. Usually, there are a number of different recovery options available that need to be fully explored before a final decision is taken. Appropriate strategies can then be developed, adopted and implemented to ensure a robust and repeatable business recovery is in place;
Business Continuity Plans – once the appropriate strategy(ies) have been agreed, developed and implemented, the production of supporting BCP(s) can take place. Our Consultants work with your employees to ensure that the plans are workable and robust. These are then clearly documented and reviewed prior to being made available, as required, within your organisation in an accessible form and format. Plans will contain details of all relevant information needed for timely recovery and will typically include:
- action checklists;
- activation criteria;
- call lists (contact trees);
- clear lines of escalation;
- communications plans;
- resource requirements (on site and off site);
- other important information.
Documented Procedures – as well as the BCP(s), all other procedures to support the operation of the BCMS must be defined and developed. These will be developed by the BCRM team either using existing documents as a base or creating new ones. Whichever process is used, the new procedures are developed in conjunction with your employees to maximise ‘buy in’ and to ensure that they accurately reflect your working practices.
Implementation and Awareness Training – once the BCP(s) are developed, they need to be introduced to relevant employees appropriately. This means that there is the need for specialised training and our Consultants can assist in developing and delivering training and awareness programmes for all employees. Successful implementation of BCP(s) is critical to the whole BCM process. Employees with specific roles and responsibilities in the BCP(s) need to know what is expected of them if the BCP(s) are invoked and to be trained accordingly. Wider awareness of the plans must be raised across the whole of your organisation as all employees need to know what plans are in place to protect both them and the organisation, should an interruption occur.
Testing and Exercising – just having a BCP is not enough, nor is having a BCP and training staff in how to use it. Once training has been undertaken, a programme of testing the BCP(s) must be undertaken for all of the management teams who have roles and responsibilities during any invocation to ensure they understand the BCP(s) and that the BCP(s) are ‘fit for purpose’. There are six different types of BCP testing that can be undertaken:
- checklist – copies of the plan are sent to different department managers and business unit managers for review. This is a simple test and should be used in conjunction with other tests;
- structured walk-through – BCP team members and other individuals responsible for recovery meet and walk through the plan step-by-step to identify errors and validate assumptions;
- simulation – a simulation of an actual emergency. Members of the response team act in the same way as if there was a real emergency;
- parallel run – this is similar to simulation testing, but the primary site is not affected and critical systems are run in parallel at the alternative and primary sites and results compared;
- partial implementation – an element of the BCP is tested on its own, rather than having a full invocation of the BCP(s);
- full invocation – this test involves a full invocation of the BCP in response to an emergency. It mimics a real disaster where all steps are performed to test the plan. Systems are shut down at the primary site and all individuals who would be involved in a real emergency, including employees and any external third party suppliers, participate in the test. This test is the most detailed, time-consuming, and expensive of all. On account of this, it is not performed that frequently.
Emergency Response Planning – immediate action that takes place on discovery of any incident that may affect your normal operational capability and before BCP and Top Management decision makers are informed. BCRM can assist you in developing an emergency response plan that ensures clear and concise corporate directives are supplied to all employees that might face situations requiring emergency response. These can include, but are not limited to:
- bomb or device searching;
- disability evacuation;
- emergency assembly points;
- evacuation plans;
- fire training;
- first aid training;
- floor warden programs;
- notification contact trees;
Crisis and Communication Planning – we can help you develop a crisis management team and plan which will guide your enterprise-wide response to an event through a clear chain of command and determine the internal and external communications requirements.
Review and Maintain – BCPs and other procedures are living documents and as such, they need to be regularly reviewed and maintained to ensure that the information is correct and up to date. Typically, reviews take place after testing, auditing, on a fixed time frequency or on influencing change.
Assistance in Gaining an ISO 22301 Certificate of Registration – we can assist you in gaining ISO 22301 certification, something we have done for other Clients. We use our standard 4 step process for this, which is well established and a proven method for obtaining certification for management standards.
Two other standards that provide assistance in the BCM arena are:
The BCRM approach to ISO 22301 covers:
- defining the scope of the BCMS;
- understanding the business, its context and interested parties;
- establishing the BCMS;
- embedding Business Continuity Management (BCM) in the business;
- implementing and operating the BCMS;
- developing and testing BCP(s);
- monitoring and reviewing the BCMS;
- auditing the BCMS;
- management reviews of the BCMS;
- continuous improvement of the BCMS.
BCRM has experience in implementing ISO 22301 for its clients and taking a number of them through to certification.
The BCRM approach builds operational resilience by:
- allowing you to make contractual bids, where if you were not certified, you may be precluded;
- assuring management and customers of resilience and recovery / business continuity levels in place;
- demonstrating compliance verified by a third party Certification Body;
- empowering employees to act according to the BCP(s);
- ensuring safety of employees;
- ensuring security of physical assets;
- ensuring that critical staff have trained alternates;
- ensuring that processes and procedures for recovery are documented and tested;
- facilitating recovery of business processes in order of criticality;
- furthering BCM awareness within your organisation;
- increasing customer confidence in your products and services;
- making a public statement that you have addressed BCM;
- managing and treating significant risks to reduce them to an acceptable level in line with risk appetite.
- BCRM are justifiably proud of our 100% SUCCESS RATE of achieving first time certification through an Accredited Certification Body for our Clients;
- BCRM is committed to providing a consistently high value service to our Clients;
- David Lilburn Watson, who remains personally ‘hands-on’ throughout the process, manages this process.
- to understand how the BCRM suite of offerings can be used to transform your business, please contact us;
- we look forward to discussing your specific requirements, at your convenience;
- whatever other type of consultancy you require, we can possibly offer a free Health Check.