BCMS-DOC-06-1 Business Continuity Management Plan


ISO22301 Toolkit: Version 6 ©CertiKit



Implementation guidance

The header page and this section, up to and including Disclaimer, must be removed from the final version of the document. For more details on replacing the logo, yellow highlighted text and certain generic terms, see the Completion Instructions document.

Purpose of this document

The Business Continuity Management Plan sets out the objectives to be achieved within business continuity for the current financial year and a plan to deliver them.

Areas of the standard addressed

This document is relevant to requirements in the following sections of the ISO22301 standard:

• 6. Planning
  o 6.1 Actions to address risks and opportunities
    ▪ 6.1.1 Determining risks and opportunities
    ▪ 6.1.2 Addressing risks and opportunities
  o 6.2 Business continuity objectives and planning to achieve them
    ▪ 6.2.1 Establishing business continuity objectives
    ▪ 6.2.2 Determining business continuity objectives
• 7. Support
  o 7.1 Resources

General guidance

Although this plan refers to a one-year time period, it is acceptable to cover a longer or shorter period if it is appropriate.

Prior to the certification audit you must ensure that the plan has been communicated to relevant staff, that they have understood it and that these facts are evidenced e.g. via meeting minutes. The inviting and answering of questions during such a meeting is likely to show evidence of understanding. We would also recommend that the document is made available via the intranet if you have one or any other appropriate means.

Version 1

Page 2 of 17

[Insert date]



Review frequency

We would recommend that this document is created each year as part of an exercise which should include significant business involvement to ensure that changed requirements are captured and feedback obtained. It should then be reviewed at least quarterly as part of your management review cycle.

Document fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”.

To update this field (and any others that may exist in this document):

1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name.
2. Press Ctrl A on the keyboard to select all text in the document (or use Select, Select All via the Editing header on the Home tab).
3. Press F9 on the keyboard to update all fields.
4. When prompted, choose the option to just update TOC page numbers.

If you wish to permanently convert the fields in this document to text, for instance, so that they are no longer updateable, you will need to click into each occurrence of the field and press Ctrl Shift F9.

If you would like to make all fields in the document visible, go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check you have updated all fields correctly.

Further detail on the above procedure can be found in the toolkit Completion Instructions. This document also contains guidance on working with the toolkit documents with an Apple Mac, and in Google Docs/Sheets.

Copyright notice

Except for any specifically identified third-party works included, this document has been authored by CertiKit, and is ©CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.


Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence.

If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.

Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use.

Therefore, please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country.

You should take all reasonable and proper legal and other professional advice before using this document.

CertiKit makes no claims, promises, or guarantees about the accuracy, completeness or adequacy of our document templates; assumes no duty of care to any person with respect to its document templates or their contents; and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.


Business Continuity Management Plan Financial Year 20xx/xx

DOCUMENT REF: BCMS-DOC-06-1
VERSION: 1
DATED: [Insert date]
DOCUMENT AUTHOR: [Insert name]
DOCUMENT OWNER: [Insert name/role]

Revision history

| VERSION | DATE | REVISION AUTHOR | SUMMARY OF CHANGES |
|---|---|---|---|
| | | | |

Distribution

| NAME | TITLE |
|---|---|
| | |

Approval

| NAME | POSITION | SIGNATURE | DATE |
|---|---|---|---|
| | | | |

Contents

1 Introduction
2 Business continuity objectives
3 Plan to achieve objectives
4 Resources to manage and improve the BCMS
  4.1 Human resources
  4.2 Technical resources
  4.3 Information resources
  4.4 Financial resources
5 Risks and opportunities for the BCMS
  5.1 Risks to the BCMS and Opportunities for the BCMS
6 Conclusion

Tables

Table 1: Business continuity objectives
Table 2: Plan to achieve objectives
Table 3: Human resources required to run the BCMS
Table 4: Risks to the BCMS and Opportunities for the BCMS

1 Introduction

[Organization Name] is committed to establishing effective business continuity plans to protect its key business activities and meet its obligations to its stakeholders. As part of this commitment the organization has established a Business Continuity Management System (BCMS) which complies with the requirements of the ISO22301 international standard for business continuity and will be seeking certification to this standard in the near future.

In line with the standard, it is essential that our business continuity objectives are consistent with our policies, measurable where practicable, communicated effectively within the organization (and outside where appropriate) and updated as part of the BCMS management review process.

Objectives will be based on a clear understanding of our business continuity requirements, including those from interested parties, and will consider the results of business impact and risk assessments carried out at various levels within the organization.

This document sets out the organization’s business continuity objectives and plans for the financial year YY/YY, including

• Who will be responsible
• What will be done
• What resources will be required
• When it will be completed
• How the results will be evaluated

This document should be read in conjunction with the following other components of the BCMS which give background information about the organization’s business continuity policy and requirements:

• BC Context, Requirements and Scope
• Business Continuity Policy
• Business Impact Analysis Tool

2 Business continuity objectives

In order to assess whether the BCMS is working as intended it is essential that clear objectives are defined, and a system of monitoring and measurement established to record progress against targets.

High-level objectives for business continuity are described in the BCMS document BC Context, Requirements and Scope and the overall framework for setting lower-level objectives is defined in the Business Continuity Policy, also a key component of the BCMS.

Methods for determining to what extent objectives are being met are set out in the document Process for Monitoring, Measurement, Analysis and Evaluation.

As part of the BCMS management review process, objectives for business continuity are regularly set, reviewed and updated in the following major areas:

• Quality: generally, how well the organization’s business activities are protected by the BCMS
• Capability: the knowledge, skills and experience available, mainly internally but also to some extent externally to the organization
• Cost: financial resources required to maintain and improve the BCMS
• Resource utilisation: how effectively organizational resources are employed
• Risk reduction: the degree to which known risks are treated to within acceptable limits
• Other: appropriate objectives that do not fall into any of the above areas

In discussion with the management team and based upon documented requirements, [Organization Name] has agreed specific objectives in the area of business continuity as shown in Table 1. Achievement against these objectives will be tracked as part of regular management reviews of the BCMS.

| # | AREA | OBJECTIVE | TASKS | MEASUREMENT METHOD | TARGET | TIMESCALE | PERSON RESPONSIBLE |
|---|---|---|---|---|---|---|---|
| 1. | BIA | Ensure that all identified key business activities have a business continuity plan in place to protect them | Hold workshops to define plans | Percentage of key business activities with a plan | 80% | 12 months | BC Manager |
| 2. | Testing BCPs | Ensure that all business continuity plans have been tested within the last 2 years | Agree testing schedule with top management | Percentage of plans tested within 2 years | 75% | 12 months | BC Manager |
| 3. | Capability | Provide training in business continuity for key resources | Identify courses; secure training budget | Number of people trained | 5 | 6 months | Person A |
| 4. | Cost | Reduce amount spent on business continuity | Review budget to identify savings | Percentage reduction on last year’s budget | 5% | 12 months | BC Manager |
| 5. | Resource utilisation | Increase number of days provided by business teams for analysis and testing | Agree allocation with top management | Percentage increase over last year’s commitment | 10% | 12 months | Team leaders |
| 6. | Risk reduction | Reduce number of high priority risks on risk register | Increase focus on high priority risks; hold workshops to identify ideas | Percentage reduction | 10% | 9 months | BC Manager |

Table 1: Business continuity objectives

3 Plan to achieve objectives

In order to achieve our objectives, it is essential that we have a clear plan that is adequately resourced and has the full support of top management. The success of this plan will determine whether [Organization Name] remains adequately protected against disruptive events and their potential impacts.

The plan is shown in Table 2. The tasks required in order to achieve each objective are listed, together with the resources required, person responsible and completion timescale for each one. The method of evaluating the success of each task will vary according to the nature of the task, but an attempt to determine this is also shown.

This plan will be managed in conjunction with background improvement activities, which may be driven by internal and external audit results, risk assessments and management reviews, amongst other sources. Additional, more detailed plans may also be created in order to control the activities required and take account of internal and external dependencies.

Progress against the plan will be tracked by the Business Continuity Manager and reported to top management on a regular basis. In the event that a task is looking unlikely to be completed within the target timescale, the effect on the relevant business continuity objective should be evaluated. Depending on the conclusion, top management may decide whether or not to act, such as increasing the resources available, to improve the expected completion time.

In the event that business continuity objectives are changed, the associated plan will also need to be revised.

| # | OBJECTIVE | TASKS | RESOURCES REQUIRED | PERSON RESPONSIBLE | COMPLETION TIMESCALE | EVALUATION METHOD |
|---|---|---|---|---|---|---|
| 1. | All identified plans are in place | List plans; Implement plans; Verify plans | Specialist IT team; Internal audit | Business Continuity Manager | 12 months | List of signed off plans |
| 2. | All business continuity plans have been tested within the last 2 years | Agree testing schedule; Conduct tests; Produce test reports | Operational staff time | Business Continuity Manager | 12 months | Business Continuity test reports |
| 3. | Training in business continuity has been provided for all key resources | Identify key resources; Identify courses; Attend courses; Complete training records | Training budget; Time of attendees | Business Continuity Manager | Six months | Training records |
| 4. | Reduce amount spent on business continuity | Review budget; Identify savings; Evaluate effect of reduction | Finance Manager | Business Continuity Manager | 12 months | Financial budget reports |
| 5. | Increase number of days provided by business teams for business continuity activities | Agree allocation with top management; Plan involvement; Conduct activities; Record days spent | Business teams | Chief Operations Officer | 12 months | Timesheets of key personnel |
| 6. | Reduce number of high priority risks on risk register | Hold workshops to identify ideas; Implement ideas; Reassess risks | Risk owners; IT team | Business Continuity Manager | Nine months | Risk register |

Table 2: Plan to achieve objectives

4 Resources to manage and improve the BCMS

In addition to the specific resources required to meet the objectives set out within this document, the following resources will be required on an ongoing basis to manage and improve the BCMS.

4.1 Human resources

The human resources needed for the BCMS are shown in Table 3. For more details of the specific responsibilities and authorities of the roles described here, see the BCMS document Roles, Responsibilities and Authorities.

| BCMS ROLE | RESOURCES REQUIRED | COMMENTS |
|---|---|---|
| Business Continuity Steering Group | 1 day per quarter for each member | Assuming quarterly meetings |
| Business Continuity Manager | 1 x Full Time Equivalent | Assumed to be a full-time role |
| Business Process Owners | 1-3 days per quarter | Depends upon nature and number of processes owned |
| Department Managers | 2 days per annum | Mainly awareness activities and participation in exercises and testing |
| IT Technicians | No additional resource | Business continuity is already part of relevant roles |
| IT Users | 1 day per annum | Attendance at awareness events |

Table 3: Human resources required to run the BCMS

[Describe any additional human resources that may be required e.g. contractors or secondments]

4.2 Technical resources

[Set out any equipment and IT hardware and software that will be needed as part of running the Business Continuity Management System (BCMS)]

4.3 Information resources

[State what additional information you will need e.g. new reports from existing systems, access to external sources such as subscriptions to relevant organizations]

4.4 Financial resources

[What additional budget, if any, is needed? When is it required and is it capital or revenue?]

5 Risks and opportunities for the BCMS

5.1 Risks to the BCMS and Opportunities for the BCMS

The following risks and opportunities have been identified to the plans to achieve the objectives set out in this document. These will be managed as part of regular management reviews of the BCMS.

| INTERESTED PARTY | RISK AND OPPORTUNITY | MITIGATION | RESPONSIBLE PERSON | MONITORED BY |
|---|---|---|---|---|
| Shareholder | (r) Value of share price should be maintained | Continue to grow market share | CFO | CEO |
| | (o) grow international markets | Research new international markets | Marketing Manager | CEO |
| Material Suppliers | (r) unable to continue manufacturing | Ensure that 2 or more suppliers per type of material are on the preferred list | Purchasing Manager/Production Manager | CFO |
| Services Suppliers: Electrical | (r) Loss of electrical power to offices due to being cut off | Purchase 4 diesel generators for emergency backup power | Operations Manager/Production Manager | BCM |
| Water | (r) Loss of water supply to factory | Purchase 2 emergency water holding tanks | Operations Manager/Production Manager | BCM |
| IT Support | (r) Loss of access to data | Ensure that all bills are paid within the time frame required | CFO | CEO |
| Customers | (r) Loss of sales and reputation | Increase marketing material | Marketing Manager | CEO |
| | (o) Increase customer happiness could result in more referrals and increased sales | Ensure 24 hours response to customer feedback | Customer Support Manager | Operations Manager |
| Employees of the organization | (r) Injury to employees | Ensure that the H&S checks are being done and react quickly to identified problems | H&S Manager/Facilities Manager | Operations Manager |
| | (r) failing to maintain compliance with the ISO standard and loss of certification | All new staff are to be given awareness training during induction | HR Manager | Quality Manager |
| | (o) Identify better procedures for dealing with disruptions | Quick response to incidents to reduce potential downtime | BCM | Operations Manager |
| Contractors providing external services to the organization | (r) loss of external provided services which may impact upon the safety of employees and production of products | Ensure that all bills are paid within the time frame required | CFO | CEO |
| | (r) loss of reputation in the market | Maintain positive company information in monthly blogs | Marketing Manager | CEO |
| | (o) increase reputation in the market and be known as a reliable partner | Look for industry awards that we can go for to demonstrate our reputation | Marketing Manager | CEO |
| National or local government organizations | (r) fines for noncompliance; (r) business closed down; (o) maintain a good reputation and be a leader in the market | Check relevant national and local government departments websites. Any changes to be sent to the relevant departmental manager for implementation | BCM/Departmental Managers | Quality Manager |

Table 4: Risks to the BCMS and Opportunities for the BCMS

This table is linked closely with Table 1 within the BCMS document BC Context Requirements and Scope.


6 Conclusion

This business continuity management plan is an essential part of the continual improvement of the BCMS within [Organization Name]. The objectives set for the year under consideration and the plans made to achieve them are intended to be challenging but achievable and will go a long way to protecting the organization from disruptive incidents that may occur both now and in the future.
