BCMS-DOC-06-1 Business Continuity Management Plan


ISO22301 Toolkit Version 4R1 ©CertiKit



Implementation Guidance (The header page and this section must be removed from final version of the document)

Purpose of this document

The Business Continuity Management Plan sets out the objectives to be achieved within business continuity for the current financial year and a plan to deliver them.

Areas of the standard addressed

This document is relevant to requirements in the following sections of the ISO22301 standard: 6.2 Business continuity objectives and plans to achieve them

General Guidance

Prior to the certification audit you must ensure that the plan has been communicated to relevant staff, that they have understood it and that these facts are evidenced e.g. via meeting minutes. The inviting and answering of questions during such a meeting is likely to show evidence of understanding. We would also recommend that the document is made available via the intranet if you have one or any other appropriate means.

Review Frequency

We would recommend that this document is created each year as part of an exercise which should include significant business involvement to ensure that changed requirements are captured and feedback obtained. It should then be reviewed at least quarterly as part of your management review cycle.

Toolkit Version Number

ISO22301 Toolkit Version 4R1 ©CertiKit.

Document Fields

This document may contain fields which need to be updated with your own information, including a field for Organization Name that is linked to the custom document property “Organization Name”. To update this field (and any others that may exist in this document):


1. Update the custom document property “Organization Name” by clicking File > Info > Properties > Advanced Properties > Custom > Organization Name
2. Press Ctrl a on the keyboard to select all text in the document (or use Select, Select All on the ribbon)
3. Press F9 on the keyboard to update all fields
4. When prompted, choose the option to just update TOC page numbers

If you wish to permanently convert the fields in this document to text i.e. so that they are no longer updateable, then you will need to click into each occurrence of the field and press Ctrl Shift F9.

If you would like to make all fields in the document visible then go to File > Options > Advanced > Show document content > Field shading and set this to “Always”. This can be useful to check that you have updated all fields correctly.

Further detail on the above procedure can be found in the Toolkit Completion Instructions.

Copyright notice

Except for any third party works included in this document, as identified in this document, this document has been authored by CertiKit, and is © copyright CertiKit except as stated below. CertiKit is a company registered in England and Wales with company number 6432088.

Licence terms

This document is licensed on and subject to the standard licence terms of CertiKit, available on request, or by download from our website. All other rights are reserved. Unless you have purchased this product you only have an evaluation licence. If this product was purchased, a full licence is granted to the person identified as the licensee in the relevant purchase order. The standard licence terms include special terms relating to any third-party copyright included in this document.

Disclaimer

Please Note: Your use of and reliance on this document template is at your sole risk. Document templates are intended to be used as a starting point only from which you will create your own document and to which you will apply all reasonable quality checks before use. Therefore please note that it is your responsibility to ensure that the content of any document you create that is based on our templates is correct and appropriate for your needs and complies with relevant laws in your country. You should take all reasonable and proper legal and other professional advice before using this document. CertiKit makes no claims, promises, or guarantees about the accuracy, completeness, or adequacy of our document templates, assumes no duty of care to any person with respect to its document templates or their contents, and expressly excludes and disclaims liability for any cost, expense, loss or damage suffered or incurred in reliance on our document templates, or in expectation of our document templates meeting your needs, including (without limitation) as a result of misstatements, errors and omissions in their contents.


[Replace with your logo]

Business Continuity Management Plan Financial Year YY/YY

Document Ref.: BCMS-DOC-06-1
Version: 1
Dated: [Insert date]
Document Author:
Document Owner:

Revision History

| Version | Date | Revision Author | Summary of Changes |
|---|---|---|---|
| | | | |

Distribution

| Name | Title |
|---|---|
| | |

Approval

| Name | Position | Signature | Date |
|---|---|---|---|
| | | | |

Contents

1 Introduction
2 Business Continuity Objectives
3 Plan to Achieve Objectives
4 Resources to Manage and Improve the BCMS
  4.1 Human Resources
  4.2 Technical Resources
  4.3 Information Resources
  4.4 Financial Resources
5 Risks to the Achievement of Objectives
  5.1 Opportunities for the BCMS
6 Conclusion

List of Tables

Table 1 - Business continuity objectives
Table 2 - Plan to achieve objectives
Table 3 - Human resources required to run the BCMS
Table 4 - Risks to objectives
Table 5 - Opportunities for the BCMS

1 Introduction

[Organization Name] is committed to establishing effective business continuity plans to protect its key business activities and meet its obligations to its stakeholders. As part of this commitment the organisation has established a Business Continuity Management System (BCMS) which complies with the requirements of the ISO22301 international standard for business continuity and will be seeking certification to this standard in the near future.

In line with the standard, it is essential that our business continuity objectives are consistent with our policies, measurable where practicable, communicated effectively within the organization (and outside where appropriate) and updated as part of the BCMS management review process.

Objectives will be based on a clear understanding of our business continuity requirements, including those from interested parties, and will take into account the results of business impact and risk assessments carried out at various levels within the organization.

This document sets out the organisation’s business continuity objectives and plans for the financial year YY/YY, including

• Who will be responsible
• What will be done
• What resources will be required
• When it will be completed
• How the results will be evaluated

This document should be read in conjunction with the following other components of the BCMS which give background information about the organization’s business continuity policy and requirements:

• BC Context, Requirements and Scope
• Business Continuity Policy
• Business Impact Analysis Tool


2 Business Continuity Objectives

In order to assess whether the BCMS is working as intended it is essential that clear objectives are defined, and a system of monitoring and measurement established to record progress against targets.

High-level objectives for business continuity are described in the BCMS document BC Context, Requirements and Scope and the overall framework for setting lower-level objectives is defined in the Business Continuity Policy, also a key component of the BCMS. Methods for determining to what extent objectives are being met are set out in the document Process for Monitoring, Measurement, Analysis and Evaluation.

As part of the BCMS management review process, objectives for business continuity are regularly set, reviewed and updated in the following major areas:

• Quality – generally how well the organization’s business activities are protected by the BCMS
• Capability – the knowledge, skills and experience available, mainly internally but also to some extent externally to the organization
• Cost – financial resources required to maintain and improve the BCMS
• Resource utilisation – how effectively organizational resources are employed
• Risk reduction – the degree to which known risks are treated to within acceptable limits
• Other – appropriate objectives that don’t fall into any of the above areas

In discussion with the management team and based upon documented requirements, [Organization Name] has agreed specific objectives in the area of business continuity as shown in Table 1 below. Achievement against these objectives will be tracked as part of regular management reviews of the BCMS.


| Ref. | Area | Objective | Tasks | Measurement Method | Target | Timescale | Person Responsible |
|---|---|---|---|---|---|---|---|
| 1. | Quality | Ensure that all identified key business activities have a business continuity plan in place to protect them | Hold workshops to define plans | Percentage of key business activities with a plan | 80% | 12 months | BC Manager |
| 2. | Quality | Ensure that all business continuity plans have been tested within the last 2 years | Agree testing schedule with top management | Percentage of plans tested within 2 years | 75% | 12 months | BC Manager |
| 3. | Capability | Provide training in business continuity for key resources | Identify courses; secure training budget | Number of people trained | 5 | 6 months | Person A |
| 4. | Cost | Reduce amount spent on business continuity | Review budget to identify savings | Percentage reduction on last year’s budget | 5% | 12 months | BC Manager |
| 5. | Resource utilisation | Increase number of days provided by business teams for analysis and testing | Agree allocation with top management | Percentage increase over last year’s commitment | 10% | 12 months | Team leaders |
| 6. | Risk reduction | Reduce number of high priority risks on risk register | Increase focus on high priority risks; hold workshops to identify ideas | Percentage reduction | 10% | 9 months | BC Manager |

Table 1 - Business continuity objectives


3 Plan to Achieve Objectives

In order to achieve our objectives, it is essential that we have a clear plan that is adequately resourced and has the full support of top management. The success of this plan will determine whether [Organization Name] remains adequately protected against disruptive events and their potential impacts.

The plan is shown in Table 2 below. The tasks required in order to achieve each objective are listed, together with the resources required, person responsible and completion timescale for each one. The method of evaluating the success of each task will vary according to the nature of the task, but an attempt to determine this is also shown.

This plan will be managed in conjunction with background improvement activities, which may be driven by internal and external audit results, risk assessments and management reviews, amongst other sources. Additional, more detailed plans may also be created in order to control the activities required and take account of internal and external dependencies.

Progress against the plan will be tracked by the Business Continuity Manager and reported to top management on a regular basis. In the event that a task is looking unlikely to be completed within the target timescale, the effect on the relevant business continuity objective should be evaluated. Depending on the conclusion, top management may decide whether or not to take action, such as increasing the resources available, to improve the expected completion time.

In the event that business continuity objectives are changed, the associated plan will also need to be revised.


| Ref. | Objective | Tasks | Resources Required | Person Responsible | Completion Timescale | Evaluation Method |
|---|---|---|---|---|---|---|
| 1. | All identified plans are in place | List plans; Implement plans; Verify plans | Specialist IT team; Internal audit | Business Continuity Manager | 12 months | List of signed off plans |
| 2. | All business continuity plans have been tested within the last 2 years | Agree testing schedule; Conduct tests; Produce test reports | Operational staff time | Business Continuity Manager | 12 months | Business Continuity test reports |
| 3. | Training in business continuity has been provided for all key resources | Identify key resources; Identify courses; Attend courses; Complete training records | Training budget; Time of attendees | Business Continuity Manager | 6 months | Training records |
| 4. | Reduce amount spent on business continuity | Review budget; Identify savings; Evaluate effect of reduction | Finance Manager | Business Continuity Manager | 12 months | Financial budget reports |
| 5. | Increase number of days provided by business teams for business continuity activities | Agree allocation with top management; Plan involvement; Conduct activities; Record days spent | Business teams | Chief Operations Officer | 12 months | Timesheets of key personnel |
| 6. | Reduce number of high priority risks on risk register | Hold workshops to identify ideas; Implement ideas; Reassess risks | Risk owners; IT team | Business Continuity Manager | 9 months | Risk register |

Table 2 - Plan to achieve objectives

4 Resources to Manage and Improve the BCMS

In addition to the specific resources required to meet the objectives set out within this document, the following resources will be required on an ongoing basis to manage and improve the BCMS.

4.1 Human Resources

The human resources needed for the BCMS are shown in Table 3 below. For more details of the specific responsibilities and authorities of the roles described here, see the BCMS document Roles, Responsibilities and Authorities.

| BCMS Role | Resources required | Comments |
|---|---|---|
| Business Continuity Steering Group | 1 day per quarter for each member | Assuming quarterly meetings |
| Business Continuity Manager | 1 x Full Time Equivalent | Assumed to be a full-time role |
| Business Process Owners | 1-3 days per quarter | Depends upon nature and number of processes owned |
| Department Managers | 2 days per annum | Mainly awareness activities and participation in exercises and testing |
| IT Technicians | No additional resource | Business continuity is already part of relevant roles |
| IT Users | 1 day per annum | Attendance at awareness events |

Table 3 - Human resources required to run the BCMS

[Describe any additional human resources that may be required e.g. contractors or secondments]

4.2 Technical Resources

[Set out any equipment and IT hardware and software that will be needed as part of running the BCMS]

4.3 Information Resources

[State what additional information you will need e.g. new reports from existing systems, access to external sources such as subscriptions to relevant organizations]

4.4 Financial Resources

[What additional budget, if any, is needed? When is it required and is it capital or revenue?]


5 Risks to the Achievement of Objectives

The following risks have been identified to the plans to achieve the objectives set out in this document. These will be managed and updated as part of regular management reviews of the BCMS.

| Ref. | Risk | Likelihood | Impact | Score | Risk Rating | Treatment |
|---|---|---|---|---|---|---|
| 1. | Resources may not be available to take on the proactive elements of business continuity that are not currently being carried out. | | | | | |
| 2. | Timescales to implement the improvements necessary to achieve ISO 22301 may not be long enough given the degree of change and to show sufficient track record for the audit | | | | | |
| 3. | Staff fail to engage with the BCMS leading to issues with plan development and testing | | | | | |
| 4. | Management are not sufficiently involved in the creation of the new quality system to carry it forward once certification gained | | | | | |

Table 4 - Risks to objectives


5.1 Opportunities for the BCMS

The following opportunities have been identified which may assist in preventing or reducing undesired effects or achieving continual improvement within the BCMS:

| Ref. | Opportunity | Opportunity Owner | Potential benefit | Actions | Timescale |
|---|---|---|---|---|---|
| 1. | Recent disruptive incidents at competitor organizations have raised the profile of business continuity in the industry | Business Continuity Manager | May make it easier to convince management of the need for additional strategies and plans | Identify strategies that may have prevented the incidents at competitors | 6 months |
| 2. | Increased budget in key departments | Business Continuity Manager | Some of this budget could be invested in additional business continuity protection | Discuss with department heads | 12 months |

Table 5 - Opportunities for the BCMS


6 Conclusion

This business continuity management plan is an essential part of the continual improvement of the BCMS within [Organization Name]. The objectives set for the year under consideration and the plans made to achieve them are intended to be challenging but achievable and will go a long way to protecting the organisation from disruptive incidents that may occur both now and in the future.
