8 Operation
8.1 Operational planning and control
Manage what needs to be done to achieve your objectives and address your risks by:
- Deciding how your processes should operate
- Controlling your processes
- Keeping appropriate records to show your processes are working
Make changes carefully and think about what to do when unexpected changes happen. If you get another organization to do things for you, make sure it's clear how that works.
8.2 Business impact analysis and risk assessment
8.2.1 General
Write down and use a process that allows you to decide how big a problem it would be if various events were to happen and how likely these are. Keep the business impact analysis and risk assessment up to date, especially when things change.
8.2.2 Business impact analysis
Create and implement a written process that works out what to recover first and to what extent.
Include:
- What kinds of impact need to be considered
- The activities that help to produce or deliver the products and services
- How much worse the situation gets over time
- How long we have to recover the activities before it becomes a real problem
- Targets for getting things working again
- Which activities to focus on first
- What we need to recover the activities
- Who and what else we need to recover these activities
8.2.3 Risk assessment
Create and implement a written process that works out which risks to your business activities are the ones to really worry about.
This needs to:
- Make a list of the risks that could lead to a disruption of anything that contributes to the important activities of the organization
- Decide how likely they are and what the impact would be if they happened
- Work out which ones need to have something done about them
8.3 Business continuity strategies and solutions
8.3.1 General
Once you’ve decided on a list of what could happen, how likely the risks are and what impact they would have, think about what approaches (or strategies) could be taken to provide business continuity before, during and after a bad event. Each approach will be made up of one or more parts (solutions).
8.3.2 Identification of strategies and solutions
Use the following criteria to decide whether the strategies and solutions are helpful. Do they:
- Allow you to recover when and how you need to
- Apply to the most important activities
- Lessen the impact
- Shorten the impact
- Protect our products and services
- Have enough resources to work
8.3.3 Selection of strategies and solutions
Choose the strategies and solutions that:
- Allow you to recover when and how you need to
- Are not too risky for your organization
- Are justified by the costs and benefits
8.3.4 Resource requirements
Once the strategies have been chosen, you need to think about what resources are needed to deliver them. These may include:
- People
- Information and data
- Buildings and other physical resources
- Facilities, equipment and consumables
- Computer systems
- Transport
- Money
- Third parties, e.g. suppliers
8.3.5 Implementation of solutions
When you’ve chosen your solutions, get them ready so they can be used when needed.
8.4 Business continuity plans and procedures
8.4.1 General
Create a defined approach to be used if a disruptive incident happens, that tells the right people about it as soon as possible. Plans and procedures will show which solutions to use to address the situation, and these plans should be based on which strategies and solutions were chosen as being potentially useful.
The procedures shall:
- Say what to do first
- Allow for changes in the situation
- Focus on the important activities first
- Use the right solutions to lessen the impact
- Say who should do what
8.4.2 Response structure
Define who will do what, in which teams, and who will report to whom when a disruptive event happens.
Together, the teams must be able to:
- Assess how bad the disruption is, or could be
- See if the event is bad enough to kick off a formal response
- Start taking action
- Plan what needs to be done
- Assess what needs to be done first
- Keep a good eye on what’s going on
- Use the solutions available
- Talk to the right people at the right times
Make sure each team is defined and capable of taking action, using written procedures.
8.4.3 Warning and communication
Create procedures for:
- How employees and other people with a relevant interest will talk to each other
- How to communicate with people outside your organization, including making use of any national or regional warning systems available
- How you will make sure communication is still possible even if your normal means is affected by the incident
- How you will deal with various authorities such as the emergency services
- How to talk to the media
- Recording who did what and when
You may also need to talk to people who have not yet been affected, and deal with more than one organization that is involved in helping. Make sure you test these procedures.
8.4.4 Business continuity plans
Write procedures that say how activities will be recovered within the time specified. They should be written to help teams do what they need to do.
These plans should include:
- What to do to:
  - Keep the important things going or get them started again when they need to be
  - Keep an eye on the impact and what’s being done about it
- When to activate the plans
- How to keep products and services being delivered to an agreed level
- What to do at first, so that people stay safe, things don’t get worse and the environment is not affected
Each plan shall define:
- What it is for and what it covers
- Who will do what
- What to do
- When it is to be activated and how
- How the plan relates to others, both internal and external
- What resources are needed
- How to communicate
- How to stop recovery activities if they are no longer needed
Make sure the plans are available where and when they might be needed.
8.4.5 Recovery
There should be procedures covering how to return to normal working after a plan has been put into action.
8.5 Exercise programme
You need to exercise and test procedures to make sure they work. The tests should:
- Relate to the objectives set
- Be based on realistic situations and be clear about how to tell if they were successful
- Help people learn and get better at what they need to do
- Cover all areas over time
- Result in a written report that states what happened and what improvements can be made
- Be reviewed for improvement ideas
- Happen according to a defined schedule and when something major changes
Make sure you use the results of testing to improve the BCMS and the plans.
8.6 Evaluation of business continuity documentation and capabilities
You must:
- Check that all of your plans, procedures, strategies and solutions, and the business impact analyses and risk assessments they are based on, are correct and work well
- Use a number of different ways to validate your business continuity
- Check the business continuity capabilities of your partners and suppliers
- Every now and then check that you’re still legal, using best practice and doing what you said you would in your policy
- Update your documentation as soon as you can
Plan these reviews regularly and when something big changes.