
Business Continuity Planning

www.blueoceanacademy.com
What is business continuity?

Business continuity planning means implementing procedures so your organization can continue to operate as close to normal as possible during and after a disaster. These disasters could range from floods or fires to cyber-attacks and network errors.

The purpose of a business continuity plan is to document procedures for responding to incidents. This includes how you’ll manage and contain incidents, and continue operations while services are disrupted. For instance, if a cyber-attack disrupts your network and forces operations offline, you must consider how you’ll continue providing your services.

Business continuity planning

Business continuity planning involves conducting a complete analysis of your organization and all procedures, with clear guidelines on what to do during an incident. It also means implementing preventative measures to avoid incidents, including:

• Cloud backup – Back up your business-critical data to the cloud, so you can access important information and continue to operate during an outage.
• Business impact analysis – Determine the consequences of various disasters on your business’ ability to function. Consider who and what could be affected, and how drastic these effects are to your business.
• Business continuity plan development – Conduct a full assessment of your organization's procedures and develop a plan for how to respond to a disaster, including alternative arrangements to continue business operations.
• Business continuity plan implementation – Assess the effectiveness of your business continuity plan by running practice drills and incident response training in different scenarios.
• Business continuity staff training – Train your staff to understand the different threats to your organization, including how they should respond during an incident.

Business continuity management

You should consider a business continuity plan as a work in progress. Although it’s essential to have a set plan, you must regularly review, test, and update it.

Implementing a business continuity plan is as much about communicating responsibilities, running practice drills, and evaluating procedures, as it is about action plans in a crisis. As such, you should arrange for ongoing business continuity management, reviewing and updating policies following a real or practice incident, and when new threats emerge.

Understanding the Business Continuity Management Framework

In the ever-evolving landscape of modern business, organizations face many risks that can disrupt operations and threaten continuity. Enterprises must have a structured approach to mitigate and manage these risks.

One such approach is implementing a BCM framework. A well-structured BCM framework provides a systematic and strategic approach to ensuring business resilience and recovery during adverse events.

A Business Continuity Management Framework is a comprehensive structure that guides organizations in identifying potential threats, assessing their impact on critical business functions, and formulating strategies to minimize disruption and facilitate a swift recovery.

The framework incorporates interrelated processes, methodologies, and standards to enhance an organization's resilience and responsiveness to disruptions.

Steps for building a business continuity plan

Starting a business continuity plan can be daunting with so much to cover. So, we’ve put together a step-by-step guide to help you.

1. Determine objectives and goals
First, get clear on the aim of your business continuity plan. Consider what you want to achieve—for instance, protecting critical team functions core to business operations. That way, it’s easier to focus on what’s needed in your plan.

2. Identify responsibilities
Determine which stakeholders to involve, especially those responsible for writing the document, deciding upon incident responses, or running staff training. It’s a good idea to nominate a business continuity team.

3. Identify critical functions
Review your entire business workflow and determine which functions are critical. These are any functions that, if compromised, would severely impact business operations. As such, your business continuity plan should primarily focus on these areas.

4. Conduct business impact analysis
Assess the impact of disasters on your business to help you prepare for what could happen. Organize results by severity to help you prioritize plans for alternative procedures.

5. Create an operations plan
Outline your operations plan with clear responsibilities. This should include prevention strategies, incident responses, and recovery procedures.

6. Identify plan limits
Although your plan should include detailed incident response procedures, it’s not always possible to plan for everything. Be realistic about what you can and can’t plan for, leaving room for key personnel to make decisions as incidents occur.

7. Test the plan
Assess the effectiveness of your plan by running practice drills and ongoing staff training. Update procedures as necessary, being sure to communicate any changes.

Why is business continuity management critical?

Would you know what to do if a hacker accessed your network? What about if your business premises were set on fire? How would you respond? That’s why having a business continuity plan is essential. Should anything go wrong, you’ll already have an action plan for the ‘what if’ incidents, reducing unplanned downtime and subsequent financial and business risks.

Aside from mitigating disruptions, business continuity plans have many other benefits:

• Save money – With plans, less money is spent recovering assets and information. Plus, alternative working arrangements mean you can continue business operations during incidents and avoid further financial risks.
• Save time – Less time is needed to decide on the action to take during a disaster, since everything is pre-determined. In addition, you can immediately activate your business continuity plans, ensuring incidents are managed quickly and effectively.
• Identify vulnerabilities – Business continuity plans allow you to identify potential risks and vulnerabilities, so you can take action before incidents occur. For instance, organising cloud backup of data, rather than storing it in an unsecured location.
• Maintain reputation – Preparing your organisation’s continuity plans helps you maintain your reputation in the event of a disaster, ensuring you can continue to provide customers with the service they expect.
• Enhance security – Planning for disruptions also means preventing them by encouraging businesses to step up their security practices. For instance, using additional cybersecurity measures to prevent data leaks.

Definition of organizational resilience

Organizational resilience is an organization's ability to anticipate issues ahead of time and develop a plan for handling identified problems. The organizational resilience methodology can be summed up as the following:

• Foresight (anticipate problems)
• Insight (interpret the situation and respond accordingly)
• Oversight (assess the action that has been taken)
• Hindsight (learn from the experience)

Why is organizational resilience important?

If an organization can anticipate and plan for an adverse situation, the eventual outcome will likely be more favorable than if the organization was taken by surprise.

Business continuity planning (BCP) and disaster recovery planning (DRP) are both subcomponents of organizational resilience. Organizational resilience is like BCP in that they both seek to help an organization survive a harmful event. Organizational resilience and DRP differ in that the former enables organizations to cope with both sudden disasters and slow incremental changes that might adversely affect the business, while DRP focuses on issues primarily caused by immediate failures.

5 steps to build organizational resilience

• Make reliability a priority. One of the keys to building organizational resilience is to encourage employees to think about things that could potentially go wrong and to find ways to address these potential problems.
• Dig deeper. When adverse events occur, there is often a temptation to think that the simplest explanation is most likely to be the correct one. However, an adverse event in business likely stems from another event, which might have even been triggered by yet another event. Resilient organizations often find that by examining an adverse event in depth, they can identify otherwise hidden causes. This puts the organization in a better position to recognize such an event in its earliest stages in the future, giving the organization more time to respond and adapt.
• Decisions matter. Business leaders must understand that the decisions that they make in times of crisis can decisively determine the eventual outcome. As such, it is far better for those in charge to be able to follow a well-thought-out plan that already exists as a part of an organizational resilience framework than to make hasty guesses.
• Work to solve problems. In any business, things can go wrong. Resilient organizations accept the idea that not every problem is preventable. However, with enough preplanning, it is possible to reduce the impact of most adverse events.
• Trust experts. In most large organizations, there is a major disconnect between the business leaders and frontline workers. If an organization is to become resilient, its leaders must emphasize collaboration and trust employees who have expertise in an area that is relevant to the crisis.

UAE NCEMA 7000:2015

1. Overview of UAE NCEMA 7000:2015:

1. UAE NCEMA 7000:2015, issued by the National Emergency Crisis and Disaster Management Authority (NCEMA), is the national standard for Business Continuity Management (BCM) in the United Arab Emirates (UAE).
2. It provides guidelines and requirements for organizations to develop, implement, and maintain effective BCM programs.
3. Compliance with UAE NCEMA 7000:2015 demonstrates an organization's commitment to resilience and preparedness, helping to protect against financial losses, maintain stakeholder confidence, and comply with regulatory requirements.

UAE NCEMA 7000:2015

Key Requirements of UAE NCEMA 7000:2015:

Key requirements of UAE NCEMA 7000:2015 include risk assessment, business impact analysis (BIA), business continuity planning (BCP), testing and exercising, maintenance and review, integration with organizational processes, and compliance and certification. These requirements form the foundation of a comprehensive BCM program that enables organizations to identify risks, assess impacts, develop response strategies, and maintain operational continuity during disruptions.

Business Impact Analysis (BIA):
BIA is a critical component of BCM that assesses the potential impact of disruptions on the organization's critical functions, resources, and dependencies. It identifies the time-sensitive processes, resources, and dependencies that are essential for maintaining operational continuity. BIA helps organizations prioritize their response efforts, allocate resources effectively, and develop targeted recovery strategies.

Business Continuity Planning:
Business Continuity Planning (BCP) involves developing comprehensive plans and procedures to ensure the organization can continue operating during and after disruptions. BCP includes recovery strategies, action plans, communication protocols, and resource allocation strategies. Effective BCPs enable organizations to minimize downtime, maintain service levels, and protect critical functions and assets.

Testing and Exercising:
Testing and exercising BCPs is essential to ensure they are effective and actionable. Different types of testing/exercising methods include tabletop exercises, functional exercises, and full-scale simulations. Testing and exercising help identify gaps and weaknesses in BCPs, validate response strategies, and build confidence in the organization's ability to respond to disruptions.

Maintenance and Review:
Regular maintenance and review of BCM plans and procedures are essential to ensure they remain current and effective. This includes updating risk assessments, BIA findings, and response strategies based on changing threats and organizational priorities. Continuous improvement is key to enhancing organizational resilience and preparedness.

Integration with Organizational Processes:
Integrating BCM with other organizational processes, such as risk management, IT security, and emergency response, enhances overall resilience and preparedness. This ensures alignment with organizational objectives and priorities and facilitates coordination and communication during disruptions.

Compliance and Certification:
Compliance with UAE NCEMA 7000:2015 demonstrates an organization's commitment to BCM best practices and regulatory requirements. Achieving certification or compliance with the standard can enhance organizational credibility, improve stakeholder confidence, and provide a competitive advantage in the marketplace.

Case Studies and Examples:
Real-world examples and case studies illustrate how organizations have successfully implemented BCM programs based on UAE NCEMA 7000:2015. These examples highlight the benefits of BCM, challenges faced, lessons learned, and best practices for implementation. Case studies provide valuable insights and practical guidance for organizations seeking to enhance their resilience and preparedness.

Business Continuity Institute (BCI) Good Practice Guidelines (GPG) 2018

The Business Continuity Institute (BCI) is a global organization that helps companies plan for emergencies. They make sure that businesses have the right plans in place to keep running smoothly during tough times, like natural disasters or computer problems.

The BCI created the Good Practice Guidelines (GPG) in 2018. These guidelines are a set of rules that tell businesses how to make their emergency plans better. They show companies what they should do to make sure they can keep going even when things get rough.

The BCI's goal is to make sure that businesses are prepared for any problem that might come up. They help companies learn how to make strong plans, train their employees, and stay safe during emergencies.

Key Principles

The key principles outlined in the Business Continuity Institute (BCI) Good Practice Guidelines (GPG) 2018 provide a comprehensive framework for effective business continuity management (BCM). Here are the key principles:

1. Risk Assessment and Management:
Identify and assess potential threats and vulnerabilities to the organization's operations, assets, and stakeholders. Evaluate the likelihood and impact of risks to prioritize them for mitigation and response planning.

2. Business Impact Analysis (BIA):
Conduct a thorough analysis of the organization's critical functions, resources, and dependencies. Determine the potential consequences of disruptions on these critical elements and prioritize recovery objectives accordingly.

3. Business Continuity Planning (BCP):
Develop comprehensive business continuity plans (BCPs) to ensure continuity of critical functions during disruptions. Define recovery strategies, action plans, and communication protocols to guide response efforts and minimize downtime.

4. Testing and Exercising:
Regularly test and exercise BCPs to evaluate their effectiveness and identify areas for improvement. Conduct different types of exercises, such as tabletop exercises or full-scale simulations, to simulate emergency scenarios and assess response capabilities.

5. Program Management and Governance:
Establish effective program management and governance structures to oversee BCM initiatives and ensure alignment with organizational objectives. Define roles, responsibilities, and accountability measures to facilitate coordination and communication among stakeholders.

6. Integration with Organizational Processes:
Integrate BCM with other organizational processes, such as risk management, IT security, and emergency response, to enhance overall resilience. Ensure that BCM activities are aligned with business objectives and integrated into day-to-day operations.

7. Continuous Improvement:
Foster a culture of continuous improvement to enhance organizational resilience and adaptability. Regularly review and update BCM plans and procedures based on lessons learned from exercises, incidents, and changes in the business environment.

These key principles serve as a foundation for effective BCM and provide organizations with guidance on how to plan, prepare, and respond to disruptions in a systematic and proactive manner. By adhering to these principles, organizations can enhance their resilience, minimize the impact of disruptions, and maintain continuity of critical functions.

Framework for BCM Best Practices

The framework for Business Continuity Management (BCM) best practices provides a structured approach for organizations to develop, implement, and maintain effective BCM programs. Here are the key components of the framework:

1. Risk Assessment and Management:
Identify and assess potential threats, hazards, and vulnerabilities that could impact the organization's operations. Analyze the likelihood and potential impact of these risks to prioritize them for mitigation and response planning. Develop risk management strategies to reduce exposure and build resilience against identified threats.

2. Business Impact Analysis (BIA):
Conduct a thorough analysis of the organization's critical functions, processes, resources, and dependencies. Determine the potential consequences of disruptions on these critical elements, including financial, operational, and reputational impacts. Prioritize recovery objectives based on the findings of the BIA to ensure continuity of essential services and minimize downtime.

3. Business Continuity Planning (BCP):
Develop comprehensive business continuity plans (BCPs) to ensure continuity of critical functions and operations during disruptions. Define recovery strategies, action plans, and response procedures to guide the organization's response efforts. Establish communication protocols, escalation procedures, and coordination mechanisms to facilitate effective crisis management and decision-making.

4. Testing and Exercising:
Regularly test and exercise BCPs to evaluate their effectiveness and identify areas for improvement. Conduct different types of exercises, such as tabletop exercises, functional exercises, and full-scale simulations, to simulate emergency scenarios and assess response capabilities. Capture lessons learned from exercises and incidents to enhance the organization's preparedness and response capabilities.

5. Program Management and Governance:
Establish program management and governance structures to oversee BCM initiatives and ensure alignment with organizational objectives. Define roles, responsibilities, and accountability measures to facilitate coordination and communication among stakeholders. Implement performance metrics, reporting mechanisms, and audit procedures to monitor and evaluate the effectiveness of BCM programs.

6. Integration with Organizational Processes:
Integrate BCM with other organizational processes, such as risk management, IT security, and emergency response, to enhance overall resilience. Ensure that BCM activities are aligned with business objectives and integrated into day-to-day operations. Foster collaboration and communication across departments and functional areas to promote a culture of preparedness and resilience.

7. Continuous Improvement:
Foster a culture of continuous improvement to enhance organizational resilience and adaptability. Regularly review and update BCM plans and procedures based on lessons learned from exercises, incidents, and changes in the business environment. Encourage feedback from stakeholders and incorporate best practices and emerging trends into BCM programs to stay ahead of evolving threats and risks.

By incorporating these components into their BCM programs, organizations can enhance their resilience, minimize the impact of disruptions, and ensure continuity of critical functions and operations.

ISO 22301:2019 Societal Security; Business Continuity Management

What is ISO 22301?
ISO 22301 is the international standard for Business Continuity Management Systems (BCMS). It provides a framework for organizations to plan, establish, implement, operate, monitor, review, maintain, and continually improve a documented management system to protect against, reduce the likelihood of, and ensure recovery from disruptive incidents.

Why is ISO 22301 important?
This standard is crucial for organizations to enhance their resilience against various unforeseen disruptions, ensuring continuity of operations and services. It helps in identifying risks, preparing for emergencies, and improving recovery time.

Why do companies need ISO 22301?

In a world where cyberattacks, data breaches and natural disasters can interrupt business continuity and quickly damage reputation, organizations and businesses need to implement, maintain and keep refining their business continuity management system (BCMS). ISO 22301 certification of their continuity management ensures they are doing so.

ISO 22301 helps organizations identify and prioritize threats. It allows them to implement their business continuity management system effectively, so they are ready to respond to and recover from incidents with the least disruption to business.

Studies have shown that almost 1 in 5 organizations experience significant business disruptions every year. Therefore, a robust and resilient organization is one that can change with the times, understands where its vulnerabilities are, and has plans in place to mitigate risk as well as respond if it needs to do so. Compliance or certification to ISO 22301 business continuity management allows your organization to achieve all of the above in a straightforward and structured manner.

The latest version of the standard

On October 31, 2019, the latest version of the ISO 22301 standard was published – ISO 22301:2019. This is a revised version of ISO 22301:2012. It aims to make the standard “more streamlined and practical”, according to the ISO. According to the United Kingdom Accreditation Service (UKAS), companies will be able to transition from ISO 22301:2012 to ISO 22301:2019 up until 30 April 2023. The deadline was, as an exception, extended due to the Covid-19 situation. The 2019 version has been generally well received, and transitions from the old to the new version of the standard are seen as a value-adding exercise that is not overly onerous.

The benefits of ISO 22301

There are many advantages of ISO 22301, including returning the organization to ‘business as usual’ with minimal disruption from any crisis.

Operational resilience
Having the ability to continue business operations regardless of any minor or major incident taking place is becoming increasingly important to businesses in all sectors. A Business Continuity Management System (BCMS) allows a company to plan for these incidents. This leads to greater competitiveness and decreases the amount of operational downtime a business will have, should the unexpected occur.

Emergency preparedness
ISO 22301 gives businesses and organizations the ability to respond appropriately in the event of disruptive incidents and avoid waste or unnecessary loss. Through proactively assessing the effect of the disruption, business continuity management recognizes the products and services that are essential to the organization's survival. It seeks to determine what solutions and contingency planning will be required if an incident were to occur.

Corporate governance
Compliance with ISO 22301 helps with meeting the requirements of corporate governance. Essentially, the standard can provide evidence that the organization has taken the necessary steps to comply with regulatory requirements that call for an effective business continuity management program.

Crisis management
Crisis Management (CM) refers to the overall coordination of an organization's response to a crisis, in an effective, timely manner. For those responsible for handling crisis management, the goal is to avoid or at least minimize damage to the organization's profitability, reputation, or ability to operate. Meeting the ISO 22301 standard confirms the appropriate measures are in place for this to happen.

Disaster recovery
Disaster recovery activities concentrate on returning the organization to “business as usual” after a traumatic event and putting it on track towards complete recovery. It’s important to recognise that this is different from business continuity management, which focuses on reducing the likelihood of disruptive incidents and ensuring that the enterprise can continue to function during a crisis.

Protection of reputation in a crisis
ISO 22301 certification shows stakeholders that your business continuity capability is appropriate for the scale and scope of your organization. Like ISO 27001, it engenders more trust, especially when certified by an independent certification body. It aids your understanding of business needs by identifying potential failures and risks. Businesses can then demonstrate to stakeholders, consumers, vendors and regulators that they have a robust business continuity management system and processes in place. ISO 22301 will also increase stakeholder trust in the organization's ability to respond to disruptive incidents and events, and to sustain critical business processes should a catastrophe occur.

Preparation for technology failures
From telecommunications breakdown to loss of access to stored data, technology failures can be hugely damaging to an organization's profitability and reputation. ISO 22301 ensures all measures are in place to mitigate such disruption and ensure all departments are prepared for the worst-case scenario.

Reduce business interruption insurance costs
With a BCMS in place that conforms with ISO 22301, an organization has more meaningful insights into the impacts of a potential disaster. This enables the business to better evaluate the type and value of insurance cover it requires, potentially reducing costs in the long term.

How does ISO 22301 work?

ISO 22301 works by setting out how to build a management system that helps an organization to plan for any type of incident that might affect its ability to operate effectively.

This standard provides a framework for an organization to define responsibilities and makes it possible to assess and review business continuity performance over time. With ISO 22301 you can create the documents necessary to provide auditable evidence of contingency capabilities, as part of ongoing compliance requirements.

Performance assessment, audits and continual improvement are central to the management system standard set out by ISO 22301:2012 and ISO 22301:2019.

How to Implement ISO 22301?

When you implement ISO 22301 business continuity management, the first simple step is to think about addressing the primary requirements of the standard. This starting point will encourage you to take a strategic approach (hence the importance of leadership), set the context and the scope, and develop a stated business continuity policy and objectives for the business continuity management system.

Developing a business continuity policy will help identify your areas of risk and opportunity. From here, you can consider the impacts of those risks and what they might mean for consequences, time to failure, recovery, etc. Doing so will help you discover any holes or shortcomings in your current ISO management system against the standard’s requirements. You will also identify and provide practical suggestions for improving them. ISO describes this as business continuity strategies and solutions.

The BC Policy requirements

 The business continuity policy is a crucial document that


provides guidance and direction for the organization's
business continuity management (BCM) activities. While
specific requirements may vary based on organizational
needs and industry standards, here are some common
elements typically included in business continuity policy
requirements:
 Policy Statement:
 A clear and concise statement outlining the
organization's commitment to ensuring the continuity of
critical functions and operations during disruptions.

www.blueoceanacademy.com 48
The BC Policy requirements
 Scope and Applicability:
 Definition of the scope of the policy, including the functions,
processes, and activities covered by the BCM program.
 Identification of the stakeholders and entities to which the policy
applies, such as employees, suppliers, customers, and partners.
 Roles and Responsibilities:
 Assignment of roles and responsibilities for BCM activities, including
the designation of individuals or teams responsible for developing,
implementing, and maintaining the BCM program.
 Clarification of the roles of senior management, BCM coordinators,
department heads, and other stakeholders in supporting and
implementing the policy.

www.blueoceanacademy.com 49
The BC Policy requirements
 Policy Objectives:
 Statement of the objectives and goals of the BCM program, such as
ensuring the continuity of critical functions, minimizing disruptions,
and protecting the organization's reputation and assets.
 Compliance and Standards:
 Reference to relevant regulatory requirements, industry standards,
and best practices that the organization must adhere to in
developing and implementing its BCM program.
 Commitment to compliance with applicable laws, regulations, and
contractual obligations related to business continuity.

 Risk Management Approach:
 Description of the organization's approach to risk management,
including the identification, assessment, and mitigation of risks that
could impact business operations.
 Requirement for regular risk assessments and reviews to identify
emerging threats and vulnerabilities.
 Business Impact Analysis (BIA):
 Requirement for conducting business impact analysis (BIA) to
identify critical functions, processes, resources, and dependencies.
 Commitment to using BIA findings to prioritize recovery efforts and
allocate resources effectively.

 Business Continuity Planning (BCP):
 Requirement for developing and maintaining comprehensive
business continuity plans (BCPs) to ensure continuity of critical
functions and operations during disruptions.
 Specification of the components of BCPs, including recovery
strategies, action plans, communication protocols, and resource
requirements.
 Testing and Exercising:
 Requirement for regularly testing and exercising BCPs to evaluate
their effectiveness and identify areas for improvement.
 Commitment to conducting different types of exercises, such as
tabletop exercises, functional exercises, and full-scale simulations.

 Documentation and Review:
 Requirement for documenting all BCM activities,
including risk assessments, BIA findings, BCPs, test
results, and incident reports.
 Commitment to conducting regular reviews and updates
of the BCM program to ensure its relevance and
effectiveness.
 By including these requirements in the business
continuity policy, organizations can establish a clear
framework for BCM activities and demonstrate their
commitment to ensuring operational resilience and
continuity in the face of disruptions.
Why do we need a Competency Framework?
 The Business Continuity Institute (BCI) has introduced
the BCI Competency Framework, which serves as a
valuable tool for several purposes:

 Professional Standards: The framework defines the
professional standards required to be an effective
business continuity practitioner at every career stage. It
outlines the essential competencies needed for success
in this field.

 Individual Advancement: For individuals, the
Competency Framework helps advance their
professional development. By identifying the necessary
technical, management, and leadership proficiencies, it
guides practitioners toward a progressive career in
business continuity and resilience.
 Workforce Planning and Development: Employers can
use the framework to develop resilience capability within
their organizations. It assists in workforce planning and
ensures that employees possess the relevant skills and
knowledge to handle business continuity challenges.

 Confidence in the Profession: The Competency
Framework instills confidence in the resilience
profession. By adhering to these standards, practitioners
demonstrate their expertise and commitment to their
roles.

Analysis: Business Impact Analysis (BIA)
 A business impact analysis helps you predict the consequences of
disruptions to business processes, so you have the data you need
to proactively create recovery strategies. For example, a
manufacturing company could create a BIA to measure how losing
a key supplier would affect company operations and revenue.
 Simply put, a BIA identifies the operational and financial impacts of
disruptions—like what would happen if your servers crashed, or a
global pandemic changed the market landscape. The data you
collect during a business impact analysis helps you understand and
prepare for these potential obstacles, so you can act quickly and
face challenges head-on when they arise. For example, you could
use the insights from your BIA to create a business continuity plan,
which outlines how your team will respond to unexpected business
changes.

Example business disruptions
• Data security breaches or cyberattacks
• Scheduling delays
• Natural disasters
• Power outages or utility outages
• Equipment malfunctions
• Loss of key employees
• Loss of key suppliers

Example business impacts
• Lost sales or revenue due to production downtime
• Delayed sales or revenue (like payment delays)
• Unforeseen expenses (like overtime pay or outsourcing
costs)
• Regulatory fines or contractual penalties
• Delayed business plans due to business disruptions
• Lost customers

Business impact analysis vs. risk assessment
 A risk assessment analyzes potential threats and the
likelihood of them happening. A business impact analysis
measures the severity of the consequences if a disruption
does occur, whatever its cause: how quickly losing each
business function hurts operations and finances, and how
long that loss can be tolerated. The two complement each
other: the risk assessment tells you which disruptions are
most likely and worth preventing, while the BIA tells you
which functions matter most and how fast they must be
recovered. A BIA is therefore conducted alongside the risk
assessment, not as a substitute for it.

Business impact analysis vs. project risk
management
 Project risk management is the process of identifying, analyzing,
and responding to potential project risks. In this case, a risk is
anything that could cause project failure by delaying the project
timeline, overloading your project budget, or reducing performance.

 While project risk management is focused on predicting and
responding to roadblocks within a specific project, a business
impact analysis is broader in scope. A BIA doesn’t focus on a single
project but rather on overarching business functions and processes.
For example, you would use project risk management for a cross-
functional initiative to redesign your company app, but create a BIA
to investigate how disruptions to your staffing may impact
production for your company app.

Why is a business impact analysis important?
 Disruptions happen, and it’s important to be prepared so you can
get back on track and minimize profit loss. A business impact
analysis helps you gather the data you need to plan for and handle
roadblocks when they inevitably occur.

 In particular, the BIA process helps you:

 Identify essential business activities and resources. A BIA helps you
understand which processes are necessary to deliver your most
important products and services—so you know which activities must
be performed, regardless of the circumstances.

 Analyze the financial impacts of business disruptions. When you
understand how potential roadblocks could impact company
finances, you can proactively strategize and allocate funds to tackle
unexpected disruptions when they occur. With a BIA, you can
understand resource requirements, justify budget requests, and
pitch your business continuity plan (BCP) to leadership.
 Collect the data you need to create a business continuity plan. A
business continuity plan lays out strategies to prevent and respond
to business disruptions. But in order to plan your response, you first
need to understand how those disruptions will impact your
business.
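Worked example of the analysis described above, added here and not part of the deck: the impact of an outage is accumulated hour by hour for a few constructed business functions, the hour at which it exceeds the business's tolerance gives the maximum tolerable period of disruption (MTPD, the ISO 22301 term; the deck does not define it), an RTO is derived from that with a safety margin, and the tightest RTO is propagated to shared resources such as a database that several functions depend on. Every function name, loss figure, penalty, tolerance and dependency below is constructed for illustration.

```python
"""Worked business impact analysis (BIA): impact of an outage over time, the hour
at which it becomes intolerable (MTPD), the recovery time objective (RTO) derived
from it, and RTO propagation to shared resources via dependencies.

Added example, not part of the original deck. All business functions, loss
figures, penalties, tolerances and dependencies are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class BusinessFunction:
    name: str
    loss_per_hour: float          # direct financial loss for every hour the function is down
    tolerance: float              # largest cumulative impact the business is willing to absorb
    penalty_after_hours: Optional[int] = None   # outage length that triggers a one-off penalty
    penalty_amount: float = 0.0   # the contractual or regulatory penalty once triggered
    depends_on: list = field(default_factory=list)  # shared resources this function needs


def impact_at(fn: BusinessFunction, hours: int) -> float:
    """Cumulative impact of an outage lasting `hours`: running loss plus any penalty."""
    impact = fn.loss_per_hour * hours
    if fn.penalty_after_hours is not None and hours >= fn.penalty_after_hours:
        impact += fn.penalty_amount
    return impact


def mtpd(fn: BusinessFunction, horizon_hours: int = 24 * 14) -> Optional[int]:
    """First hour at which cumulative impact exceeds the tolerance, or None if the
    function can be down for the whole horizon without breaching it."""
    for h in range(1, horizon_hours + 1):
        if impact_at(fn, h) > fn.tolerance:
            return h
    return None


def derive_rtos(functions, safety_factor: float = 0.75):
    """RTO per function = MTPD * safety_factor, so recovery completes with margin before
    the impact becomes intolerable. A shared resource inherits the tightest RTO of any
    function that depends on it; the IT disaster recovery plan must meet that figure,
    not the RTO of whichever function nominally owns the resource."""
    rtos = {}
    for fn in functions:
        m = mtpd(fn)
        rtos[fn.name] = None if m is None else m * safety_factor
    resource_rtos = {}
    for fn in functions:
        if rtos[fn.name] is None:
            continue
        for res in fn.depends_on:
            if res not in resource_rtos or rtos[fn.name] < resource_rtos[res]:
                resource_rtos[res] = rtos[fn.name]
    return rtos, resource_rtos


def prioritise(functions):
    """Recovery order: shortest MTPD first (functions with no MTPD within the horizon
    last), ties broken by the larger impact after one day."""
    def key(fn):
        m = mtpd(fn)
        return (m is None, m if m is not None else 0, -impact_at(fn, 24))
    return sorted(functions, key=key)


# Constructed sample BIA data (not from the deck).
ORDER_PROCESSING = BusinessFunction("order_processing", loss_per_hour=5_000, tolerance=100_000,
                                    penalty_after_hours=24, penalty_amount=50_000,
                                    depends_on=["erp_db", "payment_gateway"])
PAYROLL = BusinessFunction("payroll", loss_per_hour=200, tolerance=30_000,
                           penalty_after_hours=72, penalty_amount=40_000,   # missed pay run
                           depends_on=["erp_db", "hr_system"])
MARKETING_SITE = BusinessFunction("marketing_site", loss_per_hour=300, tolerance=20_000,
                                  depends_on=["web_cdn"])
FUNCTIONS = [ORDER_PROCESSING, PAYROLL, MARKETING_SITE]

if __name__ == "__main__":
    function_rtos, resource_rtos = derive_rtos(FUNCTIONS)
    for fn in prioritise(FUNCTIONS):
        print(f"{fn.name:17} MTPD={mtpd(fn)}h  RTO={function_rtos[fn.name]}h")
    for res, rto in sorted(resource_rtos.items()):
        print(f"  resource {res:16} must recover within {rto}h")
```

The point the numbers make: payroll loses little per hour, so a naive per-hour ranking would put it last, yet the shared `erp_db` still has to be back within order processing's 15.75h, and the marketing site's slow bleed crosses its tolerance before payroll's penalty lands. The dependency step is what turns function-level findings into a recovery target the IT disaster recovery manager can actually plan against.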

Roles and responsibilities of BC Champions and
Team Leaders
 The formation of a business continuity team is a strategic step that
can significantly enhance the effectiveness of an organization's
business continuity plan. The BC team plays a pivotal role in
ensuring swift and efficient responses to crises, managing
emergencies, and developing business continuity strategies.
 It's best to gain a comprehensive understanding of the various
activities involved in business continuity management, along with
the key roles essential for handling these challenging tasks.
 As these roles and responsibilities are assigned with careful
consideration, organizations can significantly improve their
readiness and capability to succeed in achieving their objectives in
the event of unforeseen disruptions.
 Direct Roles Within a Business Continuity Team
 The direct roles are primarily focused on the planning,
implementation, testing, and management of business continuity
and crisis response. They are actively involved in the core activities
of business continuity management.
 Business Continuity Manager/Operational Resilience Manager: This
role involves overseeing the development and implementation of
business continuity plans. A business continuity manager ensures
operational resilience by preparing for, responding to, and
recovering from disruptions. They focus on minimizing impact on
operations, customer service, and reputation.

 Business Impact Analysis (BIA) Coordinator: This role involves
coordinating the business impact analysis process within an
organization. The BIA Coordinator identifies critical business
functions, assesses the potential impact of disruptions, and helps in
determining the necessary steps to maintain business continuity
and minimize risks.
 Business Continuity Strategy Development Specialist: A specialist in
this area focuses on developing strategies to ensure business
continuity. They analyze risks and potential impacts, design
comprehensive continuity plans, and work on integrating these
strategies into the organization's overall operational framework.

 Business Continuity Consultant: A consultant works with
organizations to develop and refine their business continuity
strategies. They offer expert advice, assess risks, and provide
solutions to ensure the organization is prepared for unexpected
disruptions.
 Business Continuity Specialist: Specialists are responsible for
specific tasks within the business continuity framework. They may
focus on analyzing risks, implementing continuity plans, training
staff, or maintaining and updating plans as business needs and
environments change.
 Business Continuity Test Manager: This role focuses on testing and
validating business continuity plans. The test manager organizes
simulations and drills to ensure plans are effective and staff are
prepared. They also analyze test results to identify areas for
improvement.
 Business Continuity Officer: BC officers typically have a hands-on role in
implementing and maintaining business continuity plans. They work closely
with different departments to ensure continuity strategies are integrated into
daily operations and that staff are aware of and trained in these procedures.
 Crisis and Incident Manager: This role involves managing the organization's
response to crises and incidents. They coordinate efforts to address and
mitigate the impact of unexpected events, ensuring a swift and effective
response to minimize disruptions to business operations.
 Crisis Response Support Worker: Support workers assist in the
implementation of crisis response plans. They provide logistical and
administrative support, ensure resources are available and deployed
effectively, and assist in communication efforts during a crisis.

 Crisis Intervention Specialist: Specialists in crisis intervention
provide immediate support and strategic guidance during crises.
They are skilled in de-escalating situations, providing counselling,
and implementing strategies to navigate through critical incidents
effectively.
 Crisis Recovery Worker: Focused on post-crisis recovery, these
workers assist in restoring normal operations and services following
a crisis. They work on rehabilitation efforts and support the
transition back to regular business activities.
 IT Disaster Recovery Manager: This role is crucial in ensuring that
IT systems can be quickly restored after a disruption. They develop,
maintain, and oversee disaster recovery plans for IT infrastructure,
ensuring minimal downtime and data loss in the event of a disaster.
 IT Recovery Technician: Technicians are hands-on
professionals who implement disaster recovery plans for
IT systems. They perform tasks like data restoration,
system repairs, and other technical activities necessary
to recover IT operations after a disruption.
 Backup and Recovery Engineer: Engineers in this role
design and maintain systems for data backup and
recovery. They ensure that data is securely backed up,
easily retrievable, and protected against loss due to
system failures or other disasters.
Supporting Roles to a Business Continuity Team
 The supporting roles, while not directly involved in the creation or
execution of business continuity plans, provide essential support
and resources that enable the business continuity team to function
effectively. They ensure that the business continuity plans are
comprehensive, compliant, and well-integrated into the broader
organizational framework.
 Risk Management Analyst: This role involves identifying, analyzing,
and managing risks that could impact the organization. The Risk
Management Analyst evaluates potential threats, suggests
mitigation strategies, and works to minimize the likelihood and
impact of adverse events on the organization's operations.

 Supply Chain Officer/Coordinator: This role is crucial in managing
and ensuring the resilience of the supply chain during disruptions.
They identify potential supply chain risks, develop contingency
plans, and coordinate with suppliers to ensure the continuity of
goods and services essential for the organization's operations. Their
work supports the broader objectives of the business continuity
team by maintaining the flow of resources and materials, which is
essential for operational sustainability during crises.
 Human Resources: In the context of BC, HR plays a critical role in
ensuring staff are prepared for and can respond to disruptions. They
are involved in training employees on business continuity plans,
managing communication during a crisis, and supporting staff
welfare during and after incidents.
Best Practices For Building A Business
Continuity Team
 Prioritise leadership: Select a senior leader to spearhead the business
continuity efforts. This individual should possess the necessary expertise,
experience, and authority for critical decision-making during crises.

 Embrace cross-functional teams: Construct teams that bring together
diverse skill sets and perspectives. This approach breaks down silos and
ensures a more comprehensive handling of business continuity challenges.

 Define roles clearly: Assign specific tasks and responsibilities to each team
member, avoiding role overlap and covering all aspects of the business
continuity plan.

 Implement succession planning: Equip all team members with the
training needed to fill different roles if necessary. This ensures
continuity in operations, even if key personnel are unavailable
during a crisis.

 Establish communication protocols: Set up clear communication
channels for efficient coordination and incident reporting during
disruptions.

 Maintain comprehensive documentation: Keep detailed records of
roles, responsibilities, and procedures, and ensure they are
accessible to key personnel for quick reference and guidance.

The purpose of exercising and testing
 One of the main differences between information security and
business continuity is that small information security incidents do
happen, and when they do, they offer an excellent opportunity to
learn where the controls were lacking and how to react better the
next time. Luckily, genuinely disruptive incidents are rare, but this
also means there is usually no real-world experience from which to
improve the business continuity plans.

 What does this mean? This means your business continuity plans
are wrong – no matter how well you try to write them, it is simply
impossible to foresee everything up front. This is why a way around
had to be found, and this is where exercising and testing fills this
gap: the primary reason is to simulate a (more or less) realistic
situation in order to find what doesn’t work in your business
continuity. In other words, when you lack real incidents, you create
simulated ones to be able to improve your plans.
Ways of performing exercising and testing
 If you thought that your testing must include the unannounced
shutdown of power, you were wrong – this is only one of the
methods available, and certainly not the first one to be performed.

 Essentially, these are the methods that can be used for exercising
and testing (starting from simpler to more complex):

 Orientation seminar – basically, this is more of a training where the
details of the plans are explained to all participants; conducted with
all necessary employees, suppliers, and the moderator.


 Desk check – checking the plans by means of auditing, validation, and
verification techniques; conducted with plan author and moderator.
 Plan walkthrough – checking the plans by means of team interaction;
conducted with the main plan participants and the moderator, whose
interaction is tested in a joint meeting.
 Functional testing – testing all interrelated plans for selected activities
(including supplier procedures) with real resources in a controlled
(announced) exercise; all necessary employees, suppliers, the moderator
and observers take part.
 Full testing – all activities are relocated from the original site to the
alternative site (announced or unannounced); all necessary employees,
suppliers, the moderator, observers, and auditors take part.

BCM Steering Committees and Terms of
Reference (ToR’s)
 BCM Steering Committees and their Terms of Reference
(ToR) play a crucial role in overseeing and guiding
business continuity management (BCM) activities within
an organization. Here's an overview of BCM Steering
Committees and their typical Terms of Reference:

BCM Steering Committee
Purpose:
 The BCM Steering Committee serves as the governing body
responsible for providing oversight, strategic direction, and
leadership for the organization's BCM program.
Composition:
 The committee typically comprises senior executives, department
heads, and key stakeholders representing various functional areas
within the organization.
 Members may include the Chief Executive Officer (CEO), Chief
Operating Officer (COO), Chief Risk Officer (CRO), Chief
Information Officer (CIO), and other senior leaders.

 Roles and Responsibilities:
 Provide strategic direction and leadership for the organization's BCM
program, ensuring alignment with business objectives and priorities.
 Review and approve the BCM policy, framework, strategies, and initiatives
to ensure they meet regulatory requirements and industry standards.
 Oversee the development, implementation, and maintenance of BCM plans,
procedures, and capabilities to ensure organizational resilience.
 Monitor and evaluate the effectiveness of the BCM program through regular
performance reviews, audits, and reporting mechanisms.
 Escalate significant BCM issues, challenges, and risks to senior
management and the board of directors for appropriate action.
 Champion BCM awareness, training, and communication initiatives to
promote a culture of preparedness and resilience across the organization.

Terms of Reference (ToR) for BCM Steering
Committee:
 Objective:
 Define the purpose and objectives of the BCM Steering Committee,
including its role in providing oversight and strategic direction for the
organization's BCM program.
 Composition:
 Specify the composition of the committee, including the names and
titles of members, their roles and responsibilities, and the frequency
of meetings.
 Authority and Decision-Making:
 Clarify the authority and decision-making powers of the BCM
Steering Committee, including its ability to approve policies,
strategies, and budget allocations related to BCM.
 Meetings and Reporting:
 Outline the frequency and format of committee meetings, including the
agenda, meeting minutes, and reporting requirements.
 Define the process for escalating significant BCM issues, challenges, and
risks to senior management and the board of directors.
 Roles and Responsibilities:
 Detail the roles and responsibilities of committee members, including their
accountability for overseeing specific aspects of the BCM program and
reporting on progress and outcomes.
 Review and Evaluation:
 Establish procedures for conducting regular reviews and evaluations of the
BCM program's effectiveness, including performance metrics, audits, and
compliance assessments.
 Communication and Engagement:
 Define communication channels and engagement strategies for
promoting BCM awareness, training, and collaboration across the
organization.
 Amendments and Updates:
 Specify the process for amending and updating the Terms of
Reference as needed to reflect changes in organizational priorities,
regulatory requirements, or industry standards.
 By establishing clear Terms of Reference for the BCM Steering
Committee, organizations can ensure effective governance,
oversight, and leadership for their BCM programs, ultimately
enhancing their resilience and preparedness in the face of
disruptions.
How to Audit your BC plan
 Auditing a Business Continuity Plan (BCP) is critical to ensure the
plan is effective and aligns with the organization’s objectives.
 Review the BCP Documentation: Start by examining the current
BCP documents. Ensure they are comprehensive and include all
critical components, such as risk assessments, business impact
analyses, recovery strategies, and communication plans. Assess
whether the plan addresses all potential threats and business
functions. (TechTarget)
 Evaluate the Scope and Objectives: Confirm that the scope and
objectives of the BCP are clearly defined and aligned with the
organization’s goals. The BCP should cover all essential aspects of
the business.

 Assess Risk Assessment and Business Impact Analysis (BIA):
Check if the BCP is based on a thorough risk assessment and BIA.
The BIA should prioritize critical business functions and processes
and the impact of their disruption.
 Check Compliance with Standards and Regulations: Ensure the
BCP complies with relevant industry standards, best practices, and
legal or regulatory requirements.
 Verify Roles and Responsibilities: Review the defined roles and
responsibilities for the business continuity team and other
stakeholders. Confirm that everyone understands their tasks and
responsibilities.

 Examine Training and Awareness Programs: Look at the
training programs for staff involved in the BCP.
Determine if these programs are adequate and if staff
are aware of their roles in an emergency.

 Test the Plan: Evaluate the testing and exercise
schedule. Check if tests are conducted regularly and
lessons learned are documented and incorporated into
the BCP.

 Review Communication Plans: Assess the effectiveness
of communication plans, both internal and external.
Ensure that contact lists are current and communication
channels are established.
 Inspect Data Backup and Recovery Procedures: Confirm
that data backup and recovery procedures are in place,
regularly tested by actually restoring, and capable of
restoring systems within the required RTO with data loss
no greater than the RPO. Check that at least one copy is
kept offsite or otherwise isolated from production
credentials, so that a cyber-attack or site loss that takes
out production cannot destroy the backups as well.
 Analyze Third-Party Dependencies: If the BCP relies on
third-party services, verify that these providers also have
effective continuity plans and that their obligations are
clearly documented.

 Consider Alternate Arrangements: Ensure there are alternate arrangements
for critical operations, such as secondary locations, in case primary sites
are inaccessible.

 Evaluate Incident Response: Assess how the BCP addresses the
immediate incident response to ensure safety, asset protection, and the
initiation of the continuity plan.
 Review Recovery Strategies: Ensure the recovery strategies are realistic,
practical, and capable of achieving each critical function’s recovery time
objectives (RTOs) and recovery point objectives (RPOs).

 Check Plan Accessibility: The BCP should be easily accessible to all
relevant personnel, both in electronic and physical formats, if necessary.

 Examine Maintenance and Updating Processes: Review the processes in
place for maintaining and updating the BCP. The plan should be a living
document that is regularly reviewed and updated to reflect changes in the
business environment, technology, and personnel.

 Document Audit Findings: Throughout the audit, document any
weaknesses, gaps, or areas for improvement. Also, note any strengths and
best practices that can be leveraged.

 Provide Recommendations: Based on the audit findings, provide clear and
actionable recommendations to address any issues identified.
Recommendations should prioritize critical areas that impact the
organization’s ability to recover from a disruption.

 Create an Audit Report: Compile all findings and recommendations
into a structured audit report. This report should be presented to
senior management and other stakeholders, outlining the
effectiveness of the BCP and the necessary actions to enhance it.

 Follow-Up: Ensure that there is a follow-up process to track the
implementation of audit recommendations. This might involve
setting deadlines, assigning responsibilities, and monitoring
progress.

 Continuous Improvement: Promote a culture of continuous
improvement where feedback from BCP tests, actual incidents, and
audits contribute to the ongoing enhancement of the business
continuity planning process.
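The two checklist items "Inspect Data Backup and Recovery Procedures" and "Review Recovery Strategies" are the ones an auditor can turn into evidence rather than interviews. The following added example (not from the deck) runs those checks over a constructed backup catalogue: for each critical system it verifies that the latest successful backup is no older than the RPO, that it was integrity-verified, that an offsite or otherwise isolated copy exists, that a restore has actually been exercised within an assumed quarterly interval, and that the exercised restore finished within the RTO. The catalogue field names, the systems, the timestamps and the 90-day test interval are all assumptions for illustration, not any backup product's schema or any standard's requirement.

```python
"""Audit check for backup and recovery procedures against the BIA's recovery
objectives: is the latest good backup of each critical system within its RPO, is
there an isolated (offsite) copy, has a restore actually been exercised recently,
and did that restore finish within the RTO?

Added example, not from the deck. The catalogue is constructed; its field names
and the quarterly restore-test interval are assumptions for illustration.
"""
from datetime import date, datetime, timedelta, timezone

AUDIT_TIME = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)   # constructed audit timestamp
RESTORE_TEST_INTERVAL = timedelta(days=90)                      # assumed policy: test restores quarterly

# Constructed backup catalogue: one entry per critical system named in the BIA.
CATALOGUE = [
    {"system": "erp_db", "rpo_hours": 4, "rto_hours": 8,
     "backups": [
         {"finished": "2024-06-01T06:30:00Z", "status": "ok", "verified": True, "offsite": True},
         {"finished": "2024-06-01T02:30:00Z", "status": "ok", "verified": True, "offsite": True}],
     "restore_tests": [{"date": "2024-04-15", "duration_hours": 5.5, "success": True}]},
    {"system": "file_share", "rpo_hours": 24, "rto_hours": 24,
     "backups": [
         {"finished": "2024-05-29T23:00:00Z", "status": "ok", "verified": True, "offsite": False},
         {"finished": "2024-05-31T23:00:00Z", "status": "failed", "verified": False, "offsite": False}],
     "restore_tests": [{"date": "2023-11-02", "duration_hours": 30, "success": True}]},
    {"system": "payment_gateway", "rpo_hours": 1, "rto_hours": 4,
     "backups": [
         {"finished": "2024-06-01T08:45:00Z", "status": "ok", "verified": False, "offsite": True}],
     "restore_tests": []},
]


def _ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z as an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_system(entry: dict, now: datetime = AUDIT_TIME) -> list:
    """Return the audit findings for one system; an empty list means it passes."""
    findings = []
    good = [b for b in entry["backups"] if b["status"] == "ok"]   # failed runs do not count
    if not good:
        findings.append("no successful backup on record")
    else:
        latest = max(good, key=lambda b: _ts(b["finished"]))
        age_hours = (now - _ts(latest["finished"])).total_seconds() / 3600
        if age_hours > entry["rpo_hours"]:
            findings.append(f"latest good backup is {age_hours:.1f}h old, exceeds RPO of {entry['rpo_hours']}h")
        if not latest["verified"]:
            findings.append("latest backup has not been integrity-verified")
        if not latest["offsite"]:
            findings.append("no offsite/isolated copy: a site loss or ransomware on production takes the backup too")
    tests = [t for t in entry["restore_tests"] if t["success"]]
    if not tests:
        findings.append("no successful restore test on record")
    else:
        last = max(tests, key=lambda t: t["date"])          # ISO dates sort lexicographically
        if now.date() - date.fromisoformat(last["date"]) > RESTORE_TEST_INTERVAL:
            findings.append(f"last restore test {last['date']} is older than {RESTORE_TEST_INTERVAL.days} days")
        if last["duration_hours"] > entry["rto_hours"]:
            findings.append(f"last tested restore took {last['duration_hours']}h, exceeds RTO of {entry['rto_hours']}h")
    return findings


def audit(catalogue=CATALOGUE, now: datetime = AUDIT_TIME) -> dict:
    """Map each system to its list of findings."""
    return {e["system"]: audit_system(e, now) for e in catalogue}


if __name__ == "__main__":
    for system, findings in audit().items():
        print(system, "PASS" if not findings else "FAIL")
        for f in findings:
            print("   -", f)
```

Note what the constructed data is designed to surface: the file share's most recent backup run failed, so the "latest backup" the backup console shows is not the one that counts, and its only tested restore took longer than the RTO it is supposed to meet. The payment gateway is backed up within its RPO but has never been restored from backup at all, which is the gap real incidents most often expose.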
Thank you
