PP1 Policy & Program Management Flashcards
What is a business continuity policy?
Key document that sets out purpose, context, scope, and governance of the BC programme.
The policy “provides intentions and direction of an organization as formally expressed by its top management.” (Source: ISO 22301:2012)
When to use an interim structure and plan?
In large or complex organisation, where fully scoped BC programme may take months to complete, an interim response structure and plan may be sensible temporary measure.
General principles to be considered when creating or revising BC policy (7):
- Provide STRATEGIC DIRECTION for BC programme
- Define way organisation will APPROACH BC and how programme will be structured and resourced.
- Supported, approved and owned by TOP MANAGEMENT.
- State how supports strategic objectives of organisation.
- Appropriate to size, complexity and type of organisation.
- Identify standards or guidelines used as benchmark
- COMMUNICATED and made available to all interested parties.
Steps required to develop effective BC policy are (10):
- Agree definition and objectives
- Agree scope of BC programme.
- Identify and agree on standards or guidelines
- Review and conduct gap analysis
- Draft new or revised policy.
- Review draft policy
- Circulate draft policy for consultation
- Amend draft policy
- Facilitate approval and signoff of policy
- Ensure approved policy is communicated
The business continuity policy should include (8):
- Definition of BC for use in organisation.
- Statement of governance and leadership commitment
- Defined objectives and scope for BC programme.
- Roles and responsibilities for BC programme including an incident response capability.
- References to relevant policies, standards, and legal and regulatory requirements.
- Identification of interested parties.
- Agreed methods and frequency for measurement and review of all stages of BC lifecycle.
- Agree methods for sign-off and communication of policy and all programme activities.
BC policy should be regularly reviewed at pre-agreed intervals or following significant changes, including (5):
- Change in organisation’s approach to risk
- Change in market conditions.
- An acquisition, merger, or disposal.
- Changes to products or services
- Changes to legal or regulatory requirements.
Reviewing or auditing BC policy, following should be demonstrated (6):
- Top management ensured policy is communicated
- Policy is effective.
- Policy clearly states what measurable deliverables of the BC programme are.
- Clear TOP MANAGEMENT commitment
- Clear and documented ongoing commitment to BC and continual improvement.
- Opportunities for adapting to change can be identified.
General principles to consider when determining scope of the BC programme (4):
- Definition of scope of programme ensures clear understanding of which areas of organization are included and excluded.
- Understanding of organization’s strategy, objectives, culture, operating environment, and approach to risk.
- Understanding of outsourced activities and suppliers of products and services.
- Understanding of BC programme as ongoing process.
Process to determine scope of business continuity programme (4):
- Establish steering group
- Define and document relevant products and services
- Consider requirements for delivery
- Consider requirements of other related policies
Definition of Products and Services:
“Beneficial outcomes provided by organization to its customers, recipients and interested parties…” (Source: ISO 22301:2012)
Decisions on products and services to include in scope may be prompted by (4):
- Products which make significant contribution to the organization’s reputation, income, or success.
- Customer contractual requirement.
- Legal or regulatory requirement.
- Physical threats, e.g. proximity to other industrial premises such as a chemical manufacturing plant or hazards such as flooding.
Reasons product or service may be excluded from scope include (2):
- Nearing end of life (and would be terminated if disrupted).
- Low margins or low volumes (could be terminated or externally sourced if disrupted).
Deciding whether to exclude product or service, following issues should be considered (5):
- Financial loss.
- Interested parties who may be impacted by loss
- Reputational damage
- Impact on legal or regulatory requirements.
- Needs and expectations of customers and other interested parties.
Methods and techniques used to define scope of BC programme include (5):
- Cost benefit analysis.
- Strengths, Weaknesses, Opportunities and Threats (SWOT) analysis.
- Benchmarking against appropriate standards or guidelines.
- Market analysis techniques.
- Business impact analysis (BIA) and risk assessment (if already been conducted).
Governance for business continuity primarily focuses on (5):
- Providing oversight and support
- Ensuring BC programme aligns with organization’s objectives.
- Ensuring BC programme complies with policy and related legal and regulatory requirements.
- Monitoring and reviewing BC programme regularly to ensure requirements are being met.
- Supporting continual improvement
Establishing governance for BC requires the following (6):
- Understanding of organizational structure,
- Clear definition of authority and accountabilities relating to BC
- Identification of key performance indicators
- Defined BC information to report
- Outline of type and frequency of reporting and communication.
- Alignment of governance of BC programme with overall governance framework of organization.
Leadership and commitment to BC policy and programme can be achieved using the following methods (8):
- Recognising and communicating requirement for BC as key management discipline
- Ensuring that BC policy and programme is aligned to objectives of organization.
- Ensuring that BC programme delivers expected outcomes
- Maintaining support for BC policy and programme.
- Ensuring individuals undertake activities.
- Providing resources required to implement policy
- Directing and supporting continual improvement of BC
- Providing direction and guidance to embed BC into business as usual routines.
In defining governance, organization’s top management should agree (5):
- What needs to be measured and monitored.
- How this should be achieved.
- Methods for monitoring, measuring, analysing, and evaluating.
- When monitoring and measuring should be performed
- When monitoring and measuring results should be analysed and evaluated
To do this, top management should:
- Act to address areas of weakness or gaps in BC programme objectives.
- Monitor effectiveness of programme.
- Ensure that relevant information is retained as evidence of results.
Purpose of assigning roles and responsibilities
Ensure tasks required to implement and maintain BC programme allocated to specific, competent individuals whose performance can be evaluated and where further training requirements can be identified.
By assigning a member of top management overall accountability for BC and effectiveness, organisation ensures that (3):
- BC recognised as key activity in organisation.
- Implementation will be achieved through collaboration with other related disciplines.
- Appropriate response roles and responsibilities will be defined based on competency
Skills and competencies required in roles identified as part of BC programme:
Top management
Provide leadership, commitment and resources as part of governance.
Skills and competencies required in roles identified as part of BC programme:
Steering group
Oversee, advise, and manage BC programme, making recommendations, and reporting to top management
Skills and competencies required in roles identified as part of BC programme:
Business continuity plan owner
Ensure BC plan adequately reflects organization’s BC capability.
Skills and competencies required in roles identified as part of BC programme:
Business continuity professional
Develop and deliver effective BC programme. This includes facilitation and coordination of plans throughout the organisation.