PP1 | Policy & Programme Management Flashcards
The policy should:
- provide the strategic direction from which the business continuity programme is delivered.
- define the way in which the organisation will approach business continuity and how the programme will be structured and resourced.
- be supported, approved, and owned by top management to provide effective governance and leadership.
- state how it supports the strategic objectives of the organisation and other relevant policies.
- be appropriate to the size, complexity, and type of organisation and aligned to its culture and operating environment.
- identify any standards or guidelines that are used as a benchmark for the business continuity programme.
- be communicated and made available to all interested parties.
Establishing the Business Continuity Policy - General Principles
- Agree the definition and objectives for business continuity within the organisation.
- Agree the scope of the business continuity programme.
- Identify and agree on the standards or guidelines that will be used as a benchmark for the organisation’s business continuity programme.
- Review and conduct a gap analysis of the organisation’s current policy against any new requirements where appropriate.
- Draft the new or revised policy.
- Review the draft policy against the organisation’s current standards or policies addressing related management disciplines.
- Identify any duplication and seek opportunities to collaborate as appropriate.
- Circulate the draft policy for consultation with top management and other relevant interested parties.
- Amend the draft policy, as appropriate, based on consultation feedback.
- Facilitate the approval and sign off of the policy by top management.
- Ensure the approved policy is communicated to all interested parties.
Establishing the Business Continuity Policy - Process
- A definition of business continuity for use in the organisation.
- A statement of governance and leadership commitment to the policy.
- Defined objectives and scope for the business continuity programme.
- Roles and responsibilities for the business continuity programme including an incident response capability.
- References to relevant policies, standards, and legal and regulatory requirements.
- Identification of interested parties.
- Agreed methods and frequency for measurement and review of all stages of the business continuity lifecycle.
- Agreed methods for sign off and communication of the policy and all programme activities.
- A change in the organisation’s approach to risk which can be prompted by an incident or change.
- A change in market conditions.
- An acquisition, merger, or disposal.
- Changes to products or services (including those that are outsourced).
- Changes to legal or regulatory requirements.
- Top management has ensured that the policy is communicated throughout the organisation.
- The policy is effective.
- The policy clearly states what the measurable deliverables of the business continuity programme are.
- There is clear top management commitment to satisfy all applicable internal and external requirements within the scope of the programme.
- There is clear and documented on-going commitment to business continuity and continual improvement.
- Opportunities for adapting to change can be identified.
Establishing the Business Continuity Policy - Outcomes
- A definition of the scope of the programme ensures a clear understanding of which areas of the organisation are to be included and which are excluded.
- This focuses the business continuity programme and associated activities on the organisation’s priorities and ensures the programme makes best use of available resources, for example, available budget.
- An understanding of the organisation’s strategy, objectives, culture, operating environment, and approach to risk is essential when considering the scope of the programme.
- Early engagement with other relevant departments or professionals, such as Corporate Governance, Enterprise Risk, and Security, at this stage is important and should also help to avoid overlap or conflict.
- Taking this organisation-wide view and collaborating with others at this stage will be key to successful implementation of the business continuity policy and programme and the overall resilience of the organisation.
- An understanding of the outsourced activities and suppliers of products and services.
- An understanding of the business continuity programme as an ongoing process. The programme can be implemented in stages, by focusing on some parts of the organisation and extending it to other parts later.
- This staged implementation approach has the benefit of reducing complexity, cost, and scale.
- Limiting the initial scope of the business continuity programme allows for a staged approach for implementation and helps to manage risk across the organisation.
Defining the Scope of the Business Continuity Programme - General Principles
- Establish a steering group or team to oversee, advise and make recommendations to top management.
- Define and document the relevant products and services in an appropriate level of detail.
- Consider the requirements for delivery of the organisation’s products and services and related activities against its strategy, objectives, culture, and legal and regulatory constraints (which should include those provided by outsourced service providers where appropriate).
- Consider the requirements of other related policies, for example, information security and health and safety.
Defining the Scope of the Business Continuity Programme - Process
- Cost benefit analysis.
- Strengths, Weaknesses, Opportunities, and Threats (SWOT) analysis.
- Benchmarking against appropriate standards or guidelines.
- Market analysis techniques.
- Business Impact Analysis (BIA) and Risk Assessment (if these have already been conducted).
Defining the Scope of the Business Continuity Programme - Methods & Techniques
The outcome is a clearly-defined scope for the business continuity programme, which can be validated to ensure that the objectives of the business continuity policy are being met.
Defining the Scope of the Business Continuity Programme - Outcomes
Governance activities should include monitoring and measuring progress against key performance indicators (KPIs) to confirm that the business continuity policy and programme are being implemented effectively and are aligned with organisational objectives and strategy.
There are several sources of guidance for business continuity professionals on how to develop, manage, implement, and review a business continuity programme.
The international standard for business continuity management, ISO 22301:2012, identifies management and governance processes for operating, monitoring, reviewing, and continually improving a business continuity management system.
Requirements for governance of business continuity are also provided in national or international standards, legislation, regulations, or industry sector specific guidelines.
Regulations in some sectors may require formal demonstration of effective business continuity management to the organisation’s top management.
Establishing Governance - General Principles
An understanding of the organisational structure, requirements, roles and responsibilities, and reporting lines to support the implementation and ongoing management of the business continuity policy and programme.
A clear definition of the authority and accountabilities relating to business continuity:
- Top management oversight and responsibilities.
- Ownership of business continuity management.
- Identification of KPIs for validation of the business continuity programme.
Examples of high-level metrics are:
- Annual organisation-wide exercising as part of the organisation’s exercise programme.
- Annual reviews of the business continuity plans.
- An annual management review (validation of the business continuity programme is covered in Validation).
- Definition of the types of decisions, risks, events, investments, and other significant business continuity management-related matters that should be reported to top management.
- An outline of the required type and frequency of reporting and communication to top management.
Establishing Governance - Process
The organisation’s top management should agree:
- What needs to be measured and monitored.
- How this should be achieved.
- The methods for monitoring, measuring, analysing, and evaluating.
- When monitoring and measuring should be performed.
- When monitoring and measuring results should be analysed and evaluated.
To do this, top management should:
- Act to address any areas of weakness or gaps in the business continuity programme objectives.
- Monitor the effectiveness of the programme.
- Ensure that the relevant information is retained as evidence of the results.
Establishing Governance - Outcomes
The purpose of assigning roles and responsibilities is to ensure that the tasks required to implement and maintain the business continuity programme are allocated to specific, competent individuals whose performance can be evaluated and where further training requirements can be identified.
The training and competency requirements for the business continuity professional and wider programme are covered in Embedding Business Continuity.
Top management should assign accountability, responsibility, and authority to designated teams or individuals to ensure that appropriate procedures are adopted and properly implemented in accordance with the requirements of the policy.
Top management should also ensure that these roles are communicated to the relevant interested parties.
Top management should ensure individuals carry out their roles as appropriate within the organisation.
Where the individuals are assigned business continuity responsibilities in addition to their existing role, the new responsibility should be added to their job description and communicated to all interested parties.
The performance of these individuals should be measured as part of the Validation stage of the business continuity management lifecycle on an ongoing basis.
Assigning Roles & Responsibilities - General Principles
A competent individual should be identified and appointed to manage the implementation of the business continuity policy and programme.
Depending on the size of the organisation, this may be a full- or part-time role.
Additional individuals or teams may be assigned to assist with the ongoing management and delivery of the business continuity programme.
These could include:
- A business continuity steering group to give advice, guidance, and oversight.
- Teams that will respond to an incident and that can contribute towards developing the incident response plans.
Assigning Roles & Responsibilities - Process
The outcomes of assigning roles and responsibilities as part of business continuity policy and programme management are:
- Clearly-defined roles and responsibilities assigned to competent individuals and teams.
- Appropriate authority assigned as relevant to the role.
- Roles and responsibilities, and authorities documented in the business continuity policy.
- Alternates for each role identified.
- Responsibilities included in the individual’s job description and communicated to interested parties.
Assigning Roles & Responsibilities - Outcomes
The business continuity programme is an ongoing process, which adapts in response to the changing nature of an organisation’s internal and external operating environment.
Implementing a programme for the first time should involve undertaking all activities detailed in the business continuity management lifecycle; however, revisions to the programme will likely involve less activity if there is no significant change in the organisation’s requirements.
During the initial implementation, sufficient time should be allocated to undertake the activities in each stage of the business continuity management lifecycle.
A flexible and comprehensive programme that is actively managed should be in place to ensure the organisation maintains its business continuity capability and continues to develop and enhance organisational resilience.
The Business Continuity Programme - General Principles
Implementing and managing the programme involves managing many interrelated tasks to achieve the objectives stated in the policy.
The business continuity professional or team, in consultation with top management, should:
- Develop the business continuity management programme.
- Identify the appropriate activities for the programme based on each stage of the business continuity management lifecycle.
- Coordinate the appropriate activities within the organisation (adjusting projects within the programme as necessary).
- Manage change and coordinate with other areas of the organisation as appropriate.
- Promote the benefits of the programme through communication and create awareness both inside and outside of the organisation. Creating awareness is covered in PP2.
- Manage the programme budget.
- Maintain and manage all programme documentation.
- Ensure the relevant legal and regulatory requirements identified in the policy have been taken into consideration.
- Report to top management on a regular basis, highlighting any issues identified.
The Business Continuity Programme - Process