Business Continuity Management & ISO 22301 - Complete Guide | Hassham Idris | Skillshare

Playback Speed


  • 0.5x
  • 1x (Normal)
  • 1.25x
  • 1.5x
  • 2x

Business Continuity Management & ISO 22301 - Complete Guide

teacher avatar Hassham Idris, Advisor, auditor and trainer

Watch this class and thousands more

Get unlimited access to every class
Taught by industry leaders & working professionals
Topics include illustration, design, photography, and more

Watch this class and thousands more

Get unlimited access to every class
Taught by industry leaders & working professionals
Topics include illustration, design, photography, and more

Lessons in This Class

41 Lessons (1h 51m)
    • 1. Intro - Why Business Continuity Management is essential?

      3:53
    • 2. 1.1 What You Will Learn in This Course?

      8:45
    • 3. 1.2 Common Myths and Misconceptions About Business Continuity

      3:50
    • 4. 1.3 Understand the Difference - Crisis, Incident, Business Continuity & IT Disaster Recovery

      5:39
    • 5. 2.1 What is ISO 22301?

      2:23
    • 6. 2.2 The PDCA (Plan-Do-Check-Act) Cycle

      2:11
    • 7. 2.3 Benefits of a Business Continuity Management System

      2:37
    • 8. 2.4 ISO 22301 Standard Clauses (1-3)

      1:12
    • 9. 2.5 ISO 22301 Standard Clause 4: Context

      1:43
    • 10. 2.6 ISO 22301 Standard Clause 5: Leadership

      1:02
    • 11. 2.7 ISO 22301 Standard Clause 6: Planning

      1:42
    • 12. 2.8 ISO 22301 Standard Clauses 7: Support

      1:18
    • 13. 2.9 ISO 22301 Standard Clause 8: Operations

      2:26
    • 14. 2.10 ISO 22301 Standard Clause 9: Performance Evaluation

      1:20
    • 15. 2.11 ISO 22301 Standard Clause 10: Improvement

      1:08
    • 16. 3.1 Ownership and Accountability

      3:15
    • 17. 3.2 Business Continuity Policy

      1:51
    • 18. 3.3 Business Continuity Management Framework (BCMF)

      3:14
    • 19. 4.1 Business Continuity Risk Management

      1:45
    • 20. 4.2 & 4.3 Risk Management vs BCM

      3:22
    • 21. 5.1 What is Business Impact Analysis (BIA)?

      1:13
    • 22. 5.2 & 5.3 Recover Objectives and RTO vs RPO

      3:54
    • 23. 5.4 Performing the Business Impact Analysis – Part 1

      1:43
    • 24. 5.5 Performing the Business Impact Analysis – Part 2

      1:42
    • 25. 5.6 Performing the Business Impact Analysis – Part 3

      1:43
    • 26. 6.1 Business Continuity Planning and Strategies

      4:14
    • 27. 6.2 Development of Business Continuity Plan – Part 1

      2:35
    • 28. 6.3 Development of Business Continuity Plan – Part 2

      2:56
    • 29. 6.4 & 6.5 Development of Business Continuity Plan – Part 3 & Storing BCP Copies

      5:03
    • 30. 7.1 IT Disaster Recovery Plan

      3:50
    • 31. 7.2 Linkage with IT Disaster Recovery and Related Plans

      1:42
    • 32. 8.1 Business Continuity Training and Awareness

      2:50
    • 33. 8.2 Embedding the BCM in Organizational Culture

      2:05
    • 34. 9.1 Tests and Exercises

      1:32
    • 35. 9.2 & 9.3 Business Continuity Testing Methods – Part 1 & 2

      6:34
    • 36. 9.4 Business Continuity Testing Methods – Part 3

      1:24
    • 37. 9.5 Post BCP exercise review

      1:03
    • 38. 10.1 Maintenance of Business Continuity Plans

      1:21
    • 39. 10.2 Monitoring and Assurance of Business Continuity Plans

      2:05
    • 40. 11.1 Wrap up

      5:33
    • 41. 11.2 Final Thoughts and Next steps

      1:29
  • --
  • Beginner level
  • Intermediate level
  • Advanced level
  • All levels
  • Beg/Int level
  • Int/Adv level

Community Generated

The level is determined by a majority opinion of students who have reviewed this class. The teacher's recommendation is shown until at least 5 student responses are collected.

44

Students

--

Projects

About This Class

Learn business continuity management from organizational resilience, risk management & business management perspectives!

What you'll learn:

  • Understand what Business Continuity Management is and what it's not
  • Understand why effective Business Continuity Management is Key to Success of Any Business 
  • Learn and differentiate between related organizational resilience concepts - including Emergency Response, Crisis Management, Incident Management and IT Disaster Recovery
  • Implement ISO 22301:2019 Business Continuity Managements System (BCMS)
  • Understand governance of business continuity management
  • Perform Business Impact Analysis (BIA) and Business Continuity Risk Management as per ISO 31000
  • Develop Business Continuity Strategies and Plans
  • Understand what IT Disaster Recovery planning is and how it links with Business Continuity 
  • Understand the importance of Human Factor and Training & Awareness
  • Perform Business Continuity Exercises
  • Be able to Monitor, Maintain and Perform Assurance of the Business Continuity Management System

Requirement:

  • No experience required, just a willingness to learn about business continuity
  • Familiarity with business continuity concepts is helpful

Who this course is for:

  • People interested in learning about business continuity and organizational resilience
  • Business continuity managers and professionals
  • Business leaders and managers
  • Information Technology professionals and managers
  • Risk Management professionals
  • Business owners
  • Aspiring managers

 

Description:

 Welcome to one of the most comprehensive business continuity management course available online.  This course will enable you to develop not only a highly in demand skill of today but also to help organizations survive and become more resilient.  

We will start this course by understanding the fundamental organizational resilience and Business Continuity Management (BCM) concepts. What BCM is and what’s it’s not. I’ll clarify the misconceptions and confusions about Business Continuity and explain what benefits it brings to an organization from different perspective such as benefits from business, financial, internal processes and stakeholder perspectives. We’ll also look at the global Business Continuity Management standard i.e. ISO 22301: 2019 and its requirements. Once we have understood the key concepts and elements of the BCMS, we will dive deep in each of these main areas of the business continuity:

 - Introduction and Key Business Resilience Concepts

  • Understand some common myths and misconceptionsabout Business Continuity
  • Learn key aspects of broader business resilience i.e. Emergency Response, Crisis Management, Incident Management, Business Continuity Planning and IT Disaster Recovery
  • Understand how these plans and processes link to each other in a very easy to understand disruption timeline

 - ISO 22301:2019 – Business Continuity Management System

  • Understand what ISO 22301 standardis
  • Learn what is ISO’s PDCA (Plan Do Check Act)lifecycle.
  • Learn about the requirements of 10 ISO 22301 clauses
  • Understand the key benefits of implementing and maintaining a Business Continuity Management System (BCMS)from different perspectives, such as benefits from business perspective, financial perspective, internal processes perspective and stakeholders perspective.

 

- Governance

  • Understand the importance of having clear accountability, ownership and responsibilities. 
  • Learn why a Business Continuity Policyis required and what should it include
  • Be able to understand the key aspects of a Business Continuity Management Framework

 

- Risk Management

  • Understand why an effective risk managementis important for the BCMS
  • Understand the difference between enterprise risk management(such as ISO 31000) and business continuity management
  • Learn what some of the common risk treatment options are that can be applied to the business continuity risks.

 - Business Impact Analysis

  • Study what Business Impact Analysis (BIA)is. Why do we do this analysis, and how BIA helps you understand your organization better.
  • Learn what recovery objectives are, the key terms of Recovery Time Objectives (RTO) and Recovery Point Objective (RPO)
  • Learn the 6 steps of performing the Business Impact Analysis.

 - Business Continuity Planning

  • Understand what Business Continuity Planning is, why it’s important
  • Learn the requirements and strategies of business continuity planning
  • Learn how to develop a Business Continuity Plan(BCP) considering various aspects such as people, communication, facilities, systems and applications, telecommunications, internal and external dependencies, special requirements and related content to be included in the BCPs.

 - Linkage with IT Disaster Recovery and Related Plans

  • Learn what IT Disaster Recovery Plan (IT DRP) is and what are the components for developing an IT DR Plan.
  • Understand that BCP is not a standalone document rather how it needs to connect seamlessly with the related plans such as Emergency Response, Crisis Management, Incident Management and IT Disaster Recovery

 - Human Factor

  • Learn why training and awareness is one of the most crucial aspect for the BCP to be useable and effective.
  • Understand the key education and awareness elements within the BCMS.
  • Learn how business continuity can be embedded in the organizational culture.

 - Business Continuity Exercises

  • Study the importance of performing Business Continuity Tests and Exercises
  • Be able to ensure that the plans are able to meet the required objectives (RTO and RPO)
  • Learn several business continuity tests and exercise methods and which one will be suitable in different scenarios.
  • Learn why performing debriefing sessions are important and how they should be conducted.

 - Maintenance, Monitoring and Assurance

  • Learn how BCPs and the BCMS should be maintained and kept up to date
  • Understand what are the main aspects of performing the periodic monitoring and assurance of the BCSMS.

Finally in the conclusion section we will have a brief re-cap of what we have learned and discuss the next steps.

I’ve also included quizzes, assignments, articles and downloadable material in this course that will help you practice and get additional guidance throughout your journey.

 Remember, I have worked on these approaches for a number of my clients across different continents, so the strategies we are going to learn, work in practice, not just on paper!

Meet Your Teacher

Teacher Profile Image

Hassham Idris

Advisor, auditor and trainer

Teacher

Hello, I'm Hassham.

Senior manager in a well-known fortune 100 advisory firm. Have over 15 years of experience in evaluating and implementing cyber security and organizational resilience related risks, identifying deficiencies and potential opportunities for improvement, and developing innovative solutions for improving cyber security, risk management, technology operations, and business continuity capabilities.

I hold an MBA and BS (Computer Science) degrees along with some of industry best certifications and qualifications, including PMP, ISO 27001 Lead Auditor, ISO 31000 Lead Implementer, COBIT 5 Foundation, SAFe Agilist, ISO 22301 Implementer, CMMI ATM, Microsoft Certified Professional etc.

I have strong knowledge and implementation experience of international s... See full profile

Class Ratings

Expectations Met?
  • Exceeded!
    0%
  • Yes
    0%
  • Somewhat
    0%
  • Not really
    0%
Reviews Archive

In October 2018, we updated our review system to improve the way we collect feedback. Below are the reviews written before that update.

Why Join Skillshare?

Take award-winning Skillshare Original Classes

Each class has short lessons, hands-on projects

Your membership supports Skillshare teachers

Learn From Anywhere

Take classes on the go with the Skillshare app. Stream or download to watch on the plane, the subway, or wherever you learn best.

Transcripts

1. Intro - Why Business Continuity Management is essential?: Hello and welcome to one of the best business continuity management course. This goes will enable you not to only develop a highly in-demand skill of today, but also to help organizations survive and become more resilient. I'm Hassham Idris and I'm part of the senior leadership team in a Fortune 100 advisory form. Over the past 15 years, I've helped more than 50 organizations, but therefore respond to and emerge stronger from major disruptions. Globally, organizations are facing countless threats of potential disruptive events and they're operating environment. Including pandemics such as Kuwait 19, natural disasters. Whether cyberattacks, long-term power outage, unavailability of key suppliers, et cetera. Recently we have started seeing significant increase in the number of disruptions. In fact, 2020 can be called an air of disruption. Either its covert 19 Australian bush fire, hurricane Sandy, tornadoes in Oklahoma, or recent cyber-attacks in New Zealand. Next, stocks change. Companies that proactively consider how to respond to these events are the first to get back to business, often at the expense of the comparators. If you look at the top business risk trends in 20202021, business resilience limited risk will be right up there. For example, three out of the KPMG top ten global business risks to, out of the top five Forbes business risk, and three out of the top five threats as BUT aligns risk barometer, including the top two threads, are all related to business resilience. The next crisis that could threaten your organization may already be taking shape. And with so much at stake, organizations can simply not afford to not have a plan. Just ask yourself or your organization a couple of simple questions. Do you think you're ready to face a new crisis? Are you able to timely recover your key functions? If your answer is no or not sure, don't worry, you're off to a good start because you're here with me, aware of the risk and ready to learn will start this course by understanding the fundamental organisation resilience and business continuity concepts. What business continuity management is and what it's not. I'll clarify the common misconceptions and confusions about business continuity and explain what benefits it brings to an organization from different perspectives. Will also look at the global business continuity mightn't standard, that is ISO W3 0-1 and its requirements. Once we have understood the key concepts and the elements off the BC MS, we'll dive deep in each of the main areas of business continuity. Now this course assumes no business continuity experience. So if you're a complete beginner, that's not a problem. We all begin somewhere. I'll be with you every step of the way as I'll take you through the fundamental business continuity concepts, all the way to some of the more intermediate and advanced approaches. But all I need from you is a strong desire to learn in case you're one of the few people who are experienced in this area. This will still be a very good refresh. I have worked on these approaches for a number of clients across different continents. So remember, the strategies we are going to study, work, and practice, not just on paper. There's a lot to learn and practice. So let's begin our journey and I look forward to having you on this course. 2. 1.1 What You Will Learn in This Course?: Hello and welcome to this business continuity management goes. In this course, you're going to discover what business continuity really is and what it's not. Why business continuity is key to survival for any organization today. And what are the fundamental concepts and key elements of the complete business continuity management lifecycle and some practical approaches to implement them. This will enable you to develop a highly in-demand skill of today and to help any organizations survive and become more resilient. I am hotshot midrise, and I'm part of the senior leadership team of a well-known Fortune 100 advice reform. Over the past 15 years. I've helped several organizations across different countries are prepared to respond and emerge stronger from the major disruptions. Specifically from a business continuity and technology recovery perspective. Let me briefly introduce you to the structure of this course. I have broken this course down into 11 sections and over 40 high-quality lectures. There is a brief overview of what we'll cover in each section. We'll start off with busting some common myths and misconceptions about business continuity management. Then we'll go through the key aspects of broader business resilience. The differences between the related plants, such as emergency response, crisis management, incident management, business continuity planning, and IT disaster recovery. And understand how they relate with each other in a very easy to understand way. In the next chapter, we'll look at what ISO W3C standard is and what is ISOs PDCA, plan, do check, act, life-cycle. Will then look at the ten ISO clauses, what they mean and what are some of the key benefits of implementing and maintaining a business continuity management system from different perspectives, such as benefits from business perspective, Financial Perspective, Internal processes perspective, and stakeholder's perspective. Then we'll move on to the governance chapter. We'll, we'll start off with discussing the importance of having a clear accountability, ownership and responsibility. Recover the policy and business continuity management framework aspects and discuss why having a policy and framework is vital for the governance of the business continuity management system. In risk management, we'll study how an effective risk management is important for the business continuity management system. What is the difference between enterprise risk management and business continuity management? And what some of the common risk treatment options are that can be applied to the business continuity risks. In the next chapter, we'll look at what ISO W2 three 0-1 standard is and what is ISOs, PDCA or plan do check, act lifecycle is will then look at the ten ISO clauses, what they mean and what are some of the benefits of implementing and maintaining a business continuity management system? From various perspectives, such as benefit. In risk management, we will study how an effective risk management is important for the business continuity management system. What is the difference between enterprise risk management and business continuity management? And what some of the common risk treatment options are that can be applied to the business continuity risk. Then we will study what Business Impact Analysis or BIA is. Why do we do this analysis? And how BIA helps you understand your organization better? We learn what recovery objectives are. And the key terms of audio, that is recovery time objectives and ARPU, that is recovery point objectives. Once we understand these basics, will then look at the six steps of performing a business impact analysis. After business impact analysis, we look at developing the business continuity plan. Will study would be Cp is why it's important and what are the requirements and strategies for business continuity planning. Then we look in detail of how we can develop a PCP considering various aspects such as people, communication, facilities, systems and applications, telecommunications, internal and external dependencies, special requirements and related content to be included in the business continuity plans. In next section is the linkage with the IT disaster recovery and the related plants will start with studying about the IT DR plan in more detail including Y IT disaster recovery planning is required. And what are the components for developing an ITD, our plan. Then we'll discuss why it is essential that the business continuity plan is not a standalone document. Rather, how we can connect it seamlessly with the related plants such as crisis management, emergency response, incident management, and IT DR plan. In the human factor chapter, we will study why training and awareness is one of the most crucial aspect for the PCPs to be usable and effective. We learn what some of the key education and awareness elements are within the business continuity management system will also discussed how business continuity and be imbedded in the organizational culture with the help of an ongoing process and involvement from the senior leadership team. The next chapter is business continuity exercises, where we will study the importance of performing the BC tests and exercises to ensure the plans work in practice and not just on paper. And if they are able to meet the required objectives. We'll look at several tests and exercise types and which one will be suitable and different scenarios. We'll also cover the importance of debriefing sessions and how they should be conducted. Then we'll look at how business continuity plans and the business continuity management system should be maintained and kept up to date. And what are the main aspects of performing the periodic monitoring and assurance. Finally, in the conclusion section, will have a brief recap of what we have learned and discuss the next steps. Please keep in mind that most of these areas such as governance, performing the BIA, developing the PCP, and the exercises are very detailed subjects within themselves. And this goes, we'll cover each of these in a reasonable level of detail so you understand the essentials of all these elements and able to start your business continuity journey. The complete course curriculum is available for you to download as well. I've also included quizzes, assignments, articles, and downloadable material in this course that will help you practice and get additional guidance throughout this journey. By the end of this course, you'll be able to learn how resilient organisations bounced back quickly from disruption. Maintaining an even growing their comparative advantage. Learn, develop and implement the proven business continuity strategies and understand that resilience is more than just having a plan. Therefore, learning these skills will not only increase your market stability, but also open doors for a carrier and business continuity management. There's a lot to learn and practice. So let's begin our journey and let's get started. 3. 1.2 Common Myths and Misconceptions About Business Continuity: Business continuity planning is one of the most important aspect of any recovery strategy. Unfortunately, a lot of organizations are not proactive in developing their continuity strategies and plans. Based on my experience, a key factor of organizations not being prepared is because of some common myths and misconceptions about business continuity. Here are a few of those. We have a small team didn't know what to do during a major disruption. As a matter of fact, even the best employees cannot be expected to know what to do when disaster strikes. Leaving each employee to the spawn in his or her own way only adds to the confusion during an event. So having a well thought out and documented business continuity plan in advance and cleaning your employees to follow it gets everyone much better prepared to respond to an event. The next one is business continuity, is same as ID disaster recovery planning. It is important to understand this difference. As the name suggests, a business continuity plan is a business centric process which ensures businesses are able to continue operating in the event of a major disruption or if a workplace becomes inaccessible. The TCP provides detail steps to be taken before, during and after a disruption to maintain the financial viability of an organization. On the other hand, I did disaster recovery plan or IT DRP comes into play when your organization loses access, twist IT systems and technology infrastructure. So IT DRP focuses on response and recovery of IT systems and assets from a significant outage or failure. Sometimes it gives off a major disruption. Would the bcb and the IT DR. B. Can be activated together. However, depending on the event, only one can also be activated. For example, if an organization hosts a number of its system on a datacenter and there's a significant outage on that datacenter, then only an ID DOB needs to be activated and not the ABCP. Therefore, although different but bought the bcb and the ID DARP, are vital for helping an organization insured and organized, safe, and timely recovery. The next one is, it takes a long time to develop a business continuity plan. To some extent it does. However, we must realize that the dime spent developing and maintaining the business continuity plans is an investment in your company. If a major disruption happens, your fixed cost will continue. Even if you are open for business or not. The faster you can return to business as usual, what we call BAU, the more likely and quickly you will recover from the dad disruption. We have seen several examples recently, either score with 19 pandemic Australian bush fire or tornadoes in Oklahoma. Companies that proactively consider how to respond to disruptions are the first one to get back to business. Often at the expense of the competitors. But saw muttered stick, your organization cannot afford to follow any of these misconceptions and not have a plan. 4. 1.3 Understand the Difference - Crisis, Incident, Business Continuity & IT Disaster Recovery: It is important for us to understand that business resilience is a broader concept. And it's not a technology, an isolated system, or a single process. It is a program that requires coordination of people, processes, facilities, and technology with an effective governance system to sustain it and effectively manage critical system during a major disruption. Effectively managing critical moments during a major disruption means bringing together a range of separate capabilities and disciplines to help the executives make decisions and manage their issue. These capabilities include emergency response and crisis management, incident management, business continuity management, and technology recovery, or IT disaster recovery. And before we dive deep in this course, it is important to understand the basics of these concepts and how these capabilities map in a business disruption timeframe. If we map these in a business disruption dime lane, here's how it looks like. We have four main phases of this timeline. For beer, respond, recover, and restore. Rebellious or phase where you are running as BAU, that is business as usual. This is where planning needs to take place and all related plans should be developed. Let's see. Your business is going as usual and then an incident strikes. Your business now needs to respond. Depending on the type of incident. The first thing that may be activated is your emergency response. Emergency response focuses on the immediate action to an incident to manage dime critical threats to life and safety of individual. The production of assets under threat, and the risk of broader environmental impacts. For instance, if there's a fire in the building, the immediate action is to evacuate the building. How this evacuation will take place is part of the emergency response. Within this response and recovery phases. The other component that is important is your crisis management. And crisis management focuses on the management of a strategic impacts of incidents, such as severe financial losses, reputational damage, or compromise to the organization's ability to achieve its strategic objectives or fulfilling its mission. For instance, all the internal and external communication management during a crisis, such as communication with employees, customers, media, regulatory authorities, suppliers, and stakeholders plays a vital role in crisis management. Ramirez incident management focuses on the escalation and management of events which fall outside the existing processes or systems or are considered by the organization as warranting spatial management attention. For example, if there's a cybercrime related incident, the Incident Management deme would analyze the situation, determined the bread of the compromise, and we'll take corrective and preventive actions. Usually business continuity comes in the recovery, restore, freeze. Business continuity management focuses on the capability of the organization to continue delivery of products or services and acceptable predefined levels despite disruptive incidence. And to recover these services through our business as usual position. We will be going through several examples of this throughout this course. Technology recovery, or IT, disaster recovery, as the name suggests, is part of the recovery phase and focuses on the response and recovery of IT systems and assets from significant outages, failures, or service disruptions. For example, one of your business critical system in a primary datacenter is down and you or your cloud service provider activates the ID DR. bland, to resume the services from a secondary data center. So it is important to understand that an effective resilience program must include an integrated and coordinated approach between all aspects of the recovery event timeline. Since this course is focused on business continuity, we will dive deeper into complete business continuity management lifecycle aspects to get your business back up and running after a significant event. However, I think it's quite important to understand these differences first, as I've seen, a lot of people confuse these dumps or use them interchangeably. As Dennis readily said, expect the best land for the worse and prepared to be surprised. So in the next lectures, let's discuss how we can prepare and plan for business continuity. 5. 2.1 What is ISO 22301?: Iso W2 301 is the internationally renowned standard for business continuity management. Iso W3 0-1 specifies the requirements for a management system to protect against, reduce the likelihood of an insure, your business recovers disruptive incidence. Iso double 23012019 is the most recent publication. Iso W3 0-1 is applicable to all organizations regardless of their size, industry, or nature of the business. And based on ISOs high-level structure, it aligns with many other internationally-recognized management system and a standards such as ISO 9,001, that is Quality Management System, ISO 27,001, that is information security management system, and ISO 14,001, that is environmental management system. As such, it is designed to be integrated into an organization's existing management processes. It's a certifiable standard. Means similar to standards like eight or 9,001 and ISO 27,001. Once you meet the requirements for the standard, you can go for and an independent ordered from acidification body and get your organization certified on ISO W3 0-1, a BC MS, or a business continuity management system. Like any other management system, includes the following components. A policy, and people would defined responsibilities, usually within a defined framework. Management system or management processes relating to policy, planning, implementation, and operations. Performance assessment, management drew you and continual improvement. Any business continuity processes relevant to the organization, such as how to perform a business impact assessment, and documented information supporting them, condition, and providing auditable evidence. 6. 2.2 The PDCA (Plan-Do-Check-Act) Cycle : Similar to other ISO standards, ISO W3 0-1 also applies the PDCA cycle. We will study these phases in more detail in the later chapters. But to give you an overall concept of the PDCA cycle, in His word, it means P is for plan or establish. This is where we set up the organizational context, defined scope, develop a policy, perform Business Impact Analysis, and document the business continuity plan. D is for do or implement and operate. This is where we implement the policy and business continuity strategies documented in the business continuity plans. For example, PCP talks about having an alternative site. We finalize the location and if required, go on and establish a contract with them. Or we procured that acquired systems, devices that we lead when the PCPs activated or establish a process of how they will be procured. C is for check or monitor and review. This is where we perform the test drills or exercises as documented in the business continuity plan, do check up the plan works. And if the expected recovery objectives have been met or not is for Act or maintain and improve. After these tests are performed, to identify any issues or areas needing improvements and update the plans accordingly. Things like performing assurance or audits, taking corrective and preventive actions, and continually improving the complete business continuity management system is also part of this phase. Therefore, the PDCA cycle ensures to establish, implement, maintain, and continually improve the effectiveness of the organization's business continuity management system. 7. 2.3 Benefits of a Business Continuity Management System: There can be several benefits of managing an organization's overall ability to continue to operate during disruptions. These may include, from a business perspective, because the organization can assess potential impacts of operational disruptions, deploy effective business continuity plans, and minimize oral impact. It helps organization in a number of ways, such as supporting its strategic objectives, creating a competitive advantage, protecting and enhancing its reputation and credibility, and contributing to organizational resilience. From a financial perspective. Having the continuity of critical services ensures protection of income and assets and reducing the risk of further losses from the business disruption event. It also helps in reducing legal and financial exposure and reducing direct and indirect cost of disruptions. Also, having better insights into the impacts enables more effective evaluation of the insurance options. From the perspective of intrusted bodies. It improves the confidence of all stakeholders. Example, customers in decile employees, stakeholders, et cetera, in organizations, their ability to respond and mundane business operations in an event of a business disruption. Having an overall robust resilience program also helps in protecting life, property, and environment. Then sullying the expectations of all interested parties and providing a level of assurance in the organization's ability to succeed. From an internal processes perspective. It provides a platform for dusting and updating the business continuity plans. Utilizing capabilities and contingencies together with the business needs and identify inefficiencies based on the events. It also helps in improving the capability to remain effective during disruptions. Demonstrating proactive control of risks effectively and efficiently, as well as addressing or Princeton or liabilities. So the list is long, but these are some of the key benefits and effective business continuity management system brings to your organization and to the stakeholders. 8. 2.4 ISO 22301 Standard Clauses (1-3): The international standard of ISO W2 3012019 is divided into ten clauses. Let's see what they are. And the key requirements in all of these clauses. The first three clauses are very brief and standard ISO clauses. So you'll find the same three clauses in other ISO standards such as nine thousand, one hundred twenty seven thousand one, et cetera. Scope specifies that this standard is applicable to all types and sizes of organizations. Number two, normative references refers to related documents. In this case, it's only iso W2 300. That is about security and resilience vocabulary. Third is terms and definitions. It explains some of the standard terms and definitions such as definition of business continuity, recovery time objective, that is RTO, management system, et cetera. 9. 2.5 ISO 22301 Standard Clause 4: Context: Glosses four to ten or more detailed and include specific requirements to establish and maintain a busy MS. That is, business continuity management system. In context clause, there are four main requirements. First is understanding the organization and its context. It includes determining internal and external issues and organizations overall objectives. Then, understanding the needs and expectations of interested parties in trusted parties means both internal and external parties. And also what are the legal and regulatory requirements? Determining the scope of business continuity Management System? Scope of the GCMS includes two main things. One, what parts of the organization to be included in the BC MS, taking into account its location, size, nature, and complexity. And secondly, what are the products and services will be included in the scope of BI CMS. Any exclusions should also be clearly documented and explained here. Port is business continuity management system. This is where the PDCA cycle, that is plan, do, check, act that we discussed in the previous lecture comes in. The organization shall establish, implement, maintain, and continually improve a BC MS. 10. 2.6 ISO 22301 Standard Clause 5: Leadership: Gloss number five is leadership. Leadership clause. There are three main requirements that need to be fulfilled by the top management. Leadership and commitment requires debt management shall demonstrate leadership and commitment with respect to the business continuity management system. This is usually done by setting up accountability, defining objectives, setting up, and monitoring the key performance indicators, also called the KPIs. Then policy management should establish a business continuity policy. The third requirement is about roles and responsibilities and authorities. And that requires that management shall ensure that the responsibilities and authorities for relevant roles and assigned and communicated within the organization. 11. 2.7 ISO 22301 Standard Clause 6: Planning: Applause Number six is planning. And the main requirements for this clause include, number one, actions to address risks and opportunities. This is where we determine what the risks and opportunities are related to business continuity Management System and how we address them. We have a complete section coming up on breast management that we will study. Number two, this discontinuity management objectives and planning. To achieve them. The organization shall first establish the BCM as objectives. And a tip on a side note is whenever you set any objectives, tried to make sure these objectives are smart. That is, SME ART S means specific. M0 is measurable. It is for achievable, R For Realistic and D4 time-bound. So try to set smart objectives. These objectives should also link with the business continuity policy. Once objectives are established, you should develop a plan to determine how these objectives will be met. Next is planning changes to business continuity management system. When the organization determines the need for changes to the BC MS, that changes shall be carried out in a planned manner. For instance, knowing the impact of a change on business continuity plans, its allocation of resources, et cetera. 12. 2.8 ISO 22301 Standard Clauses 7: Support: Clause seven is support. And the main requirements for this clause include, number one, resources. The organization shall determine and provide the resources needed for the establishment, implementation, maintenance, and continual improvement of the business continuity management system. The second one is competence. Determine if you have the necessary competence of persons doing work. Do they have the training and experience needed? The next one is awareness. Persons doing work shall be aware of the business continuity management system, policy and their roles and responsibilities. Will discuss it in more detail in the human factor section. Next one is communication. The organization shall determine and control the internal and external communications relevant to the BCM S. And the last but not the least, is documented information. The organization shall maintain the relevant documentation related to the business continuity management system. With document control. 13. 2.9 ISO 22301 Standard Clause 8: Operations: Close, it is operations that includes some of the core requirements for business continuity management. The first one is operational planning and control. Means the organization should plan, implement, and control the processes needed to meet the requirements of ISO double 2301 and to implement the actions. Next is Business Impact Analysis. Risk assessment. It improves performing a BIA, that is business impact analysis. And performing risk assessment. We will study both the BIA and the risk assessment in more detail later in this course. Next is business continuity strategies and solutions. Based on the outputs from the business impact analysis and risk assessment. Though, message essential, identify and select business continuity strategies to meet the recovery objectives. Then it business continuity plans and procedures. Well, musician should develop plans and procedures to manage the organization during a disruption. The plans and procedures should be used when required to activate business continuity solutions. We will study in more detail in the business continuity planning section of this course. Next one is exercise program. Organization should implement and maintain a program of exercising and testing to validate over time their effectiveness offers business continuity strategies and solutions. We will study this in more detail in the business continuity planning exercises section of this course. The next one is evaluation of business continuity documentation and capabilities. This is where you evaluate the suitability, adequacy, and effectiveness of its business impact analysis, risk assessment strategies, solutions, plans, and the procedures that you have documented. Just a tip over here is when you're doing that, don't forget to conduct the business continuity evaluation of relevant partners and your suppliers. 14. 2.10 ISO 22301 Standard Clause 9: Performance Evaluation: Clause nine is about performance evaluation. Let's look at the key requirements of this clause. Number one is monitoring, measurement, analysis and evaluation. This is about determining what needs to be monitored and how do you monitor and analyze it. We discussed about it during objectives and KPI setting, that is key performance indicators. And we will have a complete chapter coming up that is monitoring, maintenance and assurance. We are, we will discuss this in more detail. Next is internal audit. The organization shall plan and implement an audit program to assess the effectiveness of the complete business continuity management system. There are also a number of audit requirements that need to be followed, including definition, audit criteria, selection of auditors, et cetera. Next is punishment to view. Top management shall review the organization's business continuity management system at Plan intervals to ensure its continuing suitability, adequacy, and effectiveness. 15. 2.11 ISO 22301 Standard Clause 10: Improvement: Clause number ten is improvement. And there are two main requirements in this clause. Number one is non-conformity and corrective actions. The organization shall determine opportunities for improvement and implement necessary actions to achieve the intended outcomes of the business continuity management system. An example of this can be when you conduct a PCP exercise. Usually there are a lot of lessons learned where corrective actions can be applied. We will study this in more detail later in the course. The next one is continual improvement. So based on various outputs such as exercises, in turn, audit management to views, the organization should continually improve the effectiveness of the business continuity management system. The idea is, as the business continuity management system is getting older, it should be getting better. 16. 3.1 Ownership and Accountability: When we talk about governance of business continuity management, the first one of the most important things is to have dark management's buy-in and clear ownership that aligns with the current organizational structure. It may sound surprising, but in reality, have seen a number of organizations struggle with this. Although they do have few things in place. But no clarity on who from the executive team or top management wants the business continuity program or management system in the organization. I'm also calling it business continuity program because in case you don't have a business continuity management system in place, setting it up is a big project or a program. Once it is established, then it becomes part of the operations. Therefore, setting up ownership is vital because with ownership comes responsibilities and accountability. Once you have ownership established, the next thing that needs to be considered is the resourcing and budgeting of the whole business continuity program. Lack of resources and budget is likely to result in an ineffective business continuity program. Particularly because the staff needs to address the business continuity related tasks on top of their business as usual responsibilities. This can also result in it's taking an extended amount of time to implement effective resilience processes. Also, by not having dedicated resources to manage the business continuity management system is likely to result in senior, more experienced staff performing administrative tasks that are of little value compared to the subject matter expertise. Once the ownership and the sources are sorted, it is important to establish governance over the business continuity Management Program. At n chose regular reporting to the executive team and escalation of any concerns. This can be done in different ways. For example, by creating a governance committee with representation from different business groups or business continuity related agenda can be included as part of any related existing governance committee. Like we discussed. This should be central point of accountability for implementation and continuous reporting and monitoring of the GCMS. I cannot emphasize this enough. This should ensure oversight and provision of adequate resources. Also, depending on the size and nature of the organization, concentration can be given to hiring a full-time senior subject matter expert to establish and manage the business continuity management system. If there's not one already. 17. 3.2 Business Continuity Policy: After setting up the initial governance and organization should develop a formal business continuity policy. The policy should be based on industry standards and good practice guidance such as ISO double 2301 or BCI could practice guide. At a minimum, the policy should include the following. The aim and objectives for business continuity management in the organization. Business continuity management scope means which part of the organization business continuity management is required. Example, are critical business functions, critical assets or plants, he sites or locations, etc. And the exclusions from the scope should also be mentioned here. Accountabilities and responsibilities includes ownership within the organization, responsibilities of groups, teams, roles within the organization. The high level framework such as plan, do check, act, by which business continuity management will be implemented and managed. And finally, key requirements such as performing business impact analysis, developing business continuity plans, testing and maintenance of the plans, training and awareness, and also considering any applicable legal or regulatory requirements. So it is important for organisations to establish and maintain a business continuity management policy. Because without this, there will be a lack of clarity on the strategic direction and governance of the business continuity management system. 18. 3.3 Business Continuity Management Framework (BCMF) : As a policy, is a high level document that sets up their direction and defines key principles of business continuity management framework is a much more detailed document, or it can be a set of documents that provides the specific details and processes to govern, plan, manage, and continually improve the business continuity management system. The BCM framework usually includes the following sections. Overview includes aspects such as requirements and end obligations, methodology and the standards and guidelines used in the framework. Governance and management includes roles and responsibilities, monitoring and reporting, training and education, and how you can embed the business continuity expectations and requirements in the organization. Business impact analysis includes requirements to perform a BIA methodology, process and templates for performing the business group business impact analysis and how the business group BIA is consolidate and roll up to form an enterprise view. Business continuity planning includes requirements, methodology, process templates for documenting the business continuity plans. The implementation section. Once PCPs are developed, they need to be implemented and maintained along with a suite of other documentation or supporting arrangements. This section explains what ongoing activities are required to ensure that plans are functional and can be used on the day that they are required. Next section is usually validation section that includes details of how business continuity tests or exercises should be performed to ensure effectiveness of the business continuity plans. Also, what different type of exercises that we will study in the later chapter can be performed and how post-exercise reviews or debrief sessions should be conducted for continual improvement. Moreover, requirements related to business continuity Management System Audit or assurance is also included in this section or this can be both. The internal audit you should perform periodically or the external certification or surveillance audits if your organization is planning to go for the ISO double 2301 certification or already has a certification and wants to maintain it. Therefore, a well-documented and maintained BCM framework guides and governs the business continuity management lifecycle, both at the business group and at the organization level. 19. 4.1 Business Continuity Risk Management: As part of the business continuity management, risk assessment should be conducted to identify the range of potential disruption scenarios. Risks sources will lead abilities, gaps in current preparedness plans, and the level of risk Post is also important to identify what organizations risk appetite is. For those of you who do not understand the concept of risk appetite. According to ISO 31 thousand, that is a global risk management standard. Risk appetite is the amount of risks an organization is prepared to take. In other words, it's the level of risk that is considered acceptable for the business. A proven way to achieve this is to develop a formal risk management process that outlines the steps for identifying, assessing, and evaluating risks of business disruption. Deciding how to manage an accept risk. This is where the risk appetite comes in. And identifying risk mitigation strategies that take into account business continuity objectives and risk appetite. So if the risk assessment is not performed, there is no clarity around what business continuity risk processes are trying to address. And therefore, the organization may be prepared for only a narrow range of disruptions. Whereas they could be crater vulnerabilities then realized, or could be missing gaps in business continuity processes which are currently being relied on. 20. 4.2 & 4.3 Risk Management vs BCM: Although risk management and business continuity management are closely related to each other, the difference is that risk management addresses the risk of conducting business, whereas business continuity management addresses risks to the business continuing to function due to disruption. So for example, the risk management, maybe looking at the enterprise level risks such as lack of skilled resources, a cyber-attack, or a regulatory noncompliance. Whereas business continuity management, maybe looking at the risks related to the possible disruption scenarios or gaps and unavailability of the key systems and resources. Therefore, although both partially overlap and are related, yet they are different from each other. If you want to learn more about organizational risk management, these refer to ISO 311000 standard that provides details on how to establish and maintain risk management system. As we have studied in the previous lecture, your organization should introduce a risk management process and controls. Who first identified related risks. And secondly, applied relevant treatment options on mitigation strategies. These options usually include that you either avoid, mitigate, transfer, or except the effects of key threats and vulnerabilities. Once a risk is identified, depending on the organizational risk appetite. And we have studied in the previous lecture what risk appetite is. There are four main risk treatment options that can be applied. Treat or reduce the risk mean, applying relevant controls to reduce the effect of risks. For example, if the data is not backed up, you implement a backup solution to mitigate or reduce the risk of data loss. Second is told rate or accept. This is used when the level of risk is identified within the organization risk appetite. For example, if there's a risks related to one of the many office buildings become unavailable, the risk may be accepted if it's within organizations, risk appetite. The third is terminate or avoid, means you eliminate that threat source. For example, if a critical system has a risk of malware infection through internet, you decide connect debt system from the internet means you have terminated or avoided the risk. The transfer or shading of risks is usually performed when you outsource or transfer the risk to a third party, for example, obtaining insurance. Therefore, a risk assessment should be conducted to identify a range of potential scenarios and threats related to business continuity. So you are able to decide on the appropriate treatment options and mitigations. 21. 5.1 What is Business Impact Analysis (BIA)?: Business Impact Analysis, or BIA, is the first step in your business continuity planning. So what is BIA? Business Impact Analysis, or BIA is a process of analyzing the impact of a time of disruption. Basically, BIA is an examination of your business as usual activities. It compartmentalizes information to allow for a deeper understanding and helps business continuity planning. Why do we need to perform a BIA? This is because BIA helps you understand your business. It predicts the consequences of disruption of a business function and processes and gathers information needed to develop recovery strategies. If a BIA is not performed, continuity plans will not be adequately informed on resources, requirements or impact to the business of not achieving the recovery time objective, that is RTO, and recovery point objective, that is arpeggio. We will look at these terms in the next lecture. 22. 5.2 & 5.3 Recover Objectives and RTO vs RPO: Before we start performing the business impact analysis, it is important to understand some key terms and the difference. The first one is RTO or recovery time objective. It's a target. You said that how quickly you need to recover your services or systems following a major disruption. In simple terms, you can also think that our DIO means how long your business can survive falling a disaster before operations are restored to normal. For example, if your audio is 24 hours, it means you have determined at the business can maintain operations for that amount of time without having its normal data and infrastructure available. If data and infrastructure are not recovered within 24 hours, the business could suffer irreparable harm. The next term that is important to understand is arpeggio or recovery point objective. Arpu is about the amount of data that is lost following a failure event. Arpu majors back in time to when your data was last preserved in a usable format. Usually the most recent backup. It can also be called an organization's data loss tolerance. Depending on the type of services, they may be some services we are ARPU or data recovery is not relevant and you're only concerned about RTO. That is recovery time objective. So arpeggio is how much data you can afford to lose. The next term is empty PD, or maximum tolerable period of disruption. Some organizations and standards such as ISO W3 0-1 also require having another calculation called smtp d. That means identifying the timeframe within which the impacts of not resuming activities would become unacceptable to the organization. Where you have defined the empty PD, RTO, that is recovery time objective set privatized timeframe within the empty PD for resuming disruptive activities at a specified minimum acceptable capacity. So just to clarify, as an example, if you're empty PD of your organization is supply chain system is seven days. The RTO can be within that seven days as three days period. We have studied the definitions of RTO, that is recovery time objective, and arpeggio, that is recovery point objective. In the previous lecture. Both are key concepts for maintaining business continuity. And the function as business matrix for calculating how often your business needs to perform data backups and how quickly you need things back up and running. As you can see from this diagram, ARPU is going back in time to assess the amount of data loss acceptable from the time a disaster hits. Whereas RTO, recovery time objective, representing the time it takes for a system to go from loss to recovery. And what must be done to return the business to its pre-disaster or business as usual. Bau state. 23. 5.4 Performing the Business Impact Analysis – Part 1: Business impact analysis is usually performed in a few steps. The first one is identify key services at a business group or departmental level. Identify the key services or activities your business group provides. For example, if it's a finance business group, you may have key services such as payroll, supply, payments, experiements, etcetera. But this step, you should also identify which team or individuals perform these services. The next one is identify the recovery time objectives, like we discussed in the previous lectures. Imagine if you could not deliver the service, what would the consequences be ordered over a period of time? Based on this impact? Identify the empty PD and his maximum tolerable period of disruption. Rto, recovery time objective, and if applicable, arpeggio recovery point objective for each of those services. For example, for payroll, empty PD, maybe 48 hours, and RTO is 24 hours. The next one is identified related resources. For each service. List down the resources you use in your business group. Think about key personnel, vendors, any special equipment, sites, transport, etc. 24. 5.5 Performing the Business Impact Analysis – Part 2: Step number four is identify key systems and recovery point objectives. For each service. Identify what are the key systems and applications. And for each application, identify the recovery point objective. For a reminder about the arpeggio. Imagine that the application has just crashed, thinking backwards from the crash, when should the last data backup have been performed? Provide your answer in hours. So ARPU is about your tolerance of data loss. Also considered the volume criticality and speed of data entry for deciding this ARPU. The next step is list key stakeholders and documents. Again, for each service, list, any key stakeholders such as customers, staff, board of directors. It's a government related service, can be ministers, et cetera. Also list any key documents that I used to inform or drive the service, such as policies, processes are Records, and where those documents are stored. The next and the sixth step is summarize the business impact analysis. Once you have performed and documented all the analysis in the above five steps, analyze, prioritize, and categorize all the services of your business group. 25. 5.6 Performing the Business Impact Analysis – Part 3: By the end of this business impact analysis exercise, you should be able to prioritize the list of services based on their recovery objectives. That is RTO and ARPU, meaning the service that needs to be backed up and running the quickest, maybe your highest privatized service and so on. Also document all the key dependencies related to people, processes, and technology. The resources that are the shortstop was for one or more of your services, such as computers, internet, people who know the system and processes, KID applications, and related stakeholders such as vendors, suppliers, and customers. Once you have developed the BIA is at the functional or business group level. You should also consolidate the BIA at an organization level to provide an enterprise level view on your critical services and objectives. Therefore, Business Impact Analysis to ensure all critical business functions, processes, interdependencies, risks, and resource requirements are accurately identified and documented. Once you have completed the BIA exercise, you have gathered the key information you need for your business continuity planning. And you can be assured that the PCP and ID DR plan will be created with an accurate understanding of the business requirements. 26. 6.1 Business Continuity Planning and Strategies: In this section, we will discuss how to develop business continuity plans. But let's first understand the purpose of the PCP. The bcb focuses on sustaining an organization's business functions during and after a disruption. Example of a business function may be an organization's payroll process or customer support process, et cetera. A PCP may be developed for a specific business group, or it may address all the business processes within the organization. Systems and applications are usually considered in the PCP in terms of their support to the business processes. Because you have already performed the BIA, you have the data and information required to work on your recovery strategies. These are some of the requirements and key consideration for the recovery strategies. We will discuss these in more detail in the next lectures. When we talk about the development of the PCP. This is where I will answer some of the questions that we are discussing here. Contact details. How can you protect your staff and other key stakeholders? Do you have a call tree? How are the contact details kept up to date? For facilities where we'll staff and business operations relate to from our facilities perspective, in what timeframe and how long can the temporary arrangement be accommodated? If this is not known in advance, cost could be significant. Although sometimes an appropriate insurance can help cover some of the cost. Technology and telecommunication. What technology needs to be recovered and when, what communication methods are to be used, and what are the alternatives if needed. From a people perspective, who initiates contacting staff for checking their wellbeing and safety and provides status updates. How is this reporting back to the business? What roles are critical? And what is the recovery process rule? What resources can be deployed elsewhere? What rules can be transferred to other staff and locations? All these things are part of the peoples aspect. Then we also look at the suppliers aspect. What alternative options can, can you employ if a key supplier is impacted? What effect does this have on your supply chain? We also consider interdependencies. What dependencies internal and external are critical to the recovery? How are these teams or individuals to be contacted and managed during recovery? And what alternatives are in place if needed. What internal and external parties need to be notified of the incident, in what timeframe and who manages this. All these things are considered as part of the interdependencies. We also have some other requirements, such as escalation process and protocol. Roles and responsibilities included delegations and alternative rule owners. Therefore, in order to make your PCPs realistic and pragmatic, it is vital that recovery options for key processes are assessed and that recovery strategies determined based on the results of the BIA. These strategies should address all the people, facilities, resources, and supply or aspects of the recovery. Once recovery strategies are developed, they should be approved by the senior management and then implemented. 27. 6.2 Development of Business Continuity Plan – Part 1: As we now have worked on the BIA and recovery strategies, it's time to develop or finalize your business continuity plan that focuses on sustaining the organization's business functions during and after disruption. As you would have understood by now, comprehensive continuity documentation would increase your ability to perform critical business functions in the event of a disaster or disruption. In documenting the PCP, you should identify the likely disruption scenarios and consider including all relevant information that you have considered during the BIA and identifying recovery strategies, plus a few related components for business continuity planning. Let's have a look at them one by one. From a people's perspective. Call tree where staff contact information is available. Then we need to look at staff well-being and safety conformation and the report back process. Identify key staff required for recovery timeframe and requirements for sourcing additional resources if required. We also need to look at the staff briefing protocols. Process for relocation. If possible. That is, can the process be allocated to another team or location? And we also look at the escalation process and protocols for people. The next thing that we need to consider is communications, roles and responsibilities for communicating key messages both internally and externally. We look at the notifications to key stakeholders. And we also consider a regular update on timeframes. Apart from the escalation post-process and protocols are related to communication. From our facilities perspective, we look at the impact to business. If site is unavailable. We consider recovery locations, including equipment and idea availability, transportation, and access to cite beans, point of contact, keys, alarms and codes if the RIME, et cetera. We also look at the conformation of arrival of staff at recovery location and obviously escalation process and protocols related to facilities. 28. 6.3 Development of Business Continuity Plan – Part 2: When developing a business continuity plan, we also look at the applications and system aspects. This includes impact to business if application or system is not available by required timeframe. Example, backlogs, processing delays, et cetera, any critical cut-off time, example, B-roll processing, any manual workarounds available. We look at any demote, recovery possibility, any deemed developed templates, checklist, or processes required for the gallery. For example, excellent templates, recovery processes, et cetera, and any backups, restoration if possible, and escalation processes and protocols related to systems and applications. You also consider telecommunications. That includes impact to business if telecommunication is unavailable. Form or fax numbers three directed any manual work arounds for telecommunications, notification to key stakeholders. Voicemail messages updated, also if required, email signatures. Any alternative communication methods, example, personal forms, email communication, any social media messages, et cetera, and escalation processes and protocols related to telecommunication. Also in turbulent dependencies. The impact to business if internal dependencies or teams such as IT is an available, may be due to a backlog or processing delays, et cetera. Any manual work around if available, notifications to key stakeholders. Can any process be deferred, transferred to another team or location? And also we look at and consider the escalation processes and protocols or internal dependencies. From a supplier's perspective, the impact to business if supplier is unavailable. Example, supply chain impact, flow on to customers, critical cut-off times, et cetera, any work-around if available, or any alternative suppliers and escalation processes and protocols related to suppliers. All the above aspects that we have discussed are usually included in the business continuity plan in the form of possible disruption scenarios. For example, if you're building is inaccessible due to any reason for a number of days. How all these aspects that we have discussed come into play. 29. 6.4 & 6.5 Development of Business Continuity Plan – Part 3 & Storing BCP Copies: There are some special requirements to be considered in developing the bcb. These include remote access requirements, example, VPN tokens, any segregation, security or Chinese Role requirements to be considered at recovery locations. If there's any special equipment. They can also they can also be things like checkbox, credit cards or bank access tokens. Also, network drives or storage required. You need to consider male redirections for. So you may need to redirect your physical meals. Bcb get that includes a copy of the business continuity plan, things like safety gloves, water torch, blanket, first-aid, kid, et cetera. There's some other content to be included in the BGP as well. Thanks. Like bcb Activision criteria, how is a PCP activated? Who's responsible or has authority to activate the bcb? Evacuation recovery location points. What are the evacuation points? And recovery location sites? Also, what are the evacuation protocols? Who are the fire wardens or first aid offices? Key contact numbers for all staff to be aware of. That is, in addition to the emergency services, things like staff information line. If you have an employee assistance program called EAP, landlord security company, et cetera, checklist for recovery locations, setting up at recovery location and for leaving recovery location. Also checklist for returning to primary location or for setting up a new primary location. Once you have documented the business continuity plan, keep in mind that the execution of these usually takes place in three phases. Continuity phase, where you mentioned the minimum number of resources needed immediately to continue to the essential services when a disruption occurs and the BGP is activated. So for example, remote working arrangements are established for key stuff. Once continuity is ensured, you move to the recovery. You recover all the important services to an acceptable level. And the assumption is where you resume back to the normal operations. That is to business as usual. Remember, if a bcb is not properly documented, there are no clear actions for staff to follow during and after a disruption. This may result in a failure to restore key functions in a timeline considered acceptable by the business. The communication between senior management and key stakeholders, including staff, will also be delayed due to lack of preparation. Once business continuity plans are finalized and approved, distribute the PCPs to all key personnel and business groups, ensuring they are available in the event of a disaster, including loss of IT systems with adequate virgin control. I've seen cases where BCPL was only available on the organization's intranet site. That site became inaccessible during a disruption. And so was the bcb. Also make sure a copy of the PCP is accessible outside of the office. Update this copy as the PCP is updated throughout the business continuity management lifecycle. I've seen this a number of times for various clients. Sometimes they do a good job in keeping the PCP offsite and on an easily accessible location, such as the GAR home or on an alternative location. But often these copies are not the latest or most up-to-date. So make sure you have discovered as part of the PCP change process. To wrap up this chapter, we now understand how a predefined business continuity plan maximizes the chance of a successful recovery by eliminating hasty decision-making under stressful conditions. You also understand what some of the key components of a VSEPR. So take a moment here and jot down, what are some of your key learnings from this chapter? And what are some of the main aspects you would consider when developing a business continuity plan. 30. 7.1 IT Disaster Recovery Plan: Let's look at the IT disaster recovery plan or IT DR plan in a little more detail. As it's very closely related with the PCP. It disaster recovery can be referred as the technical aspect of PCP. The DRP should comprise of consistent actions to be undertaken prior to, during and subsequent to a disaster. De ERPs are developed using a comprehensive planning process based on the PCPs agreed maximum tolerable outage times, RTOs and arpeggios. The organization risk management framework and involvement from all business units. And IT DR plan should cover aspects such as definition of a disaster. When it will be called a disaster. Activation of DRP outlines the process for activating the DRP. Depending on the type of incident. The DRP can be activated alone or together with the bcb. Roles and responsibilities, defines the roles and responsibilities of the disaster recovery teams. Critical services and components. It should include components such as desktops and portable systems and devices, servers, Local Area Networks, wide area networks, distributed systems, websites, et cetera. This tradition of IT functionality, the failover processes to restore IT functionality, including utilization of supporting documentation such as SOPs are a standard operating procedures and things like server as Bill documentation that can be used for restoration, recovery objectives. That is, the audios and the arpeggios, making sure that it's tradition is as per the recovery objectives defined in the PCPs, internal and external dependencies such as vendor's cloud services, dependencies on internal systems and processes, etc. It is important to ensure that external ID service provider dependencies have also been identified and documented. And strategies for continuity of these services have been identified. Goal tree includes a disaster recovery call tree. Communication during a disaster. He deals the processes for communicating during a disaster, including with staff, vendors, media authorities, and customers. Testing and maintenance outlines the IT disaster recovery plan, testing and maintenance requirements. Accessibility, and sure the plan is accessible in a disaster, including, as we discussed earlier in the BGP when the IT environment is not available. And lastly, but very importantly, integration with PCP. The DRP should integrate into the organization's wider business continuity framework and plants. Therefore, it is important to have a well-documented and maintain IT DRP. Because not having a comprehensive DRP will result in IT systems and components not being restored in a timeframe considered acceptable to the business and defined in the PCPs. 31. 7.2 Linkage with IT Disaster Recovery and Related Plans: For an effective business continuity management program, it is essential that it's not a standalone document. Rather, it connect seamlessly with all related plans and procedures such as crisis management plan. As we studied in the first chapter, crisis management focuses on the management of strategic impact of the incident, such as severe financial losses, reputational damage, or compromise to the organization's ability to achieve its objectives. Internal and external communication plays a vital role in crisis management. No business continuity program is complete without a total and effective crisis communication plan that ensures you can quickly communicate with employees, customers, and other stakeholders. Emergency response, as we had studied, focuses on the immediate actions to an incident. And incident management is about the escalation and management of the events and incidents. Also, we looked at ideas disaster recovery plan that focuses on the response and recovery of IT systems and assets from significant outages, videos, or service disruptions. All these plans need to be coordinated and linked together. Usually this is done at the governance level, such as if an organization has a BCM or organisational resilience governance committee that ensures that these plants are well-integrated and referenced within each other. 32. 8.1 Business Continuity Training and Awareness: What business continuity plans to be usable and effective? The most crucial and important aspect is the human factor. People need to be ready to respond to disruptive events. Improving your people's capability to respond to disruptions is a key element of the business continuity management system. The key education and awareness elements within the CMS, our engagement and involvement of business groups and individuals in continuity planning and exercises. The more they will be involved, the better their understanding will become. Next is induction and handled briefings for new people as well as leaders during onboarding. Risk awareness. Training sessions that consider general aspects of business continuity should be provided as part of the induction process for all staff, as well as during the handover process. And responsibilities and accountabilities are changed. Next is periodic training sessions. This should be periodic or ongoing BCPL Training and Awareness sessions. A good time to do it is after the periodic bcb exercises, make sure you record that tendency of these sessions. Next one, especially streaming. Apart from the broader training and awareness sessions, some detail and specific sessions should be held for individuals involved with business continuity planning or execution. For example, conducting a detail session on how to perform Business Impact Analysis. Dean briefings on changes and modifications. So whenever business continuity plans are updated or modified, debriefing sessions should be conducted. According to ISO W2 3-0. One person's doing work shall be aware of one. The business continuity policy. Do their contribution to the effectiveness of the BC MS, including the benefits of improved business continuity performance. Three, the implications of not conforming the business continuity Management System Requirements. And fought their own rules and responsibilities before, during and after disruptions. 33. 8.2 Embedding the BCM in Organizational Culture: Embedding business continuity management into the organization's culture is not a one-off activity, but an ongoing process. This integration will continue to be improved as people become more familiar with business continuity concepts through participation in planning and exercises. And as business continuity practices are included within the business as usual activities. Dock management has a vital role to play here for achieving this cultural integration. The top management should continually encourage all people and leaders to look for opportunities to strengthen organizational resilience to disruptions by incorporating continuity arrangements into business as usual activities such as job descriptions, supply contracts, commercial strategies, or business planning. So managing the human factor is key to success for your business continuity management system. Without managing the people's aspect. Staff will not have an adequate understanding of their roles in maintaining the BCS MS or what to do in the event of a disruption. Also, without a well-thought-out training program, they may not be sufficient visibility as to whether people have the required skills and competencies to support the PCP and processes. Therefore, organizations need to make sure they have a formal training program, especially for key people involved in the business continuity planning and response activities. Also develop a culture of organizational resilience, not only as an ongoing process, but also as part of the induction and handover processes. 34. 9.1 Tests and Exercises: Tests and exercises are essential in ensuring PCPs are effective. Means they can walk in practice, not just on paper. Fit for purpose. To understand. If we're any adjustments are needed in the business continuity plans and able to meet the objectives. Means, are we able to achieve that recovery objectives or not? If regular testing of business continuity plans and related IT DR. components are not performed. Staff may be more anxious and nervous during a disruption as they will be forced to think on their feet. With stress and uncertainty heightened. As a consequence, the organization does not have the assurance that they will be able to recover the services and business processes in a timeframe that is acceptable to the wider organization. These exercises are also vital educational events, providing excellent opportunities for leaders to practice decision-making under crisis conditions and preparing themselves or similar scenarios. More operational and time critical areas may wish to conduct more frequent and rigorous exercises to ensure their ability to respond to interruptions. 35. 9.2 & 9.3 Business Continuity Testing Methods – Part 1 & 2: Testing methods vary from minimum preparation and resources to the most complex. Each base its own characteristics, objectives, and benefits. The type of testing employed by the organization will be determined within the business continuity planning based on resources, size, complexity, cost, and nature of test objectives. There are several types of exercise methodologies that may be used to validate the team's knowledge and the use of respective plans. I've mentioned the four most common testing methods here. Starting from structured walk through. That is more of a discussion-based exercise all the way to the full-scale test. That is the most comprehensive type of tests performed. And as you can see, the frequency, cost, time, and effort vary based on the type of exercise you select. In the next lectures, we will discuss the differences and what happens in each of these testing methods in more detail. Is structured. Walkthroughs are discussion-based exercises. Discussions are about how the business continuity plan is executed in a conference room or a small group setting. Focus is on individual and team training. And critical plan elements are clarified or highlighted. The primary purpose of performing a structured walk through is to validate completeness process and to educate the interdependent recovery team members on test steps, tasks, and timeframes. Participants explore relevant issues and walked through business continuity plan in a loose, no pressure environment. Since it's a very low-cost and quick exercise, it can usually be performed multiple times in an air. Next is a tabletop exercise. A tabletop exercise is somewhat more involved than a walk-through exercise because the participants choose a specific event scenario and apply the PCP to it. Components of a tabletop exercise may include practice and validation of specific functional response capability. Focus on demonstration of knowledge and skills, as well as team interaction and decision-making capability. Role-playing with simulated response at alternate locations or facilities to act out critical steps, recognize difficulties, and resolve problems in a non-threatening environment. Mobilization of all or some of the Crisis Management or response team to practice proper coordination. These are the things that are usually involved in a tabletop exercise. Functional testing is the first type of test that involves the actual mobilization of personnel at other sites in an attempt to establish communication and coordination as set forth in the business continuity plans. The functional or operational test is conducted on one or more components of the plan and the actual operating conditions. Components of functional operational test include demonstration of business continuity management capabilities of several groups. Are the spitting a series of interactive functions, such as in-house activation in different business groups, coordination with vendors, dealing with external stakeholders, etc. Actual or simulated response to alternative locations or facilities using actual communications capabilities and reading degree of actual As opposed to simulate it, notifications and resource mobilization. In function simulated event, participants are expected to be familiar with the plans being exercised and are required to demonstrate how these plans work as the scenario unfolds. Full-scale testing is the most comprehensive type of test. In an integrated full-scale test, the organization implements all or portion of its business continuity plan by processing data and transactions using backup media at an alternative recovery site. Typically under simulated operating conditions. Components of a full-scale integrated tests involve similar to function test, demonstration of knowledge and skills, as well as management response and decision-making capability, validation of crisis response functions. But it also includes on the scene execution of coordination and decision-making roles. Actual As opposed to simulated notifications, mobilization of resources, and communication of decisions. Activities conducted at actual response locations or facilities. Enterprise wide participation and interaction of internal and external management response teams. With full involvement of external organizations. Actual processing of data utilizing backup media means full data restoration needs to take place. The full-scale exercises generally extend over a longer period of time to allow issues fully evolve as they vote in a crisis and allow realistic role-play of all involved parties and groups. 36. 9.4 Business Continuity Testing Methods – Part 3: Therefore, it is important to identify which exercises work best for your business group or organization and then perform these on a regular basis. Because if no exercises or tests are performed, the actual timeline to recover all systems and business processes cannot be assured. And there's not a clear understanding that the CCP would work in line with the expectations. Based on my experience. A very effective way to approach this is to develop an exercise plan. The schedule of exercises, ensure that exercises are not a onetime activity. And they are a series of events that allow your organization to gradually improve over time. In developing this exercise plan, consider a variety of exercise methods like these that we have discussed. Structured walkthroughs, tabletop exercises, functional test, and full-scale test. Typically, a business continuity exercise starts with a structured walk through and progresses to a functional and full-scale test as the business continuity management system matures or a period of time. 37. 9.5 Post BCP exercise review: After the bcb exercises, debriefing sessions are an important part of improving resilience to business interruptions. They allow teams to celebrate success and identify areas for improvement. At debrief session should be held as soon as practically possible following the end of an exercise or response operation. These session to capture what worked well, areas for improvement and what didn't go as planned and individual learnings. These topics should be recorded in a short form report and distributed to those involved in the session. Improvements or corrective actions should each have a specified honor and it should be tracked to ensure that they are completed in a timely manner. 38. 10.1 Maintenance of Business Continuity Plans: The objective of this stage is to establish the fundamental requirements necessary to perform an invalidate business continuity plan maintenance and to measure the maturity of the GC-MS and individual business continuity plans. Maintenance of the PCPs should be performed after a significant change to our business process, function or system. In this case, a business impact analysis will also required to be performed for the business process function or system. And plants will need to be updated accordingly. After each business continuity test. Land will be modified, approved, and required to be read distributed on a timely basis. Periodically, at least annually. Business continuity management system and PCPs should be reviewed. There may be changes in contact details, changes in roles, et cetera, with changes in employment. And remember to follow the change control procedures for any business continuity plan updates. 39. 10.2 Monitoring and Assurance of Business Continuity Plans: The objective of this stage is to scrutinize adherence to the policy, standards and procedures that have been established by the business continuity management system. Self-assessments are good. However, an impartial or independent review under the direction of, let say, internal audit is often very effective. Monitoring and assurance includes monitoring against the GCMS objectives set in the policy or business continuity management framework. Measured dime since last exercise and number of unresolved issues. And measure dime since last business impact analysis was performed, an EMI business process or application changes happened since then. And review of completeness of plans and exercise documentation. Also the view plans for inclusion or elimination of new or obsolete business processes or application changes. These audits may be periodically undertaken to assess individual plans or the business continuity management framework at an enterprise level. An effective way to perform this, like we discussed, is through independent audits. What assessments that can be conducted periodically to assess these and the maturity of the BCM framework and individual business continuity plans. Therefore, these business continuity monitoring and assurance activities in to ensure and validate that the organization is resilient to disruptions and can resume critical services and the store full operations in a timeframe and manner acceptable to the business. 40. 11.1 Wrap up: We have now come to the conclusion of this course. For a quick recap, we have studied several fundamental concepts and key topics related to business continuity management throughout this course that included key differences between various organizational resilience aspects and plants such as crisis management, emergency response, incident management, IT, DR. et cetera. In ISO W2 3012019, business continuity Management System chapter, we looked at what I saw W3 0-1 standard is we looked at the PDCA Plan-Do-Check-Act lifecycle. What are the den ISO clauses? What they mean, and what are some of the key benefits of implementing and maintaining a BC MS from different perspectives, such as benefits from business perspective, Financial Perspective, Internal Process perspectives, and stakeholder perspectives. Then we looked at the governance chapter, where we discussed about the importance of having clear accountability, ownership, and responsibilities. And why having a policy and framework is important for the governance of a BCM.'s in risk management. Where we studied how an effective risk management is important for the GC-MS. What are the differences between enterprise risk management and business resilience? And what are some of the common risk treatment options that can be applied to the business continuity religious. Next, we looked at the business impact analysis, or BIA. We talked about what BIA is. Why do we perform the BIA? And how BIA helps you understand your organization better. Be studied what recovery objectives are. The key concepts of RTO, recovery time objectives and arpeggio recovery point objective. Then we looked at the six steps of performing a BIA. After BIA, we looked at the details of business continuity planning. We studied what PCP is, what are the requirements of business continuity strategies, and how we can develop the PCP considering various aspects such as people, communication, facilities, systems, dependencies, et cetera. And what are the content that needs to be included in the business continuity plan? After be Cp, we looked at the linkage that IT disaster recovery and related plants in linkage with IT DR and related plans we studied about the IT DR. Plan in more detail, including Y IT DR. planning is required. And what are the components of the IT DR. Plan? Then we discussed why it is essential that business continuity plan is not a standalone document. Rather, it connect seamlessly with the related plans such as emergency response, Crisis Management, Incident Management, et cetera. The next chapter that we studied was the human factor. This is where we studied why training in a Venus is most crucial aspect for the business continuity plans to be usable and effective. We looked at what some of the key education and awareness elements should be within the BC MS. We also discussed why BCM can be embedded and how it can be imbedded in the organizational culture with the help of an ongoing process and involvement from the top management. We then looked at the PCP exercises. In the bcb exercises chapter, we studied the importance of performing the bcb tests and exercises in order to ensure that the plants work in practice and not just on paper. And if they are able to be the required objectives. We looked at several test and exercise methods and which one will be suitable on different scenarios. Also, the importance of conducting the debriefing sessions and how they should be conducted. Then we moved on to the maintenance monitoring and assurance chapter where we looked at how PCPs the B CMS should be maintained and kept up to date. And what are the main aspects of performing the periodic monitoring and assurance. Therefore, with all these strategies, plans, exercises, awareness and assurance. All we're trying to achieve is when an incident strikes your organization and the employees are not ban act like deer Blended by a headlight. And instead they are ready and trained like Arts who prepare for the rainy day. 41. 11.2 Final Thoughts and Next steps: I hope you enjoyed this course and have learned some very important concepts related to business continuity management. I would really encourage you to follow these guidelines and implement a BC MS, or develop a PCP that will enable you to ensure your organization is resilient to disruptions and can resume critical services, restore full operations within an acceptable timeframe. Even if you currently do not have this role in your organization or are not working dissimilar and organization, you know well and tried to apply these concepts on it. The member BCM is not a once and done exercise. Insuring business continuity and organizational resilience requires a constant eye on new and evolving threats and ensuring you are aware and managing the risk. The code I shared with you earlier from Dennis greatly sums up discourse quite nicely. Expect the best, plan for the worst, and prepare to be surprised. Thank you so very much for joining me on this journey. I've enjoyed teaching what I've been doing for several years. And I hope to see you on my next course. Have a great day.