Rather than being simply about a project or developing a “plan”, Agilient understands that Business Continuity Management (BCM) is an ongoing management process requiring competent people working with appropriate support and structures that will perform when it is most needed.
Agilient offers a range of services associated with BCM. Our assignments in this area usually involve an initial gap assessment against best practice and peer organisations. Because Agilient works with a wide array of organisations in improving their Business Continuity Management process, we have established a large database of peer organisations to draw upon. Once the gap assessment is complete we draw up a plan to help organisations transition to a more robust and efficient approach to BCM.
Key features of Agilient’s approach to Business Continuity Management
(consistent with best practice as defined in ISO 22301:2012, Societal security – Business continuity management systems – Requirements)
- Context – Agilient helps organisations understand their context. This first step involves getting to know the organisation’s internal and external needs, as well as setting clear boundaries for the scope of the management system. This requires the organisation to understand the requirements of relevant interested parties, such as regulators, customers and staff. It must understand the applicable legal and regulatory requirements. This enables it to determine the scope of the Business Continuity Management System (BCMS).
- Leadership – Agilient places emphasis on the need for appropriate leadership of BCM. This is so that top management ensures appropriate resources are provided, establishes policy and appoints people to implement and maintain the BCMS.
- Planning – Agilient assists the organisation to identify risks to the implementation of the management system and sets clear objectives and criteria that can be used to measure its success.
- Support – Agilient helps the organisation consider the important concept of competence. For business continuity to be successful, people with the appropriate knowledge, skills and experience must be in place both to contribute to the BCMS and to respond to incidents when they occur. It is also important that all staff are aware of their own role in responding to incidents, and this clause of the standard deals with these areas. The need for communication about the BCMS – for instance in telling customers that the organisation has appropriate BCM in place – and preparedness to communicate following an incident (when normal channels may be disrupted) is also covered here.
- Operations – Agilient helps the organisation undertake business impact analysis to understand how its business is affected by disruption and how this changes over time. Risk assessment seeks to understand the risks to the business in a structured way, and these inform the development of business continuity strategy. Steps to avoid or reduce the likelihood of incidents are developed alongside steps to be taken when incidents occur. As it is impossible to completely predict and prevent all incidents, the two approaches of reducing risk and planning for all eventualities are complementary. It might be said to “hope for the best and plan for the worst”.
- Evaluation – Agilient evaluates BCM performance against the plan. To do this Agilient helps the organisation select and measure itself against appropriate performance metrics. Internal audits must be conducted and there is a requirement that management review the BCMS and act on these reviews.
- Improvement – No management system is perfect at the outset, and organisations and their operating environments are constantly changing. Agilient helps to define actions to take to improve the BCMS over time and ensure that corrective actions arising from audits, reviews, exercises and so on are appropriately addressed.
In undertaking this work Agilient uses the following standards:
- AS 3745, Planning for emergencies in facilities;
- ISO 31000, Risk management – Principles and guidelines;
- ISO 22320, Societal security – Emergency management – Requirements for incident response;
- ISO 22323, Organizational resilience management systems – Requirements with guidance for use;
- ISO 22301, Societal security – Business continuity management systems – Requirements;
- ISO 22325, Societal security – Guidelines for emergency capability assessment for organizations;
- ISO 22351, Societal security – Emergency management – Shared situation awareness;
- ISO 22397, Societal security – Public Private Partnership – Guidelines to set up partnership agreements;
- ISO 22315, Societal security – Mass evacuation; and
- ISO/IEC 27031, Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity.