The ten most important skills of BCM. Recently I was asked what roles there are within BCM and what the responsibilities are. I cannot plainly answer this question without extensive review of a mass of BCPs etc. but a number of roles are reserved for a number of teams. Each organization must express its own wisdom on that. But a number of things have been described by the great ones of BCM. | In this contribution I write my own opinion, not that of any organization Inspired by an article by Gregg Jacobsen and Sue Kerr: “Crisis Management, Emergency Management, BCM, DR: What’s the Difference and How do They Fit Together?” |
There are two major visions of BCM: this one from America and this one from Great Britain. In the USA the DRII (Disaster Recovery Institute International) came into being and in England The BCI (Business Continuity Institute) came into being. These two institutes have converged in the sense that they have agreed on what are the ten skills of BCM for a 100% full-fledged Business continuity expert. In The BCI this person, after extensive proof of his abilities, can even carry the title “Fellow of the BCI” for that. And with that, we suddenly know what BCM is all about.
In this contribution I describe these ten skills of BCM and then in it are “hidden” some responsibilities for the teams of BCM. Afterwards, this contribution indicates the responsibilities and how the teams can interact.
Contents
- The ten skills:
- Program initiation and management
- Risk evaluation and control
- Business Impact Analysis
- Business Continuity Strategies
- Emergency and disaster planning and emergency and disaster operations (Emergency Response and Operations)
- Business Continuity Plans
- Awareness and Training programs
- BCP exercise, audit, and maintenance
- Crisis Communications
- Coordination with external agencies/parties
- The teams
The ten skills:
The ten skills of BCM are:
Program initiation and management
This skill of the ten skills of BCM is the one that defines the scope of each component to include in the program. It starts here. For example, one asks if the top management has included all locations, who will run the program? Who will sponsor it? What are the objectives of the program? What is the time frame in which the BC Manager must carry it out and implement it? How does one give the whole thing what structure?
Risk evaluation and control
While it is important to subject the organization to an approach that incorporates all approaches, it is also important to know in detail the risks the organization faces. During this phase, one evaluates risks based on events or the environment that could negatively impact the organization. This also includes people, facilities, and technologies. The Crisis Management Team (CMT), the Emergency Response Team (ERT), the Business Continuity Teams (BCTs), and the Disaster Recovery Team (DRT). Involve them all in the process of identifying the potential risks, identifying both the likelihood, impact, in taking new actions and existing ones.
Business Impact Analysis
This is an effective method each group must use to determine the impacts and dependencies for the organization to which they belong. They determine the RTO (Recovery time objectives) for both the business and the technologies it uses. Emergency response teams use this information to determine how to handle certain incidents. The BCTs need this information to understand dependencies and how to provide support for others, as well as to determine strategies for ensuring business continuity at a predetermined level. The DRT uses this information to determine how quickly they can get the necessary technology back into use by the business. The CMT uses this information to prioritize business processes within the overarching recovery.
Business Continuity Strategies
Using the BIA and Risk Assessment as a basis, they develop the strategies to enable the recovery phase. The emergency teams must implement these strategies to enable safe and secure evacuation of personnel and may have to assist the Business in implementing their continuity and recovery strategy. The BCTs and the DRT must develop and implement those strategies that will enable the Business to function again within a short period of time at a predetermined level. The CMT should define and implement the overall overarching recovery strategies. This includes any automated notification systems, disaster plan coordination and communication strategies (among others). An important part of the basis for these strategies are the RTOs and RPOs of the organization’s time-critical processes.
Emergency and disaster planning and emergency and disaster operations (Emergency Response and Operations)
Disaster planning and accompanying operations ensure that the organization is ready for an immediate threat or incident. Local authorities will assist as soon as they are ready and to the extent possible. However, each organization must be capable of providing internal response to an emergency until the authorities are ready for their intervention. These activities involve all the aforementioned groups of the organization.
Business Continuity Plans
This includes the design, development, and implementation of plans to support the business, including DRPs. The ERTs must be familiar with what the business will do in response to a disaster so that it can better support them. These plans provide a blueprint for the BCTs and the DRT for an overall recovery. These plans also provide the CMT with an overview of time-critical processes as well as a timing for startup so the CMT can better coordinate and communicate.
Awareness and Training programs
If a developed plan lies gathering dust in a closet and no one knows about it, then BCM is a waste of money, time and resources. Each area/team should start and maintain an awareness program for their own plans. In terms of awareness, many levels are required, including a general awareness for white-collar employees who do not need to respond, as well as those who are on the front lines.
BCP exercise, audit, and maintenance
Test all plans to ensure that the organization is resilient at the time of a disaster. Many practices exist for this purpose. Among them are desk-top training, walk-through training, simulations, sandbox exercises,… The type of exercise depends on the objectives of the exercise and the maturity of the plans. But also on the organization and its various teams as mentioned above. Each team should conduct its business and lessons identified should indicate where to adjust plans. Audits help to ensure the testing of each of the plans. This way they stay within the organization’s policies.
Crisis Communications
This should include paying attention to clerks, customers, buyers, suppliers, executives, regulators, the community and the media. Whenever possible, prepare a script in advance before an incident occurs to provide direction for communication. As well as readiness internally and externally. Although accountability for crisis communications lies with the CMT, all teams require communication, which is present. As a result, they share responsibility. During a crisis, communication is paramount and everyone needs to know where and where not to communicate.
Coordination with external agencies/parties
No organization is an island. During an emergency, it is not the time to introduce yourself to authorities and close neighbors. By then it is too late for that. Whenever possible, involve them in your exercises to establish a better understanding of mutual expectations. Assure them that you have a good grasp of the ground rules, which will lead to a positive report and enhance the chances for recovery.
These were the ten skills of BCM. We now describe some teams.
The teams
Crisis Management: the overarching coordination of an organization’s response to a crisis, in an effective and timely manner, with the goal of preventing or minimizing damage to service, reputation, and ability to function.
Crisis Communications: it operates in tandem with Crisis Management, but handles its internal and external communications. The Crisis Communication Team (CCT) plans communications for senior management, the Emergency Response Team (ERT), the Disaster Recovery Team (DRT) and the Business Continuity Teams (BCTs) in advance. But also for their families so that they are aware of the course of events in the crisis.
Emergency Management: this is the set of efforts made to ensure preparedness for when an event causes damage to property, processes, people. You can define Emergency preparedness as the capability that enables an organization or community to respond to an emergency in a coordinated, timely and effective manner. It does this to prevent loss of life and to minimize damage to health, processes and patrimony. To this end, it considers a range of threats in an initial assessment, which may be real, and the nature of the damage that may result.
Contingency planning team: this is the team behind process of developing advanced arrangements and procedures that enable the organization to respond to an undesirable event that negatively impacts the organization.
BCM extends these actions to include preparations for what to do after an event has actually occurred. Therefore, a good BCP will specify how teams evaluate the damage suffered. (They then act as damage assessment teams.) They also prioritize resource allocations for recovery.
Disaster Recovery: this is the technical aspect of BCM. The collection of resources and activities for restoring or reinstalling IT services (including components such as the infrastructure, telecommunications, systems, applications and data) at an alternate location, following a disruption of IT services.
One possible way of interacting/reporting between these teams could then be as follows: