Business Continuity Management (BCM) aims to analyse and minimise risks to the company and their effects and to implement effective countermeasures before they occur - to have a "Plan B".
BCM increases the company's resilience, improves its image and ensures its continued existence - in the most effective and efficient way possible.
Our Business Continuity process model is based on our many years of project experience, the best practice models in the industry, namely GPG (BCI) and current international standards.
The initiation stage of a BCM project is a very important component of the project’s implementation and subsequent process establishment. This stage is about clearly defining the purposes and budgets. As a result of this stage, a BC Policy and a BC Manual are generated.
Analysis and Concept
"Analysis and Concept" is about defining the goals and solution options for business continuity planning. This is necessary to deploy the scarce financial and human resources for the right business processes, organizations and infrastructures.
Business Impact Analysis / Threat Analysis
The first task of the project team is to perform a Business Impact Analysis (BIA). The BIA yields an overview of the processes and systems that are critical for the survival of the enterprise, together with their recovery point objective (RPO) and recovery time objective (RTO).
The Threat Analysis, which follows the BIA, determines the risks to the critical processes and systems and their probability.
Business Continuity Solution Concept
The insights gained from the BIA allow the definition of an appropriate business continuity concept, with an optimal ratio of risk minimization and cost / benefit of the proposed options.
After the "Analysis and Concept" phase is fixed, the implementation phase deals with the organisational structure and execution of the prevention and response measures.
For emergency situations an independent organisational structure (shadow organisation) should be established. The purpose of this organisational form is to enable unequivocal, quick decision-making in critical situations by reducing organisational hierarchy. Furthermore, an independent escalation procedure is defined for this incident response organisation.
Management processes need to be defined, so as to be able to hand over the day-to-day tasks into controlled operations after conclusion of the project. These contain, for instance, clearly defined interfaces with the Change Management or with the Staff Department (Awareness).
Prevention / Precaution
This area covers the implementation of risk-reducing measures. This can include necessary organisational changes, and also concrete investments in the infrastructure. On the one hand, events causing damage or loss should be avoided (prevention) with pre-emptive risk-reducing measures; on the other hand, precautions should also be implemented for the time after an emergency (e.g., construction of a satellite location, emergency delivery agreements, ...).
The development of Business Continuity Plans is one of the most important tasks in establishing Business Continuity Management. An essential purpose of the BCM processes is to produce functioning plans, which we distinguish as follows:
The strategic plans provide support for the Crisis Management Team during a crisis. These plans include:
Crisis Organization Manual
Crisis Response Plan
Crisis Communication Plan
The tactical plans coordinate the recovery activities and other activities at the Situation Center level.
The Business Continuity Plans (BCP) describe the necessary bridging measures in case of failure of a business process and the necessary measures to start the emergency operation.
The test strategy defines the test depth (test class), the test components, and the test structure. The test planning defines a concrete timetable for the execution of the tests. A test concept is created from the "Functional Test" test class onwards.
Successful completion of a lower test class (e.g. basic test) is a prerequisite for performing a test of a higher test class (e.g. application test). We distinguish between the following test classes:
These tests are the simplest and most frequently performed tests. The author and the emergency teams named in the plan check the contents, and whether they are up to date, at the "desk".
This test class checks individual continuity plans and/or fallback resources. During such a test, the defined procedures for restart and emergency operation are to be tested. This also includes checking the technical infrastructure at the alternative location and compliance with restart times.
Process Chain Tests
During process chain tests, the emergency measures for a business process are checked end-to-end. The existing mutual dependencies between the emergency measures of the relevant IT components and the requirements for their chronological sequence within the process chain are also taken into account and reviewed accordingly.
For this exercise class, scripts are written from which the chronological sequence and the simulated crisis situation emerge. Depending on the simulated event, these exercises may take a few hours or days. A simulation exercise is usually performed for the strategic and tactical plans.
Exercises in this class include all emergency teams, including crisis teams and situation centres. The live exercises are intended to demonstrate that both technical and organisational emergency processes function under realistic conditions.
Before you can transfer the BCM project into day-to-day operations, a first “Initial Test” should be conducted. The defined test strategy (scenario tests, workaround tests and alternate site tests, infrastructure tests, communication tests, ...) determines the scale of the test. It is important for the initial test that all planning activities are carried out in coordination with the test:
Test purposes are defined
Test preparations are planned
Test execution is planned
Test analysis and test evaluation are planned