The BCI Horizon Scan 2023 charts an uptick in the number of organizations certified to ISO 22301, the gold standard for benchmarking business continuity practices. What’s more, the number of organizations making use of the standard as a framework, although not certified to it, has also increased.
Given that ISO 22301 certification levels dropped during the pandemic, these trends are welcome. However, the standard itself, much to its credit, is not overly prescriptive. As a result, organizations looking for more detailed good-practice guidance in business continuity will have to look beyond the standard itself.
Fortunately, they won’t have to look far.
The BCI has recently published its own set of good practice guidelines, The global guide to good practice in business continuity. This article outlines some of the practices it lists and lays out the business continuity software capabilities needed to implement those practices in your organization.
Good practice guidelines for business continuity
So, what is The global guide to good practice in business continuity all about? Now in its seventh edition, the Good Practice Guidelines are the go-to reference for establishing, implementing, maintaining, and continually improving a comprehensive business continuity management system (BCMS).
The revisions are timely. Organizations have been through a lot recently, and underpinning all of these momentous changes in the risk environment has been a growing dependence on ICT that is changing the way organizations do business.
To help, BC professionals, under the auspices of the BCI, came together to define six professional practices that help limit the adverse impacts of the complex challenges businesses face. The practices are:
- Establishing a BCMS
- Embracing Business Continuity
- Analysis
- Solution Design
- Enabling Solutions
- Validation
The revised set of practices is, therefore, meant to form a holistic management system that gives BC professionals more scalability and flexibility while aligning more effectively with the modern operational structures of global organizations.
It is not the purpose of this article to recap every practice, but we will lay out a few of the most important, beginning with establishing a BCMS.
Establishing a Business Continuity Management System
As expected, the chapter on establishing a BCMS outlines how such a system should be designed and implemented as a program as well as the policies and governance processes needed to maintain a BCMS through an ongoing cycle of activities.
So, what’s involved? Well, establishing a BCMS involves coordinating a series of interrelated activities to:
- Define the scope of the BCMS
- Establish a BC policy
- Establish high-level governance of the BCMS
- Determine the objectives of the BCMS
- Determine how the objectives of the BCMS will be met
- Develop detailed operational processes and associated roles and responsibilities
- Validate the BCMS
- Ensure the organization has a culture that supports the BCMS
- Establish how the BCMS will be monitored, reviewed, and continually improved over time
As described, none of these activities is a one-time undertaking, and their outcomes are far from static: establishing and operating a BCMS is itself an iterative process.
For those establishing a BCMS for the first time, note that your organization may first need to develop and implement an interim crisis management plan. This plan, which will be consolidated into the BCMS after later review, should be supported by subject matter experts (SMEs) with sufficient knowledge to manage a crisis effectively before the full BCMS is in place.
Analysis contains the business impact analysis (BIA)
The eventual BCMS uses two organizational analysis techniques, the business impact analysis (BIA) and the risk assessment (RA). The BIA, which this section will focus on, defines the impacts of disruption over time to determine the organization’s response, recovery priorities, and resource requirements. Meanwhile, the RA identifies the disruption risks to the organization’s prioritized activities and required resources.
The outcomes of the BIA process (the prioritized activities, their recovery timeframes, and their resource requirements) depend on the organization’s understanding of both its external and internal operating environments. The latter includes its business processes, activities, and resources, as well as the potential impacts of disruptions to the delivery of products and services.
So, what steps are specifically involved in the BIA? For a product and services BIA, one of three types of BIA, the process looks like the following:
- Collecting the information necessary to perform the product and services BIA for interested parties, such as top management or product owners. Such information may include:
  - Mission, objectives, and strategic direction of the organization
  - BCMS scope
  - Legal and regulatory requirements to which the organization or specific products and services are subject, as well as an assessment of the impact of breaching each requirement
  - Contractual requirements, including penalties for failure to deliver products and services
  - Expectations of customers and other interested parties
  - Assessment of the impacts of failure to deliver
  - Lessons learnt from past disruptions and exercises
  - Potential impact of significant developments within the organization or its operating environment
- Defining timeframes: based on the agreed impact types, criteria, and methodology, estimating the maximum tolerable period of disruption (MTPD) and recovery time objective (RTO) for each product or service group
- Listing the products and services sorted by priority and their continuity requirements
- Obtaining top management approval and sign-off on the list of prioritized products and services
Of note, the information collected for the BIA should cover all in-scope products and services, processes, and activities, which are then prioritized by determining their MTPD and RTO. Factors to consider when estimating the MTPD and RTO include:
- Loss of financial value or viability
- Damage to reputation or interested-party confidence
- Breach of legal or regulatory obligations
- Failure to meet the business objectives of the organization
- Loss of or harm to people/personnel, or the impact on management effort
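As an added worked example (not part of the BCI guidance or of the original article), the following Python script carries the BIA steps above through to a sign-off list: for each product it takes impact ratings over time across the impact types just listed, derives the MTPD as the longest outage before any impact type reaches an agreed "unacceptable" rating, checks that the proposed RTO does not exceed that MTPD, and orders the products for recovery. The 1-to-5 rating scale, the threshold, the product names and every rating are constructed assumptions, not figures from the guide.

```python
from dataclasses import dataclass

# Impact types, following the factors listed above.
IMPACT_TYPES = ("financial", "reputation", "legal_regulatory", "objectives", "people")

# Assumed agreed rating scale: 1 (negligible) to 5 (severe). A rating at or
# above UNACCEPTABLE is an impact the organization will not tolerate.
UNACCEPTABLE = 4


@dataclass(frozen=True)
class ProductBIA:
    name: str
    # elapsed hours since the disruption began -> {impact type: rating}
    impact_over_time: dict
    proposed_rto_hours: int


def mtpd_hours(product, threshold=UNACCEPTABLE):
    """Maximum tolerable period of disruption for one product.

    Walks the assessed time points in order and returns the last one at which
    every impact type is still below the threshold. Returns 0 if the impact is
    already unacceptable at the first assessed point, and None if it never
    becomes unacceptable within the assessed window.
    """
    tolerable = 0
    for t in sorted(product.impact_over_time):
        if max(product.impact_over_time[t].values()) >= threshold:
            return tolerable
        tolerable = t
    return None


def check_rto(product):
    """Return (mtpd, ok): the RTO is acceptable only if it does not exceed the MTPD."""
    mtpd = mtpd_hours(product)
    return mtpd, (mtpd is None or product.proposed_rto_hours <= mtpd)


def prioritise(products):
    """Recovery priority order: shortest MTPD first, then by name; products whose
    impact never becomes unacceptable in the assessed window go last."""
    def key(p):
        mtpd = mtpd_hours(p)
        return (mtpd is None, 0 if mtpd is None else mtpd, p.name)
    return [p.name for p in sorted(products, key=key)]


def bia_report(products):
    """One row per product, in priority order, for top management sign-off."""
    by_name = {p.name: p for p in products}
    rows = []
    for name in prioritise(products):
        p = by_name[name]
        mtpd, ok = check_rto(p)
        rows.append({"product": name, "mtpd_hours": mtpd,
                     "proposed_rto_hours": p.proposed_rto_hours,
                     "rto_acceptable": ok})
    return rows


def rating(fin, rep, legal, obj, people):
    """Build one time point's ratings in IMPACT_TYPES order."""
    return dict(zip(IMPACT_TYPES, (fin, rep, legal, obj, people)))


# Constructed sample data (hypothetical products and ratings, not real figures).
SAMPLE_PRODUCTS = [
    ProductBIA("online_payments",
               {4: rating(2, 2, 1, 2, 1), 24: rating(4, 3, 2, 3, 1),
                72: rating(5, 5, 4, 5, 2)},
               proposed_rto_hours=8),
    ProductBIA("payroll",
               {4: rating(1, 1, 1, 1, 1), 24: rating(1, 2, 1, 2, 2),
                72: rating(3, 2, 4, 3, 4), 168: rating(5, 4, 5, 4, 5)},
               proposed_rto_hours=12),
    ProductBIA("staff_newsletter",
               {4: rating(1, 1, 1, 1, 1), 24: rating(1, 1, 1, 1, 1),
                72: rating(1, 2, 1, 1, 1), 168: rating(2, 2, 1, 2, 1)},
               proposed_rto_hours=168),
]

if __name__ == "__main__":
    for row in bia_report(SAMPLE_PRODUCTS):
        mtpd = row["mtpd_hours"]
        mtpd_txt = "beyond assessed window" if mtpd is None else f"{mtpd}h"
        flag = "" if row["rto_acceptable"] else "  <-- RTO exceeds MTPD; revisit"
        print(f'{row["product"]:<18} MTPD={mtpd_txt:<24} '
              f'RTO={row["proposed_rto_hours"]}h{flag}')
```

Run as-is, the report puts online_payments first with an MTPD of 4 hours and flags its proposed 8-hour RTO as exceeding it, which is exactly the kind of finding the sign-off step is meant to surface before top management approves the list. The comparison uses RTO <= MTPD; if your agreed methodology requires the RTO to be strictly shorter than the MTPD, change the operator in check_rto.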
Developing and managing plans
The contents of the BIA will eventually get fed into the BC plan, which documents information that guides an organization to respond to a disruption and resume, recover, and restore the delivery of products and services consistent with its business continuity objectives.
The plan itself, as a general principle, is intended to be used in high-pressure, time-limited situations. That means the plan should be user-friendly, concise, and easy to read.
Often forgotten, the plan should also include activation criteria. Plan activation and team mobilization procedures will typically include details of meeting locations as well as response team roles and responsibilities.
Plan types to consider include the following:
- Strategic. Defines how strategic issues resulting from an incident should be addressed and managed.
- Tactical. Facilitates the coordination of response activities when several operational teams are involved.
- Processes for returning to business as usual (BAU). Outlines possible options and processes for returning to BAU.
- Scenario. Deals with specific situations, e.g., cyber incident, disease outbreak, or product recall.
Digital technology to implement business continuity best practices
While the best-practice guidance is common sense, adoption is not universal. Often the issue is a lack of engagement across the organization, and part of the problem may be the methods, forms, and processes BC professionals use.
To that end, Noggin has created integrated resilience management software with business continuity capabilities to streamline the adoption of best-practice guidance and facilitate collaboration.
Specific capabilities that best serve to implement guidance include the following:
Business impact analysis (BIA)
Simplify your BIA process and drive engagement across your organization using Noggin’s built-in BIA tool that guides you through the process step-by-step, ensuring your BIAs are rich with insightful data to help you truly understand how your business works.
Dependency mapping
Quickly identify dependencies between business activities and supporting assets or vendors and stay informed when one is at risk. Visualize and track dependencies to make informed decisions and take appropriate actions to mitigate risks effectively.
Recovery strategies
Use a consistent recovery strategy across your organization that allows you to define your strategies, response plans, roles and responsibilities, and pre-assigned checklists. Deploy these in seconds when disruption hits to ensure the best response.
Business continuity plans
Replace paper-based, static business continuity plans with dynamic, digitized business continuity plans that ensure your plans are always up-to-date and quickly available for all your users, on any device.
Exercises and scenario testing
Don’t wait for a real-world crisis to test your organization’s readiness. With Noggin’s exercise management solution, you can be confident that teams are prepared to handle any situation that comes their way.
Of course, these capabilities only scratch the surface of what Noggin Resilience can do to help you be confident with your business continuity capability. To learn what else Noggin can do for you, request a demonstration today.