Whitepaper

An Executive’s Guide to NCEMA 7000: Business continuity management system requirements

Noggin

Business Continuity

Published September 20, 2024

Introduction

The stakes are high when it comes to business continuity, as organizations around the world register higher risk of serious disruption.

Businesses in the Middle East are no different, although they face a risk environment all their own. For instance, the Executive Perspectives on Top Risks for 2024 and a Decade Later survey, backed by NC State’s ERM Initiative, found that organizations in the Middle East rate adoption of digital technologies requiring new skills that are in short supply, cyber threats, legacy IT infrastructure unable to meet performance expectations, ability to attract, develop, and retain top talent, as well as third-party risks as the top threats they face in 2024.

What do these risks have in common? They can all be addressed by a robust business continuity management system (BCMS).

How to develop such a system? Traditionally, best-practice standards, whether international, national, regional, or industry-specific, have provided organizations guidance to establish and maintain an effective BCMS.

NCEMA 7000 is one such standard. Hewing close to the example of international standard ISO 22301, NCEMA 7000 is the national standard for business continuity management systems for organizations in the United Arab Emirates (UAE).

How does NCEMA 7000 vary from ISO 22301? And how does the former help organizations in the UAE develop best-practice business continuity management systems? We detail it all and more in the following Executive’s Guide to NCEMA 7000.

What’s the agency behind NCEMA 7000?

Working under the umbrella of the National Supreme Security Council, the National Emergency Crisis and Disasters Management Authority (NCEMA) is tasked with supervising and administering compliance with national policy regarding emergency, crisis, and disaster management procedures.

The agency counts the achievement of security and resilience high among its strategic objectives. That objective directly intersects with business continuity management, the holistic management process that identifies potential threats to an organization and the impacts those threats may have on business operations.

For that reason, NCEMA also serves as the issuing and legislating body for the NCEMA 7000 standard. The agency is responsible for monitoring that standard’s implementation at the federal and local level.

Modifications from NCEMA 7000:2015

Seeking to enhance the capacity of the UAE business community to cope with emergencies and crises, NCEMA 7000 is the national standard for business continuity management systems.

How does it work? The standard, which specifies requirements for an organization to establish a management system for business continuity, helps employees achieve comprehensive knowledge in business continuity management in accordance with the concept of vital functions in the organization.

Those requirements are consistent with specifications in ISO 22301 and ISO 31000 (risk management). And similarly to ISO standards, NCEMA 7000 has changed over the years.

How has it changed most recently? Modifications from the 2015 iteration include the following:

  • Simplified language, structure, and content to make the standard more understandable and increase adoption
  • Incorporation of local requirements
  • Better alignment with international requirements for business continuity management systems
  • Clearer differentiation between management system requirements and BCMS operations requirements
  • Introductory, guidance text to explain the purpose of each clause and use of cross-referencing to clarify requirements

Breaking down the sections of NCEMA 7000

What’s in the standard itself?

Introductory Sections

Besides simplified language and content, the introductory sections of the updated NCEMA 7000 standard bear strong similarities to previous editions. The initial sections provide an introduction, offer definitions, define governance and the context of the organization, as well as define policy, scope, and objectives of the BCMS.

The standard’s introduction, for instance, covers its scope. Which is? Requirements are meant to be relevant to all organizations, irrespective of type, size, and nature. And the extent of the requirements’ applicability is dependent on the organization's operating environment and complexity.

What’s more, the standard, as written, is applicable to all UAE entities. It tasks all organizations to continue essential operations within pre-defined minimum acceptable delivery levels of products and services.

The introductory section also lays out the benefits of compliance with the standard’s specifications. The benefits include:

  • Establish and maintain business continuity
  • Maintain an ability to continue essential operations at acceptable capacities
  • Enhance resilience to disruptions
  • Assess capability to meet business continuity needs and obligations
  • Contribute to the UAE’s national security

The subsequent sections on governance and context of the organization recapitulate much of the same concepts as ISO 22301. The governance framework establishes that top management’s expectations are to be managed through accountabilities and demonstrable areas of commitment.

A subsection on management system planning instructs organizations not only to plan how they will implement their management system (in terms of work to be performed and people to do it) but also to set target dates by which the management system will be completed.

Unlike others of its kind, the context of the organization section defines exactly what context refers to, i.e., “the environment and circumstances of the organization, including its culture and diversity, its management style, the financial resources available, requirements of interested parties and other issues of relevance.”

Here, the standard further instructs organizations to:

  • Create a process to determine their context
  • Identify issues relevant to their purpose and strategic direction, as well as business continuity objectives
  • Identify interested parties and determine their needs and expectations, including legal and regulatory requirements
  • Have top management determine the level and type of risk that the organization will take and ensure that risk criteria are developed and communicated to the organization and its interested parties

Policy, Scope & Objective

The final of the introductory sections covers policy, scope, and objective.

According to NCEMA 7000, the business continuity policy sets out top management’s intention and direction for the management system and provides a framework for subsequent decision-making, including setting scope and objectives. Setting out the organization’s business continuity policy as well as its scope and objectives helps to ensure that staff, customers, and other interested parties understand top management’s intentions.

For that reason, the standard tells complying organizations to create and maintain a (documented) statement that sets out the organization’s business continuity policy, scope of the management system, and business continuity objectives. That statement should then be communicated to all people under the organization’s control as well as interested parties.

As for the scope of the BCMS, that’s meant to explain coverage to interested parties. Exclusions should, therefore, be explained and justified to provide assurance that they won’t undermine business continuity.

Following this logic, the organization should have a process for defining the scope of the management system in terms of the products and services to be included. That scope should be appropriate to the context of the organization and identify the boundaries and applicability of the management system.

Management System Support

The sixth section on management system support covers people (competence and awareness), other resources, and external providers, as well as communication relating to the management system and control over management system changes.

The section recapitulates what exactly makes management systems effective. The reasons include the fact that management systems (particularly best-practice management systems):

  • Are planned
  • Have processes that are integrated with other business processes
  • Have the commitment of top management
  • Have the resources (i.e., budget allocation, information and data, facilities, technology equipment and systems, etc.) necessary to achieve business continuity objectives, if not from internal sources then from external providers
  • Provide effective communication with external providers
  • Have people with the necessary competence performing key roles
  • Have a workforce that knows its role in what the organization is trying to achieve
  • Have controlled changes
  • Retain suitable documentation and records

Communication with interested parties might seem like a no-brainer. However, a process must be established, specifically with an eye to communication during disruptions.

Such a process includes:

  • Identifying the internal parties with whom to communicate
  • Identifying the external parties with whom to communicate
  • Determining for each party the information, timing, methods, and person to be responsible for communication

The same goes for a process to communicate changes that affect the management system. That process should include:

  • Identifying changes
  • Evaluating the effect of the changes on the overall performance of the management system
  • Determining the actions to be taken

Documented Information

The following section tackles documented information, the term used to describe records and procedures that need to be controlled and maintained. Such information must be locatable, accessible, identifiable, understandable, and readable. But it can be in any format or style that the organization deems acceptable.

However, organizations not only need a process for creating documented information that covers format and appropriate media but also a process for controlling and updating documented information that covers distribution, storage, updates, etc.

What sort of information needs to be documented? Documented information should include the following:

  • Management system roles and responsibilities planning
  • Issues, interested parties, and attitudes to risk
  • Policy, scope, and objectives
  • Management system support, including people, other resources, external providers, communication, and control over changes
  • BCMS operations
  • Monitoring and measuring effectiveness
  • Compliance and audit
  • Management review
  • Identification of nonconformity and corrective action

BCMS Operations

Most readers of NCEMA 7000 are keen to learn what operations are prescribed. Operations, here, refers to the overall process of putting business continuity in place so that the organization can deal with disruptions that might otherwise prevent it from meeting its business objectives.

Per the standard, necessary operations include:

  • Understand the different impacts that would result from disrupting activities
  • Identify activities whose disruption would increase damaging impacts
  • Prioritize activities and focus efforts and resources on high-priority activities
  • Evaluate the risks to high-priority activities and their dependencies
  • Identify the resources that high-priority activities require for resumption
  • Plan when and how to resume high-priority activities

Digging in, the standard counsels organizations to plan and implement the processes needed for BCMS operations and resources. Foremost among those is the business impact analysis (BIA), the purpose of which is to identify the organization’s high-priority activities.

Organizations should have the following process for analyzing the business impact of disrupting activities that support the delivery of products and services:

  • Using impact categories and timeframes relevant to the organization’s context to analyze impacts resulting from disruption of activities
  • Determining the time within which the impacts of not resuming activities would become unacceptable and setting Recovery Time Objectives (RTOs) within that time for their resumption
  • Determining the capacity at which activities may need to be resumed
  • Using the results of this analysis to identify the organization’s “prioritized activities,” which will require business continuity strategies to be in place to ensure their resumption within the predefined RTO
  • Identifying dependencies of prioritized activities, including people, other resources, external providers, and other activities relied on for delivery of products and services

Besides the BIA, an organization also needs to find ways to reduce the risk of disruptions. The risk assessment provides information that can be used to identify strategies for reducing the likelihood or impact of disruption.

To this end, the risk assessment process should identify, analyze, and evaluate the risk of the organization’s prioritized activities being disrupted. That process should include:

  • Identification of risks from threats and vulnerabilities that are relevant to the organization’s context
  • Analysis of risks based on consideration of potential causes and sources of risk and their likelihood and anticipated consequences
  • Evaluation of risks to determine their significance to the organization

What’s more, having identified prioritized activities and dependencies, an organization needs to protect both. Yet, organizations, owing to the fact that disruptions are inevitable, also need to plan how best to respond and resume activities that have been disrupted.

An organization, therefore, needs to consider strategies for the following:

  • Mitigating the risk of prioritized activities being disrupted
  • Keeping disruption to a minimum
  • Resuming essential operations within acceptable timeframes
  • Ensuring effective communication during an incident

Planned Response

The BCMS operations section also tackles the issue of planned response in the event of a disruption. An organization needs to identify potential disruptions and respond accordingly.

The primary asset used to respond to a disruption will be the response team. To this end, an organization will need to create a suitable team structure consisting of people with the necessary responsibility, authority, and competence.

Going further, team members must have a pre-written structure that provides the information they require and the actions they need to take. And it’s up to management to choose titles for the structure (e.g. business continuity plan, incident response plan, media response plan, disaster recovery plan, etc.) and decide on the number, style, and level of detail, all of which need to be suitable for the organization and its workforce.

At a minimum, though, the response structure should address the following:

  • Command and control, i.e., a central team with the capability and authority to make prompt and appropriate decisions and communicate them effectively
  • Incident detection and immediate response
  • Communication during disruptions
  • Recovery of technology systems
  • Resumption of prioritized activities
  • Return to business as normal

Exercising and Testing

The final sub-section of NCEMA 7000 BCMS operations tackles exercising and testing. The standard, here, notes that exercising and testing are essential to provide assurance that strategies and the response structure are effective.

How to get things started? A good place to kick things off is to conduct team walk-throughs of response structure and requirements.

Typically, exercises are effective in developing teamwork, competency, confidence, and knowledge of those involved.

Tests, on the other hand, are generally used to determine if a specific outcome is achievable.

Review and Evaluation

The penultimate section of NCEMA 7000 deals with review and evaluation of the BCMS. The best way to ensure that business continuity remains appropriate to the needs of the organization is to measure the performance of the management system and make sure that all processes have been implemented and remain effective.

To this end, the standard tasks organizations to have a process for evaluating the performance and effectiveness of the management system. Such a process should include:

  • Identifying what needs to be monitored and measured
  • Identifying ways to monitor and measure
  • Specifying timing and frequency requirements with justification
  • Analyzing, evaluating, and reporting the results of monitoring and measurement
  • Analyzing the outcomes of disruptions

With regard to performance indicators that keep management informed of the effectiveness of the management system, the standard recommends measuring the degree of compliance with the following:

  • Roles defined and responsibilities currently assigned to people
  • Context of the organization (e.g., issues, interested parties, and attitude to risk) identified, documented, and signed off
  • Statement of policy, scope, and objectives created, approved, and published
  • Competencies defined, documented, and approved
  • Participation of team members in training and workforce awareness
  • Business impact analyses completed, documented, and approved
  • Risk assessments completed, documented, and approved
  • Business continuity strategies documented, selected, approved, and in place
  • Team structure defined and positions filled
  • Response structure created and approved
  • Exercises and tests designed and planned
  • Exercises conducted, post-exercise reports produced and approved
  • Internal audit coverage of the management system
  • Management review completed within past year
  • Nonconformities with no approved corrective actions
  • Corrective actions documented, approved, and completed

Continual Improvement

As with ISO 22301, NCEMA 7000 concludes with a final section on continual improvement, intended to take the BCMS to a higher level of efficiency and effectiveness. To do so, the organization must react to nonconformity and implement corrective actions accordingly.

To this end, the organization should have a process for identifying nonconformities and taking action to control and correct them. Such a process should include:

  • Reviewing the nonconformity to determine its cause
  • Determining if similar nonconformity exists or could occur
  • Taking appropriate corrective actions
  • Changing the management system as necessary
  • Recording the results and reviewing the effectiveness of corrective action taken

The process is intended to address deficiencies in the management system and ensure that it functions as intended. As a result, an organization should also have a process for taking corrective action in a timely manner to eliminate the causes of nonconformity and to prevent its recurrence.

Business continuity management software to help conform to best-practice standards

If the requirements in NCEMA 7000 seem onerous, organizations considering compliance shouldn’t be too daunted. Indeed, conforming to best-practice standards can be simple with the right business continuity software.

Case in point: Noggin’s business continuity software helps you conform with ISO 22301, to which NCEMA 7000 is closely related. Beyond that, Noggin also enables organizations to be prepared for adverse events and disruptions while staying ahead of the curve.

Here are some capabilities that help:

  • Simplify business continuity with a unified workspace. Noggin simplifies business continuity by unifying all your activities and data from business impact analyses, dependency mapping, exercises, and recovery strategies into an integrated resilience workspace to enable streamlined and centralized management of your entire business continuity program.
  • Engage stakeholders with business continuity planning. Noggin facilitates collaboration and engagement across your business continuity activities, empowering stakeholders with a better understanding of risks, the potential impact of disruption, and their roles and responsibilities, fostering a greater sense of ownership and accountability for the organization’s resilience.
  • Gain real-time visibility into your readiness. Noggin provides real-time visibility into potential vulnerabilities, risks, and gaps to enable timely action to prevent or mitigate them. Stakeholders can test the effectiveness of the business continuity program through exercises and drive continuous improvement from lessons learned and insights to refine strategies and processes.
  • Automate key continuity tasks to save time and effort. Noggin’s powerful workflow and automation platform simplifies business continuity by streamlining time-consuming approvals to enhance operational efficiency, automating real-time notifications to ensure effective coordination of your continuity efforts, and automating recovery strategies to improve response times.

Finally, the risk of disruption is increasing for companies across the globe, with organizations in the Middle East facing a particularly fraught risk environment.

To prepare, organizations in the UAE, specifically, should take the systematic approach to securing business continuity during and after disruptive incidents proposed by NCEMA 7000. The standard, as written, helps organizations secure the flow of their functions and services until full recovery from an emergency, crisis, or disaster is achieved.

Software solutions like Noggin help organizations comply with best-practice business continuity standards. Compliant with ISO 22301, which NCEMA 7000 closely mirrors, Noggin’s streamlined, integrated, and automated business continuity management prepares organizations for adverse events and disruptions.

But don’t just take our word for it. Request a demonstration to see Noggin in action for yourself.
