Managing business continuity

Enhance your organisation’s resilience and strengthen your security measures with a business continuity management programme (GOV3)

GOV012

Business continuity is the capability of an organisation to continue delivery of products or services at acceptable pre-defined levels following a disruptive incident (ISO 22301:2012).

A disruption is anything that interrupts your business-as-usual operations. Disruptions can occur at any time, for any reason, and their impact varies.

Causes of disruptions include natural events such as earthquakes or severe weather, loss of a key resource such as a power failure or supply chain disruption, and security threats such as cyber-attacks.

Why managing business continuity is important

A programme for managing business continuity helps you to manage the impact of disruptions, regardless of cause. A successful programme includes:

  • continual planning and improvement
  • carrying out activities to ensure you’re prepared for disruptive incidents
  • embedding business continuity into your organisation’s culture and practice.

Business continuity management follows an ongoing cycle to:

  • confirm the scope and approach of your programme
  • identify and prioritise critical functions
  • consider the resources and requirements needed to maintain critical functions
  • identify and apply solutions to ensure you can meet the requirements you’ve identified
  • document plans for business continuity and processes for responding to incidents
  • confirm that your plans and processes work through regular exercises and reviews.

How business continuity planning strengthens your security

The information you gather for your organisation’s business continuity programme strengthens your physical and information security programmes by identifying what you need to protect.

When people from other protective disciplines in your organisation are involved with identifying potential threats and proactive measures, you can work together to improve your organisation’s resilience.


Implementing a business continuity programme

Set the scope of your business continuity programme

GOV013

The first stage in implementing a business continuity programme is confirming the scope with senior management.

Define the scope of your programme

The scope defines at a high level the priority areas your programme will cover — not everything your organisation does as ‘business as usual’ can or should be maintained during a disruption. The scope of your programme should take into account your organisation’s:

  • legislative responsibilities
  • overall strategy
  • objectives

When you’re setting the scope, make sure it includes anything your priority areas depend on, such as supporting functions and resources.

Once you’ve established a business continuity programme, review its scope regularly so it continues to reflect your organisation’s responsibilities, objectives, and functions.

Develop a policy for managing business continuity

Develop a policy that outlines the intent and coverage of your business continuity programme. Senior management should approve the policy.

A policy for managing business continuity should include:

  • a definition of business continuity management
  • reference to any standards and guidelines you follow
  • what your programme covers
  • how your programme will be structured and run
  • links with other policies, processes, and disciplines within your organisation (for example, risk management).

Identify capable people and assign responsibility

You need people from all levels of the organisation to carry out business continuity management. Identify capable people to authorise, manage, and implement your programme. Roles you should cover include:

  • a governance team
  • a senior manager to sponsor the programme
  • a team to lead the programme’s implementation
  • departmental leads, plan owners, and subject matter experts
  • incident response teams.

Coordinate your response across disciplines

Your business continuity programme should provide the framework for integrated incident management for your organisation. Where other functions — like security, privacy, and information technology — have incident management procedures, make sure each team knows about the others’ response structures, triggers, and escalation paths.

To ensure an organisation-wide, holistic response to all incidents, your various incident management procedures and associated plans should be able to operate independently or together.


Identify your critical functions and their requirements

GOV014

Identify your organisation’s critical functions, and what’s needed to keep them running or restore them promptly.

Your organisation’s critical functions are the ones you most need to maintain in a disruption. When you’re identifying your critical functions, consider the scope of your business continuity programme, and evaluate the impact over time of a disruption to these functions.

Consider your resources and requirements

Which resources and requirements are essential for maintaining your critical functions? Think about:

  • people and their capabilities
  • facilities
  • supplies and equipment
  • information
  • technology (systems, applications)
  • suppliers of goods and services.

Conduct a business impact analysis

Business continuity professionals use a technique called business impact analysis to identify business continuity requirements.

A business impact analysis can capture varying levels of detail. Consider your organisation’s needs, and the stage you are at in implementing your programme.

In your business impact analysis:

  • Identify the requirements necessary to deliver the function
  • Assess the impact of a disruption to the function and related timeframes
    • At what point would the impact be unacceptable (the maximum tolerable period of disruption)?
    • When do you aim to recover this function by (your recovery time objective)?
    • At what point do you need the identified requirements, so you can achieve the recovery time objective?
  • Identify any other internal or external people, services, or suppliers that the function depends on
  • Determine how critical the function is over time. 

Carry out a risk assessment

A business impact analysis should include a risk assessment to identify and quantify the risk of disruption to the function, including risks to the requirements the function needs. Collaborate with the people in your organisation who are responsible for risk management to carry out the risk assessment. Remember to consider risks that your organisation has already identified, and any measures for reducing them that are already in place.

Take a wide view

Collate and review the information from your business impact analysis, taking an organisation-wide perspective. You can then consider:

  • interdependencies between functions 
  • shared requirements across your organisation.

Develop plans for maintaining your critical functions

GOV015

Follow a process to plan how you will maintain your critical functions. Then document and validate your plans.

Design and implement solutions

Once you’ve identified the requirements for each critical function, you can plan how to maintain or resume these functions if they are disrupted.

Consider the range of solutions you can apply to each resource requirement, implement the preferred strategy, and address any gaps you identify.

Solutions include:

  • diversifying (for example, having separate premises where the same activity occurs in parallel)
  • replicating (for example, having people in another location who are trained and able to carry out a critical process, but don’t do it as ‘business as usual’)
  • using standby options (for example, maintaining an alternate facility that can be made operational within the recovery timeframe)
  • acquiring a resource or service after an incident
  • outsourcing the function to a third party
  • having insurance
  • using manual workarounds
  • doing nothing.

To implement solutions, you may need supporting expertise or resources, such as information technology. Consider your organisation's context. You may need to perform a cost-benefit analysis to help you decide which solutions to pursue.

Remember to apply your chosen solutions to all the resources that support business continuity — people, facilities, supplies and equipment, information, technology, and suppliers.
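The business impact analysis questions above (maximum tolerable period of disruption, recovery time objective, when each requirement is needed, dependencies between functions, shared requirements) and the gap check from the solutions step can be written down as simple consistency checks. The script below is an added example, not part of this guidance or of ISO 22301; the class and function names, and the sample functions, requirements and hours, are constructed assumptions chosen to show one of each kind of finding (an RTO longer than the MTPD, a requirement with no solution, a solution slower than the need, and a dependency that recovers later than the function that relies on it).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Requirement:
    """A resource a function needs, when it is needed (hours after the disruption),
    and how quickly the chosen continuity solution delivers it (None = no solution yet)."""
    name: str
    needed_by_hours: float
    available_in_hours: Optional[float] = None


@dataclass
class CriticalFunction:
    name: str
    mtpd_hours: float  # maximum tolerable period of disruption
    rto_hours: float   # recovery time objective
    requirements: List[Requirement] = field(default_factory=list)
    depends_on: List[str] = field(default_factory=list)  # other critical functions


def check_function(fn: CriticalFunction) -> List[str]:
    """Flag inconsistent timeframes and unmet requirements for one function."""
    issues = []
    if fn.rto_hours > fn.mtpd_hours:
        issues.append(f"{fn.name}: RTO {fn.rto_hours}h exceeds MTPD {fn.mtpd_hours}h")
    for req in fn.requirements:
        if req.needed_by_hours > fn.rto_hours:
            issues.append(f"{fn.name}: '{req.name}' needed at {req.needed_by_hours}h, after the RTO")
        if req.available_in_hours is None:
            issues.append(f"{fn.name}: no continuity solution chosen for '{req.name}'")
        elif req.available_in_hours > req.needed_by_hours:
            issues.append(f"{fn.name}: solution for '{req.name}' takes {req.available_in_hours}h, "
                          f"but it is needed by {req.needed_by_hours}h")
    return issues


def check_dependencies(bia: Dict[str, CriticalFunction]) -> List[str]:
    """A function cannot meet its RTO if a function it depends on recovers later."""
    issues = []
    for fn in bia.values():
        for dep in fn.depends_on:
            if dep not in bia:
                issues.append(f"{fn.name}: depends on '{dep}', which is outside the BIA scope")
            elif bia[dep].rto_hours > fn.rto_hours:
                issues.append(f"{fn.name}: depends on '{dep}' (RTO {bia[dep].rto_hours}h), "
                              f"later than its own RTO of {fn.rto_hours}h")
    return issues


def shared_requirements(bia: Dict[str, CriticalFunction]) -> Dict[str, List[str]]:
    """Requirements used by more than one function: the organisation-wide view."""
    users: Dict[str, List[str]] = {}
    for fn in bia.values():
        for req in fn.requirements:
            users.setdefault(req.name, []).append(fn.name)
    return {name: sorted(fns) for name, fns in users.items() if len(fns) > 1}


def recovery_order(bia: Dict[str, CriticalFunction]) -> List[str]:
    """Order functions so dependencies recover first; ties go to the shortest RTO."""
    indegree = {n: sum(1 for d in fn.depends_on if d in bia) for n, fn in bia.items()}
    dependents: Dict[str, List[str]] = {n: [] for n in bia}
    for n, fn in bia.items():
        for d in fn.depends_on:
            if d in bia:
                dependents[d].append(n)
    ready = [n for n, deg in indegree.items() if deg == 0]
    order: List[str] = []
    while ready:
        ready.sort(key=lambda n: bia[n].rto_hours)
        current = ready.pop(0)
        order.append(current)
        for nxt in dependents[current]:
            indegree[nxt] -= 1
            if indegree[nxt] == 0:
                ready.append(nxt)
    if len(order) != len(bia):
        raise ValueError("circular dependency between critical functions")
    return order


# Constructed sample BIA; function names, requirements and hours are illustrative only.
BIA = {fn.name: fn for fn in [
    CriticalFunction("customer helpdesk", mtpd_hours=8, rto_hours=4, requirements=[
        Requirement("telephony", 4, 2), Requirement("CRM system", 4, 3)]),
    CriticalFunction("payroll", mtpd_hours=72, rto_hours=48, requirements=[
        Requirement("HR system", 24, 12), Requirement("payroll staff", 40)],
        depends_on=["HR records"]),
    CriticalFunction("HR records", mtpd_hours=96, rto_hours=72, requirements=[
        Requirement("HR system", 72, 12)]),
    CriticalFunction("public website", mtpd_hours=24, rto_hours=36, requirements=[
        Requirement("web hosting", 36, 48)]),
]}

if __name__ == "__main__":
    issues = [i for fn in BIA.values() for i in check_function(fn)] + check_dependencies(BIA)
    print("\n".join(issues), shared_requirements(BIA), recovery_order(BIA), sep="\n")
```

Each finding maps back to a step in the process: a timeframe inconsistency is corrected in the analysis itself, a missing or slow solution is a gap to address in the solutions step, and a dependency that recovers too late either needs a shorter RTO for the dependency or a longer one for the dependent function. The recovery order and the shared-requirements view are the organisation-wide inputs the "Take a wide view" step asks for.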

Document your plans and processes

Create a business continuity plan to document your organisation’s procedures for responding to a disruption of any kind.

The structure of your business continuity plans depends on your organisation.

Small organisations may have all the information in one plan.

Larger organisations may have separate plans that cover different requirements or business functions. For example, a large organisation may have an overall plan which describes the business continuity scope and response procedures, and separate plans for business units, service locations, or specific functions.

Your organisation’s plans should cover:

  • processes for notification, activation, and escalation
  • roles, responsibilities, and authority for invoking the plan and responding to disruptions
  • leadership continuity
  • structures and processes for responding to disruptions
  • details of critical functions:
    • requirements and timeframes
    • processes for maintaining the function, including where detailed operational procedures or plans can be found
  • communication procedures (internal, external)
  • any links to other plans and processes within the organisation.

Plans should be simple, fit for purpose, and easy to use under the pressure of a response situation. Use templates and checklists to make plans easy to use.

Run exercises to test your plans and prepare for disruptions

Systematically train for handling disruptions by running exercises. Test, assess, practise, and improve your organisation’s plans for ensuring business continuity.

Exercises allow you to validate assumptions you made during the planning process, and identify issues or gaps in planning. Exercises also build the capability of your response teams.

Run regular exercises as part of a continuous improvement process, so that you can gradually build capacity and capability over time.

The type of exercises you choose to use will depend on your exercise objectives. Each type of exercise requires a different amount of time to prepare and facilitate, and carries a different level of risk and cost.

Types of exercise:

  • Discussion exercise: a discussion where participants 'walk through' plans, or focus on a particular area for improvement.
  • Scenario exercise: a discussion exercise with a scenario and timeframe. Participants demonstrate their response plans as the situation unfolds.
  • Simulation exercise: an exercise with a more elaborate scenario, with information introduced as the situation unfolds, simulating a real incident. Participants rehearse their roles.
  • Live exercise: a real-time rehearsal of part or all of a response.
  • Test: testing of technology, equipment, or procedures, resulting in a pass or fail.

Set up teams to manage business continuity in a disruption

GOV016

Create an organisation-wide structure for managing and responding to a range of incidents and disruptions. Assign key roles and responsibilities and ensure the right processes are in place.

Your structure for business continuity should:

  • integrate with other response structures within your organisation (for example, security or information technology)
  • be flexible and scalable, so it can handle incidents of varying scale and impact
  • be documented in an organisation-wide plan.

If you have responsibilities under the Civil Defence Emergency Management Act 2002, ensure your arrangements align with New Zealand’s Coordinated Incident Management System (CIMS).

Put processes in place

Ensure your response processes include:

  • who will fulfil key roles in a response (strategic oversight, tactical, and operational roles)
  • response priorities
  • who is authorised to activate and manage a response, and who that responsibility may be delegated to
  • notification, activation, and escalation.

Create teams to manage strategy, tactics, and operations

Your organisation will need to consider your response structure at the strategic, tactical, and operational levels.

For some organisations, one response team may manage all levels. In large organisations you may need to create separate teams to manage these responsibilities.

Hold regular exercises to ensure your people know what to do, arrangements are fit for purpose, and you identify any gaps.

Strategic response team — your crisis management team

Your strategic response team focuses on the issues from an organisation-wide perspective. The team is usually led by top management and is often called a crisis management team. This type of team needs to be flexible, and involve experienced managers with the authority to apply the organisation’s full resources to the response.

Tactical response team — the coordinators

The tactical response team manages and coordinates the processes required to deliver your critical functions and to ensure resources are appropriately allocated.

Operational response team — enabling continuity or recovery

Your operational response team keeps critical functions running, or does the work to recover them.

Review plans regularly to ensure effectiveness

Whenever you activate response plans (either in an exercise or in real-life incidents), review their effectiveness to ensure they remain fit for purpose.


Maintain your business continuity programme

GOV017

Actively maintain your business continuity programme. Make sure it remains current and continues to reflect your organisation’s responsibilities, objectives, and functions. 

Changes to your programme may be required due to:

  • changes in your organisation, such as a change in organisational structure
  • new functions, or changes to existing functions, such as a change in the way a function is delivered
  • changes to the requirements that support your functions, such as a new IT system introduced
  • lessons learnt from an exercise or incident
  • findings from an assessment or review.

Review your business continuity management programme

Reviews help you to evaluate your policy, plans, and processes to ensure they remain appropriate and effective, and to identify areas for improvement. Types of review include:

  • audit
  • self-assessment
  • quality assurance activities
  • supplier performance review
  • management review
  • appraisal of performance against business continuity roles and responsibilities.

Your recommendations from the review process should focus on improving resilience.

Integrate your business continuity plans

Business continuity is not just about having a plan. It’s a process with practical steps for becoming more resilient, and proactively minimising the impact of any disruption, regardless of cause.

To be successful, business continuity management can’t occur in isolation. You must integrate your programme with the response processes of the other teams that protect your organisation’s operations — such as security, health and safety, emergency management, information management, and risk management. If you integrate these functions, you’ll enhance your organisation’s resilience.

For example, your business continuity programme can identify potential threats and proactive measures for security. And adopting risk management principles supports you to assess the risks of disruptions to critical functions.

Train your people

Training, education, and awareness are important. Ensure your business continuity processes are well understood. Make them part of your business practice and your organisation’s culture.

Select people for your response teams who have the right skills and competencies, and train them appropriately. Select and train back-up people for these critical roles. Where possible, make sure that people with critical roles do not have competing responsibilities.


Legal requirements, ISO standards, and best practice for business continuity management

GOV018

Government organisations are required by law to protect their operations against disruption. The International Standards Organisation (ISO) sets standards for business continuity.

Your chief executive has overall responsibility for ensuring your organisation has arrangements in place for business continuity management.

Legal requirements for business continuity

Under the Civil Defence Emergency Management (CDEM) Act 2002, your organisation must have preparations in place to handle disruptions to your business. You must:

  • undertake activities to ensure you can function to the fullest extent (even though this may be at a reduced level) during and after an emergency
  • undertake business continuity planning activity to:
    • ensure you can carry out your response and recovery roles under the CDEM Act
    • mitigate risks to business disruption
    • put plans and strategies in place for continuing critical business processes.

Two other sources of requirements for business continuity and disaster recovery processes you must follow are:

ISO standards for business continuity management

The standard relating to the requirements outlined in these webpages is ISO 22301:2012 Societal security — Business continuity management systems — Requirements.

Supporting standards cover specific components of the business continuity management programme:

  • ISO 22300:2018 Security and resilience — Vocabulary
  • ISO 22313:2012 BCMS — Guidance
  • ISO 22316:2017 Organisational resilience — principles and attributes
  • ISO 22317:2015 BCMS — Guidelines for business impact analysis
  • ISO 22318:2015 BCMS — Guidelines for supply chain continuity
  • ISO 22330:2018 BCMS — Guidelines for people aspects of business continuity
  • ISO 22331 (under development) BCMS — Guidelines for business continuity strategy
  • ISO 22398:2013 — Guidelines for exercises.

Good practice guidelines

The Business Continuity Institute publishes guidelines, available to members.

The ‘lite’ edition of the guidelines is freely available.