
Business Continuity Review

Report – October 2024 by Continuity Matters

Scope of engagement

Continuity Matters were engaged during 2024 to assist the department with its business continuity program.

Deliverables

The deliverables for the engagement were:

  • Assist the Department to review and update its business impact analysis and business continuity.
  • Facilitation of review of BIAs and BCPs with divisions and regions throughout the Department, under the direction of the central business continuity team.
  • Analysis of data collected and preparation of a short report recommending opportunities to enhance business continuity plans across the Department. The report should support the Department's attestation in relation to compliance with the business continuity guidance note 7 under the Standing Directions.

This report is the final deliverable as per the above list.

1. Recommendations/Intro

Following on from our discussions on 23 October 2024, please find below a number of recommendations and observations that relate to the business continuity plan at DE.

2. Reducing the Size of the BCP

We have found that the size of the BCP document is inversely related to the likelihood that it will be opened and read. The BCP should only contain the information that is required to manage a disruption.

All other information should be located in an easy to access location. The information we suggest should be removed from the BCP includes:

  • Any information on BAU operation of the program e.g. testing, maintenance and approvals.
  • Roles and responsibilities, including a RACI.
  • Contact details of people who have responsibility for managing disruptions. These should be held in an electronic format and linked to the DE Active Directory and updated. Use the title/role of the person as the link – not their name.
  • The BCM Framework.
  • Policy.
  • Glossary.

The IFSG BCP is a good model.

Please see Appendix A for a Quick Access that functions as an alternative Table of Contents and provides an overview of all the documentation relevant to the BCP. Note each document listed should be linked to the storage location of the document.

3. Linking Prioritised Activities to Resources

With regard to completing the update of the BIA, it is important to link each supporting Resource to each Prioritised Activity it supports.

The Maximum Tolerable Period of Disruption of each PA should set the Recovery Time Objective of the supporting IT system.

Business Continuity of DE Prioritised Activities

DE Prioritised Activities as described below

The diagram below depicts the life of a disaster. Importantly, the Resources need to be recovered more quickly than the Prioritised Activities they support.

Timeline of a Crisis

Timeline of a crisis see detailed long description below

4. Reducing the Number of Prioritised Activities

As discussed previously, any PAs with a recovery time of more than one or two weeks should be removed from the BIA.

5. Organising Documentation

The development of a business resilience Program results in the production of a lot of documentation. Developing, maintaining and distributing the documents can be an onerous task. In addition, ensuring that staff can access the documents during an incident is critical. It is strongly recommended that a current copy of the documents is stored in a location other than the BAU location.

Please refer to Appendix B for a recommended approach to document cataloguing. The documents are organised into the following categories:

  • Development of the program
  • Operations and BAU Maintenance of the Program
  • Documents used during the management of a Crisis

Please note the list is exhaustive, so please feel free to remove any documents as applicable. Also, the numbering system is notional.

6. Documenting Recovery Procedures in BCP

The Recovery Procedures documented in the IFSG BCP provide a good template for the layout of the procedures. Note that the “Loss of Building” recovery procedures can be greatly simplified since we have learnt to work from home.

7. Crisis Management – is it a crisis or an incident?

DE should separately address the language used in the Business Continuity Plan with regard to the term “Incident Management Team”.

We understand that there is a need for an IMT at DE, but it is likely that most incidents do not become crises or impact business continuity. Conversely, DE may suffer a crisis that did not start life as an incident (e.g. financial fraud by an executive).

If DE intends to comply with the ISO standards, please find below a graphic that clearly outlines the use of the terms:

Figure 2 – Relationships and characteristic between an issue, incident and crisis

Infographic chart showing two circles aligned over graph, as described below

From page 5 of ISO 22361:2022


Definition of terms as per the ISO standard:

Business continuity

Capability of an organization to continue the delivery of products and services within acceptable time frames at predefined capacity during a disruption.

Issue

Event or situation that does not currently present, but can develop into, a long-term or significant negative impact on the strategic objectives, reputation or viability of the organisation.

Incident

Event or situation that can be, or could lead to, a disruption, loss, emergency or crisis.

Crisis

Abnormal or extraordinary event or situation that threatens an organization or community and requires a strategic, adaptive and timely response in order to preserve its viability and integrity.
