1. Introduction
1.1 Objective
The objective of this document is to set out procedures in the area of Business Continuity Management (BCM) for adoption by Hirett.
1.2 Scope
This document provides details on how Hirett policies for Business Continuity Management (BCM) can be achieved. This document defines the Business Continuity Management (BCM) lifecycle to be followed by all departments to ensure our business continuity capability is fit for purpose and up-to date.
1.3 Background
The Importance of operational resilience cannot be overstated in these uncertain times. Over the decade. Over the last decade many events have touched companies with numerous interruptions caused by extreme weather, earthquakes, industrial disputes, terrorism, cyber-attacks etc. There has also been a number of incidents where critical infrastructure (e.g. power, cooling, water) fails and impacts ability for companies to continue business as usual.
As a result, it is increasingly important to ensure that Hirett is prepared as possible for any future events, and to ensure that the business can quickly return to normal operations with minimal disruption. A robust Business Continuity Management (BCM) strategy will help us to:
• Ensure safety of staff and mitigate risk
• Maintain client relationships which would otherwise drift away quickly in the event of a prolonged Hirett specific outage
• Address regulatory requirements
• Protect the company’s reputation
• Ensure we can answer questions from staff and clients as to our BCM practices.
2. BCM Operating Principles
2.1 Scenario-Driven Planning and Exercising
As part of the establishment of a standard process model for Business Continuity Management, this document sets outs common sets out a common set of definitions for three areas of the process model:
1. The Interruption Scenarios that all staff must take into account in the BCM planning process;
2. The BCM Responses that should be used in response to these interruption scenarios; and
3. The BCM Exercises that should be undertaken to prove that the BCM responses are up-to- date and fit-for purpose
Figure 1- Interruption Scenarios, BCM Responses and BCM Exercises
For the purpose of this document, we assume the BCM planning is performed at a department level. As a result, this document will refer to departmental-level activities e.g. BCM Strategies for a department, BCM Plans for a department.
3. BCM Framework – Overview
Through and comprehensive planning is critical to the development and implementation of resilient and effective BCM strategies and responses. The BCM Framework sets out the lifecycle of activities relating to BCM that all departments should follow to ensure consistent determination of business impact, development/ implementation of business continuity strategies, responses and plans, and on-going maintenance of BCM Solutions.
There are five key phases to the this BCM guideline implementation framework as summarise below. Each phase is discussed in more detail in the subsequent sections of the document.
Figure 2- The BCM Framework
4. BCM Framework- BCM Programme
This section is covered in the BCM Target Operating Model and addresses the following areas;
• Assigning Responsibilities for BCM
• Establishing BCM Governance
• Implementing BCM
• Ongoing Management of the BCM Programme
5. BCM Framework- Understand the Business
The Understand the Business is essential to identify the impact (both tangible and intangible) of an unplanned business interruption and the mission critical business processes/activities that must be protected. This phrase requires every department to undertake a Business Impact Analysis at least annually and within the last twelve calendar months, or following significant business change.
5.1 Business Impact Analysis
Hirett has adopted a standard Business Impact Analysis (BIA) for application across all parts of the Business. The BIA process must be flexible enough to allow BIAs to conducted for complex departments down to smaller, less complex departments. The BIA questions are asked at department level and cover the following areas;
• General Information covering department information (e.g., location, hour of operation, process/functions, critical periods, deadlines, FTEs, etc.)
• Impacts in a number of Impact Areas of an interruption to normal business
• Priorities where the Maximum Disruption Time for the department and the underlying processes/functions are set. Also identifies concentration risk for each process/function
• Dependencies covering Internal (upstream/downstream, external and IT Service Dependencies). Not required for departments with a Maximum Disruption time of Future (> 30 days).
In the context of the BIA, criticality is defined by the Maximum Disruption Time for the department. The Maximum Disruption Time is essentially the amount of time a department can cease to operate before the impact to Hirett Online becomes unacceptable. “Critical “and “Non-Critical” departments are defined by the standard of time used to define Maximum Disruption Time is shown in Figure 3 below.
Maximum Disruption Time | Criticality |
IMMEDIATE (<1HR) | CRITICAL |
SAME DAY (1-5HRS) | |
NEXT DAYS (5-24HRS) | |
SAME WEEK (1-6 DAYS) | NON-CRITICAL |
NEXT WEEK (7-14DAYS) | |
THIS MONTH (15-30 DAYS) | |
FUTURE (>30 DAYS) |
Figure 3- BIA Maximum Disruption Time Periods
The standard approach also adopts a threshold approach, where thresholds are set for each of the impact areas and the impact questions determine how quickly these thresholds are reached. Section 5.1.2 BIA Thresholds describes the threshold in more detail.
5.1.1 BIA Overview
The BIA compromises the following sections:
1. General Information
1.1. BIA Information- provides summary information on the business area and the assignees/approvers for the BIA
1.2. Department/ Team Overview- provides an overview of the team including location, description of activities and operating hours
1.3. Processes and functions- list the processes/functions performed by the department, with the summary FTE information.
2. Impacts
2.1. Business Impact: Profile Over Time- assessment of how the impact of a business interruption develops over the Maximum Disruption Time Periods (Figure 3 above) in the following areas: Regulatory, Financial, Customer Service, Reputational and Operational
2.2. Regulatory Deadlines- summarises any regulatory requirements the department must comply with.
3. Priorities
3.1. Business Impact: Threshold Analysis- displays the time periods for which the impact threshold has been breached, indicating an unacceptable level of impact
3.2. Department Recovery Requirements – captures the Maximum Disruption Time for the department, with a recommendation based on the threshold analysis
3.3. Process/Function Recovery Requirements -captures the Maximum Disruption Time(s) for the department Process(es).
4. Dependencies
4.1. Internal Dependencies – Upstream- captures information on any internal departments upon which the department completing the BIA is dependent
4.2. Internal Dependencies – Downstream-captures information on any internal departments which are dependent on the department completing the BIA
4.3. External Third-Party Dependencies-captures the information on any external third parties (e.g. service providers or other companies) upon which the department completing the BIA is dependent.
4.4. IT Service Dependencies- captures information on any IT Service upon which the department completing the BIA is dependent
4.5. End User Computing (EUC) Dependencies- captures information on any End User Computing applications upon which the department completing the BIA is dependent.
5.1.2 BIA Thresholds
The key output of the BIA is the Maximum Disruption Time for the department. This is based on answers given for each of the impact areas shown out in Figure 4 below:
The key steps are as follows:
1. Threshold for all BIAs – the impact threshold for each impact area has been set as “C. MEDIUM” for all BIAS across the Company.
2. Use answers to Impact questions to determine first threshold breach – since the impact questions capture the impact over the standard interruption time periods, this information can be used to determine if and how quickly the “C. MEDIUM” impact threshold in any of the impact areas is reached
3. Set Maximum Disruption Time for department and underlying processes/functions – the interruption time period where the first impact area threshold is reached is then suggested as the Maximum Disruption Time for the department. The department completing the BIA then selects Maximum Disruption Time for the department. This may be different to the suggested Maximum Disruption Time, although justification must be provided. The department completing the BIA then must specify the maximum downtime for each of the processes/functions identified in the BIA. This process-level Maximum Disruption Time can be different to the department Maximum Disruption Time, but cannot be shorter, so if for example the department-level Maximum Disruption Time of “SAME DAY (1-5HRS)” or longer, but cannot be “IMMEDIATE (<1 HR).” Also, at least one process must have the same Maximum Disruption Time as the department Maximum Disruption Time.
5.1.3 BIA Weighting and Scoring
Since the Maximum Disruption Time for a department is based on when thresholds are reached, it is not an absolute definition of criticality. An absolute value of the criticality of a department, which
will allow comparison across different businesses, can be determined from a consistent weighting/scoring approach.
The standard approach to BIA provides an overall “score” for each BIA, based on the responses to the impact questions. This allows departments to be compared against one another so that (e.g.) a priority order can be determined for a location as an input into any Major Incident Management decisions. The scoring is flexible enough to allow different weightings to be applied to different impact area questions, answers and interruption time periods, as shown in Figure 5 below:
Figure 5 – BIA Weighting Definition
6. BCM Framework – Develop the Strategy
Having identified the most critical processes and set a timeframe for their continuation, the BCM strategy for the department should now be developed. In the context of department-level planning, the BCM Strategy comprises one or more BCM Responses, which allow the department to recover from a range of Interruption Scenarios.
The Interruption Scenarios to be planned for are described in 6.1 BCM Interruption Scenarios. The BCM Responses to these scenarios are described in section 6.2 BCM Responses. There are numerous BCM Responses available to a department, each offering a different level of resilience and associated cost. Departments must plan for an interruption lasting up to one month or longer.
There are important organisational & technology factors to consider in the definition of BCM strategies (see sections 6.4 General Considerations and 6.5 Technology Considerations). Also, there may be local Regulatory and Compliance requirements that must be met.
Business areas may choose to define a “joined-up” BCM Strategy that applies across a number of departments or locations. For the purpose of this BCM Procedures document, we shall consider BCM Strategy and BCM Responses as they apply to a single department.
6.1 BCM Interruption Scenarios
The common list of interruption scenarios to be considered for all BCM planning activities is referred to as the Master Interruption Scenario List. This represents the minimum standard of scenarios that must be considered, although it is possible for departments to add Interruption Scenarios based on specific business need or regulatory requirement. The table below shows the Master Interruption
Scenario List, along with example causes. Note, these interruption scenarios are not mutually exclusive, and a single threat scenario (e.g. Terrorist bomb) may result in more than one interruption scenario being realised (e.g. Unavailability of Premises, Unavailability of Staff, etc.).
Optional Interruption Scenario (see Notes)
NOTES:
1. Optional scenario, applicable for locations identified as requiring partial-loss planning (e.g. iconic buildings, large call centres, etc.)
2. Applicable subject to requirement and agreement with BCM Governance
3. Standard telephony will be considered as an IT Service – the “Loss of Telephony” interruption scenario should consider the impact on telephony (e.g. Customer Service)
Figure 6 – Master Interruption Scenario List
6.2 BCM Responses
The BCM Strategy for a department comprises one or more BCM Responses – a department will typically have a range of BCM Responses available to it:
• Workload Resilience – where workload is either balanced across locations in BAU, or can be transferred to alternative locations during an interruption. This does not involve relocation of any staff.
• Staff Relocation – where staff are relocated to an alternate site (e.g. a Work Area Recovery site), typically within easy travelling distance of the main location.
• Home Working – where staff use remote access infrastructure to work from home
• Key Dependency Responses – where responses specific to a loss of a key dependency are invoked (e.g. alternate Supplier strategy, IT Service manual workaround, etc.)
The Generic BCM Response List does not include response strategies/plans for specific, high- likelihood threats that must also be planned for where appropriate (e.g. Hurricane Preparedness Plans, Earthquake Response Plans, Pandemic Readiness Plans, etc.). The Generic BCM Response List is shown in Figure 7 below.
Figure 7 – Generic BCM Response List
6.3 BCM Responses and Activation Times
The BCM Responses available to allow a department to recover from specific Interruption Scenarios are shown in Figure 9 below. This also sets out the appropriate Minimum BCM Response Activation Times for each response.
The Response Activation Time is the timeframe within which a BCM Response selected by a department must be available during an incident. GBRT calculates the Response Activation Time as the shortest Maximum Disruption Time for all the processes using that BCM Response.
The table Figure 8 in shows “Home Working” as a BCM Response suitable for all Response Activation
Times. However, the following conditions apply:
Figure 8 – Home Working Responses
Selection of Home Working as a BCM Response will of course depend also on the ability of a department to conduct work from home (often there are technology limitations) and whether home work is permitted from a regulatory/compliance perspective.
Once BCM Responses have been selected, requirements specific to that response (e.g. number of seats in a Work Area Recovery location, anticipated volumes for a Workload Shifting response, etc.) must be gathered.
6.4 General Considerations
6.4.1 Staff Relocation – Work Area Recovery Sites and Displacement Locations
A Work Area Recovery site or Displacement Location is key to support many of the Staff Relocation BCM Responses. Whilst there are many local factors that should be considered, key considerations include that a Work Area Recovery site or a Displacement Location should:
• Be located as far away as possible from the primary location, whilst allowing resumption of activities within Maximum Disruption Times;
• Ideally situated outside the metro-area where transportation & parking is adequate for extended (e.g. one month) use
• Be located on separate utility and telecom grids to the primary location
• Not share the same environmental risks (e.g. not on the same flood plain)
• Have sufficient seating capacity to allow continuity of business activities for an impacted location within Maximum Disruption Times
• Have ‘call redirection’ phone arrangements from the primary site where available/appropriate (e.g. personal extensions for critical areas, where services available, or limited to 800/main listed numbers, again where services exist and are cost-effective)
• Provide access to all critical IT services and market data
• Be as inconspicuous as possible without office branding where feasible
• Support dual-site working between primary and business resumption sites (e.g. pre-emptive measure for critical departments during or transportation disruption, severe weather, etc.)
• Utilise Virtual Desktop Infrastructure (VDI) where possible to simplify provision of user desktops which, if not utilised in BAU operations, should be verified at least quarterly
• Provide solutions to address any risks identified with control of information (e.g. Chinese Walls).
6.4.2 Workload Resilience
The majority of BCM Strategies in place today are of the Staff Relocation type and utilise BCM Responses depending on business resumption sites. Opportunities to utilise Workload Resilience BCM Responses, where workload – not staff – is moved between locations, should be actively considered and become an increasingly significant part of the BCM Strategies utilised by businesses.
There are different types of Workload Resilience BCM Response that can be considered:
• BAU active – active split across one or more locations (WR1, WR2, WR3) or workload shifting during an interruption (WR4, WR5, WR6)
• Distance between locations e.g. Same City (WR1, WR4), Different Cities (WR2, WR5) or Same Country/Regions (WR3, WR6)
For these responses to work when needed, the two locations would need the same business process/products, use standardised technology.
It is also important to note that any Workload Resilience solution will always involve business trade- offs because few locations would have the bandwidth to support another site and continue its own business at pre-interruption levels. Careful capacity and prioritisation planning are required in for such solutions.
Care should also be taken to ensure the Legal, Regulatory Compliance and Tax issues inherent in any cross-border solutions are considered appropriately.
6.4.3 Split-site operating models
Where offshoring is not practical, it may still be possible to decentralise staff to reduce concentration risks. For example, opportunities to move Support & IT staff to back-up sites or other in-country locations or establish split-site support services are realistic alternatives to consider.
6.4.4 Home Working
Working from home is a viable BCM response to consider for some departments, however it is not typically appropriate for many critical or customer -facing (e.g., customer service, IT Support) functions because of the problem it poses for remote business supervision and control.
The BCM Strategy cannot rely solely on Home Working BCM Responses and must also consider either Staff Relocation or Workload.
6.5 Technology Considerations
The technology that supports the vast majority of our business must be available at all times and accessible from any location.
6.6 Third Party management and BCM
Where a business/function is dependent on a Third Party for the supply of critical services, then care must be taken to ensure that the Third Party has satisfactory BCM strategies in place to support the business. The contractual arrangements with the suppliers should clearly address our BCM requirements. Hirett will be utilizing AWS Database and Cloud Services. Hirett entire infrastructure will be hosted on AWS, no other third-party services will be utilised. Hirett AWS instance will be hosted across multiple AWS regions to ensure resilience and business continuity.
AWS relationships will be managed and governed by AWS terms and policy. See link for details. https://aws.amazon.com/agreement/
6.7 Pandemic Response Strategies
Globally countries continue to be exposed to the risk of an influenza virus which is typically H1N1 for seasonal flu and H5N1 for avian flu. We continue to see very same cases in humans of avian flu and any potential pandemic here is very small, however there remains a risk of pandemic outbreaks.
Existing planning covers a severe pandemic and this would progressively be confirmed by the World Health Organisation leading potentially to a level 6 outbreak. As with the 2009 swine flu attack this could be relatively mild in its direct impact on humans and our operations and as such the three responses set out in Figure 9 below should be followed.
Figure 9 – Pandemic Response Phases
6.1 Records Management
Essential Records are business records without which the business would be unable to operate. They are either irreplaceable, time consuming or costly to replace. Depending on operational requirements, Essential Records can be both Primary and Secondary Records. Once Essential Records are identified, appropriate actions should be taken to ensure their availability in the event of major incident.
Essential Records must be detailed in the Business Continuity Plan. Details must be recorded of what these records are, how they are managed, (whether in paper or electronic), how they can be obtained and the timeframe that they are required during an incident.
7. BCM Framework
7.1 Plan Review and Update
All Business Impact Analysis and Business Continuity Plans must be reviewed and updated at least annually and within the last twelve calendar months or follows significant business change. Plans for critical areas may be reviewed more regularly (e.g. contacts section for a large plan may be reviewed quarterly), particularly where there is a large turn-over of staff.
Where new departments are created in the business or new strategies are adopted for existing departments, the following time-scales for the initial creation of plans and exercising of responses must be followed.
New Departments:
- Business Impact Analysis completed and approved within 3 months of creation of the department
- BC Plan completed and approved within 3 months of approval of the BIA for departments with a MDT of Immediate (<1HR), Same Day (1-5HRS) or Next Day (5-24HRS)
- BC Plan completed and approved within 6 months of approval of the BIA for departments with a MDT of Same Week (1-6 days) or longer
- BCM Responses, all responses must be exercised within 3 months of approval of the BC Plan New BCM Responses for existing BC Plans:
- All new BCM Responses must be exercised within 3 months of approval of the BC Plan
7.2 Training & Awareness
All staff should be familiar with their BC Plans. To ensure this, training & awareness programs should be provided when staff first join Hirett Online and at least annually thereafter and within the last twelve calendar months. Mandatory on-line BCM Training has also been developed in conjunction with Learning & Development and is mandatory for all staff on an annual basis. All new joiners will have to undergo this mandatory training as part of the “Discovery” programme.
Other recommendations to promote training and awareness include:
- Ensuring that BCM materials and, where possible, plans are viewable on the intranet
- Providing relevant staff with “wallet” cards of key contact numbers to use in case of plan invocation
- Establishing ‘Business Continuity’ emergency phone lines as an alternative method of communicating important messages should an event occur
- Ensuring that all relevant staff visit the Work Area Recovery or Displacement site periodically so that they are familiar with the location and seating arrangements
- Conducting individual briefing/induction and regular awareness training for business continuity co-ordinators.
Appendix A – Business Continuity Management (BCM) Definitions
1. Business Continuity Management
A strategic and tactical capability of the organisation to plan for and respond to incidents and/or business disruptions in order to continue business operations at an acceptable predefined level.
2. Business Continuity Planning
The process of developing prior arrangements and procedures that enable an organisation, businesses or departments to respond to an incident in a manner that critical business activities can continue within planned levels of disruption resulting in the creation of a Business Continuity Plan (BCP).
3. Business Impact Analysis (BIA)
The process of analysing the activities of business functions and the effect that a business disruption might have upon them. This should identify key dependencies and recovery time frames to minimise financial loss and any reputational damage.
4. Business Resilience
The combination of planning whether by businesses, IT, Corporate Real Estate, Human Resources or Service Delivery in ensuring the ability exists to maintain operations in the face of man-made or natural disaster events. This represents a collective effort against a wide range of threats.
5 Business Continuity Plan (BC Plan)
A plan to deal with a specific set of adverse circumstances. The plans need to be flexible in their creation given the variety and complexity of events which could impact a business(s).
6. Major Incident
A major incident is any disruptive event that is likely to have a significant effect on the organisation, locally, regionally where it is likely to result in significant financial loss, regulatory impact, adverse publicity, resource impact (people, buildings or systems), or any combination of the former.
7. Maximum Disruption Time
The duration after which the viability of a business will be significantly threatened because a product, service or operation cannot be resumed.
8. Recovery Time Objective (RTO)
A target set for the status and availability of data (electronic and paper) at the start of a recovery process. It is a point on time at which data or capacity of a process is in a known valid state and can be safely restored from.
9. Exercising
An activity that is performed to evaluate the effectiveness or capability of a, business continuity or incident management plan, or a service relative to specified time frames, measurements or scenarios in recovering impacted functions.