[Business continuity program] management enables the business continuity capability to be both established (if necessary) and maintained in a manner appropriate to the size and complexity of the organization.
- British Standard, Business Continuity Management – Part 1: Code of practice, BS25999-1:2006, 2006, British Standards Institution, p. 8.
Ongoing management
The cornerstone of effective ongoing management of business continuity in an entity is developing and implementing a robust governance framework. Entities that have done this well have integrated business continuity management into their existing governance framework. Governance aspects of the business continuity management program to consider include:
- sponsorship;
- ownership;
- custodianship;
- stakeholder relationships;
- planning;
- performance monitoring;
- evaluation and review; and
- enterprise information architecture.
Sponsorship
Executive leadership is crucial to the success of the business continuity capability. This sponsorship needs to manifest itself in both actions and words. In better practice entities, the executive:
- maintains an awareness of business continuity management, and receives business continuity management training;
- contributes to business continuity awareness raising in the entity;
- participates in business continuity testing and exercising;
- appropriately resources the business continuity function;
- endorses a business continuity management policy; and
- endorses key business continuity documents such as the business impact analysis and business continuity plan.
Ownership
In better practice entities, a person or committee with appropriate seniority is nominated as having direct responsibility for business continuity program execution and support.16 The accountable party provides overall direction and drive for the program, and their responsibilities may include establishing milestones and performance reporting requirements, authorising new versions of the business continuity plan, and approving the test and exercise schedule and scenarios.
Custodianship
Responsibility for the day-to-day implementation and coordination of business continuity management tasks needs to be assigned to one or more individuals. The custodians' tasks generally include updating documentation, promoting awareness across the entity, administering the test and exercise program, and coordinating reviews of the business impact analysis. It is important that the custodians receive training on their specific role, as well as on good practice in business continuity management generally. In smaller entities, the custodian typically also holds a role within the business continuity plan, such as incident manager or recovery coordinator.
An Audit Committee’s responsibilities, in relation to risk management, would generally be to review … whether a sound and effective approach has been followed in establishing the entity’s business continuity planning arrangements, including whether disaster recovery plans have been tested periodically.
- ANAO Better Practice Guide, Public Sector Audit Committees, 2005, p. 10.
Stakeholder relationships
Business continuity management is not an isolated process. To develop a resilient entity, consideration needs to be given to involving internal stakeholders (for example security management, emergency response management, business process owners, and service owners) and external stakeholders (for example interdependent organisations, unions, and clients) at key stages of the program. This may include involving them in planning, testing and exercising, and awareness raising activities.
Planning
The business continuity plan should be subject to systematic review. Integrating the update of the business continuity plan into the entity’s annual planning cycle ensures this is done annually and creates efficiencies. Contact details should be updated more frequently. A schedule of testing and exercising should also be developed. Better practice agencies have developed a ‘universe’ of test and exercise activities to ensure comprehensive testing and exercising of all processes, and that each test and exercise type occurs at regular intervals over several years.
The Workbook contains a checklist of governance questions for the executive to consider.
The Workbook contains a checklist of governance questions for the committee responsible for overseeing business continuity management to consider.
The Workbook contains an example of responsibilities for various business continuity roles.
16 Some larger agencies have developed an internal risk and business continuity governance committee. This committee then reports to the Executive and/or the Audit Committee.