Introducing ISO 22317 – The Business Impact Analysis Standard

WHAT IS ISO 22317?

The International Organization for Standardization (ISO) Technical Committee (TC) 292, the committee responsible for writing security, resilience, and business continuity standards, is close to releasing its latest document: ISO 22317 – Societal Security – Business Continuity Management Systems – Business Impact Analysis, the first and only international standard solely addressing the business impact analysis (BIA).

ISO 22317 reached stage 60.00 (International Standard under publication) on July 13, 2015 and is expected to be published shortly.

There are a few important points to understand before reading ISO 22317:

The Importance of Embedding Business Continuity: An Overview of BCI Professional Practice 2

The Business Continuity Institute (BCI) publishes the Good Practice Guidelines (GPGs), which is a compilation of six professional practices that provides guidance to business continuity practitioners on implementing and maintaining a business continuity program. While the BCI GPGs generally align with ISO 22301, which provides high-level guidance on establishing a business continuity management system, the Practices actually enhance ISO 22301 by answering the “why” and “how” of establishing a program.

As stated in the BCI Good Practices:

Management system standards, such as ISO 22301, provide an approved process, a set of principles and terminology for a specific subject area or discipline. They provide a technical specification approved by a recognized standardization body for the repeated or continuous application of a process against which an organization can be measured. They do not explain what an individual needs to learn to become a practitioner in the discipline, how they might go about applying their skills and knowledge, or how an organization might implement BC.

This article reviews GPG Professional Practice 2 (PP2): Embedding Business Continuity and explains why embedding business continuity into your organization is important for driving success, describes best practices for embedding business continuity into day-to-day activities, and provides a brief case study highlighting the benefits of this practice.

Leading Response and Recovery Teams (Part 2)

Team leaders play a critical role in improving business continuity for their organizations but seldom receive the appropriate training to help them understand the differences between day-to-day leadership and crisis leadership following the onset of a disruptive incident.

This perspective is the second in a three-part series that addresses how to develop the skills necessary for being a successful leader in a crisis, including how a team leader can set the team’s purpose and bring order to the chaos that ensues following the onset of a disruption. These two foundational team leader behaviors will help elicit the best possible performance of the team (as well as themselves).

Chaos in Cleveland?

SETTING THE STAGE

This morning was a non-eventful morning.  I was sitting in my office, sipping on my coffee, and working on my monthly reports. Then, the manager of our office building entered our lobby.

The Michael Brelo case is nearing an end. Closing arguments have been heard and a verdict is expected shortly. The question is, when?

Our building manager was concerned, and rightfully so.

Our office is located directly across the street from the justice center where the case is taking place. Just a couple weeks ago, we sat witness to the riots and devastation in Baltimore, and, from our ongoing monitoring of the situation and media this week, our team is aware that the City of Cleveland is actively bracing for the possible impact and chaos that could result when the verdict is announced.

The Need to Establish Business Continuity Governance: An Overview of BCI Professional Practice 1

The Business Continuity Institute (BCI) publishes the Good Practice Guidelines (GPGs), which is a compilation of six professional practices that provides guidance to business continuity practitioners on implementing and maintaining a business continuity program. While the BCI GPGs generally align with ISO 22301, which provides high-level guidance on establishing a business continuity management system, the Practices actually enhance ISO 22301 by answering the “why” and “how” of establishing a program.

We Just Did a BIA and Gap Analysis… Now What?

How to Perform an Effective Business Continuity Strategy Identification and Selection Effort

Reader Note: This article is a continuation from Avalution’s November 2014 article titled: We just did a BIA and Risk Assessment … Now What? How to Perform an Effective Business Continuity Gap Analysis. If your organization just finished a business impact analysis (BIA) and risk assessment, but has not yet performed a gap analysis, it may be helpful to read about performing an effective gap analysis before continuing on to this article.

Once an organization understands gaps between business continuity requirements (as defined in the business impact and risk assessment) and current capabilities, management can determine which gaps they wish to address through strategy selection – either through risk mitigation or resource-specific recovery methods. Determining methods to decrease the likelihood of a disruptive incident reduces the potential that a risk will materialize, while identifying methods to respond to and recover from a disruptive incident decreases downtime and protects the organization’s brand and financial position (among other assets).

Treating the Causes of Bad Business Continuity Training Programs

Faults & Fixes: Bad Training

As business continuity professionals, we tend to gravitate to the activities where we think we can deliver the most value. This often takes the form of the business impact analysis, helping management come up with strategies that minimize risk, and documenting these strategies into plans. Ensuring that a business continuity program employs effective training approaches and engages business process owners, unfortunately, often plays “second fiddle” to other activities. One only needs to browse any of the top business continuity and disaster recovery related publications to see this disparity. Searching for “business impact analysis” or “business continuity plan” yields substantially more results than “business continuity training.” Yet without effective training, all that hard work will likely either fail or not perform to desired standards during a real disruptive incident.

FFIEC Updates Business Continuity Planning Booklet with Appendix J

Appendix J: Strengthening the Resilience of Outsourced Technology Services

The Federal Financial Institutions Examination Council (FFIEC) recently released an updated version of its Business Continuity Booklet, which is one in the series of booklets that comprise the larger Information Technology (IT) Examination Handbook.

This article provides an overview of Appendix J and discusses its confirmation that continuity planning isn’t limited to just your organization; rather, it extends to all outsourced and supplier relationships as well.

How-To: Effectively Scope Your Business Continuity Program

Early on in the development of a business continuity program, careful, pragmatic scoping can be the difference between quick and appropriate wins and a never-ending planning effort with little capability. Organizations typically build programs due to customer and/or regulatory requirements; however, instead of taking the time to carefully scope and prioritize the business continuity effort (and provide resources accordingly), organizations often take an “all or nothing” approach to planning – plan for every “box on the org chart”, every facility, every application, and every resource. Many organizations do not realize that business continuity can, and often should, initially address an organization’s most critical/time-sensitive products and services, expanding to other parts of the organization over time.

Why Testing and Exercising is Essential for an Effective Business Continuity Program

This post is part of the Business Continuity Awareness Week (BCAW) 2015 flashblog. To learn more about The BCI and BCAW 2015, visit the website or follow the discussion on Twitter via #BCAW2015 and #TestingTimes.

Exercising. Whether you’re talking about hitting the gym or testing your business continuity strategies and plans, I’ve come to find that no one likes hearing this word. The typical reaction and excuses are similar, too: I don’t have the time; I have better things to do; I just don’t see the value.

Well, okay… the last one pertains a bit more to business continuity, but I’m sure you get my point.