Business Continuity is one of many disciplines that helps organizations to become more resilient – that is, to increase an organization’s capacity to adapt to evolving circumstances and survive (or even thrive) during periods of disruption or change. Other related disciplines – such as Information Security, IT Disaster Recovery, Emergency Management, Enterprise Risk Management, and Physical Security –ultimately have the same strategic purpose. The goals and objectives of the individual disciplines may be more focused, but if we, as practitioners of these disciplines, force ourselves to look outside the artificial walls we sometimes build around our responsibilities, we should find that we are striving for something bigger than we can deliver on our own. Continue reading
The business impact analysis (BIA) establishes the foundation of an organization’s business continuity program by establishing business continuity requirements. As a result, a significant part of Avalution’s work involves helping organizations design and execute the BIA process. Furthermore, a well-executed BIA can deliver so much more than just a list of recovery time objectives (RTOs) and recovery point objectives (RPOs)! Continue reading
This article provides an overview of GPG Professional Practice 3 (PP3) – Analysis, which is the professional practice that “reviews and assesses an organization in terms of what its objectives are, how it functions, and the constraints of the environment in which it operates”.
PP3 introduces and addresses the business impact analysis (BIA) as a primary means of analysis, leading to appropriate business continuity requirements. PP3 identifies the following beneficial outcomes from the BIA: Continue reading
Early on in the development of a business continuity program, careful, pragmatic scoping can be the difference between quick and appropriate wins and a never-ending planning effort with little capability. Organizations typically build programs due to customer and/or regulatory requirements; however, instead of taking the time to carefully scope and prioritize the business continuity effort (and provide resources accordingly), organizations often take an “all or nothing” approach to planning – plan for every “box on the org chart”, every facility, every application, and every resource. Many organizations do not realize that business continuity can, and often should, initially address an organization’s most critical/time-sensitive products and services, expanding to other parts of the organization overtime. Continue reading
Business continuity planning is inherently cross-functional with a necessity to address risks to an organization’s product and service offerings, as well as the resources necessary to meet obligations. As organizations increasingly rely on a global network of suppliers and service providers, business continuity practitioners have the responsibility to understand and analyze these relationships and lead strategy identification efforts to protect their organization when faced with a third-party disruption.
Developing and implementing business continuity strategies and risk treatment options related to third parties can be a difficult endeavor because strategies may seemingly contradict an organization’s strategic efforts to leverage single-source suppliers, make supply chains “lean”, and reduce stored inventory levels. However, business continuity practitioners must provide top management with the information needed to balance strategic initiatives with the need to reduce single points of failure and protect an organization should a resource become unavailable.
This perspective discusses the tools available to identify and document third-party resources and methods by which risks can be presented to top management for review and action. Continue reading
This perspective is the eighth in a series to discuss key elements of the ISO 22301 business continuity management system, including value-adding elements of the standard or requirements that could “trip up” an organization during the certification process.
Today we’re going to take a look at ISO 22301’s requirements regarding corrective actions.