Information Security Journal: A Global Perspective

ISSN: 1939-3555 (Print) 1939-3547 (Online) Journal homepage: https://www.tandfonline.com/loi/uiss20

Business Continuity Management: A Standards-

Based Approach

Rama Lingeswara Tammineedi

To cite this article: Rama Lingeswara Tammineedi (2010) Business Continuity Management: A
Standards-Based Approach, Information Security Journal: A Global Perspective, 19:1, 36-50, DOI:
10.1080/19393550903551843

To link to this article: https://doi.org/10.1080/19393550903551843

View supplementary material

Published online: 19 Mar 2010.

Submit your article to this journal

Article views: 1547

View related articles

Citing articles: 16 View citing articles

Full Terms & Conditions of access and use can be found at

https://www.tandfonline.com/action/journalInformation?journalCode=uiss20
Information Security Journal: A Global Perspective, 19:36–50, 2010
Copyright © Taylor & Francis Group, LLC
ISSN: 1939-3555 print / 1939-3547 online
DOI: 10.1080/19393550903551843

Business Continuity Management:

1939-3547 Security Journal: A Global Perspective
1939-3555
UISS
Information Perspective, Vol. 19, No. 1, Feb 2009: pp. 0–0

A Standards-Based Approach
Rama Lingeswara
Business
R. L. Tammineedi
Continuity Management

Tammineedi ABSTRACT Business enterprises are increasingly realizing the importance of

TCS Limited, Hyderabad, India business continuity management (BCM). Availability BS 25999 Standard has
facilitated a consistent methodology that organizations can follow in design-
ing their BCM System. This paper intends to provide a conceptual under-
standing of BCM right from BCM Policy to BCM maturity by describing the
steps involved in the implementation of BCM Standard – BS 25999 – to
ensure business continuity in the event of an outage. The key BCM tasks have
been categorized into three phases of business continuity – Pre-event Prepara-
tion, Event Management, and Post-event Continuity. This paper also high-
lights some of the challenges experienced by the author in carrying out Risk
Assessment and Business Impact Analysis. The Business Continuity Maturity
Model® of Virtual Corporation is provided (with their permission) as a tool to
strengthen business continuity maturity or organizations.

KEYWORDS contingency, crisis, disaster, event, incident, outage, Business Continuity

Management, BCMS, BS 25999, BCM maturity, Business Continuity Maturity Model, BCM
Policy, Business Impact Analysis, BIA, Business Process Risk Assessment, BPRA, Crisis
Management Team, CMT, Emergency Management Team, EMT, Failure Modes and Effects
Analysis, FMEA, Risk Priority Number, RPN, Risk Assessment

INTRODUCTION
Business enterprises increasingly realize the importance of business
continuity management (BCM). The objective of BCM is to ensure the
uninterrupted availability of all key business resources required to support
critical business activities in the event of business disruption and to
expedite a return to “business as usual.” BCM adopts a holistic view and
focuses on the concept of continuity of all key processes, whether manual
or information technology enabled. According to the BCM Survey con-
ducted in 2009 by the Chartered Management Institute, UK, in conjunc-
tion with the Civil Contingencies Secretariat in the Cabinet Office, the
following are the five important drivers pushing the BCM initiatives in
Address correspondence to Rama organizations:
Lingeswara Tammineedi, Information
Risk Management Advisory, TCS
Limited, 16-2-752/21/13, Triveni Nagar, • Corporate governance
Gaddi Annaram, Dilsukhnagar,
• Central government
Hyderabad–500060, India.
E-mail: [email protected] • Existing and potential customers

36
• Legislation
• Regulators
In the absence of an acceptable BCM standard, dif-
ferent organizations used to follow different BCM
approaches to ensure their business continuity. This
has often resulted in unreliable and ineffective busi-
ness continuity plans. The recent publication of BCM
Standard – BS 25999 – by the British Standards Insti-
tute greatly helps organizations adopt a holistic BCM
approach. BCM must be fully integrated into the orga-
nization as an embedded management process.
This paper intends to provide a conceptual under-
standing of BCM, from BCM policy to BCM matu-
rity, by describing the steps involved in the
implementation of BCM Standard – BS 25999 – to
ensure business continuity in the event of an outage.
KEY TERMS
A clear conceptual understanding of the following
key terms will be useful for people involved in busi-
ness continuity management.
• Event: An event is a planned occasion with
unplanned consequences. Typical examples are
meetings of the World Trade Organization (WTO),
the World Bank, International Monetary Fund
(IMF), SAARC, and Olympic Games.
• Incident: Incident is an occurrence (event) resulting
in loss. Typical examples are violent protests, kid-
nap, and hostage. BS 25999-2:2007 defines incident
as “situation that might be, or could lead to, a busi-
ness disruption, loss, emergency or crisis.”
• Contingency: Contingency is a specific system’s
failure or disruption of operations. Typical examples
are ATM system failure or on-line banking system
failure. These are typically short-term failures gov-
erned by problem and event management proce-
dures.
• Emergency: Emergency is an incident requiring an
immediate and significant response. An office fire
or bomb threat is a typical example of an emer-
gency. In some cases, a planned local event may
require advance preparation and elevated vigilance
to avoid an incident. For example, a major sporting
or championship event is typically followed by fan
violence.
37
• Disaster: Disaster is an unplanned event usually
causing denial of access to premises and resulting in
human casualties and great damage to property. Typ-
ical examples are flood and fire. A catastrophic failure
of information technology services can also repre-
sent a disaster. In the words of Brian V. Cummings,
an expert in the area of business continuity plan-
ning, “emergency is event relevant while disaster is
event agnostic.”
• Crisis: Crisis is an occurrence which threatens the
integrity, reputation, or survival of an individual or
organization. Typical examples are product recall or
secret tapes (e.g., Watergate).
• Outage: Outage is an event which causes a signifi-
cant disruption to, or loss of, key business processes.
The concept of an outage has both time dimension
and business process dimension. An outage is differ-
ent from other business interruptions such as the
one arising from a service or technology failure (e.g.,
systems downtime, communications link failure)
which needs to be restored with the help of a service
provider.
THE BCM STANDARD
The British Standard 25999 establishes the process,
principles and terminology of business continuity
management. The purpose of this Standard is to
provide a basis for understanding, developing, and
implementing business continuity within an organiza-
tion and to provide confidence in the organization’s
dealings with customers and other organizations.
BS 25999 is written in two parts:
Part 1, the Code of Practice, outlines the standard’s
overall objectives, guidance, and recommendations. It
is this part that replaced PAS56.
Part 2, the Specifications, details the requirements
for a BCM System (BCMS) and will be auditable,
enabling organizations to demonstrate compliance to
the standard. It is this part against which third party
certification will be available.
BS 25999-1 is organized into the following
sections:
• Scope and applicability
• Terms and definitions
• Overview of business continuity management
(BCM)
• The business continuity management policy
Business Continuity Management
 • BCM Program management
• Understanding the organization
• Determining business continuity strategy
• Developing and implementing a BCM response
• Exercising, maintaining, and reviewing BCM
arrangements
• Embedding BCM in the organization’s culture
BS 25999-2 is organized into the following sections:
• Scope
• Normative references
• Definitions/terms
• Planning a BCMS
• Implementing and operating the BCMS
• Monitoring and reviewing the BCMS
• Maintaining and improving the BCMS
The balance of the paper describes the steps involved
in the implementation of the BCM Standard.
BCM POLICY
The stage for implementation of BCM Standard
can be set by defining an organizational BCM policy.
The objective of a BCM policy is to provide a frame-
work for establishing and maintaining the business
continuity capability of an organization. A BCM pol-
icy is a high level statement of management intent
that describes the scope, objectives, and governance of
BCM in the organization, roles and responsibilities,
and the activities that are required to achieve the
objectives.
The following is a sample BCM policy:
The BCM program of <Company Name> covering the
entire organization shall be handled by a dedicated BCM team
which will develop, implement and maintain appropriate BC
Plan, procedures and arrangements to protect the organiza-
tion’s people, processes, information and supporting technol-
ogy duly adhering to the applicable standards and regulations.
All business and technology entities, including their critical
third-party vendors are required to support the BCM program
and develop and fund relevant business continuity plans and
capabilities.
The BCM policy should be appropriate to the
nature, scale, complexity, geography, and criticality of
the business and must reflect the organizational cul-
ture, mission, vision, and operating environment. The
BCM policy embeds BCM into the organizational
R. L. Tammineedi
culture by providing the framework for supporting the
need and requirement for cultural change. The BCM
policy and the strategy to implement it must be
approved by executive management. The policy
should be subjected to annual review along with other
BCM documentation.
BCM ORGANIZATION
BCM should be business owned and business
driven. A dedicated business continuity management
team is required to facilitate the continuation of busi-
ness operations efficiently in the event of business dis-
ruption. The team should consist of people who
understand the organization — its business, technology,
processes, and business risks. The team collectively
provides the expertise within the organization. Critical
business functions should collaborate with their IT
application support teams to prepare a comprehensive
and cohesive business continuity plan. The business
continuity management team should be hierarchical
in nature. It should be composed of people with
relevant experience and skills. Figure 1 describes a typ-
ical BCM organization for small and medium-size
enterprises.
The roles and responsibilities of the constituents of
the BCM organization are as follows.
Crisis Management Team (CMT)
The protection of personnel and assets and contin-
uation of critical functions of the organization are the
responsibility of senior management. Their support
and involvement are essential and critical for the suc-
cess of the business continuity management. Senior
management will act as the crisis management team
(CMT), also known as the emergency management
team (EMT). The role of a CMT in any disaster sce-
nario is to provide leadership in deciding and imple-
menting the business continuity plans, to ensure
damage control/containment due to the disaster
event, and to facilitate continuity for critical opera-
tions. Further, it has to coordinate effective recovery
so that the “normal” state of business can be restored
at the earliest.
The idea of a CMT transcends the BCM organiza-
tion and addresses business crises beyond business
continuity. Business continuity leverages the CMT for
38
 FIGURE 1 Typical BCM organization structure.
executive leadership and facilitation. As an example of
a non-BCM crisis, consider a major security breach at
a banking/financial company that compromises a
large number of customer records. The business is still
operating but faces a major crisis in terms of technol-
ogy, public relations, legal, and financial impact.
CMT comprises the heads of departments of business,
marketing, and support functions (e.g., service deliv-
ery, marketing, IT, risk and compliance, HR, adminis-
tration/security, finance).
Business Continuity Manager
The primary responsibility of the business continu-
ity (BC) manager is to oversee the development and
test of viable business continuity plans. The other
major responsibilities of a BC manager include:
• Ensure that the recovery team members are trained
adequately to handle their responsibilities in a disas-
ter scenario.
• Obtain and maintain contact lists of key employees,
BCM organization, vendors, partners, and public
authorities.
• Maintain copies of all appropriate vendor agree-
ments. Liaison with hardware vendors as per agree-
ments in force.
• Coordinate DR activities in the event of a disaster
and ensure high level adherence to the DR proce-
dures documented in the BC plan.
39
An organizations should designate a suitably qualified
senior employee as its BC manager and another senior
person as backup BC manager.
Media/PR Manager
Public relations function is critical during a disaster
event. The media can make or break even the best
efforts by an organization. Only a person with media/
journalistic experience should be allowed to act as an
official spokesperson. All other employees should be
instructed not to speak to the media or any other peo-
ple in the case of a disaster event. However, employees
with technical expertise can assist the official spokes-
person in dealing with the media. Media responsibili-
ties include the release of announcements to
employees on the status of the recovery effort and the
expectations of the enterprise in regard to employee
status reporting and assistance.
Damage Assessment and
Salvage Team
The damage assessment and salvage team is respon-
sible for determining the state of the original site, or
trying to salvage any equipment or data that might be
salvageable, and mitigating damage at the primary site.
This depends on prompt realization of what is salvage-
able and what is not. Repair and replacement orders
will be filled for what is not in operational condition.
The duties of this team include:
Business Continuity Management
• assisting in the immediate damage assessment/sal-
vage operation
• preparing inventory of damaged and undamaged
items
• salvaging equipment and supplies
• helping in settling property/insurance claims
This team is the first to arrive at the primary (disaster)
site. Team members provide preliminary damage
assessment information to the BC manager and CMT
to enable them to make a decision regarding invoca-
tion of the BC plan. This team then conducts a
detailed damage assessment and salvage operation and
documents the findings.
IT Recovery Team
The IT recovery team plays a major role in restoring
the network and IT services and possibly telephony.
All technical and logistical activities associated with
the restoration of needed network and IT service are
carried out by this team. This team ensures the avail-
ability and functionality of critical software and other
utilities in the restored system environment. At a min-
imum, IT has a fiduciary responsibility to restore all IT
services as soon as possible to a state of business as
usual. Beyond that, IT has a responsibility to support
the incremental continuity requirements of critical
business processes.
Communications Recovery Team
This team is responsible for restoring the voice
communications services, including telephone,
mobile, fax, and so forth. This team also works closely
with the IT recovery team to bring up data network
service at the DR site.
Support Team
The support team is responsible for ensuring the
availability of the support functions in a disaster sce-
nario. These functions include:
• Building management and facility support at the
DR site and repair and restoration of primary site
• Finance, funding, and procurement
• Human resources and personnel tracking
R. L. Tammineedi
• Travel arrangement for the personnel/food and
accommodation facility for relocated personnel
• Telephone forwarding /mail and delivery service
rerouting
Ideally, teams would be staffed with the personnel
responsible for the same or similar operations under
normal conditions.
APPROACH AND METHODOLOGY
Guided by the BCM policy, the BCM organization
strives to establish and maintain the business continu-
ity capability of an enterprise. The entire gamut of
BCM activities can be discussed in terms of three
phases. Figure 2 describes the three phases of business
continuity and the important activities of each phase.
The important activities of the above three phases
are as follows.
Pre-event Preparation
The following are the pre-event preparation activities.
Site Risk Assessment
Site risk assessment focuses on risks to the physical
locations (premises). Physical location is one of the
critical resources that facilitate execution of business
critical activities. There is a fiduciary responsibility to
assess and mitigate site physical and environmental
risks. However, risk assessments should not be per-
formed across all business processes but only for those
that have high criticality. As such, the BIA becomes a
focusing lens to prioritize and invest in business pro-
cess risk assessment in addition to higher availability
business continuity strategies and solutions.
The important areas that should be covered during
site risk assessment include:
• Building protection measures (e.g., perimeter, secu-
rity guards, CCTV, intruder detection system, build-
ing construction code, fire-rating of walls, running
water pipes, overhead water tank)
• Fire detection and suppression measures (e.g.,
smoke and fire detection systems, fire suppression
systems)
• Neighborhood (e.g., neighboring industries, military
areas, hotels, bus station, railway station, air port,
40
 FIGURE 2 The three phases of business continuity.
FIGURE 3 Key elements in a risk assessment.
dams, lakes, reservoirs, public access, highways,
overhead high power transmission lines)
Figure 3 describes the key elements in a risk assessment.
There are different methodologies to carry out risk
assessment. When failure modes and effects analysis
(FMEA) methodology is used for doing risk assessment, a
parameter called risk priority number (RPN) is com-
puted. It is a product of three attributes of risk — severity,
41
likelihood, and nondetectability — that are given equal
weight. If RPN alone is used to denote risk acceptance
criteria, it may result in a scenario of making unneces-
sary investment for low severity risks. To avoid this,
another parameter called “criticality,” a product of
severity and likelihood, is suggested. Table 1 illustrates
three risk scenarios with same RPN number.
Risk #2 in Table 1 is more critical than the other
two risks. When risks are prioritized for treatment, this
risk should be given higher priority than the other
two risks that have equal RPN values. Therefore, the
effective way of establishing risk acceptance criteria is
to use both RPN and criticality.
Carrying out building-wise risk assessment may not
be sustainable in the long run in some cases. For exam-
ple, some organizations may not have a single owner for
a building (such as a data center), where each team
takes care of its own systems; there will be common
TABLE 1 Illustration of three risk scenarios.
Risk # Severity x Likelihood x Nondetectability = RPN
1 1 5 5 = 25
2 5 5 1 = 25
3 5 1 5 = 25
Business Continuity Management
units/agencies providing facilities management (e.g.,
physical security, cleaning, cooling, heating). In such
cases, adopting a service/product based approach for
risk assessment is more effective and sustainable. This
will be in line with BS 25999 requirement of evaluat-
ing threats to critical activities. Activities support the
delivery of products/services within an organization.
Each team will carry out risk assessment for resources
such as people, premises, information technology, sup-
plies, and stakeholders. A central team such as business
continuity management organization can coordinate
the risk assessments, consolidate and analyze the
results, and facilitate selection, approval, and deploy-
ment of risk mitigation measures at organizational level.
Business Impact Analysis
Business impact analysis (BIA) is the foundation of
business continuity planning. The four key objectives
of BIA are as follows:
i. Determine the potential impact to the organiza-
tion in the event of an outage.
ii. Identify critical services/processes and their maxi-
mum tolerable period of disruption (MTPoD),
recovery time objectives (RTOs), and recovery
point objectives (RPOs).
iii. Determine the sequence of recovering business
functions and data in the event of an outage.
iv. Identify recovery strategies, minimum resources,
and vital records that are necessary for business
continuity.
The definition of MTPoD by BS 25999 is incomplete
and open to a variety of interpretations. In June 2009,
the BSI committee responsible for BS 25999 has
approved a “corrigendum” that clarifies the intended
meaning of this term by revising the definition of
MTPoD as follows:
Duration after which an organization’s viability will be irre-
vocably threatened because of the adverse impacts that would
arise as a result of not providing a product/service or perform-
ing an activity.
However, this definition does not seem to be rele-
vant for utility companies such as power generation/
distribution companies and organizations that control
all or most of the market for a product or service (e.g.,
monopoly, duopoly).
R. L. Tammineedi
In order to gain proper perspective on the relative
importance of individual business functions and pro-
cesses, the BIA should be conducted assuming a “worst
case scenario” that affects most or all of the business
functions at a critical business location. An approach
that focuses discretely on each business unit will likely
result in the identification of criticalities skewed to
high-availability, and high-cost, to the detriment of
the program and the organization. BIA is consequence
independent. It refocuses on the effect rather than the
event that caused the effect. The following are the
important activities in a BIA:
• The BIA should be performed at each enterprise
locations.
• Evaluate functional areas of the business or pro-
cesses to determine and measure potential implica-
tions/impacts arising from their unavailability.
• Identify the business processes performed by each
business unit, and rate the level of importance of
each business process based upon the impact of its
unavailability and its priority for recovery.
• Carry out a business process analysis to obtain a
detailed understanding of the workflow, interdepen-
dencies, day-to-day processing requirements, and
dependencies on external entities so that appropri-
ate recovery strategies could be developed. Another
key consideration is identification of the time sensi-
tivity of the business processes/applications by con-
ducting a business cycle analysis in order to gain an
understanding of the worst time for a disaster, best
time to make major business changes, and best time
to test and update plans.
• Identify the MTPoD for services/products and
determine the costs associated with downtime.
• Identify the MTPoD for critical processes and deter-
mine the costs associated with downtime.
• Define recovery time objectives (RTO) and recovery
point objectives (RPO) of all business processes. BS
25999-2:2007 defines RTO as “target time set for
resumption of product, service or activity delivery
after an incident.” The RTO has to be less than the
MTPoD. Otherwise, data recovery would not occur
in sufficient time to support the RTO. An RPO
specifies the point in time to which a system’s data
must be restored after an outage. In other words, an
RPO specifies in time (minutes, hours, days) how
much data loss can be tolerated. Generally, data loss
42
 tolerance and recovery time decrease with the need
for higher availability. That is, the higher the data
availability, the lower the RTO and RPO.
• Analyze the business continuity strategies of busi-
ness units, their strategy implementation, and
requirements of each key business process.
• Identify the resource requirements for those busi-
ness processes that are to be conducted at a business
recovery/alternate site.
• Identify the vital records/critical files needed for
recovery by each business unit.
• Validate the BIA results and information with
respective process owners.
• Obtain management approval for BIA results.
The traditional approach of interviewing business
managers of all functions is tedious and time consum-
ing. A faster alternative would be to consult key ser-
vice delivery heads and business process owners and
develop a process matrix to identify the criticality of
the services and processes and their corresponding
MTPoD values. These MTPoD values will be used to
derive RTOs of the business processes.
The two challenges one may encounter in conduct-
ing BIA are as follows:
1. Each business function is approached as a discrete
entity rather than as part of an enterprise. Everyone
will overstate the importance of their work. Man-
agement of individual business functions will give
an entirely different answer about their relative
importance in the context of a broader disaster
impact. This kind of approach will ultimately skew
all BIA findings to higher availability and higher
cost of strategies and solutions; and lead to a signif-
icant and consistent failure of BIA efforts. BIA has
to be approached in the context of a sitewide disas-
ter that affects all business functions at the site.
2. BS 25999 expects senior management to be actively
involved in BIA. In some organizations, senior
management may prefer to understand the ground
realities before committing any values for MTPoD/
RTO, as they are aware of the financial implications
of their decisions. In such cases, it makes sense to
break BIA into two parts, Part 1 and Part 2. Part 1 of
the BIA has to be conducted with senior manage-
ment to obtain MTPoD values for all services/
products and respective functions supporting the
43
delivery of the services/products. Part 2 of the BIA
has to be conducted in a more detailed way with
operational management at the department level to
identify department specific MTPoD values and
RTOs. The department specific MTPoD values
given by senior management should be treated as
preliminary values and need to be validated by
operational management of the respective depart-
ments. Any difference in MTPoD values of senior
management and operational management need to
be resolved by achieving consensus of opinion.
The challenge relating to RPOs and data recovery
is that most organizations overlook important
aspects that can lead to recovery delays. Issues
include backup process, backups managed by differ-
ent business units, availability of data backup, reli-
ability of backup media, data serialization, and
application processing capacity limitations. Failure to
address these can lead to critical failures in data
recovery and meeting RTOs. To give an example, in
one of the organizations I worked for, the backup
administrator could not notice on one day the
backup tool’s failure to back up critical data. When
the backup data was restored later (before the next
backup), the data of a few thousands subscribers
added during the period were lost.
Business Process Risk Assessment
Business process risk assessment (BPRA) cannot
be economically performed across the enterprise.
Driving from the BIA, the BPRA is performed for
critical and important business functions identified
during BIA. These business functions/processes that
support the products and services of an organization
are executed by or with the help of resources such as
people, premises, technology, information, supplies,
and stakeholders. While the site risk assessment
focuses on risks to premises, the BPRA evaluates the
risks to the other resources (e.g., people, technology,
information, supplies, stakeholders) and their impact
on the business functions/processes, identifying single
points of failure (SPOF) that could lead to a disrup-
tion of service. After identifying risks, appropriate
countermeasures should be identified, evaluated,
and implemented to lower the risks to acceptable
levels.
Business Continuity Management
Business Continuity Plan
The business continuity plan (BCP) document is
intended to serve as the centralized repository for the
business continuity information, roles and responsibil-
ities, tasks, and procedures tht will facilitate timely
response to a disaster interfering with the critical busi-
ness processes. The collection of BC plans should be
owned by the business continuity manager. Its copies
should be stored off site and at the residences of the
business continuity manager, emergency response
team, and business continuity teams. The contents of
a typical BCP are provided in Appendix A.
Vendor Agreements
It is essential to prepare and maintain a list of major
vendors of equipment and services that support the
organization. All the vendors in the list are considered
critical. The organization has to enter into arrange-
ments with its vendors based on RTOs and RPOs.
Appropriate service level agreements should be
entered into with these vendors. Organizations can
also incorporate in the SLAs their right to audit BCM
readiness of vendors to address supply chain risks. For
example, a leading supplier of networking equipment
periodically conducts BCM audits to assess the disas-
ter preparedness of its suppliers.
Awareness and Training
The content and the timing of BCM awareness and
training requirements vary depending upon the roles
different categories of employees play. An indicative
list of roles is as follows:
• Executive management and BCP steering committee
• Crisis management team
• Functional managers
• BCM implementation teams
• Internal auditors
• General employees
Testing and Exercising
Testing and exercising is a way to evaluate and con-
firm the soundness of policies and procedures through
in-depth discussions, training, and drills. Exercises are
conducted with the objective of reviewing the
R. L. Tammineedi
• risk profile of the facilities and business processes,
• adequacy of existing risk mitigating mechanisms,
• ability to meet the RTOs, and
• disaster recovery procedures.
It is important to conduct testing in a way that exer-
cises the defined business continuity plan. Avoid the ten-
dency to develop a separate and unique “testing” plan.
Exercises improve organizational disaster readiness by:
• providing a way to evaluate operations and plans,
• clarifying roles and responsibilities,
• developing individual performance, and reinforcing
teamwork, and
• improving inter-departmental coordination.
There are two types of exercises:
i. Discussion based: Discussion-based exercises
(e.g., tabletop exercise, workshop) are discussion
oriented and include simulations (e.g., games),
which focus on analysis of “what-if” scenarios.
ii. Operations based: Operations-based exercises
(e.g., drill, functional exercise, full-scale exercise)
are action-oriented requiring deployment of
resources and personnel.
Exercises should be conducted in a phased manner
starting with simple exercises and progressively adding
complexity. Exercises should be conducted at least
once a year. The exercise results should be docu-
mented and communicated to executive management.
Review and Maintenance
BCM arrangements should be reviewed by executive
management and internal or external auditors. The
BCM review process should be defined and docu-
mented in the BC plan. The purpose of the review is to
verify the organization’s BCM capability and to ensure
its continuing suitability, adequacy, and effectiveness.
The BCM maintenance process should be defined
and documented in the BC plan. The purpose of the
BCM maintenance process is to ensure that the orga-
nization’s BCM competence and capability remains
effective, reliable, and up to date. The maintenance
process should cover training and skills of the BCM
organization, risk management, and update of the BC
plan with organizational changes.
44
 Event Management
When disaster strikes, the following activities are
carried out to manage the disaster event:
Emergency Response
The main objectives of emergency response are
twofold:
i. to ensure safety of people and protection of assets
and
ii. to monitor and coordinate emergency response
efforts.
Emergency response activities include notification
and evacuation of building occupants, notifying pub-
lic safety authorities (e.g., police, fire), medical treat-
ment, and damage mitigation. These emergency
response activities are carried out with the help of a
Command Post and Emergency Operations Center
(EOC). A command post is set up at the disaster site
to provide overall direction and unify all emergency
response efforts at the disaster site. EOC is set up (in
case of major disasters) away from the disaster site to
monitor and coordinate emergency response efforts
at organizational level. EOC should be represented
by top management with the authority and experi-
ence necessary to facilitate flexible and innovative
decision making required in disaster scenarios. Emer-
gency response procedures/guidelines should be a
separate document that is maintained and readily
available on site in the case of an emergency. Business
continuity plans, on the other hand, are maintained
off site.
Coordination with Public Authorities
After initiating emergency response, public safety
authorities (e.g., police, fire, Emergency Management
Services) should be notified of the disaster. These
agencies take control of the command post once they
arrive at the disaster scene. A senior employee should
be tasked with the responsibility of coordinating with
the public authorities.
Damage Assessment
Damage assessment involves assessment of extent
of damage. It is typically carried out in two phases. In
45
the first phase, preliminary damage assessment is done
to determine what recovery options need to be acti-
vated and to facilitate the CMT decision with regard
to invocation of the BC plan. In the second phase, the
damage assessment activity is a comprehensive evalua-
tion of damage to equipment, facilities, and records.
The damage assessment activity is handled by the
damage assessment and salvage team. This team
should be multidisciplinary in nature and composed
of a mechanic, electrician, plumber, medical assistant,
and infrastructure/information technology personnel.
Salvage Operations at Primary Site
The insurance companies with which the organiza-
tion has policies must be notified of disaster and given
an opportunity to investigate the facilities before
beginning salvage operations at primary site. The sal-
vage operations deal with salvaging hardware, facili-
ties, and documentation and require specialized skills.
Different equipments require different salvage treat-
ments. Therefore, the salvage procedures should pro-
vide general guidelines. The damage assessment and
salvage team should have the contact information of
and access to salvage experts. Proper documentation
of salvage operations should be maintained to comply
with insurance and legal requirements, if any.
Operations from Secondary Site
While salvage operations at primary site are going
on, critical business operations should be resumed at
the secondary site by following the predefined disaster
recovery procedures. The following are the different
types of alternate secondary sites:
i. Cold site: Alternate site devoid of any resources,
but is equipped with air-conditioning, electrical
wiring, uninterruptible power supply (UPS), and
communication facilities.
ii. Warm site: Partially equipped alternate site.
iii. Hot site: Alternate site with equipment and
resources to recover the critical business functions
in case of a disaster.
Alternate secondary sites are available as a sub-
scribed service. An often overlooked continuity
requirement is the need to network the backup IT site
to a backup business site. Assure that your business
Business Continuity Management
continuity plan assumes that all functions at a loca-
tion are displaced. If corporate functions and IT oper-
ate normally from the same location, then IT must
network to the corporate recovery location. Reliance
on work area recovery locations may prove insuffi-
cient to meet the needs of the enterprise.
Public Relations
Public relations during disaster should be handled
from the disaster site by trained/experienced official
spokesperson in accordance with a predefined plan.
The official spokesperson should perform appropri-
ately for the media to prevent any media crisis.
Insurance Cost Tracking
Due care should be exercised by the damage assess-
ment and salvage team to comply with the insurance
companies’ requirements. The team should take pic-
tures of the disaster site and damaged equipment, facil-
ities, and documentation. The team should estimate
the repair costs. The team should be aware of what the
insurance policy requires in the event of loss, and what
types of records and documentation are required by
the insurance company. Otherwise, the organization
will not be able to adequately support its insurance
claims, which can result in delayed or smaller settle-
ments. If an enterprise is insured by an independent
insurance carrier, care should be taken to prepare a
thorough accounting of losses and salvaged assets.
Postevent Continuity
The following are the activities that are carried out
after the disaster event.
Restoration of Operations at Primary Site
After the disaster, and when the primary site stabi-
lizes, a return to normal notification (called stand
down) should be issued to all employees. Restoration
of operations at the primary site should start with the
least critical business functions in order to avoid any
impact on the critical business functions. The disaster
should be treated as over only when all business func-
tions are restored at the primary site. The stand down
can be prepositioned with employees to relieve the
requirement for specific notification. In this approach,
employees are advised in advance of a catastrophic
R. L. Tammineedi
disaster to stand down until further information is
communicated by management via the media, or until
designated recovery team members are activated.
Review
The business continuity plan should be reviewed peri-
odically to ensure it remains current, effective, reliable,
and consistent with management expectations. Reviews
can be internal audits or management reviews. The
review should take place whenever there are changes in
business, business strategy, contact lists, or IT environ-
ment. The sources of such changes include exercise
results, strategic business meetings, takeover/merger, and
change management meetings. Since senior management
has the insight into various organizational issues and can
correlate with operations and plans in the pipeline, it
should devote a few hours every quarter to review BCM
program and provide appropriate strategic direction.
Plan Update
The business continuity plan should be updated as
a result of changes identified during the review. The
areas typically updated include contact lists, employee
contact details in call trees/automated solutions, per-
sonnel and assigned recovery tasks, backup, and recov-
ery procedures. The typical triggers for BCP update are
either calendar or event based.
Calendar Triggers
BCP should be reviewed and updated once a year or as
defined in the business continuity management policy.
Event Triggers
BCP requires updating when certain events occur.
These events include but are not limited to:
• Organizational restructuring
• Business plan changes
• Policy/standard changes
• Legal/regulatory changes
• Equipment and system changes
• Location or facilities changes
• Product changes
• Procedure changes
• Vendor changes
• Audit observations
46
Insurance Settlement
The records and documentation that are generated
during the insurance cost tracking task of the event
management phase should be used to submit insur-
ance claims. The best time to do such a review is pre-
ceding a peak business period.
DISASTER RECOVERY STRATEGIES
The recovery time objectives (RTO) of the business
functions/processes identified during BIA should
guide the selection of alternative disaster recovery
strategies for recovering the business processes and
information technology within the stipulated RTOs
and continuing the organization’s critical business
functions. Disasters cannot be averted. However, orga-
nizations can adopt the following two-pronged busi-
ness continuity strategy approach to enhance their
resilience and ensure business continuity:
i. Treat the risks identified in risk assessment to
reduce the likelihood of a threat causing an inter-
ruption and mitigate the severity of an interrup-
tion should the threat materialize.
ii. Develop response processes including emergency
response and incident management to enable
management to react swiftly to an event, protect-
ing people and resources.
Table 2 describes the various alternative disaster recov-
ery options.
One or more of a combination of the above disaster
recovery options can be used by organizations
TABLE 2 Disaster recovery options.
Recovery options*
• Do nothing
• Degrade services or defer actions
• Process manually
• Provide alternative source of products
• Build a fortress
• Provide continuous processing
• Provide multiple processing site
• Provide alternate site, which may be cold, warm,
hot, mobile, mirrored or a combination of these
• Draw up quick re-supply contracts
*Source: Developing Recovery Strategy for Your Business Continuity Plan by Dr. Goh Moh Heng. 2005 (with permission)
47
depending on their line of business, complexity of
processes, and regulatory requirements. Organizations
need to weigh the pros and cons of alternative recov-
ery strategies and the costs involved before selecting a
recovery option for implementation.
BUSINESS CONTINUITY PLAN
CONTENTS
A business continuity plan should be designed
and developed based on an organization’s unique
requirements. However, any BCP should address cer-
tain key elements, including:
• Scope, objectives, and limitations of the plan
• BCM organization, roles, and responsibilities
• Escalation, notification, and plan activation
• Business functions and their MTPoDs, RTOs, and
RPOs
• Detailed recovery, resumption, and restoration
procedures
• Vital records and off-site storage program
• Vendor contact lists
• Review and update of the plan
The above key elements should provide detailed infor-
mation on who owns the BCM program; who exe-
cutes recovery actions; what is needed to recover,
resume, continue, or restore the business functions;
where are the alternate sites to resume the business
functions;, and how are the business functions recov-
ered, resumed, continued, and restored.
• Provide offsite storage
• Telecommute or work from home
• Structure reciprocal agreements
• Maintain buffer stock
• Provide replacement only
• Provide additional capacity
• Design and develop resilience
• Implement skill backup or cross training program
• Transfer risk via insurance arrangement or
contractual agreement
Business Continuity Management
 Call tree is a traditional emergency notification
mechanism and may not be effective when the
call tree is large. Newer, more effective alternatives
include Web-based systems that can reach multi-
ple employees simultaneously by phone and
SMS and that enable employees to log in and
declare their status and availability to support BCP
activities.
Appendix A provides an outline of a typical busi-
ness continuity plan.
BUSINESS CONTINUITY
MANAGEMENT MATURITY
Implementing BS 25999 Standard enables organiza-
tions achieve an effective BCM program. The thought
here is that a company is expected to execute normal
operations without failure; it is how the enterprise
responds to the unusual event that achieves differenti-
ation. However, organizations desirous of achieving a
competitive edge will be interested in objectively
benchmarking their BCM program against other orga-
nizations in their industry. This can be achieved using
a BCM measurement tool called the Business Conti-
nuity Maturity Model®. Figure 4 (used with permis-
sion from Virtual Corporation) describes six levels of
increasing business continuity competency maturity
FIGURE 4 Business Continuity Maturity Model®.
R. L. Tammineedi
levels and corresponding characteristic corporate
BCM competencies.
Legend:
• VL—Very low
• L—Low
• M—Mediums
• H—High
A brief description of the six Business Continuity
Management Maturity levels follows:
Level 1: Self-governed — BCM has not yet been
recognized as strategically important by senior manage-
ment. Individual business units manage business conti-
nuity of their critical functions on an ad-hoc basis.
Level 2: Supported Self-governed — At least one
business unit or corporate function has recognized the
strategic importance of business continuity and has
begun efforts to increase executive and enterprise-wide
BCM awareness with the support of an internal/exter-
nal BCM professional. The state of preparedness may
be moderate for participants but remains relatively
low across the enterprise.
Level 3: Centrally governed — Several business
units constituting a majority of the enterprise have
established a BCM program with tacit support from
the senior management. They have achieved a high
state of disaster preparedness. A business case for
48
enterprise-wide BCM program has been initiated for
senior management consideration.
Level 4: Enterprise awakening — Senior manage-
ment understands the strategic importance of enter-
prise-wide BCM program and is committed to it.
BCM policy, practices, and processes are being stan-
dardized across the enterprise. All critical business
functions have been identified, and continuity plans
for their protection have been developed, tested, and
maintained.
Level 5: Planned growth — All business functions
have been identified, and continuity plans for their
protection have been developed, tested, and main-
tained. Senior management has actively participated
in crisis management exercises. Regular communica-
tion and training programs exist to sustain a high level
of business continuity awareness. A multiyear plan has
been adopted to ensure organizational resilience and
mature BCM program across the enterprise.
Level 6: Synergistic — Sophisticated business
protection strategies are formulated and tested success-
fully by all business units. Cross-functional coordina-
tion has enabled the business units to develop and
successfully test upstream and downstream integration
of their business continuity plans. Scrupulous adher-
ence to company’s change control mechanisms and
continuous process improvements enable high state of
disaster preparedness, even though the business envi-
ronment continues to change radically and rapidly.
Levels one through three represent organizations
that have not yet completed the necessary program
49
basics (covering senior management commitment,
professional support, and governance) needed to
launch sustainable enterprise BCM program. Levels
four through six represent the evolutionary path of the
maturing enterprise BCM program. Organizations
need to maintain momentum of the BCM program to
ensure that they do not fall back from higher maturity
level to a lower maturity level.
Embedding BCM in the organization’s culture is a
key requirement of BS 25999. This enables BCM to
become part of the organization’s core values and
instills confidence in all stakeholders in the ability of
the organization to cope with disruptions. Achieving
higher BCM maturity levels will result in enhanced
BCM culture.
ACKNOWLEDGEMENTS
The author wishes to thank Brian V. Cummings
and P V S Murthy for comments and feedback on ear-
lier draft of this paper.
REFERENCES
Chartered Management Institute. UK’s 2009 business continuity
management survey. Available from: http://www.managers.org.uk/
download_1.aspx?id=10:2224&fid=10:2615&file=client_files/user_
files/Woodman_31/Research files/BCM09 Final Report 09
March.pdf
Heng, G.-M. (2005). Developing recovery strategy for your business
continuity plan.
Business Continuity Maturity Model of Virtual Corporation. (2003).
Available from: http://www.virtual-corp.net/
Business Continuity Management
 APPENDIX A: BUSINESS CONTINUITY PLAN OUTLINE
The following table describes the outline of a typical business continuity plan.

S. No. Name of Chapter Topics to Cover

01 Introduction • BCM policyScope

• Objectives
• Assumptions
• Limitations
• Organization of the document
• Distribution
• Review, ownership, and change/version control
02. BCM organization • Organization structure
• Roles and responsibilities
• Crisis management team
• BCM implementation teams
03. Notification and activation • Recognition and notification
• Escalation and emergency notification Mechanism (call tree/
automated solution)
• BCM implementation teams activation
• Assembly point
04. Disaster recovery procedures • Failure scenarios
• BCM implementation teams action plans
05. Plan maintenance and testing • Education and training
• Exercising the plan
• Reviewing the plan
• Internal audit
• Management review
• Maintaining the plan
06. Appendices • (Call tree/automated solution procedure)
• Contact lists
• Checklists
• Event log
• Media notification
• Templates
07. Acronyms and glossary • Acronyms
• Glossary

R. L. Tammineedi 50