
Business Continuity Management Overview

The document provides an overview of Business Continuity Management (BCM) and its importance in ensuring organizational resilience against disruptions. It outlines the key components of a Business Continuity Management System (BCMS) as per ISO 22301, including leadership support, risk assessment, and the establishment of BCP procedures. The document emphasizes the need for a structured approach to manage business continuity effectively and safeguard stakeholder interests.

Uploaded by edward mpangile

BCM OVERVIEW

Abamwesiga Beneth
BSc. Electronics and Communication Sciences (
MBA Information Systems and Financial Institutions
Certified ISO22301 BCM Lead Implementer

3+ years in ICT Consulting
15+ Years in BCM Management
8+ Years in Occupational Health and Safety
Agenda

▪ What is Business Continuity
▪ Business Continuity Management Systems
▪ ISO 22301 - BCMS
▪ BCM Organization Context
▪ Leadership and Management Support
▪ BCP Policy
▪ BIA and Risk Assessment
▪ BCP Procedures

Defining Business Continuity…

Business-driven process that establishes a fit-for-purpose strategic and tactical framework that:
❑ Proactively improves an organization’s resilience against the disruption of its ability to achieve its key objectives
❑ Provides a rehearsed method to restore the ability of supplying the key products/services in case of disruption
❑ Delivers a proven capability to manage a business disruption and protect the organization’s reputation and brand

Defining Business Continuity…

Capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident

Business Continuity Management Systems - ISO 22301 Clause 3.3


Business Continuity Management

▪ The holistic management process
▪ That identifies potential threats to an organization
▪ And identifies impacts to business operations of those threats
▪ And provides a framework for building organizational resilience
▪ With capability to provide for effective responses
▪ Safeguards the interests of key stakeholders, reputation, brand and value-creating activities

ISO 22301 Clause 3.4

Business Continuity Management

The management system that includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources

ISO 22301 General Requirement

The organization shall establish, implement, maintain, and improve a BCMS in accordance with the needs and the requirements of the interested parties

1. Understand the organization and its context
2. Determine needs and requirements
3. Implement and manage a BCMS

ISO 22301 Clause 4.4


Context of the Organization

1. Understand the organization and its context
▪ The organization’s activities, functions, services, products, partnerships, supply chains, relationships with interested parties
▪ Links between the business continuity policy and the organization’s objectives and other policies
▪ The organization’s risk appetite

2. Understanding the needs and expectations of interested parties
▪ The interested parties’ needs that are relevant to the BCMS
▪ The requirements of these parties
▪ Legal and regulatory requirements

3. Determining the scope of the BCMS
▪ The organization shall determine the boundaries and applicability of the BCMS to establish its scope
▪ When determining this scope, the organization shall consider the external and internal issues and the requirements

ISO 22301 Clause 4.4


Leadership and Management
Strategic orientation
▪ Management shall ensure that the BCMS is compatible with the strategic orientation of the organization
▪ Management shall integrate the BCMS requirements into the organization’s business processes

Strategic orientation
▪ Management shall communicate the importance of effective Business Continuity Management and conformance to the BCMS processes

Make resources available
▪ Management shall determine and provide the necessary resources for the BCMS

ISO 22301 Clause 5.1 & 5.2


Leadership and Management Support
Resources
The organization shall determine and provide the resources needed for the BCMS

Awareness
Persons doing work under the organization’s control shall be aware of the BC policy, their roles in the BCMS and the requirements for the organization

Competence
The organization shall ensure to have competent persons to perform tasks related to the BCMS

Communication
The organization shall establish, implement and maintain arrangements for communicating with relevant external and internal interested parties

Documentation
The organization’s BCMS shall include documented information required by ISO 22301 and records to demonstrate the effectiveness of the BCMS.

ISO 22301 Clause 7


Business Continuity Policy

Top Management shall establish a business continuity policy that
a. Is appropriate to the purpose of the organization
b. Provides a framework for setting business continuity objectives
c. Includes a commitment to satisfy applicable requirements
d. Includes a commitment to continual improvement of the BCMS

BCMS Policy shall
▪ Be available as documented information
▪ Be communicated within the organization
▪ Be available to interested parties, as appropriate
▪ Be reviewed for continuing suitability at defined intervals and when significant changes occur

ISO 22301 Clause 5.3


BIA and Risk Assessment

Business Impact Analysis: Process of analyzing business functions and the effects that the business disruption might have upon them

Risk Assessment: Overall process of the risk identification, risk analysis and risk evaluation

ISO 22301 Clause 3.8, 3.5 & 8.2


BIA and Risk Assessment

The organization shall establish, implement and maintain a formal and documented process for business impact analysis and risk assessment that
a. Establishes the context of the assessment, defines criteria and evaluates the potential impact of a disruptive incident
b. Takes into account legal and other requirements to which the organization subscribes
c. Includes systematic analysis, prioritization of risk treatments, and their related costs,
d. Defines the required output from the business impact analysis and risk assessment, and
e. Specifies the requirements for this information to be kept up-to-date and confidential.

ISO 22301 Clause 8.2

Establish and Implement BCP Procedures

The organization shall document procedures (including necessary arrangements) to ensure continuity of activities and management of a disruptive incident

▪ Emergency Response and Contingency
▪ Crisis Management
▪ Recovery and restoration
▪ Protection and mitigation
▪ Training and awareness

The organization shall establish, implement and maintain business continuity procedures to manage a disruptive incident and continue its activities identified in the business impact analysis

ISO 22301 Clause 8.4


Establish and Implement BCP Procedures

The procedure shall
a. Establish an appropriate internal and external communication protocol
b. Be specific regarding the immediate steps that are to be taken during a disruption
c. Be flexible to respond to unanticipated threats and changing internal and external conditions
d. Focus on the impact of events that could potentially disrupt operations
e. Be developed based on stated assumptions and an analysis of interdependencies, and
f. Be effective in minimizing consequences through implementation of appropriate mitigation strategies

ISO 22301 Clause 8.2


Thank you for listening