This chapter provides orientation on the Continuity module, an on-demand solution integrated with the system that allows business continuity efforts to be managed, including business impact analyses, strategies, and continuity/recovery plans.
Business continuity is an ongoing process that is used to:
• Identify critical processes that support the organization's business.
• Estimate and assess the impact that an interruption in one of these business components might have on the organization.
• Determine strategies and manage risks related to these critical business components to prevent incidents from occurring that would cause them to enter contingency mode or require recovery efforts.
• Develop plans to ensure continuity of these business components, plans to manage incidents related to these business components that impact their continuity, as well as plans to recover operations in the event of a disaster. Plans to prevent and adequately respond to incidents and disasters are prepared and tested to help ensure that any business components affected and their associated activities are recovered within a certain timeframe and at previously determined levels.
One of the fundamental concerns of a business continuity process is assessing the impact that an interruption of one or more business components might have on the organization.
According to ISO 15999-1, business continuity is defined as a process in the organization that establishes an adequate strategic and operational structure to proactively improve the organization's resilience against possible interruptions in its capacity to reach its main objectives; establishes a practice to reinstate the organization's capacity to provide its main products and services at a previously determined level and within a previously determined timeframe after an interruption; and allows the organization to obtain recognized capacity to manage an interruption to the business in order to protect its reputation and brand.
A second definition for business continuity is available in the introduction to ASIS/BSI BCM.01-2010:
A business continuity management system (BCMS) is an organization-wide process that establishes a fit-for-purpose, strategic, and operational framework that upon implementation by the organization's leadership:
• Improves an organization's ability to withstand disruptive events that may jeopardize the achievement of its purpose, mission, and strategic objectives.
• Delivers a demonstrable capability to manage a disruption and protect stakeholder interests.
• Provides a structured and rehearsed method of restoring an organization's productive ability within a planned timeframe after a disruption.
• Enables an organization to return to its normal state more quickly and safely than would otherwise be possible.
• Supports maintenance and continuous improvement of the organization's BCMS.
• Promotes the safety and security of internal and external stakeholders.
Thus, business continuity is a management process that is wide in scope and executed in cyclical phases, and it therefore requires a structured approach. In summary, business continuity as modeled in the system consists of the following:
1) Preparing a business continuity policy and distributing it throughout the organization.
2) Performing business impact analyses to identify critical business components.
3) Preparing strategies to minimize the impact or probability of an incident disrupting a business component.
4) Preparing plans to ensure continuity in the event that a business component or one of the assets supporting it is disrupted.
5) Testing and updating plans and strategies.
6) Monitoring and managing incidents that may impact critical processes.
It's important to understand that business continuity is a cyclical process which, once implemented, must be kept updated over time. This includes updating and revising not only business component data and their associated plans and strategies, but also the business continuity process as a whole, to ensure that the needs of both the organization and its stakeholders are met.