In order to implement and continually improve a healthy Business Continuity Management Program, the following program attributes and processes are essential:

Structure & Policy
All organizations should maintain a management structure that has clear and documented roles and responsibilities. The structure should support the development of a program that is aligned to the organization's Business Continuity Management Policy.

A common structure includes a Sponsor, a Business Continuity Manager, and a Crisis Management Team that consists of members of the organization's Senior Management.

Business Impact Analysis (BIAs)
BIAs should be conducted on all of the organization's business units or areas. This analysis will determine the level of planning that is required for each identified critical function, as well as define the maximum period of time the organization can tolerate the critical function not being performed. The BIA will provide the cost/impact justification necessary to support the implementation of the various continuity strategies.

Threat and Risk Assessment
The organization should undergo formal risk assessments of both Physical and Operational Risks on an ongoing basis. Once identified, potential risk points are to be assessed for either mitigation or acceptance. Acceptance of risk points should occur at the Senior Executive level.

Continuity Strategies
Strategies should be developed which reflect the requirements identified in the BIAs. Strategies are to be reviewed on an ongoing basis to ensure that they continue to remain effective in light of changing business requirements.

Business Continuity Plans
Plans are to be developed, documented and maintained to ensure that business continuity strategies can be readily actioned. The plans are to enable the resumption of critical business functions at an alternate location(s) within agreed time periods.

Testing & Exercising, Maintenance and Audit
Ongoing testing of the contingency capability should be carried out in order to prove its overall fitness for purpose as defined by the BIA process, as well as to identify errors and issues with existing plans, documentation, and procedures. It is generally accepted that a BCP should be tested at least annually.

Activation and Execution
The recovery capability is to be maintained in a constant state of readiness so as to provide the best possible means of recovering from a catastrophic incident affecting any of the organization's locations.