This module provides an introductory understanding of Business Continuity Management, its alignment with business strategy, and an overview of risk management.

1. Introduction to Business Continuity Management

• Overview of Business Continuity Management and its strategic integration.
• Brief overview of risk management.

1.1 The Need for Business Continuity Management

Explanation of the necessity for Business Continuity Management:

• 1.1.1 When and why Business Continuity Management is essential.
• 1.1.2 Utilizing Business Continuity Management within the organization.
• 1.1.3 Importance of a Business Continuity Management System (BCMS).
• 1.1.4 Utilizing Business Continuity Management standards and relevant international standards.

1.2 The Context of Business Continuity Management in the Business

Understanding the significance of Business Continuity Management within the organizational context:

• 1.2.1 Recognizing the importance of Business Continuity Management for organizations.
• 1.2.2 Identifying benefits derived from effective Business Continuity Management.
• 1.2.3 Understanding the consequences of neglecting Business Continuity Management.
• 1.2.4 Assessing the potential impact of both internal and external factors.
• 1.2.5 Addressing legal and regulatory requirements.

1.3 Leadership and Senior Management Commitment to Business Continuity

Describing the leadership’s role in ensuring effective Business Continuity Management:

• 1.3.1 Aligning the BCMS with the organization’s strategic direction.
• 1.3.2 Integrating BCMS requirements into business processes.
• 1.3.3 Communicating the significance of Business Continuity Management to a wider audience.

1.4 Review of Risk Management Fundamentals

Exploring fundamental concepts of risk management:

• 1.4.1 Defining threats and hazards.
• 1.4.2 Understanding vulnerabilities.
• 1.4.3 Recognizing impact or consequences.
• 1.4.4 Assessing likelihood or probability.
• 1.4.5 Exploring principles of business impact analyses.
• 1.4.6 Understanding principles of risk assessment.
• 1.4.7 Explaining risk acceptance, avoidance, transfer, sharing, and reduction.

1.5 The Business Continuity Institute’s Lifecycle

Understanding the stages of the Business Continuity Institute’s Lifecycle:

• 1.5.1 Policy and Programme Management (PP1).
• 1.5.2 Embedding Business Continuity (PP2).
• 1.5.3 Analysis (PP3).
• 1.5.4 Design (PP4).
• 1.5.5 Implementation (PP5).
• 1.5.6 Validation (PP6).

This section delves into both the initial stages and ongoing management requirements of the Business Continuity Management program.

2.1 Initial Activities

Candidates should be able to describe the requirements for the initial stages of the Business Continuity Management program:

• 2.1.1 Setting the Business Continuity policy.
• 2.1.2 Determining the Business Continuity program objectives.
• 2.1.3 Defining the scope of the Business Continuity program.
• 2.1.4 Establishing governance.
• 2.1.5 Establishing accountability for the overall Business Continuity program.
• 2.1.6 Delegating responsibility for implementing individual components of the Business Continuity program.
• 2.1.7 Defining roles and responsibilities within the Business Continuity program.

2.2 Implementing the Business Continuity Program

Candidates should be able to describe the requirements for implementing the ongoing Business Continuity Management program:

• 2.2.1 Defining a set of well-defined Business Continuity Management objectives.
• 2.2.2 Addressing risks identified within the Business Continuity Management program.
• 2.2.3 Determining the resource requirements for the Business Continuity Management program.
• 2.2.4 Assessing the competence of individuals involved in executing the Business Continuity Management program, including training requirements.
• 2.2.5 Establishing a formal system of operation and control for the Business Continuity Management program.
• 2.2.6 Effectively communicating the Business Continuity Management program to stakeholders.
• 2.2.7 Conducting regular reviews, testing, and exercises to enhance Business Continuity capability.
• 2.2.8 Providing formal reports on the status and capability of the Business Continuity Management program.

2.3 Supply Chain Continuity

Understanding the importance of ensuring continuity within the supply chain:

• 2.3.1 Establishing Business Continuity capability for key suppliers.
• 2.3.2 Leveraging key suppliers to enhance the organization’s Business Continuity capability.
• 2.3.3 Utilizing Business Continuity program information to aid insurance loss adjusters.
• 2.3.4 Preserving and utilizing evidence in cases of criminal damage leading to business interruption.
• 2.3.5 Considering the incorporation of outsourced activities within the Business Continuity Management program.

2.4 Documentation

Candidates should be able to explain the essential documentation requirements for the Business Continuity Management program:

• 2.4.1 Creating a clear and agreed-upon Business Continuity Management policy.
• 2.4.2 Defining the terms of reference for the Business Continuity Management program.
• 2.4.3 Documenting thorough business impact analyses.
• 2.4.4 Recording risk assessments comprehensively.
• 2.4.5 Documenting effective Business Continuity strategies.
• 2.4.6 Establishing a structured Business Continuity training and awareness program.
• 2.4.7 Developing documentation for incident management, Business Continuity, disaster recovery, and business resumption plans.
• 2.4.8 Designing a well-structured Business Continuity testing and exercise schedule.
• 2.4.9 Outlining Business Continuity service level agreements and contracts.
• 2.4.10 Ensuring secure off-site/dual site storage of vital information and materials.

This section explains how the Business Continuity manager comprehends the organization and launches the Business Continuity Management program.

3.1 Identification of Business-Critical Areas

Exploring the method for identifying mission-critical areas of the business:

• 3.1.1 Identifying critical departments (Sales and Marketing, Finance, Production, Human Resources).
• 3.1.2 Recognizing critical products or services (mainstream versus legacy products).
• 3.1.3 Identifying support capabilities (supply chain, energy, distribution).

3.2 Terminology

Understanding essential terms in Business Continuity Management:

• 3.2.1 Maximum Tolerable Period of Disruption (MTPD) or Maximum Acceptable Outage (MAO).
• 3.2.2 Recovery Time Objective (RTO).
• 3.2.3 Maximum Tolerable Data Loss (MTDL).
• 3.2.4 Recovery Point Objective (RPO).
• 3.2.5 Minimum Business Continuity Objective (MBCO).

3.3 Business Impact Analysis

Explaining the process of conducting a Business Impact Analysis:

• 3.3.1 Assessing financial impacts (revenue streams, cash flow, litigation).
• 3.3.2 Evaluating non-financial losses (brand, share value, customer confidence).
• 3.3.3 Considering other impacts (legal and regulatory).

3.4 Continuity Requirements Analysis

Describing how a Business Continuity plan should consider various aspects:

• 3.4.1 Analyzing staff continuity requirements.
• 3.4.2 Evaluating premises continuity requirements.
• 3.4.3 Identifying supporting technology needs.
• 3.4.4 Assessing information continuity requirements.
• 3.4.5 Considering external services and supplies.

3.5 Threat and Vulnerability Assessments

Exploring the process of assessing threats, hazards, and vulnerabilities:

• 3.5.1 Identifying potential threats, hazards, and vulnerabilities.
• 3.5.2 Analyzing the identified threats, hazards, and vulnerabilities.
• 3.5.3 Evaluating the severity of threats, hazards, and vulnerabilities.

3.6 Horizon Scanning

Understanding the benefits of horizon scanning for early warning:

• 3.6.1 Identifying potential threats (e.g., virus attacks, disaffected staff).
• 3.6.2 Recognizing potential hazards (e.g., severe weather, pandemics).

3.7 Risk Assessment

Explaining the process of risk assessment:

• 3.7.1 Assessing the likelihood or probability of risks.
• 3.7.2 Evaluating the potential impact levels of risks.
• 3.7.3 Conducting quantitative risk assessments.
• 3.7.4 Conducting qualitative risk assessments.
• 3.7.5 Evaluating the proximity of risks.
• 3.7.6 Identifying single points of failure in premises, systems, and people.
• 3.7.7 Using risk matrices for assessment.

3.8 Evaluation of Options

Exploring the categorization of risks and options:

• 3.8.1 Assessing risks in terms of acceptance or tolerance.
• 3.8.2 Evaluating risks for avoidance or termination.
• 3.8.3 Considering risks for transfer or sharing.
• 3.8.4 Analyzing risks for reduction or modification.
• 3.8.5 Describing the need for cost/benefit analysis when costs and potential losses are comparable.

3.9 Business Cases and Programme Sign-Off

Describing the key components of a business case and obtaining senior management approval:

• 3.9.1 Summarizing the management perspective.
• 3.9.2 Presenting the impact statement (business impact analysis).
• 3.9.3 Including the risk assessment in the business case.
• 3.9.4 Outlining options and recommendations.
• 3.9.5 Providing supporting details, including costs and timelines.
• 3.9.6 Conducting a formal presentation of the business case for senior management approval.

This section outlines the process of developing an all-encompassing Business Continuity strategy.

4.1 Strategic Options

Exploring the strategic options in Business Continuity planning:

• 4.1.1 Identifying the option to avoid or terminate a risk.
• 4.1.2 Recognizing the option to share or transfer a risk.
• 4.1.3 Understanding the option to reduce or modify a risk.
• 4.1.4 Evaluating the option to accept or tolerate a risk.
• 4.1.5 Balancing costs versus benefits in Business Continuity strategy implementation.
• 4.1.6 Considering the consequences of inaction based on business impact analysis.
• 4.1.7 Recognizing the benefits of emergency packs.
• 4.1.8 Emphasizing the importance of accurate asset inventories.
• 4.1.9 Addressing local, regional, national, and industry-specific legislation.

4.2 People

Explaining the people-related considerations in Business Continuity planning:

• 4.2.1 Highlighting the benefits of multi-skill training for both permanent and contract staff.
• 4.2.2 Recognizing the advantages of physically separating staff with core skills.
• 4.2.3 Assessing the pros and cons of using third-party staff.
• 4.2.4 Understanding the necessity of succession planning.
• 4.2.5 Emphasizing the importance of knowledge retention and management.
• 4.2.6 Identifying different team types (response, recovery, public relations, welfare).
• 4.2.7 Addressing staff welfare during and after incidents, including stress and trauma counseling.

4.3 Premises

Explaining premises-related considerations in Business Continuity planning:

• 4.3.1 Recognizing the benefits of using alternative premises owned by the organization and other entities.
• 4.3.2 Evaluating the benefits of home or teleworking and remote premises work.
• 4.3.3 Identifying the benefits of relocating workloads to existing alternative premises.

4.4 Processes and Procedures

Explaining the need for documenting and storing critical processes and procedures:

• 4.4.1 Documenting and storing mission-critical processes and procedures.
• 4.4.2 Understanding the legal implications and potential losses.

4.5 Technology

Explaining technology-related considerations in Business Continuity planning:

• 4.5.1 Recognizing how geographical separation of technology enhances resilience.
• 4.5.2 Retaining previously-used equipment for disaster recovery purposes.
• 4.5.3 Accounting for lead times in technology recovery planning.
• 4.5.4 Addressing the impact of distance between main and standby premises.
• 4.5.5 Considering remote access options.
• 4.5.6 Exploring “hot,” “warm,” and “cold” sites, both manned and unmanned.
• 4.5.7 Provisioning robust telecommunications facilities.
• 4.5.8 Distinguishing between resilience, redundancy, and separacy.
• 4.5.9 Understanding mechanisms for achieving failover to standby premises.
• 4.5.10 Considering connectivity to third parties.
• 4.5.11 Linking with information security strategies.

4.6 Information

Highlighting the importance of information security and management:

• 4.6.1 Ensuring confidentiality.
• 4.6.2 Maintaining integrity.
• 4.6.3 Ensuring availability.
• 4.6.4 Verifying authentication.
• 4.6.5 Ensuring non-repudiation.
• 4.6.6 Describing the concept of currency of information.
• 4.6.7 Explaining methods of information storage.
• 4.6.8 Addressing efficient backup, off-site storage, and retrieval, considering RTO and RPO.

4.7 Supply Chain

Discussing supply chain considerations in Business Continuity planning:

• 4.7.1 Recognizing the benefits of storing supplies at alternative locations.
• 4.7.2 Evaluating supplier arrangements for short-notice ordering and delivery.
• 4.7.3 Diverting just-in-time deliveries to alternative locations.
• 4.7.4 Transferring operations to locations with supplies.
• 4.7.5 Identifying potential alternative suppliers and materials.
• 4.7.6 Emphasizing the advantages of multiple suppliers.
• 4.7.7 Ensuring key suppliers have appropriate Business Continuity plans.

4.8 Stakeholders

Addressing the consideration of key stakeholders in Business Continuity planning:

• 4.8.1 Considering parent organizations.
• 4.8.2 Recognizing the role of shareholders.
• 4.8.3 Addressing customer needs.
• 4.8.4 Evaluating supplier and business partner relationships.
• 4.8.5 Acknowledging the role of contractors.
• 4.8.6 Understanding the relationship with industry regulators.

4.9 Civil Emergencies

Explaining the importance of considering civil emergencies in Business Continuity planning:

• 4.9.1 Recognizing the awareness of civil contingency requirements.
• 4.9.2 Addressing the potential need for on-site or off-site emergency plans.
• 4.9.3 Communicating civil emergency information to staff.
• 4.9.4 Understanding recovery arrangements following a civil emergency.
• 4.9.5 Integrating and inter-dependency of organizational plans with other emergency responders.

This section outlines the process of developing and implementing a comprehensive Business Continuity response.

5.1 Overall Incident Response Structure

Describing the development of a formal incident response structure:

• 5.1.1 Confirming the nature and extent of the incident.
• 5.1.2 Taking control of the situation and determining the most appropriate response.
• 5.1.3 Containing and managing the incident.
• 5.1.4 Communicating with internal and external stakeholders.

5.2 Types of Plan

Describing various types of plans:

• 5.2.1 Incident response and management plans.
• 5.2.2 Business Continuity plans (technical, business, individual employee instructions).
• 5.2.3 Disaster recovery plans.
• 5.2.4 Business resumption plans.
• 5.2.5 Generic plan content (purpose, roles, invocation, contact details, version history, references).
• 5.2.6 Involving key departments in plan verification.
• 5.2.7 Establishing links between departmental and organizational plans.
• 5.2.8 Involving third parties in disaster recovery and Business Continuity plans.
• 5.2.9 Using service level and contingency agreements to activate plans.
• 5.2.10 Utilizing disaster recovery companies and their services.
• 5.2.11 Off-site storage of plans and multiple media types.
• 5.2.12 Benefits of a pre-equipped emergency operations center.
• 5.2.13 Planning for resource renewal and stress effects on response teams.
• 5.2.14 Planning for escalation of issues requiring senior management decisions.
• 5.2.15 Considering different durations of disruption.

5.3 Incident Management Plans

Describing additional contents of an incident management plan:

• 5.3.1 Task and action lists.
• 5.3.2 Emergency contact details and incident management location.
• 5.3.3 Activities (people, process, technology).
• 5.3.4 Communications (internal, media, responders, stakeholders).
• 5.3.5 Annexes (photographs, maps, charts, third-party documentation, site access, insurance claims).

5.4 Business Continuity Plans

Describing additional contents of a Business Continuity plan:

• 5.4.1 Task and action lists (invocation, key people, resources, recovery procedures).
• 5.4.2 Resource requirements (people, premises, processes, technology, information, supply chain, stakeholders).
• 5.4.3 Responsible person(s) for response and recovery operations.
• 5.4.4 Checklists, forms, and annexes (activity log form).

5.5 Disaster Recovery Plans

Describing additional contents of a disaster recovery plan:

• 5.5.1 Task and action lists.
• 5.5.2 Emergency contact details and incident management location.
• 5.5.3 Activities (people, process, technology).
• 5.5.4 Communications (internal, stakeholders).
• 5.5.5 Annexes (third-party contacts, invocation procedures, site access).

5.6 Business Resumption Plans

Describing additional contents of a business resumption plan:

• 5.6.1 Task and action lists.
• 5.6.2 Ownership and management of the business resumption process.
• 5.6.3 High-level options for longer-term replacement (staff, premises, systems, services, equipment, machinery).
• 5.6.4 Salvage and recovery of assets from affected premises.
• 5.6.5 Insurance claims for lost or destroyed assets.
• 5.6.6 Communications (internal, stakeholders).
• 5.6.7 Subsequent impact of an incident on cashflow, staff, customers, insurance premiums.

This section focuses on the Business Continuity exercising, maintenance, and review program.

6.1 Exercising and Testing of Plans

Explaining the concept of Business Continuity exercising, maintenance, and review:

• 6.1.1 Different types of tests and exercises (communications, documentation walkthrough, table-top simulation, partial test, full failover test, building evacuation/redeployment test).
• 6.1.2 Developing an exercise program.
• 6.1.3 Developing a specific exercise.
• 6.1.4 Post-exercise reviews and audit.
• 6.1.5 Implementing improvements from post-exercise reviews or audits.
• 6.1.6 Training and education program for involved staff (existing and new).
• 6.1.7 Timing considerations for testing/exercising plans.
• 6.1.8 Importance of change control for plans.

6.2 Maintenance of Plans

Describing the need for regular updates to plans:

• 6.2.1 Updating names of key individuals.
• 6.2.2 Keeping contact details current.
• 6.2.3 Including photographs, maps, and charts.
• 6.2.4 Updating third-party response documentation.
• 6.2.5 Maintaining site access information.
• 6.2.6 Updating insurance claim procedures.
• 6.2.7 Ensuring updated communication procedures.
• 6.2.8 Integrating plans into the organization’s change management process.

6.3 Review of Plans

Discussing the importance of regular plan reviews:

• 6.3.1 Reviewing mission-critical activities.
• 6.3.2 Regularly updating impact analyses.
• 6.3.3 Addressing vulnerabilities.
• 6.3.4 Assessing threats and hazards.
• 6.3.5 Revisiting the overall Business Continuity strategy.
• 6.3.6 Aligning with the organization’s risk appetite.
• 6.3.7 Evaluating the organization’s Business Continuity capability.
• 6.3.8 Ensuring ongoing appropriateness of Business Continuity solutions.
• 6.3.9 Monitoring progress in testing, exercising, and training.
• 6.3.10 Conducting independent audits of Business Continuity plans.

This section highlights the methods to integrate Business Continuity awareness throughout the organization.

7.1 Overall Awareness

Explaining the approach to achieve Business Continuity awareness:

• 7.1.1 Consulting with key departments within the organization.
• 7.1.2 Aligning awareness initiatives with the organizational culture.
• 7.1.3 Utilizing various communication channels: articles in newsletters, briefings, intranet pages, and induction programs.
• 7.1.4 Conducting Business Continuity Management workshops that analyze real-life incidents for learning.
• 7.1.5 Incorporating Business Continuity into team and project meetings.
• 7.1.6 Involving stand-in staff in tests and exercises.
• 7.1.7 Providing structured guidance to all staff for incident response.
• 7.1.8 Establishing and maintaining an ongoing awareness campaign.

7.2 Skills Training

Explaining the importance of training for key staff:

• 7.2.1 Training for Business Continuity program management.
• 7.2.2 Training for business impact analyses and risk assessments.
• 7.2.3 Training for developing and implementing Business Continuity plans.
• 7.2.4 Training for participation in and leading Business Continuity tests and exercises.
• 7.2.5 Training for effective media communication during incidents.
• 7.2.6 Establishing a comprehensive training program.