Business Continuity from Preparedness to Recovery: A Standards-Based Approach

Business Continuity from Preparedness to Recovery

A Standards-Based Approach

Eugene Tucker

Table of Contents

Cover image

Title page

Copyright

Preface

Acknowledgments

Digital Assets

Introduction

Chapter 1. Business Continuity—A Definition and a Brief History

1.1. Introduction

1.2. History

1.3. Many Definitions

1.4. Review

Chapter 2. Understanding the Standards

2.1. Introduction

2.2. Process Approach

2.3. Plan, Do, Check, Act

2.4. Organization of Standards

2.5. Review

Chapter 3. Building a Business Continuity Capability

3.1. Introduction

3.2. Leadership

3.3. Business Continuity Manager

3.4. Scope of the BCMS

3.5. Policy

3.6. Business Continuity Objectives and Project Planning

3.7. Competence and Awareness

3.8. Document Control

3.9. Steering Committee

3.10. Review

Chapter 4. Emergency Management—Preparedness and Response

4.1. Introduction

4.2. Preparedness

4.3. Response

4.4. Review

Chapter 5. Business Impact Analysis

5.1. Introduction

5.2. Business Impact Analysis Process

5.3. Reanalysis

5.4. Confidentiality

5.5. Review

Chapter 6. Risk Assessment

6.1. Introduction

6.2. Understanding Risk

6.3. Risk Assessment

6.4. Risk Treatment

6.5. Risk Assessment Report

6.6. Review

Chapter 7. Mitigation and Business Continuity Strategy

7.1. Introduction

7.2. Mitigation

7.3. Business Continuity Strategy

7.4. Review

Chapter 8. Business Continuity Plans and Procedures

8.1. Introduction

8.2. Fundamental Attributes of the Plan

8.3. Plan Organization and Structure

8.4. Team Plans

8.5. Putting the Plan Together

8.6. Review

Chapter 9. Orientation, Exercising, and Testing

9.1. Introduction

9.2. Types of Exercises

9.3. Scheduling Exercises

9.4. Orientation

9.5. Exercise Program

9.6. Exercise Design

9.7. Review

Chapter 10. Continuous Improvement

10.1. Introduction

10.2. Program Maintenance

10.3. Performance Evaluation and Metrics

10.4. Evaluations and Internal Audit

10.5. Management Review

10.6. Nonconformity and Corrective Action

10.7. Review

Appendix A. Sample Competencies Suggested for Business Continuity Manager

Appendix B. Required Documents under ISO 22301

Appendix C. Emergency Plan Table of Contents

Appendix D. Sample Business Impact Analysis Questions

Appendix E. Sample Continuity Team Resource Tool Kit

Appendix F. Websites That Contain Hazard Information

Appendix G. Examples of Natural, Technological, and Man-made Hazards

Appendix H. Excerpt from Risk Assessment Report—Hazards

Appendix I. Full Scale Exercise Example

Index

Copyright

Acquiring Editor: Sara Scott

Editorial Project Manager: Marisa LaFleur

Project Manager: Punithavathy Govindaradjane

Designer: Mark Rogers

Butterworth-Heinemann is an imprint of Elsevier

The Boulevard, Langford Lane, Kidlington, Oxford OX5 1 GB, UK

225 Wyman Street, Waltham, MA 02451, USA

Copyright © 2015 Elsevier Inc. All rights reserved.

No part of this publication may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or any information storage and retrieval system, without permission in writing from the publisher. Details on how to seek permission, further information about the Publisher’s permissions policies and our arrangements with organizations such as the Copyright Clearance Center and the Copyright Licensing Agency, can be found at our website: www.elsevier.com/permissions.

This book and the individual contributions contained in it are protected under copyright by the Publisher (other than as may be noted herein).

Notices

Knowledge and best practice in this field are constantly changing. As new research and experience broaden our understanding, changes in research methods, professional practices, or medical treatment may become necessary.

Practitioners and researchers must always rely on their own experience and knowledge in evaluating and using any information, methods, compounds, or experiments described herein. In using such information or methods they should be mindful of their own safety and the safety of others, including parties for whom they have a professional responsibility.

To the fullest extent of the law, neither the Publisher nor the authors, contributors, or editors, assume any liability for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions, or ideas contained in the material herein.

ISBN: 978-0-12-420063-0

British Library Cataloguing-in-Publication Data

A catalogue record for this book is available from the British Library

Library of Congress Cataloging-in-Publication Data

A catalogue record for this book is available from the Library of Congress

For information on all Butterworth-Heinemann publications visit our website at http://store.elsevier.com/

Preface

I remember as a child in Kindergarten climbing up the stairs to the slide in the playground when a 3.75 magnitude earthquake struck very close to the area of my school in Daly City, CA. Daly City was the closest town to the epicenter of the 1906 San Francisco earthquake. The teachers in the playground were yelling What was that, what was that? I do not know why at that age I knew it was an earthquake, but thought the teachers were pretty dumb for not recognizing the cause of the ground moving beneath their feet. An earthquake of that size, depending on the type and soil conditions, is noticeable, especially if close to the epicenter, but not enough to start pulling out your cache of emergency provisions.

In the days prior to the earthquake, my mother would walk with me to and from school, but on that day she started a new job and I was to make the trek solo. Just two blocks from home after Kindergarten let out for the day, the strongest earthquake to hit the Bay Area since 1906 registered 5.3 on the Richter scale. I was all alone. I could see the street turn into rolling waves coming toward me. I tried to run but remember going nowhere. I could not stand and fell down. Above the noise generated by the earth movement, my grandmother at home could hear me screaming a city block away. I was so traumatized, I did not return to school for the remainder of the term. I can honestly say that I flunked Kindergarten.

My interest in natural phenomena is likely an outgrowth of my early years. Educating and protecting people from the harm they can cause and helping organizations become resilient in the face of disasters so the economies that support the workers remain intact seems like the right thing to do.

As the former librarian for a major business continuity professional organization, I was amazed that the great majority of the books I reviewed did not give the reader a road map to put together an effective holistic business continuity program. My interests in emergency management, emergency response, data systems, and business management gave me, I believe, a unique perspective that was missed by most authors. When I was asked to write a book solely dedicated to business continuity, I struggled with the dilemma of what I could do that was different from my first book and different from the hundreds of other books on the same subject. The competing standards have value to the profession, but there are few publications on the market that adequately explain what is required in a manner that does not cause a great deal of confusion. I hope this publication cuts through the confusion and leads the Business Continuity Manager to a path that produces an effective management system that will hold up to the standards. Bear in mind that my intent is NOT to say Here is how you get certified under the standards. If you are looking for certification, buy a copy of the standards. My intent is to show how to develop a program (management system) built under the standards that will help ensure resilience when a disaster happens.

The standards are intended to tell you what you need for an auditable program but not how to develop and manage the program. The purpose of this publication is to allow the reader to design and implement an effective Business Continuity Management System according to the ISO 22301 Societal security—Business continuity management systems standard, the ASIS SPC.1-2009 Organizational Resilience: Security, Preparedness, and Continuity Management Systems standard, and to the NFPA 1600:2010 and 2013 Standard on Disaster/Emergency Management and Business Continuity Programs. It draws on many of the related ISO standards that include The Risk Management Standard and the Internal Auditing Guidance. While I have included information on all three standards, I have emphasized the ISO standard. When I refer to a standard in the text without qualification (i.e., ASIS or NFPA), I am referring to ISO 22301.

For my own use, and in preparation for this publication, I have attended a number of presentations, classes, and webinars and have sifted through piles of literature on the implementation of the standards. I have seen and heard a lot of confusion and misinformation about what to do with the Plan, Do, Check, Act of the Deming Cycle. At almost every class or webinar I attend, I make it a point to ask how business continuity managers are to incorporate PDCA into their planning and into their plans. I ask this in part to gauge the presenter’s knowledge of the standards. The answers I got were all over the spectrum — It is not needed at all to Forget everything before Clause 4 to The plan must be organized along the lines of PDCA and of the clauses in the standard. This reminds me of a number of years ago when the focus was on planning according to the Incident Command System (ICS). It seemed that none of the seminar presenters knew much about ICS or how to apply it to business continuity. Similarly, the presenters on the standards know a lot about business continuity (most seem to be sales people though) but fewer understand the standards or management systems in general.

Like James F. Broder and I did in Risk Analysis and the Security Survey, now in its fourth edition, where we listed specific procedures the reader could use when responding to a variety of emergency situations, I have included in this publication lists of Business Impact Analysis questions for the common functional areas of an organization. I have listed common business continuity strategies for these functions as well. Although we have placed them in the Appendix, I ask that they are reviewed in total to give the reader a better understanding of how to design Business Impact Questions and continuity strategies but mostly because important requirements under all of the standards are contained in the questions and strategies.

As I was finishing this manuscript, a 6.0 earthquake struck the lower Napa Valley of California at around 3:30 in the morning. This was the largest earthquake to hit the San Francisco Bay Area in the 25 years since the Loma Prieta Earthquake. Had the earthquake occurred later in the day, too many lives would have been lost. There were no immediate fatalities but a high degree of damage, including the loss of a major percentage of the inventory at some smaller wineries. The earthquake helped to remind me of the value of the standards, especially with their requirement for preparedness, mitigation, and response.

I did, however, go back to work the next day.

Acknowledgments

Acknowledgments on some levels are easy to give. Many start by making a point to thank their families and in particular their spouse for their support and understanding while writing the manuscript. I now know why. All of the beautiful summer weekends spent at home while I stared at a computer screen instead of sitting on the beach sharing a great sandwich and glass of wine was a sacrifice my family was willing to make. Thank you, Marci.

Gratitude is almost always given to the publishers. They really are a big help and in my case a source of motivation, encouragement, and good advice. Their suggestions were always on target and positive. They are true professionals and simply good people. Pam Chester of Elsevier, who roped me into this project and who I worked with as a co-author to Risk Analysis and the Security Survey, is the type of person whom you cannot thank enough. But I will keep trying. Pam has moved on to other endeavors, and Sara Scott and Marisa LaFleur have stepped up to lead the charge. Why should the reader care about the publishers? I suspect they do not get the recognition they are due and they truly are contributors to the value these publications bring to the profession. Thank you so much, ladies.

Thank you Joe Couch of the Texas A&M Engineering Extension Service (TEEX), a great instructor, for your help with permissions and to Dave Morgan, longtime President of the Business Recovery Managers Association, one of the respected and true Business Continuity Professionals. I should also thank Barry Cordoza, whose advice on the standards I should have sought with more regularity.

But the most difficult part of this book and with this acknowledgment, more so than the endless hours of research, last minute revisions due to newly published standards, typing until midnight, and trying to make sense of what was left after my laptop deleted entire paragraphs from the manuscript is how to thank someone who has enabled so many opportunities in my professional life. James F. Broder, one of the heavyweights in the Security and Investigations Profession, whom I have worked with and known for so many years, asked me many years ago to contribute a few chapters to the second edition of his book mentioned above. It was, as I recall, Butterworth–Heinemann’s top security publication that is now in its 4th edition and just translated into Chinese. Without that, I would not be writing this book. Broder is one of the kindest people, insightful beyond belief, and full of the type of experiences that one would find in a novel. To try to describe his positive attributes would take many pages. I am humbled in his presence. For this association, I am truly indebted. While I have always strived to attain his professional level and knowledge, the day that he called me friend will always be treasured. A good deal of his knowledge and influence is reflected in this publication.

Digital Assets

Thank you for selecting Butterworth Heinemann’s Business Continuity. To complement the learning experience, we have provided a number of online tools for instructors to accompany this edition.

Please consult your local sales representative with any additional questions.

For the Instructor

Qualified adopters and instructors need to register at the this link for access: http://textbooks.elsevier.com/web/manuals.aspx?isbn=978012400630.

• Test bank: Compose, customize, and deliver exams using an online assessment package in a free Windows-based authoring tool that makes it easy to build tests using the unique multiple choice and true or false questions created for Business Continuity. What is more, this authoring tool allows you to export customized exams directly to Blackboard, WebCT, eCollege, Angel, and other leading systems. All test bank files are also conveniently offered in Word format.

• PowerPoint lecture slides: Reinforce key topics with focused PowerPoints slides, which provide a perfect visual outline with which to augment your lecture. Each individual book chapter has its own dedicated slideshow.

• Instructor’s manual: Design your course around customized learning objectives, instructor’s notes, discussion questions, and research topics.

Introduction

Ask one experienced Business Continuity Manager what is the best thing in the last 10 years that has happened to improve the profession and he or she might reply a set of management standards. Ask another experienced Business Continuity Manager what is the worst thing in the last 10 years that has happened to his or her profession and the answer might be a set of management standards.

The requirements and organization of the standards can be confusing. The necessary elements to build a Business Continuity Management System are difficult to understand because of new terminology and the sequence in which instructions are found in the standards documents. For example, many business continuity professionals understand the term incident response to mean that when there is a fire, one should grab a fire extinguisher and put out the flames, but under the standards it also means the actions of a business continuity or disaster recovery team to execute the instructions listed in their plans (an incident is defined in ISO 22301 as a situation that might be, or could lead to, a disruption, loss, emergency or crisis). ISO 22301 and ASIS SPC.1-2009 say that the order in which the organization conducts the Risk Assessment and Business Impact Analysis is dependent on the method of analysis used, but it mentions completing the Business Impact Analysis first. This is how we presented these concepts in this publication, although many would argue that the ordering should be the opposite, completing the Risk Assessment first. Others would say that the order is not significantly important since the two are generally combined into a single effort and combined report.

The standards, as far as business continuity practices are concerned, do not introduce anything that is really new to a mature, well-managed Business Continuity program. But since the standards are so closely related to the world of Quality Management, they speak in terms of process and management systems. The introduction to ISO 22301 says that like any other management system a Business Continuity Management System is comprised of policy, responsibility, management processes that include management review and continuous improvement. It provides the requirements it believes are necessary to set up and manage such a system. What may be new to most managers, and a task that most believe is onerous, is the degree of auditable documentation required for its compliance with its provisions.

For the seasoned professional manager, the standards do not require too many tasks that he or she would normally do to set up and manage a business continuity program. They may embrace or reject the requirement for a steering committee or the demand for a higher level of documentation, but the greatest difference they may find with the implementation of the standards is one of a different mind-set. The standards are set up to provide audit evidence that is used to compare against audit criteria for certification. Unless experienced in certification to a set of standards, the expectations of auditors may be quite foreign to the manager. Auditors will not only want to see that every I is dotted and every T is crossed as the saying goes, but they will also want to know where they are dotted and crossed, who crossed them, and how management has enabled a culture that supports the dotting and crossing. While I might be proud that I dotted and crossed everything, and of the belief that I have met my audit mandate, along will come an auditor who will want to also discuss the concept of dotting and crossing before my management system is certified.

In addition to the emphasis on continual improvement, the standards take us away from the old and still active notion that the emphasis is to have a plan in place instead of a dynamic management system. The standards place a high emphasis, and rightfully so, on Enterprise Risk Management, not only in the identification of risk to the prioritized business functions, but on the processes themselves. The level of Top Management support required by the standards may be considered by some business continuity professionals as fantasy, but organizations are increasingly recognizing the value of their active participation and the integration of business continuity into all facets of their strategic and operational planning. Business continuity is increasingly driven by customer requirements. This is a strong motivator for their involvement.

Business Continuity Program Development

My first boss in my first full-time job dedicated to business continuity was fond of saying Business continuity is not rocket science. In many respects, he is correct. At a higher level, business continuity consists of a strategy to continue the operation of data functions if the original capability is diminished or destroyed and finding alternate workspace for people to connect to the data if their normal workspace is not available. In fact, the DRI International’s (DRII) Professional Practices lists 10 major steps (subject areas) necessary to develop a Business Continuity Management System:

• Program Initiation and Management Support

• Risk Evaluation and Control

• Business Impact Analysis

• Business Continuity Strategies

• Emergency Response and Operations

• Business Continuity Plans

• Awareness and Training Programs

• Business Continuity Plan Exercise, Audit, and Maintenance

• Crisis Communications

• Coordination with External Agencies

The reality is that these 10 subject areas contain many subordinate steps that combine to create a Business Continuity Program resulting in an organization that is resilient to the effects of catastrophic risk. Well, almost.

Program Initiation and Management Support begins with the justification of the program assuming that it is not mandated by and supported by upper management. When the idea for the program is conceived by a lower level manager, it could become Sisyphean labor to get management to devote the necessary resources to establish a Business Continuity Management System. Justifications for the program often include:

• Cost of downtime can be tremendous to certain types of organizations

• Loss of competitive advantage

• Minimize devaluation of the organization

• Fulfill requirements by financial auditors or by potential customers

• Capitalize on the lack of planning by competitors

• Uphold fiscal responsibility

• Avoid stockholder liability

• Fulfill regulatory and contractual requirements

• Retain key employees (who may leave the company if furloughed)

• Prevent the loss of key research

• Help ensure the safety of employees

• Preserve customer confidence and prevent the loss of customers

• Assist in the economic recovery of the community in the case of a regional disaster

• Pressure on cash flow and the need to borrow funds

• Prevent brand name damage

While these reasons may seem compelling, they should be supported with risk and impact data. This is most effectively provided by the results of the Risk Assessment and Business Impact Analysis. These are usually not completed until the program is approved, so many managers will ask for funding to conduct the Risk Assessment and Business Impact Analysis outside of the program. This is why it is often suggested that a Top-Management (i.e., executive-level) sponsor is recruited to help shepherd the commitment for the program. Once the program is approved and funded, a person to lead the program is selected and policy and procedure is developed. The structure and methodologies of the business continuity function are established.

A Risk Assessment (used to be a Risk Analysis) is conducted to identify hazards that can affect the mission of the organization. The risks are evaluated and appropriate cost-effective controls are put in place to eliminate or mitigate their effects. Coupled with the Business Impact Analysis, the organization will develop a picture of which of its functions are the most critical and will understand how resources and strategies are best applied to continue their operation during and after a catastrophic event, or during and after an incident of lesser magnitude that may have an impact on the financial, operational, or regulatory requirements of the organization.

Emergency situations that include fires, floods, the effects of earthquakes and other natural and man-made hazards must be prepared for, stabilized, and controlled before they become a crisis or disaster. The organization must develop a capability to respond to emergencies during a time when the dependence on normal emergency response agencies may be severely limited if not nonexistent.

The implementation of the business continuity and recovery strategies developed though the Risk Assessment and Business Impact Analysis processes are written into plans for teams of employees and others to execute at the time of a disaster. The resources necessary to support the strategies are included in the plans. The structure of the business continuity organization, how communication is enabled internally and externally to the organization, and where the functions are to relocate and connect to any relocated Information Technology resources are explained.

Those employees with responsibilities under the plans are trained in the expectations of the program and in what their tasks may require when the plans are activated (invoked in the terminology of the standards). Ideally, this training will include awareness of the steps they should take to be prepared for disasters at home and in the workplace. From the safety, operational efficiency, and liability potential, emergency responders are trained in the protocols they will need to use to control foreseeable emergencies.

Although related, Business Continuity Plan Exercise, Audit, and Maintenance are processes of such importance that they should be considered as separate steps. The plans (and as we will discuss, the program) are exercised and tested at increasing levels of complexity to validate that they will meet the objectives of the Business Continuity Management System. Exercises carry a component of training and continual improvement through the identification of corrective actions. Outdated information in the plans is useless if not detrimental to its implementation so the plans must be maintained and updated on a regular basis. An audit process is a new convention created by the standards and adds to the component of continuous improvement.

Crisis Communications combines responsibilities of the Public Relations function, Marketing Communications, and other functions that need to communicate continuity information to the outside world in a manner that prevents misconception and controls damage to the organization’s reputation.

The Coordination with External Agencies involves the interface with responding agencies in an emergency (understanding the Incident Command System (ICS), inviting the fire department to tour the site), complying with regulations, and full-scale exercises. It touches on the concept of Public–Private Partnerships.

Planning according to the standards will take these steps to a higher level.

Planning According to the Standards

So why, in the face of added difficulty, would an organization wish to set up their Business Continuity Program according to the standards? An obvious reason is PS-Prep certification or third-party certification to the standards. Certification sends a powerful message to customers and regulators that the business continuity program has stood the test of an independent assessment of the organization’s ability to survive a disastrous situation. Consider that planning according to the standards has the following advantages to the organization:

• Certification by a third party or at a minimum by internal first-party audit of a standards-based management system (including NFPA 1600, which is not a management system standard) is a marketing tool that will say to a customer that the organization has minimized risk and can continue to deliver products or services even in the face of a disaster.

• Roughly 80% of standards are purchased by lawyers, according to a source in the Health and Safety profession. Standards are used in litigation as a benchmark for organizations to compare themselves to, or to be compared against. A program built according to the standards may help indemnify the organization against stockholder or other third-party liability.

• Third-party certification, and to some extent first-party (internal) audit certification, will likely reduce the number of requests for an audit of your program by customers.

• The standards force a more holistic approach to business continuity by incorporating risk management, the elements of Emergency Management, and continuous improvement.

• Will add credibility to the program and better motivate internal interest and participation.

• Guides an inexperienced Business Continuity Manager toward developing an effective program.

Certification Process

The standards provide a process that is auditable for certification by a third party. The organization must understand the requirements of the standard it wishes to be certified against, including any related standards and guidance, decide what portion of the organization will be included in the certification (i.e., scope), and ensure it is as ready for audit.

For the ISO standards, certification is a three-year process that includes an optional preaudit that identifies gaps in documentation or conformance with the standard. The preaudit has the advantage of preparing those involved with the audit process. It begins with a Stage-1 audit that reviews the active commitment of Top Management to the program, requirements necessary for a management system, the Business Impact Analysis, and other documentation. It determines the organization’s readiness for the Stage-2 audit.

The Stage-2 audit, the real audit, examines the entire management system and looks at compliance with all of the standard’s requirements. It will also evaluate the effectiveness of the management system. Based on the results and seriousness of the nonconformities found, it will determine if certification is recommended. The Stage-2 audit is typically conducted at least 30 but no more than 90 days after the Stage-1 audit.

All identified nonconformities must be corrected before certification is granted. There are two levels of nonconformities: major and minor. Both levels must include the identification and documentation of the cause of the nonconformity, and corrective actions to fix the issue, but a major nonconformity will require a root cause analysis. A deadline for the implementation of any corrective actions is agreed to by the organization and the auditor and verified upon completion.

Certification is good for a three-year period, during which the organization’s management system will be reviewed (the term they use is Surveillance) 12 months after the completion of the Stage-2 audit and again 12 months later. Recertification is required after the three years but the recertification process that generally requires less time than the original must be completed before its expiration.

Choosing the Correct Standard

These three standards currently qualify for certification under PS-Prep (see Chapter 1). The one best suited for use depends on many factors that include the type of organization and the background of the person who will manage the program — someone coming out of the Information Technology world may best choose ISO 22301, someone from the Emergency Management world may choose NFPA 1600. The standards seem to be coming closer together in their requirements, but they still retain their own flavor.

ISO 22301 is an international standard and probably the best standard to use if the organization conducts overseas operations or has critical suppliers located in different countries. The ISO standards are better recognized in the business world and are known as quality standards, especially in the high-technology arena. It is the most widely used business continuity standard worldwide for nongovernmental organizations. It may also be the easiest for an organization to certify against. Both ISO 22301 and ASIS SPC.1-2009 are management standards, NFPA is not. This allows for easier integration with other ISO or ANSI standards in use within the organization.

Although both standards have a strong focus on risk management, the ASIS standard frames its requirements more from the integration of risk into its processes. Its Organizational Resilience title and greater emphasis on security may appeal to an organization that deals with critical infrastructure and asset protection if not required to use NFPA. The ASIS standard is a bit more straightforward in its implementation and comes with a very good set of reference guidance. Its Risk Assessment scheme is more aligned with the methods used by the United States Department of Homeland Security and also looks at the impacts of the organization’s operations on the environment, including endangered species.

NFPA 1600 is not the most business friendly of the standards, partly because it emphasizes the use of the ICS (the 2013 version does not directly mention the ICS but does discuss the use of an Incident Action Plan and Management by Objectives, both components of ICS. Its requirements for resource usage are very ICS-esque). It more directly mandates the use of the elements of emergency management and an all hazards planning approach (a good thing) but unless the organization already operates under the ICS, the manager may have difficulty adapting it to a nongovernmental agency. It also emphasizes controls for financial issues that will make the response and recovery to an incident more effective and it also requires a resource needs assessment. The 2013 version still requires the organization to develop a strategy to affect legislation and industry practices. Legislation is, however, increasingly mandating its use for certain organizations, including public hospitals. The 2013 version also requires the organization to develop a strategy for employee assistance and support for the temporary or long-term housing, feeding, and care of those displaced by an incident. According to its guidance, employee assistance should also apply to family and significant others.

The How and What of the Standards

Many business continuity professionals say that the requirements of the standards are too high-level, leaving little direction on how to accomplish what that the standards require. This was done by the designers of the standards so that they can apply to large or small organizations in a number of different environments. While we cannot predict exactly what an auditor will look for (as we mentioned above, some auditors view the requirements very literally and some focus on a more broad-based, conceptual application of the standards—or both), we hope to show how to establish a comprehensive Business Continuity Management System that will position your organization to survive a catastrophic event.

References

International Standard ISO 22301:2012 Societal security—business continuity management systems—Requirements.

NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs, 2013 edition.

Organizational Resilience: Security, preparedness, and continuity management systems—requirements with guidance for Use, ASIS SPC.1–2009 American National Standard, (ASIS International).

Chapter 1

Business Continuity—A Definition and a Brief History

Chapter Summary

Business continuity is the management of a sustainable process that identifies the critical functions of an organization and develops strategies to continue these functions without interruption or to minimize the effects of an outage or loss of service provided by these functions. The history of business continuity management brings with it the perspectives and skills of each of the disciplines that contributed to its present-day form. The two major perspectives, one from the militaristic, emergency management side of the house with strict adherence to the dogmas of disaster management, and the other from the data center, which focused solely on the internal recovery of information technology, combined to bring business continuity planning to its present state. This chapter will help the reader to understand these perspectives and allow the business continuity manager to evaluate new ideas as truly representing progress and more effectively move programs forward when working with those who hold these different outlooks. Today, with the help of the new standards, the profession has matured into a management process that helps ensure the resilience of all essential business functions.

Key terms

ASIS SPC.1-2009; Certification; Emergency management; ISO 22301; NFPA 1600; PS-Prep; Regulations; Risk management; Social science; Standards

Key Points

• Backgrounds and the point of view from varied professions influenced the development of business continuity management

• Business continuity planning evolved from a project focus to a sustainable management process

• Competing standards define programs

• Emergency management and business continuity planning defined

• Understand how the term business continuity is used today

1.1. Introduction

The concept of formal business continuity planning (BCP) is a relatively recent invention that owes its development to the increased dependency of business and government (actually, virtually everything and everyone) on the explosion of technology. The impact on business is well documented when data systems or production is disrupted, causing losses to stockholders, employees, and the community. The social dependencies of technology are illustrated by the computer outages of three major air carriers in 2012–2013 that resulted in the cancellation of close to 2250 flights. Apart from the financial losses to the carriers and their dependent partners (hotels, car rentals, etc.), many travelers were at the very least inconvenienced by delayed or cancelled vacations, missed appointments and meetings, or an uncomfortable night sleeping at the airport. The outage of a social network for more than a few hours becomes an international headline. These are just a few examples of why the continuity or recovery of information technology (IT) is a vital part of business continuity management.

Despite its youth, an understanding of the evolution of business continuity management and the influences that have brought it to its present state is important for developing a perspective that moves the profession forward and allows planners to best manage their programs. These influences emerge from the doctrines brought by those entering the profession from information technology, the fire service and emergency management, security and law enforcement, risk and insurance management, and post-September 11 political appointees. Business continuity management has embraced many of their ideas, but some professionals believe their practices, including a number found in the standards, could take the profession backward.

This chapter will not chronicle events and disasters from the past except where results produced relevant effects on business continuity management. For example, it is useful to know that after the San Fernando California earthquake of 1971, seismic safety building codes were greatly improved (as they and other lessons learned are refined after each new disaster). One lesson learned, however, is that the building standards and practices do not always meet the requirements of the codes. Shortcuts, poor construction practices, and the use of substandard materials were responsible for the collapse of many structures in Greece after a moderate earthquake—a country with strict modern building codes. Even in the United States (US), major damage to a warehouse in the Silicon Valley after the Loma Prieta earthquake was traced to substandard construction.

The formal definition of business continuity has metamorphosed over time with no agreement within the industry on a single meaning, although the contents of the business continuity Glossary published by the Disaster Recovery Journal were accepted by many professionals as the most appropriate definition. Each of the standards (International Organization for Standardization (ISO), American Society for Industrial Security (ASIS), and National Fire Protection Association (NFPA)) describe it in similar but somewhat significantly different ways.

1.2. History

1.2.1. Emergency Management

A history of business continuity management is not complete without a basic understanding of the evolution of emergency management. Emergency managers entering the field of business continuity management have needed to enable businesses to position their functions for resilience and sustainability by heavily influencing planning methodologies in both positive ways such as the focus on mitigation and negative ways such as continuity planning under an incident command system (ICS) structure. ICS is a field tactical response concept that many planners had difficulty adapting to business continuity management in an effective and meaningful manner, apart from the response phase that we will describe in another chapter.

Emergency management is the managerial function charged with creating the framework within which communities reduce vulnerability to hazards and cope with disasters (Dr B. Wayne Blanchard, CEM, FEMA Emergency Management Institute). It is also defined as an interdisciplinary field dealing with the strategic organizational management processes used to protect critical assets of an organization from hazard risks that can cause events such as disasters or catastrophes and to ensure the resiliency of the organization within their planned lifetime (Haddow and Bullock, 2003).

Emergency management, from the governmental perspective of planning and responding to disasters on a macro level (i.e., regional and not focused on an individual business), deals with situations such as earthquakes, hurricanes, and floods that cause business outages. It is a process in which qualified persons plan and prepare for identified hazards and risks to the community, and coordinate the response and recovery once they occur.

Just over 25  years after the signing of the US Constitution, legislation was passed to provide federal funding for disaster relief. Today, separate legislation is no longer necessary thanks to the Robert T. Stafford Disaster Relief and Assistance of 1974 (Stafford Act), which combined similar prior acts (such as the Disaster Relief Act of 1950) that gave the federal government the authority to provide assistance without going to Congress after each disaster. Of the many significant achievements of the Stafford Act,