17_Chapter_6_Business_Continuity_Management,_Cabinet_Office_–.pdf
Chapter 6 Business Continuity Management Revision to Emergency Preparedness Civil Contingencies Act Enhancement Programme March 2012 V3: Last updated 09/12/2010 PAGE 1 Last updated:March 2012 Emergency Preparedness | Business Continuity Management Chapter 6 (Business Continuity Management) of Emergency Preparedness, Revised Version Summary The Act requires Category 1 responders to maintain plans to ensure that they can continue to exercise their functions in the event of an emergency so far as is reasonably practicable. The duty relates to all functions, not just their emergency response functions (paragraphs 6.1 – 6.13). Category 1 responders must have regard to assessments of both internal and external risks when developing and reviewing business continuity plans (BCPs) (paragraphs 6.14 - 6.16). Business continuity plans may take the form of generic plans - which set out the core of a Category 1 responder’s response to any BCM event - or specific plans dealing with particular risks, sites or services (paragraphs 6.17 - 6.19). There must be a clear procedure for invoking the business continuity plan (paragraphs 6.20). BCPs must include arrangements for exercises for the purpose of ensuring the plan is effective, and arrangements for the provision of training to those involved in implementing the plan. Plans must be reviewed and kept up to date (paragraphs 6.21 - 6.28). PAGE 2 Last updated:March 2012 Emergency Preparedness | Business Continuity Management Category 1 responders are required to publish aspects of their BCPs insofar as making this information available is necessary or desirable for the purposes of dealing with emergencies (paragraph 6.29 - 6.31). The British Standard for Business Continuity (BS25999) is widely acknowledged as industry best practice. It provides a generic framework that is applicable across the public, private and voluntary sectors. (paragraphs 6.43 - 6.107). WHAT THE ACT AND THE REGULATIONS REQUIRE Scope of the duty 6.1. 
The Act requires Category 1 responders to maintain plans to ensure that they can continue to perform their functions in the event of an emergency, so far as is 1 reasonably practicable. 6.2. The duty to maintain plans relates to all the functions of a Category 1 responder, not just its civil protection functions. For Category 1 responders to help others in the event of an emergency, they first need to be able to keep their own crisis response capabilities going. However, Category 1 responders also need to be able to continue to deliver critical aspects of their day-to-day functions (e.g. law enforcement, looking after vulnerable people, attending minor fires) in the event of an emergency, if the impact on the community is to be kept to a minimum. 1 s.2(1)(c) PAGE 3 Last updated:March 2012 Emergency Preparedness | Business Continuity Management 6.3. It may, therefore, be helpful to think of the business continuity management (BCM) duty in the Act as being separated into two strands. In practice, the Act requires Category 1 responders to maintain plans to ensure that they can: o continue to exercise their civil protection functions: The legislation requires Category 1 responders to maintain plans to deal with emergencies (see Chapter 5) and put in place arrangements to warn and inform the public in the event of an emergency (see Chapter 7). The BCM duty requires Category 1 responders to maintain plans to ensure that they can deliver these capabilities when they are required. o continue to perform their ordinary functions: Category 1 responders perform a range of functions that are important to the human welfare and security of the community and its environment (e.g. provision of health care, detection of crime, fighting fires). This is particularly true in an emergency situation, where operational demands often increase and the operating environment can become more challenging. 
The legislation requires Category 1 responders to make provision for ensuring that their ordinary functions can be continued to the extent required. 6.4. Organisations should not only look at the resilience of internal structures and processes, but also those of organisations they rely on, or deliver services through. 6.5. The Act requires Category 1 responders to put in place plans to ensure that 2 they can continue their functions in the event of an emergency. This requires them to ensure that those organisations delivering services on their behalf (e.g. contracted-out services) or capabilities which underpin service provision (e.g. information technology and telecommunications providers) can deliver to the extent required in the event of an emergency. This is because services remain part 2 s.2(1)(c) PAGE 4 Last updated:March 2012 Emergency Preparedness | Business Continuity Management of an organisation’s functions even if they do not directly provide them. Limits of the duty Definition of emergency 6.6. BCM is a flexible framework designed to help organisations to continue operating in the face of a wide range of different types of disruptions right the way along the spectrum of severity. BCM does not however embrace all dimensions of an organisation’s resilience, and one important distinction is between BCM and crisis management. The Publicly Available Specification on Crisis Management (PAS200) identifies crisis management as wider ranging and inherently strategic in nature. BCM in turn is a more operationally- focused activity to ensure that service disruptions are managed, potentially cascading impacts are mitigated and services are maintained. For further details and for guidance on developing a crisis management capability see http://epcollege.com/epc/news/ pas200-crisis-management---new-guidance-for-crisis/ (including link to the BSI website). 6.7. The BCM duty, however, is determined by the definition of emergency in the Act. 
The Act therefore imposes a duty on Category 1 responders to put in place plans to ensure that they can continue to exercise their functions in the event of a much narrower range of disruptive challenges.3 6.8. The duty applies only to those events or situations defined as an emergency in section 1 of the Act - events or situations that threaten serious damage to the human welfare, environment or security of a place in the United Kingdom. This should be read in conjunction with section 2(2) of the Act, which provides that an event or situation is only an emergency when it overwhelms existing response arrangements, and cannot be dealt with within existing resources or procedures (see Chapter 1 for an in-depth description of the definition of “emergency” underpinning Part 1 of the Act). 3 s.2(1)(c) and s.2(2) PAGE 5 Last updated:March 2012 Emergency Preparedness | Business Continuity Management 6.9. While the duty focuses on the most challenging situations, it is likely that plans put in place to fulfil their duty under the Act will help Category 1 responders to prepare for a much wider range of day-to-day (i.e. non-emergency) interruptions. By putting in place plans to keep themselves going in the event of an emergency, Category 1 responders will build resilience to a wider range of less serious events. Practicability 6.10. Ideally, Category 1 responders would be able to continue all of their functions at ordinary service levels in the event of an emergency. In practice, this may not prove possible, and therefore the duty is qualified. 6.11. The Act requires Category 1 responders to put in place arrangements to ensure that they continue to exercise their functions in the event of an emergency so far 4 as is reasonably practicable. 6.12. The qualification “so far as is reasonably practicable” has three elements to it: o Criticality: Category 1 responders should focus on ensuring that they can deliver critical functions. 
Which of its functions are critical is a matter that can be determined only by the organisation itself, and may depend on the nature of the emergency in question. Category 1 responders should not lose sight of the common supporting infrastructure underpinning these functions. The following guiding principles should be used when deciding whether or not a service or activity is critical. It is not intended to be a definitive list, but rather a series of useful indicators: 4 s.2(1)(c) PAGE 6 Last updated:March 2012 Emergency Preparedness | Business Continuity Management Emergency management/civil protection: Functions that underpin the Category 1 responder’s capability to respond to the emergency itself, and take effective action to reduce, control or mitigate the effects of the emergency. Impact on human welfare, the environment and security: The significance of services to the effective functioning of the community in the event of an emergency, or an adverse effect on the environment. Legal implications: Statutory requirements on Category 1 responders and the threat of litigation if a service is not delivered, or is delivered inadequately. Financial implications: Loss of revenue and payment of compensation. Reputation: Functions that impact on the credibility and public perception of a Category 1 responder. o Service levels: The Act does not require Category 1 responders to continue to deliver their functions at ordinary levels in the event of an emergency. Some critical functions may need to be scaled up, while others (which are non-critical) may need to be scaled down or suspended. Acceptable levels of service in the event of an emergency are a matter for the Category 1 responder itself to determine in the light of its capabilities, constraints and the needs of the community. o Balance of investments: No organisation will be in a position to commit unlimited resources to BCM. 
It is the role of the Category 1 responder itself to decide the level of protection sought. PAGE 7 Last updated:March 2012 Emergency Preparedness | Business Continuity Management 6.13. Category 1 responders must therefore put in place a process for effectively managing the prioritisation of services - and getting high-level endorsement for these decisions - prior to an emergency occurring. The business impact analysis (BIA) process described later in this chapter gives a methodology for undertaking this work. Risk assessment 6.14. It is important that Category 1 responders identify the significant risks threatening the performance of critical functions in the event of an emergency or disruption, as this will enable them to focus resources in the right areas, and develop appropriate continuity strategies. 5 6.15. In this context, there are two strands to risk assessment, relating to external threats (i.e. risk of an emergency occurring) and internal risks (i.e. business risks) that could cause loss or disruption of critical services required to control, reduce or mitigate the effects of an emergency or disruption. 6.16. The Act requires Category 1 responders to identify and assess significant risks 6 of an emergency occurring in their area - in accordance with their particular functions - as a basis for performing their other civil protection duties (see Chapter 4). The Regulations require Category 1 responders to have regard to assessments of risk maintained pursuant to the Act when developing BCPs.7 The Act requires Category 1 responders to consider whether a risk assessment makes it necessary or desirable to review a BCP. 8 It is good practice, in any instance, to review BCPs in conjunction with risk registers and vice versa. 5 regulation 21 6 s.2(1)(a) 7 regulation 19 8 s.2(1)(e) PAGE 8 Last updated:March 2012 Emergency Preparedness | Business Continuity Management Generic and specific plans 6.17. 
As with emergency plans, the Regulations provide that Category 1 responders may use generic plans, specific plans, or a combination of the two in business continuity planning. A generic plan is a core plan which enables a Category 1 responder to respond to a wide range of possible impacts, setting out the common elements of the response to these (e.g. invocation procedure, command and control, access to financial resources). 6.18. Specific plans may be required in relation to specific risks, sites or services. Specific plans provide a detailed set of arrangements designed to go beyond the generic arrangements when these are unlikely to prove sufficient. 6.19. Specific plans will usually operate within the framework established by the generic plan. It is a matter for Category 1 responders themselves to decide - in the light of assessments of risk - what, if any, specific plans are required. Plan invocation 6.20. The Regulations specifically require Category 1 responders to establish a procedure for determining when an emergency has occurred which affects its ability to continue to perform its functions.9 In other words, there must be a clear procedure for invoking the plan. Where continuity of critical functions is threatened in the event of an emergency, there should be a clearly laid out escalation procedure. This should be identified, agreed and documented within the plan. The Regulations specifically require this procedure to: 9 regulation 24 PAGE 9 Last updated:March 2012 Emergency Preparedness | Business Continuity Management o identify the person who should determine whether such an emergency has occurred; o specify the procedure that person should adopt in taking that decision; o specify the persons who should be consulted before such a decision is taken; and o specify the persons who should be informed once a decision has been taken. Exercising BCPs 6.21. 
Exercises provide demonstrable evidence of a business continuity and incident management competence and capability. A BCP cannot be considered reliable until it is exercised and has proved to be workable. As part of the BC process there is a continual need to prove plans and strategies by testing. No matter how well designed and thought-out a BCM strategy or BCP appears to be, a series of robust and realistic exercises will identify areas that require amendment. 6.22. The Regulations require Category 1 responders to put in place arrangements for exercising BCPs in order to ensure that they are effective.10 These arrangements should encompass the three principal purposes of exercising: o validating plans - to verify that the plan works; o rehearsing key staff - to familiarise key staff with what is expected of them in a crisis and preparing them for crisis conditions; and o testing systems - to ensure that systems relied upon to deliver resilience (e.g. uninterrupted power supply) function correctly and offer the degree of protection expected. 10 regulation 25(a) PAGE 10 Last updated:March 2012 Emergency Preparedness | Business Continuity Management 6.23. As a simple rule, if it has not been tested it does not work. Exercising must be maintained to hold credibility and encourage ownership across the organisation. Tests should build on the organisation’s past experience. The exercising programme should be flexible, and the focus and frequency of exercises should be responsive to: o the rate of change - where the pace of change (e.g. to the organisation or risk profile) is particularly rapid, exercises may need to be more frequent; and o outcomes of previous exercises - the identification of particular weaknesses and subsequent changes to plans may necessitate further exercising. Training key staff 6.24. 
It is important to ensure that relevant people across the Category 1 responder - and in other organisations where appropriate - are confident and competent concerning the plan. It is particularly important that staff receive appropriate training prior to exercising. This will ensure that they are adequately prepared for what can be a challenging experience. 6.25. The Regulations require Category 1 responders to put in place a training programme for those directly involved in the execution of the BCP should it be 11 invoked. This should be reflected in plans. This should cover: o the contents of the plan - how is the plan invoked? What are the key decision-making processes? Who else needs to be involved? 11 regulation 25(b) PAGE 11 Last updated:March 2012 Emergency Preparedness | Business Continuity Management o their role in implementing the plan - what is expected of them? How do they fit into the wider picture? o key skills and knowledge required in crisis response. Reviewing and maintaining BCPs 6.26. The Act specifically requires Category 1 responders to maintain business continuity plans to ensure that they can continue to deliver key services in the event of an emergency.12 This means that Category 1 responders must not only put plans in place, but ensure that they are reviewed and kept up to date. 6.27. Category 1 responders exist in a dynamic environment - organisations themselves and the environment they operate in are subject to change. BCPs need to be reviewed and updated to ensure that they remain valid. 
The following aspects of plans should be reviewed: o personnel - staff turnover means that contact details will need constant updating; o the responsibilities of the Category 1 responder - where a Category 1 responder takes on new functions or delivers new services, this should be reflected; o organisational structures - where responders have experienced restructuring this may need to be reflected in plans; o suppliers or contractors - ensuring that the details of suppliers and contractors are kept up to date; o risk assessments - the Act requires Category 1 responders to review plans in the light of changes to risk assessments; 13 and o business objectives/processes. 12 s.2(1)(c) 13 s.2(1)(e) PAGE 12 Last updated:March 2012 Emergency Preparedness | Business Continuity Management 6.28. The frequency of plan review will depend on the rate of change within the organisation and the environment it operates within. Plan maintenance should take place on an ongoing basis, but all business continuity plans should be comprehensively reviewed at appropriate intervals. Publication of BCPs 6.29. Communication with customers or service users - who may need information about service continuity in the event of an emergency - is important to community resilience. Emergencies cause serious disruption to people’s lives and increase reliance on public sector bodies - provision of information about what they can and cannot expect from Category 1 responders in the event of an emergency, may help to minimise this disruption. 6.30. The Act requires the publication of aspects of BCM plans in so far as this is necessary or desirable for the purposes of preventing, controlling or mitigating 14 the effects of an emergency or otherwise responding to the emergency. 6.31. Category 1 responders need only publish information where there is a positive benefit in doing so. 
For example, a Category 1 responder need not publish internal management information which would be of little relevance or interest to the public. Furthermore, the Regulations prohibit the publication of sensitive information (e.g. commercially confidential information, personal data) where consent has not been received from the originator of the information, or where the public interest in disclosure fails to outweigh the interests of the organisation or individual concerned. 14 s.2(1)(f) PAGE 13 Last updated:March 2012 Emergency Preparedness | Business Continuity Management Box 6.0: Further advice and information Also included in this chapter is further advice about BCM and information that is not supported directly by the Act, but responders may find it useful in fulfilling their duties under the Act. These sections of text are distinguished by inclusion in a text box like this one. How the Act and Regulations apply in Scotland, Wales and Northern Ireland 6.32. The Act and the Regulations apply in Scotland to bodies outside devolved competence in the same way as they apply in England. 6.33. The Regulations made by the Scottish Ministers make provision as to how Category 1 responders in Scotland that fall within devolved competence, should exercise their duty under the Act to maintain business continuity plans. Wales 6.34. The Act and the Regulations apply in Wales in the same way as they apply in England. Northern Ireland 6.35. The Act and the Regulations apply to Category 1 responders exercising functions in Northern Ireland in the same way as they apply in England, but see information in Chapter 12 in relation to the Police Service of Northern Ireland. PAGE 14 Last updated:March 2012 Emergency Preparedness | Business Continuity Management HOW THE REQUIREMENTS OF THE ACT AND THE REGULATIONS MAY BE CARRIED OUT 6.36. This section provides practical guidance on taking forward a BCM programme within a Category 1 responder organisation. 
It describes the discipline of BCM and outlines a methodology for implementing it. Category 1 responders must have regard to this material and may find it useful in fulfilling their duties under the Act. While the Government considers this to be a sound approach, Category 1 responders may use other models to deliver statutory requirements where there are compelling reasons for doing so. 6.37. The Government is keen to give Category 1 responders the flexibility to make the best use of the resources and expertise available to them. The Regulations permit Category 1 responders to enter into collaborative arrangements in order to fulfil the BCM duty.15 Category 1 responders may: o deliver the duty separately; o deliver the duty jointly (e.g. by forming a joint BCM unit or resource); o agree that one Category 1 responder will facilitate the delivery of a BCM programme on behalf of a number of other Category 1 responders; or o enter into collaborative arrangements in which one or more Category 1 responder gives assistance to others in fulfilling their BCM duties (e.g. managing the overarching programme, developing framework plans). 15 regulations 8 and 9 PAGE 15 Last updated:March 2012 Emergency Preparedness | Business Continuity Management 6.38. However, BCM must be owned and driven within the organisation itself - and engage the expertise and resources of its staff - in order to be effective. While collaborative arrangements can be used to make use of BCM expertise or resources in other Category 1 responders, responsibility for the robustness of BCM arrangements must remain within the organisation. What is business continuity and business continuity management? 6.39. Business continuity 16 is the strategic and tactical capability of the organisation to plan for and respond to incidents and business disruptions in order to continue business operations at an acceptable predefined level. 6.40. 
Business continuity management provides the strategic framework for improving an organisation’s resilience to interruption. Its purpose is to facilitate the recovery of key business systems and processes within agreed time frames, while maintaining the delivery of the Category 1 responder’s identified critical functions. It assists organisations to anticipate, prepare for, prevent, respond to and recover from disruptions, whatever their source and whatever aspect of the business they affect. 6.41. BCM is a holistic management process that identifies potential threats to an organisation and the impacts to business operations that those threats, if realised, might cause. It also provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and core business activities. Business continuity management involves managing the recovery or continuation of activities in the event of a disruption, and management of the overall programme through training, exercises and reviews, to ensure business continuity plans stay current and up-to-date. 16 BS25999 definition of business continuity PAGE 16 Last updated:March 2012 Emergency Preparedness | Business Continuity Management 6.42. BCM is valid across the public, private and voluntary sectors. It is about maintaining the essential business deliverables of an organisation in an emergency. The primary ‘business’ of private sector organisations is the generation of profit, a process that BCM seeks to protect. Category 1 responders provide services to the public, and it is equally important that these are protected and resilient. BCM methodology 6.43. The British Standard for business continuity (BS25999) works on a six-stage process widely acknowledged as best practice. This model provides a generic framework that is applicable across the public, private and voluntary sectors. 
This standard, or its equivalent in the water industry, the Security and Emergency Measures Direction (SEMD), provide a good basis for BCM. 6.44. Figure 6.1 illustrates this approach. The rest of the chapter describes this process, and supports Category 1 responders in using this framework to fulfil their duties under the Act. Figure 6.1: The business continuity management lifecycle BS 25999-1:2006 BRITISH STANDARD business continuity management Part 1: Code of Practice 17 17 Permission to reproduce extracts from BS25999 is granted by BSI. British Standards can be obtained in PDF or hard copy formats from the BSI online shop: www.bsigroup.com/Shop or by contacting BSI Customer Services for hardcopies only: Tel: +44 (0)20 8996 9001, Email: [email protected]. PAGE 17 Last updated:March 2012 Emergency Preparedness | Business Continuity Management 6.45. As Figure 6.1 shows, the six stages of the process are: o Stage 1: BCM programme management: Programme management is at the heart of the process. It requires the participation of senior management and establishes the organisation’s approach to business continuity. o Stage 2: Understanding the organisation: This element assists in the understanding of the organisation through the identification of its key products and services and the critical activities and resources that support them. This element ensures that the BCM programme is aligned to the organisation’s objectives, obligations and statutory duties. o Stage 3: Determining business continuity strategy: This element allows the organisation to select its strategies in order to meet its objectives. o Stage 4: Developing and implementing a BCM response: This stage looks at the need for Category 1 responders to develop and implement plans and arrangements to ensure continuity of critical activities, and the management of an incident. 
o Stage 5: Exercising, maintaining and reviewing BCM arrangements: An organisation’s arrangements cannot be considered reliable until exercised. This element ensures that an organisation’s BCM arrangements are validated by exercise and review and that they are kept up-to-date. o Stage 6: Embedding BCM in the organisation’s culture: Business continuity must become part of the way an organisation is managed to be effective. This stage provides the overarching element that ensures that opportunities are used at the various stages of the BCM process. PAGE 18 Last updated:March 2012 Emergency Preparedness | Business Continuity Management Delivering BCM arrangements Stage 1: BCM programme management 6.46. In order to be successful, BCM must be regarded as an integral part of a Category 1 responder’s normal management processes. 6.47. Achieving top-level buy-in is vital to developing robust BCM arrangements. Engaging senior officers is crucial to the success of any major programme because of the influence they have over resource allocation and the culture of an organisation. However, the commitment of the top level is particularly important in relation to BCM because: o it requires the leverage they exert across the organisation in order to be effective; o it requires decisions about attitudes to risk and service prioritisation that can only be taken at the top level; and o the top team is responsible for ensuring that effective governance arrangements are in place. Leadership 6.48. Experience has shown that there is merit in giving a member of the executive management board overall responsibility for the BCM process by being appointed as the champion within the organisation. This will ensure that the profile of BCM issues is increased and decisions are made at the appropriate level. PAGE 19 Last updated:March 2012 Emergency Preparedness | Business Continuity Management 6.49. 
BCM is an ongoing process and it is important to gain the support and endorsement of the board at the end of each stage of the cycle. Critically, it should be the responsibility of senior management to provide the assurance that BCM arrangements are robust and meet the requirements of the Act. BCM co-ordinator 6.50. Governance is about accountability, responsibility and control. A person with the appropriate seniority and authority should be identified as accountable for BCM policy, implementation and operation. 6.51. Implementation planning should include arranging appropriate training for staff and exercising the capability; this stage is best carried out using a project management method to ensure that the implementation is effectively managed. 6.52. Ongoing management of your BCM arrangements will contribute to business continuity becoming embedded within the organisation. Regular review, exercise and updating plans will ensure this happens. A review must take place of arrangements after change in the organisation; such as operating procedures, environment personnel, technology, and after an incident or exercise. If the change is significant to the organisation then a review of the Business Impact Analysis is also advised. Stage 2: Understanding the organisation 6.53. An accurate assessment of the Category 1 responder’s organisation and its business is critical, as it will provide the basis upon which all subsequent BCM policies and processes are based. PAGE 20 Last updated:March 2012 Emergency Preparedness | Business Continuity Management 6.54. An understanding of the organisation comes from: o the organisation’s objectives, obligations, statutory duties and operating environment; o the activities, assets and resources that support the delivery of key products and services; o assessing the impact and consequences of failure of these activities; and o identifying and evaluating the threats that could disrupt these. 6.55. 
Category 1 responders should carry out a business impact analysis that assesses over time the impacts if the activity was disrupted; and establish the maximum tolerable period of disruption (MTPD) of each. MTPDs can be worked out by looking at the: o time period after disruption that the activity must be resumed; o minimum level needed upon resumption; and o time period for achieving normal levels of operation. Key to this is identifying interdependencies (assets, infrastructure, and resources) to be maintained. 6.56. Category 1 responders should consider the following when assessing impacts: o the impact on staff or public wellbeing; o the impact of damage to, or loss of, premises, technology or information; o the impact of breaches of statutory duties or regulatory requirements; PAGE 21 Last updated:March 2012 Emergency Preparedness | Business Continuity Management o reputation damage; o damage to financial viability; o deterioration of product or service quality; environmental damage; and o external services and suppliers. Category 1 responders should document this process (approach, findings and conclusions). 6.57. Identification of critical activities is essential to prioritise the areas that need to be focused on. In basic terms, an organisation’s critical activities are those that would have the greatest impact in the shortest time. 6.58. Risk assessment is vital in evaluating threats, and risk should be understood in respect of the organisation’s critical activities. By utilising recognised risk techniques, a scoring can be achieved. Guidance on conducting risk assessments can be found in Chapter 4 of this guidance. Annex 4F sets out a risk matrix that can be used to score impacts. 6.59. Having identified those areas where the Category 1 responder is most at risk, a decision has to be made as to what approach is to be taken to protect the operation. 
This decision, along with a documented list of key products and services, the business impact analysis and the risk assessment, should be signed off by top management to ensure that the work is a true reflection of the organisation.

6.60. As Annex 4F explains, the nature of the risk - defined in terms of its likelihood and impact - will determine which business continuity strategy is appropriate and what, if any, action is required. At one end of the spectrum, disruptions that are low likelihood and low impact may require no specific action, and may merely be dealt with through generic arrangements. Risks that are high impact and high probability, on the other hand, may point to the development of specific plans and risk mitigation strategies.

6.61. A number of the strategies that could be adopted are given below:
o do nothing - in some instances top-level management may consider the risk to be acceptable;
o change, transfer or end the process - such decisions to alter business processes must be taken with regard to the organisation’s key objectives and statutory responsibilities;
o insure - may provide some financial recompense or support but will not aid the organisation’s response and will not meet all losses (e.g. reputation and other non-financial impacts, human consequences);
o mitigate loss - tangible procedures to eliminate or reduce risk within the business; and
o plan for business continuity - an approach that seeks to improve the Category 1 and 2 responders’ resilience to interruption, allowing for the recovery of key business and systems processes within the recovery time objective, while maintaining their critical functions.

6.62. Any strategy must recognise the internal and external dependencies of the organisation and must have general acceptance by the management functions involved. The continuity strategies adopted here will shape the ability of a Category 1 responder to perform its critical functions in the event of an emergency, and it is important that these decisions are taken by the appropriate officers in the full light of the facts.

6.63. The Act requires Category 1 responders to assess the risk of emergencies occurring (“emergency risk assessment”) and to use these assessments to inform emergency planning and business continuity planning [18] (see Chapter 4). The development of community risk registers will mean that Category 1 responders have access to up-to-date information about risks in their area. Contingencies that seriously disrupt the activities of the community may also limit the ability to respond to them effectively.

[18] s.2(1)(a), (b) and (e)

Stage 3: Determining business continuity strategy

6.64. Category 1 responders should look at strategic options for their critical activities, bearing in mind that the most appropriate strategy will depend on factors such as the maximum tolerable period of disruption, cost, and the consequences of inaction.

6.65. Strategies should be considered for the following areas:
o people - e.g. multi-skill training; separation of core skills; use of third parties; succession planning; and knowledge retention and management;
o premises - e.g. alternative premises/locations; working from home and remote sites;
o technology - e.g. geographical spread; holding emergency replacements, such as old equipment and spares; additional risk mitigation for unique or long lead-time equipment; remote access; third parties;
o information - e.g. confidentiality; integrity; availability; and currency;
o supplies - e.g. storage of contingency stock at an additional location; third party arrangements; assessing the BC capability of your suppliers; dual sourcing; and contractual and service level agreements; and
o stakeholders - e.g. protecting the interests of key suppliers and good relationship management.

6.66. Senior managers should sign off documented strategies.

Stage 4: Developing and implementing a BCM response

6.67. Business continuity planning is at the heart of the BCM process. The business continuity plans provide the framework in which the Category 1 responder mobilises its response to a BCM challenge in the event of an emergency. Plans normally consist of an Incident Management Plan, a Business Continuity Plan and a Business Recovery Plan.

6.68. In developing all plans, consideration should be given to:
o keeping it short, simple and user-friendly - it will need to be read and understood in challenging and pressured circumstances;
o ensuring the assumptions contained are realistic – e.g. numbers of staff directly affected by the incident, the effect of the ‘backlog trap’ (i.e. the impact on recovery of the accumulation of tasks left uncompleted);
o references to other sources of information and supporting documentation – e.g. guidance, databases, lists of key contacts, resources and suppliers;
o action plans and checklists – what should be provided;
o ownership of key tasks - these should be reflected in job descriptions;
o pro-formas - giving templates and model documentation;
o version control - the need to implement document management procedures, including a list of all plan holders, which has to be maintained, together with a distribution and change control process; and
o communications - effective communication with stakeholders and, where appropriate, the media is crucial to an effective response.

6.69. The structure, content and detail of the BCPs will depend on the nature of the Category 1 responder, the risk and the environment in which it operates. In particularly large or complex organisations, it may be necessary to have departmental plans which integrate into one high-level plan. Further advice on plan presentation can be found in Chapter 5.

6.70. The method by which an incident management, business continuity or business recovery plan is invoked should be clearly documented. As part of this, the individual(s) that have the authority to invoke them should be recorded, along with: how to mobilise the team(s); rendezvous points; and command centre locations.

6.71. Each incident management plan, business continuity plan and business recovery plan should set out prioritised objectives in terms of: the critical activities to be recovered; the timescales in which they are to be recovered; and the recovery levels for each critical activity.

6.72. The purpose of a business continuity plan is to enable an organisation to recover or maintain its activities in the event of disruption. Invocation supports the critical activities of an organisation; plans may be invoked in whole or in part and at any stage.

6.73. An Incident Management Plan is a clearly defined and documented plan of action for use at the time of an incident. It should typically cover: task and action lists; emergency contacts; people activities; media response; stakeholder management; and locations. Other useful information to consider: contacts; mobilisation details for relevant agencies; log templates; maps, charts, plans and photographs.

6.74. A Business Continuity Plan will typically contain: action plans and task lists, for example: how the BCP is invoked, who is responsible, the procedure, who does what when and where, services available, communications; resource requirements, for example: people, premises, technology, information and supplies; responsible person(s); and forms, templates and annexes.

6.75. A Business Recovery Plan aims to support the recovery and resumption of operations to a “normal” state. However, with some incidents it may not be possible to define what “normal” looks like until some time after an incident. Category 1 responders might, therefore, wish to ensure that BCPs are capable of extended operation, giving time for the development of recovery plans.

6.76. The diagram below provides an illustration of how these three sorts of plan will come into play during a disruption.

Figure 6.2: Incident Timeline (reproduced from BS 25999:2006, British Standard, Business Continuity Management Part 1: Code of Practice) [19]

[19] Permission to reproduce extracts from [Name of Standard] is granted by BSI. British Standards can be obtained in PDF or hard copy formats from the BSI online shop: www.bsigroup.com/Shop or by contacting BSI Customer Services for hard copies only: Tel: +44 (0)20 8996 9001, Email: [email protected].

Stage 5: Exercising, maintaining and reviewing BCM arrangements

6.77. The Regulations require Category 1 responders to put in place arrangements [20] to exercise BCPs to ensure they are effective. An organisation’s business continuity and incident management arrangements cannot be considered reliable until exercised. Exercising is essential to developing teamwork, competence, confidence and knowledge, which are vital at the time of an incident. Arrangements should be verified through exercising, and a process of audit and self-assessment, to ensure that they are fit for purpose.

[20] regulation 25(a)

6.78. When developing a BCM exercise programme, Category 1 responders will need to consider the:
o focus of the programme;
o types of exercise to be used;
o involvement of senior management in developing, executing and quality-assuring the programme;
o process for delivering exercises; and
o relationship between the BCM exercise programme and the exercising of emergency plans.

6.79. Exercises should focus on impacts and test capabilities. While there is an infinite number of scenarios and possible responses, the list of impacts and capabilities is limited.

Figure 6.3: Types and Methods of Exercising BCM Strategies [21]

Complexity: Simple
Exercise: Desk check
Process: Review/amendment of content
Variants: Update/validation; Audit/verification; Challenge content of BCP
Good practice frequency: At least annually (update/validation); Annually (audit/verification)

Complexity: Medium
Exercise: Walk-through of plan
Process: Challenge content of BCP and validate participants’ roles
Variants: Include interaction
Good practice frequency: Annually

Complexity: Medium
Exercise: Simulation
Process: Use ‘artificial’ situation to validate that the BCP(s) contain both necessary and sufficient information to enable a successful recovery
Variants: Incorporate associated plans
Good practice frequency: Annually or twice yearly

Complexity: Medium
Exercise: Exercise critical activities
Process: Defined operations from alternative site for a fixed time
Variants: Invocation in a controlled situation that does not jeopardise business as usual operation
Good practice frequency: Annually or less

Complexity: Complex
Exercise: Exercise full BCP including incident management
Variants: Building-/campus-/exclusion zone-wide exercise
Good practice frequency: Annually or less

[21] Regulation 4(4)(b), 4(7)

The frequency of exercises should depend upon the organisation’s needs, the environment in which it operates, and stakeholder requirements.
However, the exercising programme should be flexible, taking into account the rate of change within the organisation and the outcome of previous exercises. The above exercise methods can be employed for individual plan components, and for single and multiple plans.

6.80. Exercising can take various forms, from a test of the communications plan, or a desk-top walk-through, to a live exercise (see Figure 6.3 above). In all cases though, exercises should be realistic, carefully planned, and agreed with stakeholders, so that there is a minimum risk of disruption to business processes.

6.81. The exercise programme should have the full support of the executive lead for business continuity issues. But the involvement of senior management should not be limited to defining the structure of the programme. In addition to taking part in exercises, senior management should be involved in quality-assuring the exercise programme and endorsing the outcomes.

6.82. Figure 6.4 suggests a process for carrying out an exercise programme. Exercising is not about ‘passing’ or ‘failing’; it is all about learning lessons. There should be a debrief after each exercise in order to capture the experience of all the participants. What is important is that the captured data is recorded and considered as part of the post-exercise analysis.
Figure 6.4: Exercising your BCP – the learning cycle

Business Continuity Plan
-> Exercise: this can be a test of a part or the whole of a plan.
-> Debrief: there should be a debrief after each exercise in order to capture the experience of all the participants.
-> Post-Exercise Analysis
-> ‘Lessons Learned’ Report: this post-exercise report should collate the output of all debriefs with the post-exercise analysis of the exercise outcomes.
-> Review: plan changes must be clearly understood and embraced by the service areas upon which they impact.
-> Post-Exercise Report: this report closes the exercise programme and outlines the full outcome of the programme. It makes recommendations for changes to the BCP.
-> Approval and acceptance of recommendations by the business continuity strategic lead within the organisation.
-> Implement BCP changes: having made changes to the BCP, it is important to review the plan in its entirety before disseminating the ‘current version’.
-> Audit: the BCP should be audited against the LLR and necessary changes identified.
-> back to the Business Continuity Plan.

6.83. Every exercise should have clearly defined aims and objectives. A post-exercise debriefing and analysis should be undertaken which considers the achievement against these.

6.84. The post-exercise analysis is usually undertaken individually by the exercise manager or as a meeting of the exercise-planning group. A post-exercise report should be produced that contains recommendations and a timetable for implementation.

6.85. This report must be submitted to the executive lead for business continuity within the Category 1 responder organisation for approval of the recommendations.

6.86. Once approval has been obtained, the changes to the BCP can be implemented. This should drive changes to the BCM and will be tested as part of any future exercising programme by the business continuity managers. This process provides the audit trail of BCP maintenance and testing.

6.87. When exercising a specific part of a plan it may be more appropriate for the output to be a simple memorandum detailing the part tested. For example, for a call-out cascade exercise that tests the contacts listed within the plan for activation, a memo to the organisation’s executive lead for business continuity stating that the test took place, was completed satisfactorily, and that all the contacts listed in the BCP are correct, would be sufficient to create the audit trail of that aspect of plan testing.

6.88. It is important that business continuity planning and exercising are not done in isolation from wider emergency planning work. In part, BCPs are in place to ensure that Category 1 responders are able to deliver their emergency response function in the event of an emergency. Category 1 responders should not forget the close synergies between emergency plans and BCPs when learning the lessons of exercises and making changes as a result. Post-exercise reports may have implications for both.

6.89. The purpose of this exercise programme is to test the robustness of BCPs in the event of an emergency - will they enable the Category 1 responder to cope effectively with disruptions to the provision of critical services? One such critical function must be the emergency response function itself.

6.90. The Act specifically requires Category 1 responders to maintain BCM plans to ensure that they can continue to deliver key services in the event of an emergency. It is essential that Category 1 responders not only put plans in place, but also ensure that they are regularly reviewed and kept up to date.

6.91. Plan maintenance should therefore be an ongoing process. It is good practice to undertake a comprehensive review of the state of the plan periodically.

6.92. A process should be established whereby the BCM team is informed of relevant changes and developments, and these are incorporated into the plan. Effective version control procedures should be implemented to ensure that relevant members of staff are working from the correct edition of the plan.

Stage 6: Embedding BCM in the organisation’s culture

6.93. Documenting the BCP is one element of developing a BCM strategy. Its success, however, depends upon:
o implementation of the recommendations made, across the entire organisation;
o a programme of training for those directly involved in the execution of the plan; and
o an education and awareness programme to ensure understanding and adoption of the plan in relevant parts of the organisation - this applies to both internal and external stakeholders (e.g. employees and suppliers).

6.94. Category 1 responders should deliver a programme of training and awareness to ensure that the relevant parts of the organisation are confident and competent concerning the plan. All parties must appreciate the importance of BCM to the operation’s survival and their role in this process. This means that business continuity should be ‘mainstreamed’ in emergency management and should be a core element of the emergency planning culture the Act establishes.

6.95. As the first part of this chapter notes, the Regulations require Category 1 responders to give appropriate training to those involved in implementing BCPs [23]. This section of the chapter also sets out the objectives of such training programmes and what they should cover.

[23] regulation 25(b)

6.96. Training will need to be done on a rolling basis to cover staff turnover. BCM co-ordinators should establish a training database to monitor the take-up of training opportunities.

6.97. It is also important to ensure that awareness of BCM issues is raised throughout the organisation, to ensure that all relevant staff have confidence in its ability to manage in a crisis, and know how they should respond in the event of a disruption. For example, some organisations distribute ‘z-cards’ to all staff, setting out what they should do in the event of a range of contingencies (e.g. details of secondary sites or evacuation points). The box below sets out some of the key messages and the means of getting them across.

Box 6.1: The Business Case for BCM

Part of embedding a ‘continuity culture’ within an organisation is to convince senior staff of the business case for BCM. It makes sense to put in place BCM arrangements because they help to:
o protect the reputation of the Category 1 responder. The community expects continuity of critical services, even in the most challenging of circumstances. They expect you to be fully in control, and to be seen to be in control - your organisation’s reputation is at risk if you are not. Maintaining the reputation of statutory services in an emergency is a vital element for public reassurance;
o produce clear cost benefits. Identifying, preventing and managing disruptions in advance can reduce the costs to an organisation in terms of financial expenditure and management time. The demands of the insurance market have also increasingly become an important driver;
o protect the organisation, ensuring that Category 1 responders can help others in an emergency. For Category 1 responders to help others, they first have to be able to keep themselves going in the face of a disruption. BCM will help ensure that they can mobilise the capabilities they need to deal with the emergency.
It will also help ensure that the impact of the emergency on the day-to-day functions of the Category 1 responder is kept to a minimum, and that disruptions to vital services do not deepen the impact of the emergency on the wider community;
o ensure compliance and corporate governance. Category 1 responders are - to varying degrees - subject to performance standards, corporate governance requirements and, in some cases, specific requirements to do BCM (e.g. NHS Trusts). Establishing BCM arrangements pursuant to the requirements of the Act will help ensure compliance with this wider framework of responsibilities and expectations; and
o develop a clearer understanding of how the organisation works. To ensure the continuity of an organisation, you first have to understand how it works. The process of analysing the business can yield sources of increased operational effectiveness and efficiency.

6.98. To be truly effective, BC must form part of the culture in an organisation. This can be achieved by: leadership from senior personnel; assigning clear responsibilities; awareness raising; skills training; and exercising plans.

6.99. Category 1 responders should extend their awareness-raising activities to those third parties upon whom the Category 1 responder depends in both normal and crisis operations. They need to be aware of how the response will develop when a BCM event occurs, and what this will mean for them.

6.100. Category 1 responders also have an interest in ensuring that their suppliers and contractors have in place robust BCM arrangements. To ensure the resilience of operations, it is necessary to ensure that other aspects of the delivery chain are resilient too. It is important to build BCM into procurement and contract management processes. The Office of Government Commerce provides detailed advice on these issues which is freely available on its website: http://www.ogc.gov.uk.

6.101. Business continuity as part of Civil Protection is very much a multi-agency activity, where Category 1 responders must work together - and understand each other’s capabilities and vulnerabilities - if they are going to be effective.

6.102. In the emergency planning area, it is essential for Category 1 responders to be aware of each other’s plans. BCM arrangements underpin emergency management capabilities - it is important that Category 1 responders have an awareness of the continuity issues facing their partners in the event of an emergency. Which functions will be discontinued? How will functions be scaled down or up in the event of an emergency? Where are partners’ contingency sites?

6.103. The Local Resilience Forum (LRF) provides a framework for dialogue about business continuity issues. Category 1 responders should consider using the LRF process as a means of raising mutual awareness, ensuring that plans dovetail, developing frameworks for mutual assistance, and sharing best practice.

6.104. The Act requires Category 1 responders to publish aspects of their BCPs in so far as this is necessary or desirable for the purposes of dealing with emergencies [24].

[24] s.2(1)(f)

6.105. The purpose of this requirement is to ensure that Category 1 responders make relevant information available to the public about what will happen in the event of an emergency. There are three principal classes of information which Category 1 responders should consider communicating to the public:
o a descriptive account of the business continuity plans they have in place, for the purposes of reassuring the public;
o information about the implications of emergencies for the continuity of a Category 1 responder’s ordinary operations – e.g. the possibility of service suspensions or adjustments. Proactively publishing this sort of information in advance of an emergency allows the public to think about their preparations. For example, parents might find it useful to know under which circumstances schools might be closed in the event of severe weather;
o sources of information and advice about service continuity issues that the public could consult in the event of an emergency.

6.106. This communication can take place through a variety of means, including websites and other publications. This could also be achieved by integrating business continuity issues within mission statements, statements of service and other public information brochures, relating either to the organisation as a whole or to individual services.

6.107. Responders can get further guidance and support from the following website: http://shop.bsigroup.com/. In particular, the British Standard on business continuity, BS25999 parts 1 and 2, will be useful, along with PB25666: Guidance on exercising and testing for continuity and contingency programmes.

6.108. The International Standards Organisation (ISO) is in the process of producing a requirements and guidance document on business continuity: ISO22301 and ISO22313. Publication of these two documents has not been agreed. Early indication is, however, that if published there will be nothing substantially different from the British Standard BS 25999, parts 1 and 2.
Therefore, alignment with the British Standard will not only provide a good basis for BCM but at this stage would also appear to align with the forthcoming international standards.

Good Practice Guidelines 2018 Lite Edition
Highlights of the global guide to good practice in business continuity.

[Figure: Business Continuity Management (BCM) Lifecycle: Building organizational resilience. Lifecycle stages: Policy and Programme Management; Embedding; Analysis; Design; Implementation; Validation. Related disciplines shown around the lifecycle: Risk Management, Communications, Facilities Management, Emergency Management, Health and Safety, Information Security, Physical Security, Crisis Management, Human Resources.]

BCI Good Practice Guidelines 2018 Lite Edition © 2018 The Business Continuity Institute

COPYRIGHT PROTECTED DOCUMENT
© The Business Continuity Institute/The BCI Forum Limited. Published 2018. All rights reserved. No part of this publication may be reproduced or utilised in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from the Business Continuity Institute at the address below:
BCI Copyright
[email protected]
10-11 Southview Park, Marsack Street, Caversham, Berkshire, RG4 5AF, UK.
www.thebci.org

For those intending to take the Certificate of the BCI (CBCI) examination, the full version of the GPG 2018 should be studied.

Contents
Introduction to the Business Continuity Institute’s Good Practice Guidelines 2018 Lite Edition 4
About the BCI 4
What is Business Continuity? 4
What is the Good Practice Guidelines 2018 Lite Edition? 4
Who is the Good Practice Guidelines 2018 Lite Edition for? 5
What to do next 5
The BCM Lifecycle: Building organizational resilience 6
The Professional Practices 2018 6
Glossary of Terms 7
PP1 Policy and Programme Management 9
PP2 Embedding Business Continuity 11
PP3 Analysis 13
PP4 Design 15
PP5 Implementation 17
PP6 Validation 19
Next steps 21
CBCI Classroom Course 21
CBCI Online 21
CBCI Exam 21
Additional training courses 21

Introduction to the Business Continuity Institute’s Good Practice Guidelines 2018 Lite Edition

The business continuity (BC) profession continues to evolve as its value is recognised by a wider audience. The world in 2018 continues to be challenged by socio-economic and geo-political change. Organizations must respond and adapt to familiar challenges such as the increasing dominance of technology and the internet, as well as new disruptive threats arising from the globalisation of terrorism and the rapid increase in cyber threats.

The increasing awareness of the importance of enhancing organizational resilience reinforces the value of building effective business continuity capabilities, and is central to the purpose of the BCI.

The business continuity management lifecycle is central to improved organizational resilience. Through collaboration with other management disciplines, for example, risk management, communications, emergency management, crisis management, health and safety, facilities management and human resources, the BCI aims to promote and create a more resilient world.

What is Business Continuity?

Business continuity is the key discipline that sits at the heart of building and improving the resilience of organizations. It is a tried and tested methodology that an organization should adopt as part of its overall approach to managing risks and threats. Business continuity management identifies an organization’s priorities and prepares solutions to address disruptive threats. An effective business continuity programme supports the strategic objectives of the organization and pro-actively builds the capability to continue business operations in the event of disruption. The programme includes the identification of risks and threats, the creation of response structures and plans to address incidents and crises, and promotes validation and continuous improvement.

About the BCI

The BCI is the world’s leading professional association responsible for improving organizational resilience through building business continuity capability and professional development of individuals all over the world.

The BCI’s vision is a world where all organizations, communities and societies become more resilient.

The BCI is built on the principle of professionalising business continuity practice, and continues to be the authoritative and reliable source of information on all aspects of business continuity theory and practice for professionals, and offers a wealth of online resources via www.thebci.org.

What is the difference between the Full and Lite Editions of the Good Practice Guidelines 2018?

The Good Practice Guidelines 2018 Edition provides a full and comprehensive breakdown of business continuity management. The business continuity management lifecycle provides a framework to structure the approach to business continuity. It gives readers the understanding and knowledge to sit our Certificate of the Business Continuity Institute (CBCI) examination and progress their careers within business continuity and the wider resilience landscape.

The Lite Edition provides you with an overview of the six Professional Practices. It is the perfect tool for organizations to inform staff of good practice, and for professionals to understand the Professional Practices before they enrol on the full CBCI course.

The Good Practice Guidelines have been revised as part of the BCI’s process of continual improvement and ongoing development of our body of knowledge to remain relevant to professionals worldwide.

Who is the Good Practice Guidelines 2018 Lite Edition for?

The GPG 2018 Lite Edition is for any professional or organization looking to take their first steps towards improved organizational resilience. The GPG and GPG Lite are relevant to anyone with a business continuity or resilience related role, which can include, but is not limited to, those working in risk management, information security, physical security, emergency management, facilities management, health and safety, communications, and human resources.

What to do next

Once you have read the Good Practice Guidelines 2018 Lite Edition, you will have an understanding of the business continuity management lifecycle which will help you to progress to the full CBCI course and exam.

Our CBCI exam tests your knowledge of the Good Practice Guidelines 2018 Edition and can be taken in two ways: in person or online.

The BCI has a selection of other resources available, ranging from sector specific training courses to mentoring and networking opportunities.

Once you are a certified member of the BCI, you will gain a post nominal designation of CBCI which demonstrates your knowledge of the Professional Practices. You can also explore your personalised member area and benefit from the BCI’s extensive range of resources. Further information on our range of resources is available at the end of this document.
