. 125
( 131 .)


Compare and contrast the business continuity cycle and the risk management

The business impact analysis (BIA)
Understand the role and the values of a business impact analysis (BIA)
within the business continuity management process;
Understand the BIA framework, its needs, its players and its ownership;
Enable consistency and clarity of objectives;
Enable a consistent, clear and measured communication of risk issues;
Access and evaluate sources of information; and
Consider the opportunities for decision making around information evolving
from the BIA.

The business impact analysis: a hitch hikers guide
Understand practical considerations when delivering a BIA;
Be aware of some of the options to obtain information and gain trust in the
balanced picture being developed; and
Appendix F “ Institute of Risk Management “ Business Continuity and Crisis Management syllabus

Consider options for tools to be able to present risk concepts in a clear and
concise way ready for decision making.

Application and uses of BIA information
Illustrate the wider role and the practicalities of the BIA by reference to indi-
vidual risks;
Consider individual risks to intellectual assets, physical damage to work-
stations and production lines, and outsourcing and the value chain; and
Illustrate the differing values of the BIA including the creation of tools and
information that lead directly into business recovery plans.

Technology exposures and continuity
Consider the special dependencies and the exposures around the techno-
logical services to an organisation;
Identify the dependencies and interdependencies of centralised computer
services, distributed systems, communications and end-user equipment.
Furthermore identify the exposures around laptops and other remote
Identify the risks within both in-house and also outsourced services and
Bring together and match the crucial, urgent operational needs and opportun-
ities available from the technology suppliers;
Consider the special expectations, exposures and dependencies of e-commerce.
Ensure the risk management and continuity of computerised systems
embrace the mutual dependencies between technical services and the ˜old
technologies™ and people are clearly recognised;
Encourage the organisation, once the dependencies and opportunities are
clear, to develop technological continuity plans that will precisely meet
those urgent crucial needs;
Ensure as best as possible a credibility in technology risk management and
continuity planning; and
Establish ground rules and checklists in establishing technology continuity

Dependency management: supplier management,
outsourcing and business support
Provide definitional language for supplier management, outsourcing and
Explore the implications of supplier management and lead times for replace-
ment following loss or disruption;
Examine the issues involved and the planning required in managing the exit
from an outsourcing agreement;
Appendix F “ Institute of Risk Management “ Business Continuity and Crisis Management syllabus 697

Examine with the use of case studies the implications of single-source and
critical components in production and supply-chain processes;
Investigate the issues associated with production-line management tech-
niques including just-in-time;
Consider the services provided to support business continuity management
and the issues of dependency associated with these; and
Discuss an approach for dovetailing business continuity with supplier and
outsourcing management.

Other applications for business continuity tools and
Recognise where the business continuity principles and tools can be used
elsewhere in the organisation;
Make as much additional use as possible out of the business continuity tools,
information and resources that have been created;
By maximising all such values, improve the business case further for the
resources and time applied; and any monetary investment made in business
continuity management; and
Illustrate these additional values by considering individual exposures.

The role of people
To gain an appreciation of the issues associated with people and business
continuity management;
To gain an understanding of why some people excel following an incident
while others falter and what makes the difference;
Examine the dynamics of team performance, the team players and issues
associated with plan invocation and recovery;
Consider the people success factors of an invocation;
Examine post-trauma considerations and management;
Consider supply-chain, outsourcing and off-shoring people-related issues; and
Consider business continuity management training and education needs and
the options for delivery.

The values of insurance products in a crisis situation
To consider insurance products from the viewpoint of the critical or cata-
strophic risks carried by an organisation;
To understand whether and where insurers™ products and the insureds™
needs interface;
To assess the value of conventional insurance products to organisations
facing potentially catastrophic damage; and
To identify in particular where these insurance products do not provide pro-
tection for the continuity needs of an organisation.
Appendix F “ Institute of Risk Management “ Business Continuity and Crisis Management syllabus

Communications in a crisis
Examine the role of communication;
Consider aspects of reputation;
Consider communication by stakeholder and the options available;
Gain an appreciation that building resilience applies to communication too;
Consider communication as part of the planning process;
Consider communication as part of the notification, invocation and recovery
Evaluate the opportunities and threats associated specifically with the media;
Review the communications issues associated with team training, rehearsal
and exercising.

Relationships with emergency and governmental services
To consider the role that emergency services and other governmental depart-
ments play in business continuity;
To consider the role that emergency services and other governmental depart-
ments play in crisis management;
Explore the value in understanding those roles and in cooperation when
undertaking a process of continuity management; and
Recognise the opportunities and challenges brought by public authorities
throughout the management of a business-threatening incident that has

Rehearsals and exercising of plans and risk decision
Discuss the importance of ensuring as much credibility as is possible in cata-
strophic risk management and continuity planning;
Consider the values of rehearsal training and exercising of people and the
resources that are expected to be used;
Understand the use of exercising and rehearsal training as a quality measur-
ing tool for decision making around risk;
Understand the importance of exercising plans as a vital check that these
plans are still up to date;
Consider the different types of exercises that are available to the risk manager
and where different styles best meet different requirements;
Consider guides and standards that are available on exercising; and their use
as benchmarking tools; and
Understand the limitations as well as the values of exercising.

Maintenance, benchmarking, assurance and audit
Review the drivers and options for plan review and maintenance;
Consider the role of benchmarking tools;
Appendix F “ Institute of Risk Management “ Business Continuity and Crisis Management syllabus 699

Discuss quality assurance and compliance in the context of business continuity
management; and
Explore the validation of business continuity plans through the processes of
internal and external audit.

The continuity plan and its role
Examine the purpose of a plan;
Explain the plan components;
Outline the stages of an incident and how plan design can address these;
Consider the differing needs of the small, medium and large organisation;
Review specialist plans™ needs from call centre to board level crisis;
Examine team characteristics at various positions within an organisation™s
plan framework;
Review support services and suppliers;
Evaluate the role of software; and
Consider where business continuity management heading fits as a discipline
both independently and as part of risk management.
This page intentionally left blank

CBC framework for corporate
governance for SMEs
G CBC framework for corporate
governance for SMEs

Elements of What should be in place

Commitment to A set of Business Principles adopted by the board and fully
Business communicated inside and outside the company.
Principles Comments on application for small SMEs:
The ˜CBC Business Principles™ apply equally to small SMEs as to large
Policies and * Written policies and supporting practices addressing the key
practices elements of corporate governance. This could be a document of a
few pages that summarises the elements that follow.
Comments on application for small SMEs:
Small SMEs should document policies and supporting practices,
albeit in very concise form.
Health, safety, A commitment by the board or owner to proper standards of HSSE.
security and Demonstrated action for a healthy, safe and secure working
environment environment.
Full compliance with HSSE laws and regulations.
Demonstrated actions to avoid environmental damage.
Leadership and Leadership exercised in a transparent manner for the benefit of the
structure whole entity.
A distinction between the owner and the enterprise as a separate
entity, avoiding conflicts of interest.
* A ˜board of directors™ (or equivalent) with:
A director selection and appointment process.
Agreed and understood roles and responsibilities.
Separate roles of chairperson and chief executive, if
Responsibility for cohesion in the board resting with the
A number of independent non-executive directors.
A balance of skills among the members of the board.
An audit committee composed of independent directors.
Board meetings on not less than a quarterly basis.
Pre-circulated board papers and record minutes of board meetings
and of decisions made in permanent form.
Appendix G “ CBC framework for corporate governance for SMEs 703

Comments on application for small SMEs:
Small SMEs should aim at an early stage of evolution to have the following (less formal)
mechanisms in place:
Availability to the enterprise of skills and experience, of objectivity and independence of
thought; and
Appointment of a company mentor or independent advisor.
Small SMEs may not have a board with independent directors. Nonetheless external
advice should be considered.

Strategy, planning A written strategy capable of being communicated to stakeholders.
and monitoring * A business/financial plan:
Setting out how the strategy will be achieved
Containing a financial plan
Containing plans for key resources such as human resources, systems,
assets and intellectual capital:
Setting key goals and plans for monitoring and (self-)assessment.
Management succession planning.
A safe record of key decisions made and reasons why (especially for
acquisition or disposal of assets).
Comments on application for small SMEs:
A small SME might not have the above steps in a detailed form.
Nonetheless a written financial plan should exist.
Risk management Awareness of risks to the business:
Identification of risks (as part of the business plan).
Assessment of likelihood of the risk eventuating and the impact
if it did.
Risk mitigation measures.
A ˜Whistleblowing™ system, with encouragement of open com-


. 125
( 131 .)