
Beyond the BCM Manager: Additional roles to consider during the disruptive incident

A crisis or disaster is something that no organization, regardless of its size, wants to go through. Because of this, many of them adopt business continuity practices, such as Business Continuity Management Systems (BCMS) based on ISO 22301, to minimize the chances of such events occurring and, if they occur, to minimize their impacts and resume activities as quickly as possible.

A key element in minimizing impacts and resuming activities is the Business Continuity Plan (BCP), which lays out the people to be involved, the activities to be performed, and the resources to be allocated during a disruptive incident. Depending on the organization’s size and complexity, it could involve anywhere from a few people to dozens of professionals. For more information, see Business continuity plan: How to structure it according to ISO 22301.

This article addresses an important point when elaborating BCPs: during disruptive incidents, many activities may have to be performed in parallel, and failing to consider this may overwhelm individual team members or the whole team. To help handle this, I will present the critical roles that should be considered in a BCP when designating responsibilities, so the team has a better chance of meeting BCP objectives.

BCP lifecycle and responsibilities

Taking as reference ISO 22301, clauses 8.4 and 8.5, a BCP lifecycle can be described by these general steps:

Elaboration: definition of scenarios under which a disruptive event can occur, and what to do to handle such potentially catastrophic incidents.

Testing: performing of exercises and simulations to ensure plans, personnel, and resources will work properly during a disruptive event.

Execution: when a disruptive event hits the organization, impacts must be minimized and business processes must be resumed and recovered as defined in BCP objectives.

Updating: critical reviews must be performed after plan testing or activation, so the plan can be corrected or improved.

During elaboration, testing, and updating, BCPs are generally under the responsibility of a person in the role of Business Continuity Management (BCM) Manager, or someone who inherits this function. For more information about the BCM Manager, read The challenging role of the ISO 22301 BCM Manager.

During a disruptive event, a BCP is under the responsibility of roles previously defined, which can be roughly divided into business decision makers, BCP manager, BCP leader, and BCP team members.

Other business continuity frameworks, such as the “Good Practices Guidelines” (GPG) from Business Continuity Institute (BCI), and the “Special Publication 800-34” (Contingency Planning Guide for Federal Information Systems) from NIST (National Institute of Standards and Technology), have similar structures that can make use of these recommendations.


How does an event disrupt a business and impact the BCP?

We can say that an incident disrupts business when the disruption lasts longer than what would be acceptable by an organization, and this can occur when:

  • external infrastructure failure prevents the organization from delivering products and/or providing services (e.g., an interrupted road, or a massive DDoS attack against the Internet)
  • the organization’s infrastructure is unable to deliver products and/or provide services (e.g., fire at a facility, or a data loss after a ransomware attack)
  • the organization’s workforce is unable to perform its activities (e.g., after an accident, or epidemic)

Each of these situations is already a major problem on its own; when they occur together, e.g., as a consequence of a major natural disaster, things get even worse, because the BCP team must:

  • coordinate efforts with external parties to handle the external infrastructure failure
  • perform the activities defined to handle the internal failure
  • assist wounded personnel and support their families

As you can see, these activities may be very different from each other, and none of them can be prioritized to the detriment of the others.

Critical roles to be considered in a BCP

Since every organization may be hit by an event that can result in the situation described previously, how should it consider that situation when developing its BCP?

The basic idea is to avoid making any single person responsible for activities covering more than one line of action (external efforts, internal continuity activities, and personnel assistance). And you may accomplish that by organizing activities considering these roles:

HR leader: team member responsible for all activities related to people affected by the event (workforce, visitors, contractors, and other people). The team assigned to this leader should take care of personnel evacuation, first aid to the wounded, and contact with emergency services and personnel families.

Business leader: team member responsible for all activities related to coordination with external infrastructure, taking care, for example, of alternative routes and suppliers. As well as being responsible for ensuring that products and services are resumed, this leader should also be the point of contact with those responsible for internal infrastructure recovery.

Infrastructure leader: team member responsible for activities related to internal infrastructure recovery. This role can be subdivided, if necessary, according to the type of infrastructure (e.g., physical infrastructure, IT, etc.).

Communications leader: team member who is the point of contact with media and public services, to avoid communication misunderstandings.

Note that since these are roles, there is no need to dedicate one person exclusively to each role. Your organization must only take care not to assign two or more of these roles to the same person.

What if splitting the roles is not possible?

When an organization, because of its size or resources, is not able to split roles in its BCP team, it should check what impact this situation will have on its Recovery Time Objective (RTO), and make proper adjustments, either by allocating more people or redefining recovery priorities and/or objectives.

Organize roles to avoid overloading your team

Disruptive events bring great stress to an organization, and BCP teams will be under great pressure.

By properly organizing BCP roles so that team members are not unnecessarily overwhelmed by activities that require almost simultaneous attention, they will be more capable of performing their duties and ensuring the achievement of BCP objectives.

Check out this free webinar ISO 22301: An overview of the BCM implementation process to learn how business continuity planning fits into the overall ISO 22301 implementation.

Author: Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001.


Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.