About the Professional Practices for Business Continuity Management
Created and maintained by Disaster Recovery Institute International, The Professional Practices for Business Continuity Management is a body of knowledge designed to assist in the development, implementation, and maintenance of business continuity programs. It also is intended to serve as a tool for conducting assessments of existing programs.
Use of the Professional Practices framework to develop, implement, and maintain a business continuity program can reduce the likelihood of significant gaps in a program and increase cohesiveness. Using the Professional Practices to assess a program can identify gaps or deficiencies so they may be corrected.
Business continuity management (BCM), as defined in this document, is a management process that identifies risks, threats, and vulnerabilities that could impact continued operations. Business continuity provides a framework for building organizational resilience and the capability for an effective response. All other terms are defined in The International Glossary for Resiliency published and maintained by DRI International.
Professional Practices 2017
As part of DRI International’s ongoing efforts to maintain the relevance and utility of the Professional Practices, an extensive revision of substance, form, and function was undertaken starting in mid-2015 and finishing in the beginning of 2017. The goals were to provide information that would include:
- Advances in technology
- Cyber threat considerations
- Utilizing insurance as a risk transfer tool
- Strategies for manufacturing
- Supply chain processing
- Risk management concepts
- Legal and regulatory concerns
In addition, the titles of two of the Professional Practices were modified to be consistent with industry and professional standards, specifically:
- Professional Practice 2 was changed from “Risk Evaluation and Control” to “Risk Assessment”
- Professional Practice 5 was changed from “Emergency Response and Operations” to “Incident Response”
The Professional Practices for Business Continuity Management objectives:
- Program Initiation and Management
- Establish the need for a business continuity program.
- Obtain support and funding for the business continuity program.
- Build the organizational framework to support the business continuity program.
- Introduce key concepts, such as program management, risk awareness, identification of critical functions/processes, recovery strategies, training and awareness, and exercising/testing.
- Risk Assessment
- Identify risks that can adversely affect an entity’s resources or image.
- Assess risks to determine the potential impacts to the entity, enabling the entity to determine the most effective use of resources to reduce these potential impacts.
- Business Impact Analysis
- Identify and prioritize the entity’s functions and processes in order to ascertain which ones will have the greatest impact should they not be available.
- Assess the resources required to support the business impact analysis process.
- Analyze the findings to ascertain any gaps between the entity’s requirements and its ability to deliver those requirements.
- Business Continuity Strategies
- Select cost-effective strategies to reduce deficiencies as identified during the risk assessment and business impact analysis processes.
- Incident Response
- Develop and assist with the implementation of an incident management system that defines organizational roles, lines of authority and succession of authority.
- Define requirements to develop and implement the entity’s incident response plan.
- Ensure that incident response is coordinated with outside organizations in a timely and effective manner when appropriate.
- Plan Development and Implementation
- Document plans to be used during an incident that will enable the entity to continue to function.
- Awareness and Training Programs
- Establish and maintain training and awareness programs that result in personnel being able to respond to incidents in a calm and efficient manner.
- Business Continuity Plan Exercise, Assessment, and Maintenance
- Establish an exercise, assessment and maintenance program to maintain a state of readiness.
- Crisis Communications
- Provide a framework for developing a crisis communications plan.
- Ensure that the crisis communications plan will provide for timely, effective communication with internal and external parties.
- Coordination with External Agencies
- Establish policies and procedures to coordinate incident response activities with public entities.