The Business Continuity Management (BCM) module is aimed at making sure that the company is prepared to tackle unexpected risk events that might cause significant business damages, which is why conscious planning and preparation for such risks may become a core objective of business processes.
SeCube is capable of bringing together business and IT technology/service continuity planning and recovery and also of handling them both in a uniform manner.
The BCM module is set to support the full life-cycle of business continuity management in a uniform system (taking into account the ISO 22301 standard):
- Operations modelling (Inventory)
- Risk analysis (Risk) and business impact analysis (Governance).
- Defining restoration target times and comparing those with our plans (BCM)
- The preparation of BCP and DRP detailed plans (BCM)
- Planning the preparation tasks during business-as-usual periods and checking their implementation (BCM)
- Maintaining and reviewing plans (BCM)
- Testing plans (BCM)
- Emergency application and simulations (BCM)
SeCube’s modular structure also supports partial modular use based on requirements.
Business continuity planning (BCP)
Business continuity management prepares organizations for the correct management of crisis situations, providing an alternative for the operation of critical business processes, and specifies priorities and time frames for the organization. Fundamental purpose:
- In case of a loss of resources, the critical business processes should be able to operate at the pre-defined level.
- Mitigating risks and losses associated with the loss of critical business processes
- In case of possible downtime, maintained action plans enable the use of the solution most effective from the aspect of costs, with the smallest possible losses.
The main focus of Business continuity planning (BCP) is planning the continuity of Business or Production processes by taking into account their resource dependencies. Business continuity planning may offer replacement solutions or other remedies to avoid the lack of business/production process enhancing resources (either technological, data, human or facility-related). In addition, alternative business or production processes may be defined. In case of alternative processes, the actions necessary for preparations and for returning to normal operations after the end of the emergency situation can be defined.
In the course of the BCP activity, the aim is to develop plans that can be implemented with adequate preparation in a specified emergency situation using available resources and competences, and can ensure that business/production processes perform at a sufficient level even in cases of emergency.
The main target group of BCP planning is the areas implementing business and production processes and the persons responsible for those.
Process and IT/technology operations modelling
When performing BCM planning, the structure and normal operating design (business and/or production system) of the company should be known and these information should be readily available. In the Inventory, resources and business/production processes as well as their dependency relations can be defined and displayed in visual dependency graphs. The Inventory function can be used to model the details of company operations and processes, and/or the functioning of IT systems.
Recovery time objectives
Recovery time objective values for resources can be evaluated and determined manually and/or based on the calculations and populations using the results of the business impact analysis (BIA function – Governance module).
- RTO – Recovery Time Objective
- MTPD – Maximum Tolerable Period of Disruption
- RPO – Recovery Point Objective
The restoration capability of the procedures defined in the plans are compared and continuously monitored with the recovery time objectives.
Continuous maintenance of planning and plans
BCM plans can be created in line with objectives. BCP plans for one or several concurrent business areas or processes; DRP plans for one or more systems, infrastructures, services, system components, as required by the company’s modelling practice.
- Supporting the continuity and replaceability planning of business processes, scheduling recovery plans, and planning alternative processes.
- Emergency and recovery planning of IT resources and services, defining recovery actions.
Special abilities of the designer function:
- Graphic drafting table: Compile the scope of your BCP or DRP plan on a visual operational/dependency drafting table, supplemented with simulation functions.
- Emergency actions: Recovery, continuity, alternative execution, preparation, etc. actions to be executed in emergencies can be drawn up in the breakdown and with the level of detail required by your targets.
- Emergency scenarios: Scenarios are defined emergency or risk events, or emergency recovery methods, to which the manner of executing the emergency action plan can be assigned; scenarios are also supported by the Critical Path – PERT illustration method.
- The software continuously monitors the ETR (Execution Time to Recovery) of the various scenarios, comparing them to business recovery objectives.
- Inventory levels: The BCM module can be used to keep records of and manage warehouse elements and reserves (hot/cold).
- Plan system and reusability: The plans can include cross-references to emergency actions and annexes. This allows the easy creation of type plans or systemized framework plans, with the ability to maintain the elements used by more than one plan in one location.
- Any annexes can be linked to plans (lists, general information, etc.).
- Preparatory actions: Preparatory actions can be defined for the elements of the plan, which actions have to be executed in standstill periods. These tasks can be managed with comprehensive task management functions supported with email notifications.
- Records of historical versions of review logs and plans: The plans are supported with review functions. The review plan versions are used to create historical records; the review plan versions can be viewed in a time machine-like manner, ensuring full audit compliance.
Plans as results: The end products of BCM planning are the detailed BCP or DRP action plans. The plans include the completed emergency actions categorized into scenarios and the preparatory actions necessary to ensure the functioning of the plans. The plans can be exported into docx format, complete with a table of contents.
Continuous maintenance of plans: The software uses validation assessments to constantly monitor the state of the plans and to notify the persons responsible for the plan. The goal is to ensure the plans are functional in case of an emergency and to maintain their applicability:
- Logical errors in planning
- Relevant data changes in Inventory
- Monitoring recovery time objectives and comparing them to the capabilities in the plan
- The current status of preparatory actions effect the operability of the plan
- Review and test results
Tests can be made for the created plans; the testing activity can be planned and managed and a test report can be generated. Test structures (wat should be tested) can be freely compiled using the plans subject to testing. Real execution times can be measured. Test reports can be generated on the basis of the tests.
Management of preparatory actions
Preparatory actions can be assigned to the plans or various plan elements; these actions have to be executed in standstill periods in the interest of ensuring that the plans are executable in emergencies. These can be ad hoc (e.g. capability increasing, documentation, procurement), periodical, or continuous tasks. Testing and training tasks can be compiled. Task management functions are associated to the tasks, including responsible persons, statuses, and email notifications.
The simulation function helps the fast modeling of emergency events and searching for applicable BCM plans, including the generation of Word format documents.
The various elements of the BCM plans can be used to simply and quickly compile new ad hoc emergency scenarios, using plan elements specified earlier. This provides decision support based on the usefulness of possible solutions and even the quick development of new recovery scenarios.
What happens if the SeCube system is not available?
The SeCube projects/tenants in which the work is performed can be exported into a single dump file and then imported into any other SeCube framework system, where all data will then be available. The backup system could be, for example:
- Kürt SeCube cloud service or
- An offline SeCube on a laptop in the organization’s cabinet
- Keeping records and dependency models of business processes and resources
- Detailed BCP and DRP plans that can even be exported into MS Word documents
- Management of preparation actions during business-as-usual periods
- Testing protocols and testing reports
- Recovery time objective reports