NRS Business Continuity Management - DPG 12 May 12.

1. This paper will give an overview of the NRS approach to Business Continuity Management (BCM) and outline the proposed programme to further develop BCM capability across the organisation.

Background.

2. GROS had been developing a Business Continuity Management (BCM) capability. This work was well advanced but paused to allow the merger to be completed. Now the merger is all but complete, it is an appropriate time to review and update the existing GROS documents and plans and to develop and include the existing NAS BCM arrangements into a single, expanded NRS BCM structure.

NRS BCM Capability.

3. At the core of this capability is the BCM Strategy (BCMS). Its main purpose is to establish, implement, operate, monitor, review, maintain and improve business continuity capability for the organisation. The BCMS is underpinned by a series of methodologies and procedures. In outline these are:

3.1 A Business Impact Analysis (BIA) for each key Product or Service and the activities and resources which deliver them. The BIA considers a range of factors for each product/service such as an impact analysis, dependencies, ICT system recovery times after an incident and recovery tasks (this list is not exhaustive).

3.2 A Risk Assessment. The information provided by the BIA is linked to the measurement, prioritisation and action plans required to manage the risk of critical activity and supporting resource failure. The RA is undertaken in 4 steps:

  • The BIA identifies critical activities and the supporting resources.
  • Supporting resources are assessed in respect of threats and vulnerabilities.
  • Risk Treatments are identified.
  • Risk Treatments are assessed against risk acceptance criteria and implemented.

3.3 Recovery Strategies and Plans. The critical business activities defined in the BIA will require an appropriate recovery strategy (and plans) which covers each activity. For NRS these will normally be oriented by site. The overarching NRS strategy will be, as far as is possible, to operate disrupted business from an alternative NRS site.

3.4 Document Control. BCM documents are created, reviewed, updated and approved on at least an annual basis. All documents, including the BCMS, BIAs, RAs and plans are stored securely within a BCM application called Continuity 2 (C2).

3.5 Plan Exercises and Staff Training and Awareness are critical to the delivery and maintenance of an organisation’s BC capability. An appropriate BC exercise should be undertaken at least annually. General and specifically targeted BCM awareness can be delivered through ‘formal’ training events or C2 web based sessions.

3.6 Internal Audit and Reviews of BC capability will determine actual NRS BC capability against the international standard (ISO 22301) and will identify any areas on which to focus development activities.

3.7 Toolsets. C2 provides a range of functionality including document versioning and review notifications, call trees, SMS notifications, call conferencing and a ‘dark site’ information board, web based user training and awareness, exercising facilities and auditing capabilities. This list is not exhaustive and details of the operation and features of the C2 application will be given as part of the roll-out of the proposed programme.

Proposed Programme.

4. It is proposed that NRS undertakes a programme of BCM activities. These activities will be focussed on creating a single, fully integrated NRS BC capability at a pace which will ensure delivery without any significant impact to business objectives. To achieve this, the programme will be scheduled to run over about 12 months.

The time needed to undertake each activity will be determined by an individual’s role and the pace of the programme will be set to ensure nominated staff do not have to spend extended periods of time on this work.

Some activities will be undertaken with the assistance of external specialists; typically these will be ½ or 1 day sessions hosted within an NRS site. Most activities will require nominated staff to work from their desks, updating the C2 system with key documents and information. It is anticipated that the programme will require some staff to commit between 5 and 7 working days to the programme while others will be required to input only 2 or 3 days.

An outline of the key activities to be undertaken is attached as Annex A.

DPG is requested to consider this proposal and provide any points it has to allow a detailed schedule of events to be organised and undertaken.

Sam Burns

22 May 12

Annex A to NRS Business Continuity Management Paper 22 May 12