January 6, 2014
Guide to Business Continuity Management FAQ: Table of Contents
Business Continuity Basics
- 1. What is business continuity management (BCM)?
- 2. BCM seems to include many different terms, some of which appear to be very similar. How are they similar or different?
- 3. Is there a best practice approach to business continuity planning (BCP)?
- 4. What BCM elements are included in ITIL – specifically, IT service continuity management?
- 5. What is the relationship between business continuity and enterprise risk management (ERM)?
Overview of the Regulations and Standards Landscape
- 6. How should regulations and standards shape the development of a BCM program?
- 7. What are ISO 22031 and ISO 22313?
- 8. What is NFPA 1600?
- 9. There is a BCP requirement published by the U.S. Securities and Exchange Commission (SEC) regarding New York Stock Exchange (NYSE) members. Are all NYSE-listed companies required to follow these BCP guidelines?
- 10. Does the Health Insurance Portability and Accountability Act (HIPAA) include a requirement to implement BCM processes?
- 11. Does The Joint Commission require BCM for hospitals?
- 12. What guidance does the Federal Financial Institutions Examination Council (FFIEC) provide specific to BCP?
- 13. What BCM standards exist in the COBIT standard?
- 14. Are these the only BCM mandates an organization should consider?
Executive Management Support and Sponsorship
- 15. Who is the right person in the organization to own the BCM process?
- 16. How can a BCM team gain management buy-in?
- 17. How can executive management be “sold” on business continuity?
- 18. What is the value to an organization in designing and deploying BCM programs?
- 19. What are the critical elements of a business continuity policy?
- 20. How should an internal business continuity function/planning team be structured?
Risk Assessment and Business Impact Analysis (BIA)
- 21. What are the most common approaches to executing a risk assessment?
- 22. What are the most common approaches to executing a BIA?
- 23. Should key vendors be included in the BIA?
- 24. What is a recovery time objective (RTO)?
- 25. What is a recovery point objective (RPO)?
- 26. Are questionnaires necessary when planning for business continuity?
- 27. Are there ways around completing a formal BIA and risk assessment?
Business Continuity Strategy Design
- 28. What are the key considerations when developing recovery strategies?
- 29. How far apart should primary and alternate sites be?
- 30. What are the key considerations for pursuing an internal versus a third-party recovery solution?
- 31. What is a “mobile recovery center”?
- 32. What is an emergency operations center (EOC)?
- 33. What are the differences among cold, warm and hot sites?
- 34. What are key recovery considerations when negotiating a contract for a hosted solution or disaster recovery support (e.g., hot site contract)?
- 35. How is advancement in technology changing disaster recovery planning considerations?
Plan Development and Strategy Implementation
- 36. Is software necessary to develop a BCP?
- 37. What is the difference between crisis management and crisis communications?
- 38. What is a call tree?
- 39. Is there a way to make the plan more efficient and effective?
Training and Awareness
- 40. Are training and awareness the same?
- 41. What are some successful business continuity training approaches?
- 42. What are the available certification options?
- 43. What are the available BCM education options?
Compliance Monitoring and Auditing
- 44. What are the prevailing practices regarding the storage of BCP documentation?
- 45. How often should business continuity-related documentation be updated, and how should the organization keep the plans current?
- 46. How often should the BCP be tested?
- 47. What are the available testing options?
- 48. Should the organization expand testing beyond IT?
- 49. What is the connection (if any) between Sarbanes-Oxley and business continuity?
- 50. How do organizations mature their business continuity programs?
- 51. How often should the business continuity program be audited?
- 52. What is the optimal role for internal audit in the BCM process?
- 53. How does an organization review key vendor planning for business continuity compliance with industry best practices?
Social Media Considerations
- 54. Should social media be a component of an organization’s business continuity program?
- 55. What are the risks of using social media to support a business continuity program?
- 56. What are some best practices for monitoring social media during a crisis event?
Large-Scale Disasters and Potential Pandemic Events: Lessons Learned
- 57. What are some of the common lessons learned from large-scale natural disasters that organizations should be aware of when developing their own BCM programs?
- 58. What can organizations do to prepare for a pandemic event?
Industry-Specific Considerations for BCM Programs
- 59. How well have we focused on the critical network infrastructure elements supporting our customers? What are our practices for ensuring BCM strategies and objectives for these environments are kept up to date as we continue to expand our infrastructure and/or upgrade critical network components?
- 60. Have we properly evaluated the risk of interruption from key suppliers (e.g., equipment and support, handsets, smart devices, programming and entertainment) that are critical to our ability to provide products and services to our customers and/or support essential internal business functions?
- 61. How well have we designed and tested alternative operational procedures for critical internal functions such as system maintenance, billing and mediation functions?
- 62. How would management handle customer support if a call center or key call center support system were unavailable? Do we have appropriate failover capabilities for this type of event?
- 63. Are there regulatory BCP requirements that typically affect the energy industry?
- 64. What are the most common business processes affected by an outage?
- 65. Energy-related companies typically have a program to manage environmental health and safety (EHS) at their work sites. Does that cover business continuity requirements?
- 66. Energy companies often operate in politically sensitive areas and/or other areas overseas that experience frequent major natural disasters. What BCP-related precautions should be considered to reflect the risk of operating in those environments?
- 67. What regulatory guidance should financial institutions rely on?
- 68. Are organizations required to apply all aspects of business continuity guidance as outlined by the regulators?
- 69. Are financial institutions, such as banks, required to recover within a defined time period?
- 70. Are business continuity standards for financial institutions set only by the regulatory agencies?
- 71. To what extent are financial institutions responsible for the business continuity of vendor-supported systems?