For T-Mobile, Enterprise scorecard is the springboard from which the company launches its program for business continuity management in accordance with the British Standard Institution’s BS25999. The standard requires a “Plan-Do-Check-Act” (PDCA) process cycle for establishing policies and objectives, and then planning, implementing, exercising, monitoring, reviewing and improving the effectiveness of the organisation’s management system. Enterprise Scorecard provides a complete solution covering all of these areas, with prebuilt templates and reports to facilitate implementation.
The Business Continuity Management System (BCMS) solution for T-Mobile is a web-based system that provides full support for these requirements. Access to all the functions described below is via a normal drop-down menu, and a dashboard that groups functions and reports that are applicable at different stages of the life cycle.
Figure 1: BCMS Dashboard
Planning the BCMS (BS 25999-2 Section 3)
Establishing and managing the BCMS. BS 25999-2 states a number of high-level requirements for planning the management system:
184.108.40.206Requires that that the scope of the BCMS and the BC objectives should be defined, including a statement of acceptable levels of risk, statutory and contractual obligations, and the interests of stakeholders.
220.127.116.11 Top management must state its commitment to a BC management policy
18.104.22.168 The policy should be stated making reference to the BC objectives and scope, including any limitations and exclusions.
22.214.171.124 The policy must be approved by top management and communicated to all relevant staff, and reviewed periodically.
126.96.36.199 Commitment to provide the necessary resources should be made.
188.8.131.52 The roles, responsibilities, and authorities for BC need to be stated.
184.108.40.206 Person(s) with appropriate seniority should be authorised and accountable for defining policy, and implementing the BCMS
Enterprise Scorecard provides a questionnaire to allow statements for each requirement to be recorded, and reviewed periodically. This is useful for organisations requiring a checklist to guide their thinking (at least initially) and to make sure that all requirements of the standard are covered.
Figure 2: BCMS Scope. Objectives and Commitment
Alternatively a straight-forward policy statement can be made within the (wiki-style) documentation library.
Figure 3: BCMS Wiki
The advantage of this is that the manual for the management system can be accessed from a single reliable central location, as one coherent “on-line manual”, which only needs a web browser to access. As a result the manual is accessible when other computer systems may be unavailable, and via hyperlinks can be accessed from anywhere else from within the management system. Changes to this manual can be controlled, and since there is only one copy, users know that it is the current approved document that they are using.
A register of all key personnel is also provided. Each user can have a defined set of permissions to perform functions with the system, and also each user can be assigned to multiple user groups. Each user group can have different visibility of information or access to change or approve functions within the system. When establishing a system, one of the first tasks is to register all users, their permissions and group-memberships into the database. An Excel workbook is provided to allow a bulk-import of this data.
Figure 4: Registry of Key Personnel
Other activities that need to be performed whilst planning a BCMS include:
- Defining applicable offline skills and qualifications for key personnel.
- Defining applicable on-line training and testing
- Determining key stake-holders
- Defining appropriate values for the drop-downs lists used throughout the program.
- Defining values for Risk Probability, Risk Severity, and Risk Action. For example, given the following Probability and Likelihoods.
Enterprise Scorecard provides a “Readiness Review” questionnaire that can be used by organisations starting the process of defining their BC strategy by asking a number of “best practice” questions. Any negative response from this questionnaire can be used to trigger actions for subsequent implementation. Note the questions are not static, and can be edited and augmented as appropriate.
Figure 5: BC Readiness module
Defining the Scope of the BCMS
220.127.116.11 Requires that the key products and services within the BCMS must be identified.
Enterprise Scorecard defines questionnaires that allow the key activities of the organisation to be identified (both internally and externally), together with the people responsible for their operation. Although nomenclature may vary within organisations, Enterprise Scorecard creates a separate questionnaire for each “Business Unit”, and within each Business Unit the key “Processes” are identified. So “Business Unit” and “Activity” are synonymous.
Figure 6: Process register
In addition key Resources and Applications (such as IT systems) are also identified. Once the process register and key resources list are complete and agreed, a function is run to create a set of Business Impact Analysis questionnaires for the process owners.
Figure 7: Business Impact Analysis
A future enhancement to Enterprise Scorecard will provide a diagram that allows the flow of products and data between the processes within the business units to be illustrated.
Ensuring competency of personnel. Section 3.2.4 of the standard requires that:
- The appropriate competencies of BC personnel are stated
- Appropriate training needs to be identified and provided as necessary to staff
- Ensuring the necessary competence exists
- Records of education, training, skills, experience and qualifications are maintained.
As above Enterprise Scorecard allows these statements to be made within a document template, or as part of the policy statement in the documentation library.
Enterprise Scorecard provides on-line documentation for reference by staff. It also supports active documents which can display rich-text and video training material, retaining records that the training material has been read by the member of staff.
After delivering training to personnel, Enterprise Scorecard can be used to test people of their knowledge of BC, and retain their test results for review and retraining as deemed appropriate by the company.
Embedding BCM into the corporate culture. Section 3.3 of the standard requires that BCM shall become a core value in the management of the organisation, supported by ongoing awareness and evaluation programs.
In addition to the statement of policies and objectives by senior management, Enterprise Scorecard supports this requirement to maintain awareness by allowing ad-hoc messages to be broadcast to user groups with the organisation. Indeed Enterprise Scorecard can be used for a wide range of other management activities, so that the BCMS is integrated with other management systems within the organisation.
BCMS documentation and records. Section 3.4 of the standard requires that the organisation shall have documentation regarding all aspects of its BCMS. This is supported within Enterprise Scorecard by the online documentation libraries described earlier. Note that changes to the on-line documentation can only be made by authorised personnel, with a full-change history being maintained on line. Also by the nature that it is only ever accessed from one central-online location, there is no possibility of out-of-date documentation being used by personnel.
Figure 8: Documentation and Records Library
Implementing and operating the BCMS (BS 25999-2 Section 4)
The standard states the requirements in this section are essential: “To enable the organization to identify the critical activities and resources needed to support its key products and services, understand the threats to them and choose appropriate risk treatments.”
Business Impact Analysis (BIA). Section 18.104.22.168 of the standard requires that the process to assess the impact of any disruption to the key activities of the organisation is documented. The BCMS manual provided in Enterprise Scorecard provides a home for this documentation.
Section 22.214.171.124 requires that the key resources and activities are identified together with their dependencies on other key activities or resources. The impact of a disruption to the activity needs to be identified together with the maximum tolerable period of disruption including:
- The maximum time period after the start of a disruption within which each activity needs to be resumed;
- The minimum level at which each activity needs to be performed upon resumption; and
- The length of time within which normal levels of operation need to be resumed;
- Categorize its activities according to their priority for recovery and identify its critical activities;
- Identify all dependencies relevant to the critical activities, including suppliers and outsource partners;
- For suppliers and outsource partners on whom critical activities depend, determine what BCM arrangements are in place for the relevant products and services they provide;
- Set recovery time objectives for the resumption of critical activities within their maximum tolerable period of disruption; and
- Estimate the resources that each critical activity will require for resumption.
Enterprise Scorecard provides a project to allow each of the activities owners to provide these assessments, with the results consolidated into a set of reports that may be reviewed by senior management during after the data collection exercise. Note that the activity owners are sent instructions via email, with links into the appropriate questionnaire embedded in the email. In this way no specific software deployment or training is required. Any activity owner who fails to respond will be automatically reminded periodically to ensure compliance.
The Enterprise Scorecard BIA questionnaire allows process owners to:
- Describe the process in outline.
- Identify the most critical resources, and the Maximum Tolerable Period of Disruption (MTPD) for each.
- Identify the most critical up-stream processes, and the MTPD for each.
- Then for each of the perspectives (Loss of Revenue, Service Degradation, Legal Risks, Market Impact, and Morale) the relative severity that disruption in the process would incur.
- Finally the process owner is asked to evaluate existing contingency and recovery plans, the estimate the time it would take to fully recover the process in the event of an incident (RTO), and also to provide a minimal level of service.
A report is provided to list any processes where the MTPD of a dependent process exceeds its declared RTO or its Minimal RTO. In these cases improvements actions need to be instigated.
Figure 9: Business Impact Analysis -- Process Description
Figure 10: Business Impact Analysis - Identifying Critical Resources
Figure 11: Business Impact Analysis - Identifying Critical Processes
Figure 12: Business Impact Analysis - Assessing Loss of Revenue
Figure 13: Business Impact Analysis - Assessing Degradation of Service
Figure 14: Business Impact Analysis - Assessing Market Consequences
Figure 15: Business Impact Analysis - Assessing Effect on Employee Morale
Figure 16: Business Impact Analysis - Business Continuity Plans
Section 126.96.36.199 of the standard requires that the risk assessment process of the organisation is documented. The BCMS manual provides this documentation.
Section 188.8.131.52 requires that all significant threats that might disrupt the organisation be enumerated, together with their probability and impact assessed
Section 184.108.40.206 then requires the organisation to identify available risk treatments that might reduce the likelihood of a disruption, shorten its period, or limit its impact.
Section 220.127.116.11 then requires the organisation to choose which treatments are appropriate according to its stated “risk appetite”.
Enterprise Scorecard provides a project to allow each of the activities owners to provide these assessments, with the results consolidated into a set of reports that may be reviewed by senior management during and after the data collection exercise. Note that the activity owners are sent instructions via email, with links into the appropriate questionnaire embedded into the email. In this way no specific software deployment or training is required. Any activity owner who fails to respond will be automatically reminded periodically to ensure compliance.
Figure 17: Risk Assessment
The Business Continuity Strategy. Section 4.2 of the standard requires that documentation is created so that:
- An incident response structure is defined
- Each crucial activity and resource has a recovery plan that will achieve its declared RTO
- Relationships with key stakeholders and external parties are managed
Enterprise Scorecard provides on-line framework as described above to maintain this documentation. Contact lists are automatically kept up to date by the system sending periodic reminders, and if necessary in emergency situations SMS text messages can be sent to user’s mobile phones.
Developing and implementing a BCM response. Section 4.3 of the standard requires organisations to develop plans and to nominate personnel to manage incidents. As described above, Enterprise Scorecard provides a secure on-line home for this documentation
Exercising, maintaining and reviewing BCM arrangements. Section 4.4 of the standard requires that BCM arrangements are exercised periodically. Enterprise Scorecard provides documents to record the plans and approvals for exercises. In addition the BCM documentation needs to be reviewed and approved periodically. Enterprise Scorecard provides records to record the details of these reviews, and to remind management when the reviews need to be repeated.
Finally should incidents ever occur, a log can be maintained within Enterprise Scorecard so that potential inadequacies or suggestions for improvements can be noted.
Monitoring and reviewing the BCMS (BS 25999-2 Section 5)
Section 5 of BS25999-2, like other ISO standards, requires that the management system is monitored and reviewed periodically to ensure its effectiveness, and to authorise actions to improve the system and correct problems. This has two components the “Internal Audit” and the “Management Review”.
Enterprise Scorecard implements the Internal Audit by asking a number of questions which have been defined to act as a checklist to ensure that all aspects of the BCMS are being conformed to. After answering the questions any negative responses can be used to generate corrective actions – which can then be tracked to ensure closure.
Enterprise Scorecard supports the management review by providing a record of its occurrence, and any comments or conclusions that were raised.
Maintaining and improving the BCMS (BS 25999-2 Section 6)
This final section of the standard requires that records are kept of actions which are taken in order to prevent non-conformities. This requires records are made of:
- Identifying potential nonconformities and their causes;
- Determining and implementing preventive action needed;
- Recording results of action taken;
- Reviewing preventive action taken;
- Identifying changed risks and ensuring that attention is focused on significantly changed risks;
- Ensuring that all those who need to know are informed of the nonconformity and preventive action put in place;
- The priority of preventive actions based on the results of the risk assessment and the BIA.
Enterprise Scorecard provides a record of these actions. Also, as in the case of the BC readiness questionnaire and the Internal audit, a function is provided to convert all non-conformities into actions.