CPPM Policy Chapter 16: Business Continuity Management
This Core Policy and Procedures Manual chapter outlines a specific risk management process for government. The policy, roles and responsibilities are presented separately to support understanding and performance.
- 16.0 Business Continuity Management
- 16.1 Objectives
- 16.2 General
- 16.3 Policy
- 16.3.1 Program Management
- 16.3.2 Risk Evaluation and Control
- 16.3.3 Business Impact Analysis (BIA)
- 16.3.4 Business Continuity Strategies
- 16.3.5 Emergency Response and Operations
- 16.3.6 Business Continuity Plans and IT Disaster Recovery Plans
- 16.3.7 Awareness and Training Programs
- 16.3.8 Business Continuity and Disaster Recovery Exercise, Audit and Maintenance
- 16.3.9 Crisis Communications
- 16.4 Information and References
- Safeguard critical government services and business processes by planning for the resumption of the functions, dependencies and resources that support them following a disaster or business disruption.
- Provide a common framework for the development and administration of Ministry Business Continuity Management Programs (BCMP).
- Define the authorities and accountabilities for Ministry Business Continuity Management Programs.
- Support government-wide emergency preparedness, response and recovery during a disaster or business disruption.
Business Continuity is a professional methodology that safeguards Critical Services by creating and maintaining Business Continuity Plans (BCPs). Business Continuity Plans contain the recovery procedures and strategies necessary to resume Critical Services and are activated when standard operational procedures and responses are overwhelmed by a disruptive event. While Emergency Management focuses on event containment and response, Business Continuity focuses on the resumption of Critical Services until a return to normal business operations is possible.
Business Continuity planning allows the Province to protect the availability of Critical Services in spite of challenging or extreme circumstances. Therefore, each ministry is required to implement a Business Continuity Management Program (BCMP) consistent with provincial recovery legislation, objectives and priorities. The Emergency Program Act and the corresponding Emergency Program Management Regulations provide the authority for Business Continuity Plans and procedures in government.
Business Impact Analysis - A detailed and documented process designed to identify and prioritize business functions and workflow, including establishing Recovery Time Objectives by assessing impacts over time that might result if an organization was to experience a disruptive event.
Business Priority Service – business function or process that is not mission critical, but, should it not be performed, could lead to the loss of a major government service.
Critical Services – general term that collectively refers to Business Priority and Mission Critical services.
Disaster Recovery – in Business Continuity Plans(BCPs), this term refers to Information Technology (IT) recovery. Disaster Recovery Plans (DRPs) document the process to recover and restore the technology (computer processing, applications and data) needed to support critical business functions.
Mission Critical Services – those functions and processes that, should they not be performed, could lead to loss of life or injury, personal hardship to citizens, major damage to the environment, or significant loss of revenue or assets.
Recovery Point Objectives – The point in time, relative to pre-disaster, at which available data from backup can be restored.
Recovery Time Objectives – The amount of time that a business function can withstand an interruption before a negative or unacceptable consequence occurs.
Risk Assessment - The overall process of risk identification, risk analysis and risk evaluation.
Roles and Responsibilities
The Inter-Agency Emergency Preparedness Council (IEPC) is a senior committee with executive level membership from ministries, Crown Corporations and selected provincial agencies. Its responsibilities are outlined in Emergency Program Management Regulation, Schedule 2 and include:
- Endorsing cross- government response and recovery recommendations; and
- Promoting a consistent, coordinated approach to Crisis Management in the Province of British Columbia.
Emergency Management BC (EMBC) is responsible for the centralized coordination and oversight of Ministry Business Continuity Programs and:
- Providing leadership in Emergency Management through executive coordination, strategic planning and multi-agency facilitation.
- Providing the framework and guidelines for the establishment of overall provincial Business Continuity priorities.
- Co-Chairing the Inter-Agency Emergency Preparedness Council (IEPC).
EMBC Provincial Advisors are responsible for:
- Developing Business Continuity Management Program policy and standards aligned with legislation, government objectives and industry best practice.
- Providing the methodology, templates and tools in support of the development, implementation, training, maintenance and monitoring of Ministry Business Continuity Management Programs.
- Providing direction and advice to ministry Business Continuity Advisors and staff, EMBC senior management, the IEPC and other government committees and agencies with respect to all aspects of Business Continuity planning, program management, government policy, procedures, legislation and regulations.
- Monitoring and reporting on Ministry Business Continuity Management Program compliance with Core Policy and Emergency Management BC standards.
- Assessing ministry Mission Critical Services and recommending consolidated government Mission Critical priorities to the Inter-Agency Emergency Preparedness Council for review and approval.
- Coordinating, documenting and supporting provincial wide-area Business Continuity strategies and initiatives, including managing the activation of a unit in the provincial emergency response structure to support government business continuity.
Deputy Ministers are responsible for:
- Implementing a Business Continuity Management Program in compliance with the Emergency Program Management Regulation, Core Policy and Emergency Management BC Standards.
- Aligning Business Continuity Plans with ministry responsibilities as outlined in Schedule 2 of the Emergency Program Management Regulation.
- Incorporating Business Continuity Management Program objectives and performance measures into ministry business plans and Employee Performance & Development Plans.
- Demonstrating executive support and communicating executive recovery priorities to ministry divisions, branches and departments.
- Providing adequate resources, appropriate controls and knowledgeable personnel to support the implementation and ongoing management of the Ministry Business Continuity Management Program, Business Continuity and Disaster Recovery Plan development, maintenance, training and related response and recovery.
- Maintaining a Business Continuity Advisor position responsible for managing the Ministry Business Continuity Management Program and, if Ministry size and complexity requires, identifying Business Continuity Co-ordinators to assist at the Region, Branch or Division level.
- Establishing a Ministry Operation Centre (MOC) Plan to support the ministry coordinated recovery and BCP activations.
- Establishing the capability to protect and resume Critical Services by putting appropriate risk mitigation measures in place to prevent and mitigate the impact of a business interruption and support the timely recovery of critical business activities.
- Identifying internal and external dependencies involved in the delivery of Critical Services and developing supportive Business Continuity strategies.
- Participating in and contributing to EMBC provincial wide area Business Continuity exercises, initiatives, strategy development and implementation.
Ministry Business Continuity Advisors are responsible for:
- Managing Ministry Business Continuity Management Program requirements and deliverables in accordance with Core Policy and Emergency Management BC standards, tools and templates.
- Facilitating Business Continuity Plan development and maintenance through the provision of consultation and training to ministry divisions, branches and business units.
- Providing expert Business Continuity advice and recommendations to Ministry Executive.
- Reviewing new Risk Assessments (RAs), Business Impact Analyses (BIAs) and Business Continuity Plans (BCPs) within their area of responsibility for validation and quality assurance purposes.
- Developing and facilitating Ministry level Business Continuity and Ministry Operations Centre (MOC) exercises, as well as tracking issue resolutions and the application of lessons learned.
- Participating in the development and execution of Disaster Recovery exercises to validate restoration and recovery of critical Ministry business data and applications.
- Reporting on Ministry Business Continuity Management Program status to Ministry Executive and EMBC and notifying Provincial Advisors in the event of a full or partial Ministry BCP and/or MOC activation.
- Assisting business units with post incident reviews to capture plan updates, additions, changes or deletions and communicating these changes to stakeholders.
Business Continuity Coordinators are responsible for:
- Developing, maintaining and exercising Business Unit, Branch or Division Business Continuity Plans, in accordance with Core Policy and Emergency Management BC standards, tools and templates.
- Aligning Business Continuity Plans with ministry responsibilities as outlined in Schedule 2 of the Emergency Program Management Regulation.
- Communicating strategy and plan resource requirements to the organizations responsible for providing them.
- Liaising with Ministry Advisors to confirm the completion of RAs, BIAs, BCPs and strategy implementation for resource and critical dependency requirements.
- Participating in Business Continuity and Disaster Recovery exercises, as well as updating documentation to incorporate lessons learned from the exercises.
- Ensuring that all BCMP program related documentation is available at the request of Ministry Executive, Ministry Advisors, EMBC staff or Internal Audit.
- Notifying Ministry Advisors in the event of a full or partial BCP activation.
- Conducting post incident and exercise reviews to allow any plan additions, changes or deletions to be captured and communicated to stakeholders.
Ministries and/or agencies providing centralized, cross-government infrastructure and support services are key to provincial recovery and are responsible for:
- Providing information, guidance and advice on related continuity service options and associated costs.
- Partnering with ministries, EMBC and external service providers to validate Disaster Recovery and Business Continuity Plans and verify the ability to meet Recovery Time Objectives for critical business functions. This validation process, including exercising, must be included in all service contracts that support Mission Critical Services.
- Participating and contributing to cross-government Business Continuity initiatives and strategy development and implementation.
In addition, the Public Service Agency is responsible for:
- Providing information and advice on government human resource related service options including general employment conditions, labour relations and occupational health and safety.
- Planning and coordinating messaging to government employees when required in major disruptive events.
EMBC’s Business Continuity program methodology aligns with the Disaster Recovery Institute’s Professional Practices for Business Continuity Practitioners. These professional practices provide both the standards and methods by which Ministry Business Continuity Management Programs are developed, delivered, maintained and assessed.
Ministries shall establish Business Continuity Management Programs to ensure that Business Continuity, Disaster Recovery and Ministry Operation Centre plans are developed, current and exercised with mechanisms for regular monitoring and review.
Risk Assessments are a means of protecting Critical Services by reducing the likelihood and impact of a disruption or vulnerability.
Each ministry shall conduct a Risk Assessment (RA) to identify and analyze threats to ministry business and services. Ministries should consult and leverage existing Enterprise-wide Risk Management (ERM) assessments for current risk identification, analysis and treatment information. Where possible, Ministries shall use the risk information to implement mitigation and recovery strategies to lower the impact or likelihood of a business interruption.
The Risk Assessment shall be reviewed and updated annually and when changes to core business, relative legislation, operations or location occur. Ministries are responsible for identifying and implementing Risk Assessment review triggers to ensure that risk information is refreshed when changes occur.
The Business Impact Analysis (BIA) identifies and evaluates business processes and provides the foundation for the development of recovery strategies and Business Continuity Plans.
Ministries must complete a BIA for each business unit or program area utilising EMBC templates. External contractors engaged to assist in the development of ministry BIA documentation are also subject to the use of EMBC templates, although Ministries may apply to EMBC for external contractor BIA template exemption. Exemptions should be sought prior to finalizing the contract.
The BIA shall be reviewed and updated annually, as well as when changes to business operations and processes, organizational structure, critical dependencies or resources occur. Ministries are responsible for identifying and implementing operational triggers to ensure the BIA is current.
Recovery Strategies are the means by which Critical Services resume and are required for each resource and critical dependency. Resources are the physical tools of recovery such as computers, staff, records, and work space. Critical dependencies refer to services or information sourced outside the business unit, such as other departments, branches, divisions or Ministries as well as non-government agencies, private sector partnerships, key vendor and service providers.
The delivery of Government Critical Services requires resources and critical dependency inputs, therefore Ministries must manage them with appropriate diligence by developing and negotiating supportive agreement documentation , utilizing one or more of the following:
- Memorandum of Understanding
- Service Level or Explicit Agreement
- Business Continuity/Disaster Recovery Contract Provisions and/or
- Vendor/Strategic Partner BCP Evaluations
Ministries shall identify, evaluate and select recovery strategies consistent with the following requirements:
- Fiscal responsibility – recovery strategies must be aligned with overall ministry financial planning, objectives and priorities.
- Suitability – recovery strategies must support the business function Recovery Time Objectives (RTO), Recovery Point Objectives (RPO) and provincial recovery strategies.
- Reliability – formal agreements or contracts are required for the use of externally sourced strategies, including critical dependencies, and must be reviewed annually as part of the ministry’s Business Continuity Program review and financial planning.
- Test Availability – recovery strategies must be exercised in order to identify gaps in Business Continuity and Disaster Recovery documentation and validate the ability to support Recovery Time Objectives.
Ministry Operations Centre and Business Continuity Plans integrate with Occupational Health and Safety as well as the Emergency Management BC provincial emergency response in the event of a widespread or severe disaster. Business Continuity plans support and align with the British Columbia Emergency Response Management System response goals through the identification of and planning for Mission Critical functions.
Using provincially approved templates, ministries must have a current Ministry Operations Centre (MOC) Plan which documents the Ministry’s Crisis Management organization structure, roles, responsibilities and communication lines for significant disruptive events to support, direct, and coordinate ministry response and recovery activities.
Ministries must set out, in Business Continuity and IT Disaster Recovery Plans and procedures, the manner and means by which the organization will resume Critical Services following a business disruption or event, regardless of the cause.
Plans shall include current lists of resource requirements including personnel, facilities, supplies and office equipment/furniture, information technology assets (hardware and software), data, communications, critical dependencies and documented recovery strategies and procedures.
Ministry Business Continuity Plans shall be developed utilising the provincially approved template. External vendors and contractors engaged to assist in the development of ministry Business Continuity Plan documentation are also subject to the use of provincial Business Continuity Plan template.
Business Continuity Plans shall be reviewed and updated at least annually and as warranted by changes to organizational structure, business operations, critical dependencies, resource requirements, location or critical contact information. Ministries are responsible for identifying and implementing operational review triggers to ensure that Plan information is refreshed when changes occur.
Ministries supporting and managing IT infrastructure, data and/or applications will develop IT Disaster Recovery Plans. IT Disaster Recovery Plans are subject to the same maintenance requirements as the Business Continuity Plans they support.
In addition to delivering training in the form of plan orientations, reviews, exercises or other means to assigned members of Ministry Operations Centre, Business Continuity and Disaster Recovery teams, ministries shall deliver general awareness and training activities to all staff members.
Business Continuity and Disaster Recovery exercises are conducted to validate plan strategies, procedures and the ability to meet Recovery Time Objectives.
Ministries shall conduct exercises for Business Continuity Plans and Ministry Operations Centres at least annually and as warranted by changes to the plans such as team members, location, business functions or organizational structure.
Ministries with Critical Services dependent on the restoration of IT data and applications shall participate in Disaster Recovery exercises to perform data and systems verification.
Ministries supporting or managing IT infrastructure, data and/or applications shall implement a scheduled exercise cycle, not to exceed three years, for conducting IT Disaster Recovery exercises to validate systems and data integrity, availability and Recovery Time Objectives.
Ministries shall report the status of ministry-wide Business Continuity to EMBC semi-annually and on an ad-hoc basis, as requested. Ministries are responsible for self- monitoring compliance with Core Policy, standards, tools and templates.
Ministry Business Continuity documentation (including RAs, BIAs, BCPs, DRPs and MOCs, exercise, maintenance and training materials) may be selected to participate in an EMBC review.
Areas identified by Ministries or EMBC as deficient or non-compliant will require the development of a remediation plan identifying the actions, target dates and individuals responsible. The progress of the plan will be monitored until the required actions are completed.
More formal audits of government and Ministry Business Continuity Management Programs may be carried out from time to time by Internal Audit and Advisory Services or the Office of the Auditor General.
Ministries shall ensure that their Ministry Operations Centre, Disaster Recovery and Business Continuity Plans contain the messages and procedures to facilitate communication with recovery team members, staff, customers, stakeholders and agencies during a crisis.
Further information can be obtained by contacting Emergency Management BC at 250 952-4913 or consulting the EMBC website. Please note government idir and SharePoint site accounts are required for access, contact Shared Services BC for idir information and EMBC to register for a site account.