Smart About Risk  
Business Continuity Management

Business Continuity Management

The aim of Business Continuity Management is to ensure a quick recovery of key processes to a predetermined minimum level within a predetermined time frame should disruptions or total loss of functionality occur. Within BCM, the following areas require close attention:

  • Business Impact Analysis (BIA) process in which the following is evaluated:
    • the importance of processes/activities for the company, and
    • consequences that may arise in the event of disruption of processes/activities;
  • internal strategies to minimize the impact of potential threats:
    • the creation of Business Continuity Plans (BCP), their testing and related trainings;
    • the enhancement of company's resilience to potential threats (precautionary measures);
  • in case of an accident, recovery of processes/activities according to BCP

Offered services:

Design/revision of BCM methodology

  • Description of basic principles of BCM
  • Description of BIA process
  • Design of management and regular monitoring of BCM processes
  • Description of BCP
  • Design of information and training mechanisms
  • Definition of roles and responsibilities, and description of the control framework


Assistance in identifying potential threats and estimating their impacts on processes/activities (BIA)

  • Identification of crisis situations based on results from internal risk assessment process, recent events, and situations that have occurred in institutions of similar focus and size in relevant history
  • Developing a BIA methodology to serve as a manual for business impact analysis
  • Evaluation of processes/activities in the company with regard to their significance for the operation of the company and estimation of the impacts that may arise in case of their disruption
  • Identification of key processes/activities and resources that are necessary for their proper functioning
  • Assistance with setting up the risk assessment system (one of the BIA basis):
    • proposal of rules for risk identification (choice of an appropriate method and description of its principles),
    • proposal of rules and principles for risk assessment (impact assessment and frequency of identified risks, principle of overall risk assessment),
    • risk catalogue creation
  • Assistance in setting up a system for collecting events that occurred in companies of similar focus, especially processing of related press releases
  • Determination of Level of Business Continuity (LBC) and maximum tolerated periods (per process/activity):
    • Maximum Tolerable Period of Disruption (MTPD),
    • Recovery Time Objectives (RTO)
  • Assistance in designing a strategy to minimize the impact of crisis situations on key processes/activities
  • Design of documents necessary for:
    • the preparation of BIA, reporting and documentation of its results (quantitative and qualitative identification of impacts of business interruption or loss of resources/processes),
    • development of a catalogue of assets


Design/revision/testing of BCP

  • Design of BCP implementation methodology including methodology for IT systems recovery and IT services continuity (Disaster Recovery Plans, DRP).
  • Creation of unwanted event scenarios for setup of individual BCP.
  • Design of documents necessary for:
    • documentation of individual BCP,
    • BCP testing and recording the result of testing,
    • recording requirements for a backup location,
    • BCP assessment including related reporting of deficiencies and proposal of remedial measures
  • Recommendation of appropriate test types for BCP verification
  • Revision and testing of created scenarios and developed methodologies
  • Description of responses to crisis situations and methods of incident management
  • Design of procedures for risk management of external suppliers (outsourcing) and third parties


Assessment of BCM methodology compliance with regulatory requirements

  • Review of existing methodologies and draft recommendations resulting from the assessment of compliance with regulatory requirements and standards
  • Verification of the interconnection of BCM processes with the risk management system and the company's management system
  • Verification of mutual consistency of internal regulations and logical correctness
  • BCM standards:
    • High-level principles for business continuity, BCBS, 2006
    • ISO 22301: Societal Security — Business continuity management systems — Requirements
    • CRD IV (Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC),
    • Guidelines on common procedures and methodologies for the supervisory review and evaluation process (SREP), EBA, 2014,
    • Guidelines on Internal Governance (GL 44), EBA, September 2011 and Consultation Paper Draft Guidelines on internal governance, EBA, October 2016,
    • Final Guidelines on ICT Risk Assessment under SREP, EBA, 2017,
    • ISO/DIS 22313 Security and resilience -- Business continuity management systems – Guidance (under development).