Maturity Assessment as the Performance-Driven Way to Implement a 100% Integrated ISO Management System in an Organization
Mulugeta Zewdu ( Bu Saleh )
Independent Researcher at Independent Researcher on Common Cause system at Part-time-researcher
Crisis Response Planning Manual (CRPM-Part- 3) /Business Continuity Management System -ISO 22301
(c) AERPS / MASTERAVCON (A.H. Williams) 2007 to 2018, some rights reserved
The main idea of this paper is to explain how important it is to be aware of the advantages of a 100% integrated and comprehensive ISO quality management system in accomplishing organizational goals and objectives.
This guideline (when used with other appropriate guidance, particularly the international business continuity standard ISO 22313:2012) generally describes 'what needs to be accomplished' in order to introduce a 'Business Continuity Management System' into an 'organization'. Where appropriate, this guideline relates to an aviation context, e.g. as might typically be useful to airlines, airports, ground handling operators etc.
Note 1 - The user / reader should clearly understand that actually putting the theory contained in this guideline into real (actual) practice from the 'ground up' (i.e. building, operating and maintaining an actual business continuity management system [BCMS] for a large / complex airline, airport, ground handling operator etc.) is a major undertaking, typically requiring significant (up to one or more years of) work.
This assumes that just one or two persons (e.g. typically the Business Continuity Manager and an alternate / back-up person or equivalent(s)) are assigned primary responsibility for the task.
It is not just 'work' that is required to establish a BCMS. Genuine, adequate, evidenced and on-going commitment and support from Top Management will be essential, as will financing, procuring and allocating the considerable resources required, together with the achievement of appropriate levels of the required competence / skills (through training & exercising) by designated persons. When all of this is in place, the BCMS will then require on-going maintenance, review and evaluation - including 'compliance - audit' checks - throughout its entire life-cycle.
Note 2 - As this guideline is studied, the user / reader will hopefully come to acknowledge (if not already convinced) that business continuity is now a must for most organizations - from the very smallest / simplest / local to the most complex / largest / international.
However, the concept of business continuity (BC) as a practical tool has been around since mankind first evolved - so nothing new here? Well, there is actually something new: since the industrial revolution, and as part of the current technological / ICT revolution, the risk that certain organizations will cease operations (for anything other than a very short period of time) due to disruption of some type is now simply unacceptable to society in general, e.g.
- Hospitals
- Emergency Services (Police, Fire & Rescue, Ambulance etc.)
- Utilities (Water; electricity; gas etc.)
- Telecommunications & Information Technology
- Distribution & Retail (food, fuel etc.)
- Transport Services
- Banking etc.
For similar political, legal, regulatory, commercial, financial, environmental, societal etc. reasons - BC is also now an essential requirement for the majority of 'organizations' in general whether they realise it or not!
Does the organization have disruption management in place? Knowing the threats its business could face can make mitigation easier. From external to internal, understanding the nature of a threat and its severity can help greatly in avoiding unacceptable consequences for those having an 'appropriate' interest, i.e. stakeholders / other interested parties of all types, especially customers / clients and shareholders. One such 'unacceptable' consequence might ultimately mean going out of business / ceasing trading or operating.
Note 3 - If an organization (especially a 'larger and / or more complex' organization) wishes to establish a BCMS for itself today, it will probably need to refer (to a greater or lesser degree) to what is contained in the International Organization for Standardisation's BC guidelines standard - known as ISO 22313:2012.
* Comment 1 - do not confuse the use / context of the word 'guideline' as used in the paragraph immediately above with this document (also known as a 'guideline') which you are reading now. They are different!
* Comment 2 - ISO 22313 is directly linked to its associated (but separate) BC requirements standard - ISO 22301:2012. The former provides guidance on how the requirements of the latter might be met.
However, ISO 22313 may also be used to guide any organization in implementing a BCMS independently of ISO 22301 requirements - provided that formal certification to the 22301 standard is not required.
* Comment 3 - a whole BC 'vocabulary / terminology' has grown up around ISOs 22313 and 22301 (and the preceding national and industry standards [now largely superseded] upon which they have largely been based, e.g. BS 25999). Accordingly, much of this vocabulary has been used in this guideline - and the user / reader should become very familiar with it.
* Comment 4 - a brief overview of the ISO 22313 and ISO 22301 standards is given later in this document (see 'ISO Business Continuity Standards' below).
Note 4 - The amount and variety of information contained in this guideline might appear daunting at first glance - and indeed, there is a lot to take in. However, do keep in mind that:
a. The information provided needs to be sufficient for larger and / or more complex organizations to obtain and understand all of the working basics of what is required in order to implement a fit-for-purpose BCMS, i.e. such organizations will typically require 100% (and more - see note 4c below) of what is included herein
b. Some medium and most smaller and / or less complex organizations should be able to adapt / cut down to a degree what has been referred to in item '4a.' above - commensurate with their own requirements - provided that the BCMS essentials are covered (again, we are just referring here to the working basics)
c. Any organization will need all of the information contained herein (and more) if it intends to meet (be certificated to) the requirements of BC standard ISO 22301. The same applies (albeit to a lesser degree) if an organization intends instead to make a self-determination / self-declaration of alignment with ISO 22313.
Reminder: Any organisation can implement a BCMS without the need for ISO 22301 certification or even a self-determination / declaration of alignment with ISO 22313. However, such an organization will still generally require some form of guidance in the task - which is where ISO 22313 might be able to help, at least to a limited degree.
In order to achieve ISO 22301 certification, the minimum reference documentation required (i.e. over and above the guideline document you are now reading) typically includes:
- The Business Continuity - (BC) 'requirements' standard itself i.e. ISO 22301:2012
- The associated (supporting) 'guidelines' standard for how the ISO 22301 'requirements' are to be met i.e. ISO 22313:2012
- ISO 22300:2012 - Vocabulary / terminology used in ISO 22301 & 22313
- Possibly / probably ISO 31000:2009 (provides principles and generic guidelines of / on 'risk management')
- Possibly / probably ISO 31010:2009 (guidance on 'risk assessment techniques')
- Appropriate * further expansion / amplification of all of the above, e.g. as contained in associated specialist (mainly commercial) publications not already mentioned above - most of which will require purchase
* For example, performing a Business Impact Analysis (BIA) and associated Risk Assessment (RA) is generally acknowledged as the foundation of BCMS introduction into any organization. Whilst this guideline (the document you are reading now) provides sufficient information to reasonably understand the working basics of BIA & RA in general, a certain amount of additional information [and pre-preparation] will almost certainly be required if they [BIA & RA] are to be accomplished and used successfully
Comment - generally speaking, all ISO standards require purchase
Even if an organization has no intention of achieving ISO 22301 certification, the use of ISO 22313 (in conjunction with this guideline document [the one you are now reading] plus other appropriate [commercially available] information) to assist in the planning, implementation, maintenance, review and evaluation of a BCMS in any but the smallest / simplest organization is nevertheless very strongly recommended.
(However, do note the following quote from ISO 22313: "It is not the intention of this International Standard to provide general guidance on all aspects of business continuity")
Note 5 - To avoid confusion / for the sake of clarity, it must be clearly understood that this guideline document is not about simply putting together (producing) 'just a business continuity plan'. Rather, it is meant to give the user / reader a good working knowledge of the entire, overarching process as to how a BCMS might relate to any organization and, where so desired, to then be used further to assist in guiding the introduction of a BCMS into a particular organization.
As per the above, one (but only one of many) BCMS implementation tasks requires the production of an associated business continuity plan (BCP), i.e. (and to re-iterate) the latter is just one of the many building blocks (another being e.g. 'personnel competency and experience', achieved by training and exercising) required to establish a full, successful BCMS. Each and every such building block needs to be addressed separately, i.e. in its own right.
Note 6 - Prior to the 2012 introduction of (business continuity standards) ISOs 22301 & 22313, there were a number of differing and unresolved viewpoints on the subject of 'business continuity' and its 'relationship' with the separate but closely related subject of 'risk management' - some of which (viewpoints) were undoubtedly driven by partisan / vested interests related to one or other of these subjects and the persons practising them!
The relationship is actually quite clear - i.e. business continuity is simply a subordinate, component element (known as a 'risk control' or 'risk treatment') of risk management, i.e.
- Threats to an organization are identified, analysed & assessed / evaluated - the evaluated results being expressed in terms of level of 'risk' to the organization
- An 'informed' decision is made on what to do with (how to 'treat' or 'control') the evaluated risks - e.g. ignore; avoid; transfer; manage / mitigate / reduce etc.
- One (but only one of several) method of managing / mitigating / reducing risk uses appropriate business continuity measures
The user / reader might ask 'why is this relationship important?'
The answer is that business continuity (BC) and risk management (RM) are so interdependently linked that neither can be ignored in their practical application.
This is particularly so for BC and its (still historically unacknowledged by some) subordination to the parent / overarching RM processes.
This relationship has always been evident within 'modern' BC - e.g. there is no point in completing a Business Impact Analysis (an essential BCMS building block) unless an associated 'Risk Assessment' is also undertaken - and the results merged, evaluated and managed
But - the BC 'experts' (ISO's Technical Committee [TC] 223) who put together ISO 22301 & ISO 22313 have now unfortunately (and possibly unnecessarily) gone beyond simple risk assessment (which is relatively easy to understand and implement) and significantly complicated matters by additionally including the need for (quoting from ISO 22313):
- Accountabilities and actions relating to 'risk strategy' and 'risk appetite'
- The establishment of a formal 'risk assessment' process
- The 'strongly implied' need to obtain, refer to (and understand) the risk management standard ISO 31000:2009 (Risk Management - Principles & Guidelines) and its supporting standard ISO 31010:2009 (Guidance on Selection & Application of Risk Assessment Techniques).
Accordingly (and the main reason for this Note 6), ISOs 22301 & 22313 have now, effectively, put an additional burden on those persons assigned BC responsibilities & accountabilities within an organization - in that such persons will henceforth require (and / or require access to) a certain degree of risk management competence (knowledge & proficiency), depending on the organization's circumstances and resources. For example, where an organization already has an effective & efficient RM department / business unit, much if not all of the risk management aspects of BC may be assigned / delegated to that department / business unit.
Indeed, many organizations combine the RM & BC functions (or, more realistically, BC is simply seen as a component part of an organization's overarching RM roles & responsibilities).
However, the major problem here concerns organizations wishing to establish / update a BCMS where no risk management expertise is internally available (i.e. beyond the ability to understand & apply simple risk assessment principles / implementation techniques) and where a lack of appropriate resources (particularly money) does not readily permit engagement of appropriate external RM expertise (typically an RM consultant).
Should such an organization wish to be guided by ISO 22313 (which is likely, and actually recommended), the job would be difficult enough if these 'new' BC requirements related to risk management were not there. But they are there, and in their current form may be seen (perhaps not unreasonably) to have needlessly over-complicated an already (relatively) complicated process - whilst significantly increasing the already onerous awareness, competence and implementation burdens on those primarily involved.
Note 7 - This guideline document (the one you are reading) should not be used in isolation from ISO 22313.
Cross-referencing to ISO 22313 is widely used in this guideline document, as copyright matters do not generally permit direct reproduction of ISO 22313 information herein. It is, therefore, desirable (probably essential, actually) to have access to ISO 22313 when following the cross-references contained in this guideline [the document you are reading now], in order to reinforce and supplement it (and possibly to present a slightly differing viewpoint in some areas).
The author / owner of this guideline document is of the opinion that 'societal security' type standards (including those above) should be freely accessible online, i.e. at no cost to the consumer. For example, and in contrast to the above, the equivalent USA standard covering business continuity (NFPA 1600 - 2018 version) is a purely national (USA) standard covering disaster / emergency management and business continuity. However, if a US organization trades internationally it would almost certainly be better to use ISO 22301 / 22313. Many countries have already abandoned their national BC standards and adopted the associated ISO standards instead.
The 'National Fire Protection Association' (NFPA) strives to make its documents as accessible as possible, because it believes this is the best way to accomplish its mission - simply sign in at nfpa.org.
Note 8 - ISO is the most well known standards body worldwide, covering all aspects of technology and business. A 'standard' is a document which provides requirements, specifications, guidelines and characteristics which can be used consistently to ensure that materials, products, processes and services are fit for their intended purpose.
Some of the first ISO standards issued were in the (ISO 9000 - Quality Management) range, with perhaps the best known being 'ISO 9001 Quality Management System Requirements', which I would call the most popular, the building block and the backbone, and the most important, since it is dominant in covering almost all aspects of an overarching quality management system. It is therefore obligatory first to have [ISO 9001 - QMS - (human resources management)]; then you can know how to follow the processes for ensuring that products and services are safe, reliable and of good quality.
Standards are a strategic and tactical tool which can reduce costs by minimizing waste and errors and by increasing productivity. They can also help organizations to access new markets, level the playing field for developing countries and facilitate free and fair global trade.
Note - many countries produce their own national standards (similar in concept to ISO standards) on a vast range of subjects. Some take guidance from / are similar to ISO standards, some do / are not; in all cases the matter depends on the responsibilities of internal / external audits & accountabilities, and on credibility.
In some subject matter areas the best of the national standards have been combined to create an equivalent ISO 'international standard', which then typically supersedes the associated national standards. An excellent example of this relates to business continuity planning and operations.
ISO Business Continuity Standards
Up to 2012 a significant number of countries had produced their own national standards on 'business continuity'. In that year many (but not all) such national standards were superseded (with the agreement of the countries concerned) by two new international (ISO) standards:
* ISO 22301:2012 - 'Societal Security - Business Continuity Management Systems (BCMS) - Requirements'
This standard specifies the requirements for planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving a documented management system to protect against, reduce the likelihood of occurrence of, prepare for, respond to and recover from disruptive incidents, i.e. a BCMS
The extent of application of these requirements depends on the various aspects of an organisation's operating environment and also its complexity
Organizations will (if they so desire) be able to apply for formal ISO certification against the requirements of this standard - and thus be able to demonstrate to legislators, regulators, customers (actual & prospective) and other interested parties that they are adhering to best Business Continuity Management (BCM) practice
Compliance with ISO 22301 or alignment with its supporting standard (ISO 22313) also enables the 'business continuity manager / equivalent person' to demonstrate to 'Top Management' / whoever that a recognised, fit-for-purpose level of business continuity operation has been achieved by the organisation
ISO 22301 is necessarily formal in style (it comprises short, concise requirements only) in order to facilitate compliance auditing and formal certification. Full compliance (no deviations) with its requirements is mandatory in order to achieve certification
However, a more extensive (and separate) standard (ISO 22313:201 - see the next main bullet point further below) has been concurrently developed in order to provide greater detail (guidance) on each ISO 22301 requirement
Potential benefits of ISO 22301:2012 certification include:
- Identification and management of current and future threats
- Taking a proactive approach to minimizing the impact of incidents on business
- Keeping critical functions up and running during times of crisis
- Minimising downtime during incidents and improving recovery time
- Demonstrating resilience to customers, potential customers, suppliers etc.
* ISO 22313:2012 - 'Societal Security - Business Continuity Management Systems (BCMS) - Guidance'
This standard provides guidance for planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving a BCMS - thus better enabling organizations to prepare for, respond to and recover from disruptive incidents
It is not the intent of ISO 22313 to imply uniformity in the structure of a BCMS, but rather for an organization to design a BCMS which is appropriate to its own needs and which meets the requirements of associated 'interested parties / stakeholders' - including customers. Such needs are typically shaped by:
- Legal, regulatory, organisational and industry requirements
- The nature of an organization's product(s) and / or service(s) etc.
- The processes associated with providing the product(s) and / or service(s) etc.
- The organization's operating environment
- The size and structure of the organization
ISO 22313:2012 is generic, i.e. applicable to all sizes and types of organization, including large, medium and small entities operating in the industrial, commercial, public and not-for-profit sectors, which wish to:
- Establish, implement, maintain and continually improve a BCMS
- Ensure conformance with the organization's continuity policy
- Make a self-determination / self-declaration of compliance with ISO 22313 as required
- Use ISO 22313 guidance to assist in achieving formal ISO 22301 certification as required
Where so desired, an alternative to ISO 22301 certification (the latter typically being a significant [work intensive / time consuming / resource related etc.] undertaking for many organizations) might be for an organization to formally align its BCMS with ISO 22313 instead. If the latter is pursued, the work and other requirements etc. are still considerable, but the associated pressures related to 'certification' are removed
Note - ISO 22301 & 22313 were developed, in the main, based on the best preceding national standards referred to above. They are also the product of significant global co-operation & input
What is Societal Security?
ISO 22301 and 22313 were developed by ISO's Technical Committee (TC 223), the latter dealing with 'societal security' type issues, i.e. developing standards for the protection of society from (and response to) incidents, emergencies etc. caused e.g. by intentional and unintentional human acts, natural hazards, technical failures and so on
TC 223's 'all-hazards' remit includes pro-active, adaptive and reactive strategies which can be used before, during and after 'societal security' related events. The area of societal security is multi-disciplinary and typically (but not exclusively) requires active participation from both the public and private sectors
Some examples of TC 223's other projects include:
- ISO 22320:2011, Societal Security - Emergency Management - Incident Response Req'ts
- ISO 22315 - Societal Security - Mass Evacuation
- ISO 22322 - Societal Security - Emergency Management - Public Warning
- ISO 22324 - Societal Security - Emergency Management - Colour-coded Alert System
- ISO 22398 - Societal Security - Guidelines for Exercises and Testing
Important note for consideration - the 2018 purchase price for ISO 22313 was around USD $160, a lot of money for such a small document. For this price one would hope that ISO 22313 would comprehensively and clearly deliver its intent, i.e. as a complete guideline to the implementation of ISO 22301's requirements.
However (and in the informed opinion of the author / owner referred to above) it might be considered by some to be found wanting, for the following general reasons:
- Despite ISO 22313's opening disclaimer that '...it is not the intention of this international standard to provide general guidance on all aspects of business continuity...', common sense alone would indicate that in 46 pages it cannot come near to adequately providing the guidance needed to comprehensively complete what is a large and relatively complex project.
For example, books have been written (in their own right) on the subject of 'business impact analysis - BIA' and (separately) 'risk management (assessment) - RA', both of which are fundamental building blocks to the introduction of a BCMS into organizations (BIA gets only a 1.5 page mention in ISO 22313 - and RA gets even less, at 0.75 of a page!)
- Concerning risk assessment, ISO 22313 obliquely refers the user to another (separate) ISO standard which would also require purchase, i.e. ISO 31000:2009 ('Risk Management - Principles & Guidelines' - 24 pages / approx. cost [early 2018] USD $120).
However, what ISO 22313 doesn't tell you is that in order to find your way around the 'risk assessment' bit of risk management, ISO 31000 has, in turn, its own related, supporting standard, i.e. ISO/IEC 31010:2009 (Guidance on Selection & Application of Risk Assessment Techniques - 176 pages / approx. price $320)
- It is reasonable to expect an explanation of the terminology used in ISO 22301 & 22313 to be included within the documents themselves. This is not so. Yet again, a separate ISO document (ISO 22300 - $60) needs to be purchased to get at this terminology
- ISO 22313's layout fails to follow the desired 'Plan / Do / Check / Act - PDCA' cycle (in contrast, the document which you are now reading does follow this cycle). Instead, it (ISO 22313) follows the 'new' format for ISO management system standards (in general) introduced in 2012
The resulting document may be seen by some as being rather disjointed, e.g. ISO 22313's Clause 6 (Planning) does not reflect 'planning' as envisaged in the PDCA cycle (for more on the PDCA cycle see page 65 of this guideline document)
In summary, ISO 22313 is documented as being a guideline for the implementation of ISO 22301. In reality, many (most?) intended users will need to purchase additional ISO standards and other (non-ISO) commercial, specialist publications in order to successfully achieve such implementation. For some context on this matter, see again 'preamble' Note 4 (page 5) and Note 6 (page 7)
Conclusion and recommendation
Harmonizing the obligatory and essential ISO standards, through comprehensive steps of performance-driven maturity assessment, is how to implement a 100% integrated ISO management system in an organization.
The key to successful business in an increasingly complex, challenging and globalized environment is to fulfil a number of essential preconditions: leadership, a sound organizational structure and well-designed business processes, as well as competent and highly motivated employees. Management systems based on international standards such as ISO 9001 are a great help in this respect.
On Friday, 18 July 2014, NBN (Bureau for Standardisation) launched a new standards package, "Management Essentials".
This standards package contains the most important ISO management standards for quality, the environment, risk management, energy management etc. For the price of just 499 euros, you can immediately get to work with the "Management Essentials" standards package. Your benefits:
- Up to date: you have permanent access to the most recent versions of your management standards.
- Efficient : NBN manages your standards collection, thereby reducing your administrative workload. Furthermore, a standards package works out a lot cheaper than buying each standard individually.
- User-friendly: with a click of the mouse, you get an overview of the standards you have selected from our catalogue.
- Centrally managed: your standards collection is managed in one central place, with the result that all users always consult the same version of a standard.
The standard package "Management Essentials" contains the following ISO standards:
- NBN EN ISO 9000: Quality Management Systems - Fundamentals and vocabulary
- NBN EN ISO 9001: Quality Management Systems - Requirements
- NBN EN ISO 9001/AC: Quality Management Systems - Requirements Technical Corrigendum 1
- NBN EN ISO 9004: Managing for the sustained success of an organization - A quality management approach
- NBN EN ISO 14001: Environment management systems - Requirements with guidance for use
- NBN EN ISO 14004: Environment management systems - General guidelines on principles, systems and support techniques
- NBN EN ISO 14050: Environmental management - Vocabulary
- NBN EN ISO 22301: Societal security - Business continuity management systems - Requirements
- NBN EN ISO 22313: Societal security - Business continuity management system - Guidance
- NBN ISO 26000: Guidance on social responsibility
- NBN ISO/IEC 27000: Information technology - Security techniques - information security management systems - Overview and vocabulary
- NBN ISO/IEC 27001: Information technology - Security techniques - information security management systems - Requirements
- NBN ISO 31000 Risk management - Principles and guidelines
- NBN EN ISO 50001: Energy management systems - Requirements with guidance for use
- NBN ISO 55000: Asset management - Overview, principles and terminology
- NBN ISO 55001: Asset management - Management systems - Requirements
- NBN ISO 55002: Asset management - Management systems - Guidelines for the application of ISO 55001
Exceptional offer:
- Yearly subscription price only 499 Euro.
- Moreover you can add 10 standards to your standards package.
- You are also entitled to follow a free training course at the NBN Academy: ISO 45001 (OHSAS), ISO 14001 (environmental management) or ISO 18617 (sustainable purchasing)
The interdependence of the ISO series appears clear-cut and is quite an interesting agenda for standardisation: coordinating quality in all sorts / kinds / types of human activities, so that relationships can arise between more cooperative, autonomous participants in a scenario of mutual reliance, which leads to the globalization of economies.
A cross-review of the ISO management series refreshes our minds as to how comprehensive, interdependent, compatible and integrated these standards are, and how they work as state-of-the-art if you know how to use them (for example with maturity assessment) as an aid and not as a limitation:
Harmonizing the different assessments maintains strong cooperation, with continuing liaison committee status ensuring continued alignment
- ISO/TS 16949 International automotive industry supply chain
- ISO 14064 Greenhouse gas (GHG) emissions and removals
- ISO 20121 Events Sustainability Management Systems
- ISO 26000 corporate ethical behavior in Social responsibility
- ISO 19600 Compliance management systems
- ISO 37001 Anti-bribery management systems
- ISO 11620 Performance indicators for libraries
- ISO 2789 International library statistics
- ISO 17025 Accreditation testing and calibration laboratories
- ISO 26800 Ergonomics - General approach, principles and concepts
- ISO 17021 Represents the auditing standard for certification bodies
- ISO 20000 Describes the requirements for an (ITSM)
- ISO 9241 Ergonomics of Human-System Interaction
- ISO 22000 Food Safety Management System
- ISO 13485 Ability to provide medical devices and related services
- ISO 14971 Application of risk management to medical devices
- ISO 1307 Specifies the sizes of rubber and plastics hoses
- ISO 25010 Software Quality Requirements and Evaluation
- ISO 19731 Applies to digital analytics and web analyses.
- ISO 19011 Provides guidance on auditing management systems.
- ISO 9004 Tool designed for quality management.
- ISO 28000 Aerospace & Defense sector quality management.
- ISO 10993 Biological evaluation of medical devices within a risk management process.
- ISO 19650 Information management using building information modelling.
- ISO etc.
Continuous Improvement Maturity Model
Many organizations use maturity models to measure and improve their performance. A maturity model allows an organization to have its methods and processes assessed according to best management practice and against a clear set of external benchmarks. Significant benefits have been realized by using these methods for business improvement and in system development applications.
However, these models have two issues. First, most of these maturity models are very comprehensive and complicated for many organizations.
Second, these models do not incorporate the full set of process improvement techniques and methods. Most models were developed at the time of 'Total Quality Management' (TQM), but do not incorporate the full set of Lean and Six Sigma tools.
Improving processes within an organization is described by the 'Continuous Improvement Maturity Model' (CIMM)TM. It is a framework that describes an approach to process improvement, from creating a solid foundation to developing World Class products, using techniques of process improvement, quality management and new product development. It includes elements from TQM, Kaizen, TPM, Lean, Six Sigma and Design for Six Sigma. CIMM is an open standard and is maintained by the 'Lean Six Sigma Academy' (LSSA).
The CIMM Model is not meant to replace other maturity models, but to support them. Like most maturity models, CIMM includes five different levels. The CIMM Model can also be used as a stand-alone framework to guide the process of Continuous Improvement from a very early stage to the World Class level.
Choosing the proper process improvement methods and tools depends on the actual maturity level of the organization. If an organization works on getting to the next level, it should also maintain the levels below. For instance, if a company is aiming for 'Capable' processes, it should sustain the Foundation, Culture and Predictability levels.
Below, each of the five levels is reviewed briefly, explaining the best way to achieve the next maturity level.
The levels will be identified as 'Continuous Improvement Level 1' (CIMM Level-I) through to 'Continuous Improvement Level 5' (CIMM Level-V)
Continuous Improvement Level 1 (CIMM Level-I)
Creating a solid foundation (Structured)
Before an organization can really work on process improvement programs like Lean and Six Sigma, a proper foundation must be put in place. This foundation consists of a proper and organized work environment, reliable equipment and Standardized Work (clear procedures and work instructions). This foundation guarantees a solid base for all future improvement initiatives and programs.
In this phase it is important to define the standards that are expected in a working environment. This is independent of the type of working environment.
The same questions can be asked in industry, government, construction, healthcare etc. Each department should be able to determine standards for quality and delivery based on its customer requirements. 'Quality Management Systems' (QMS), like ISO 9001, deal with the organizational objectives and the procedures that have been put in place.
One of the most widely applied methods to create the foundation is called '5S'. The 5S program is about good housekeeping and is a structured manner of setting up a proper and safe work environment.
Setting up a 5S program can be done in any type of organization and is independent of the sector. Setting up a 5S program will be explained in more detail in section [4].
It is very important to realize that each of the mentioned elements requires continuous attention and effort.
Even when working on tools from a higher maturity level, working on the fundamental tools is still important, in order to sustain good results at the higher maturity level and prevent deterioration of the foundation.
Proper maintenance of tooling and equipment is also important in creating a solid foundation. A comprehensive maintenance program is called 'Total Productive Maintenance' (TPM). The elements of TPM fit very well in Levels I and II, but implementing the full TPM program fits better at Level III.
Continuous Improvement Level 2 (CIMM Level-II)
Creating a Continuous Improvement culture (Managed)
The second level focuses on the creation of a culture in which all employees are involved in the improvement process. At this level we adhere to the philosophy of Masaaki Imai as set out in his book Kaizen (1986). Kaizen focuses on improvements at the workplace of an organization. In Japanese this workplace is called the 'Gemba'.
The Kaizen philosophy is based on a continuous process of small improvement steps rather than the large breakthrough improvements pursued in programs like Six Sigma. Every week a number of small improvements should be visible, to create a constant feeling of success.
The idea behind this is that by realizing a large number of small improvements, a big improvement has in fact been made. It is also much easier for staff to adapt to small changes than to cope with one major change.
To support the realization of a Continuous Improvement culture it is important to involve as many people as possible, to ensure that the entire team will be part of this culture. Communication about the daily performance is very important to get all individuals aligned and involved. This is achieved by putting in place visual management boards showing the results of the process. Short daily stand-up meetings are organized with all involved to discuss the daily output, the issues of the moment and agreement on the actions that need to be taken.
The approach for a Continuous Improvement project is the PDCA cycle. PDCA stands for Plan - Do - Check - Act.
The 5S program and the visual management boards will result in an overview of the workplace and insight into the process. An additional approach to create overview and insight is WIP-control (control of 'Work in Process'). The intention is to reduce the number of orders that people are working on at a given moment. The philosophy behind this is that a person can only work on one order at a time. Why then have a pile of orders on the production floor or desk waiting for processing? It takes up a lot of space and does not support management oversight. It also increases the average Lead Time of orders. A simple equation describing the relation between the amount of WIP and Lead Time is called Little's Law.
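To make the WIP / Lead Time relation concrete, here is an added example (not part of the original guideline, and not the LSSA's material) that simulates a single-person desk under two release policies, the 'pile on the desk' and a WIP cap, and checks Little's Law (average WIP = throughput x average lead time) on the resulting order log. The order timings, the 16-order volume and the half-hour service time are constructed, not measured data.

```python
"""Little's Law (WIP = throughput x lead time) on a constructed order flow.

Added example, not part of the original guideline. It compares two release
policies for the same single-person desk: releasing a whole pile of orders
at once versus capping the number of orders in process (WIP-control).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Order:
    order_id: str
    released: float  # hour the order landed on the desk (entered the process)
    finished: float  # hour the order left the desk


def simulate(n_orders: int, service_hours: float, wip_cap: Optional[int] = None) -> List[Order]:
    """One worker processes orders first-in-first-out, each taking service_hours.

    wip_cap=None releases every order at hour 0 (the 'pile on the desk');
    an integer cap releases an order only when a slot on the desk frees up.
    Timings are constructed, not measured data.
    """
    orders: List[Order] = []
    for k in range(n_orders):
        if wip_cap is None or k < wip_cap:
            released = 0.0
        else:
            # A slot frees up when the order wip_cap places earlier is finished.
            released = orders[k - wip_cap].finished
        start = max(released, orders[-1].finished if orders else 0.0)
        orders.append(Order(f"ORD-{k + 1:03d}", released, start + service_hours))
    return orders


def metrics(orders: List[Order]) -> Tuple[float, float, float]:
    """Return (average WIP, throughput per hour, average lead time in hours).

    Average WIP is the time average of the number of orders on the desk:
    total order-hours spent in process divided by the observation window.
    """
    t0 = min(o.released for o in orders)
    t1 = max(o.finished for o in orders)
    window = t1 - t0
    order_hours = sum(o.finished - o.released for o in orders)
    avg_wip = order_hours / window
    throughput = len(orders) / window
    avg_lead_time = order_hours / len(orders)
    return avg_wip, throughput, avg_lead_time


def littles_law_gap(orders: List[Order]) -> float:
    """Measured average WIP minus throughput x lead time; Little's Law says zero."""
    avg_wip, throughput, avg_lead_time = metrics(orders)
    return avg_wip - throughput * avg_lead_time


if __name__ == "__main__":
    for label, cap in (("pile on the desk", None), ("WIP capped at 2", 2)):
        wip, rate, lead = metrics(simulate(16, 0.5, cap))
        print(f"{label:18s} WIP={wip:5.2f}  throughput={rate:.2f}/h  lead time={lead:.2f} h")
```

Both policies deliver the same throughput (the desk does not work faster), so the only way the capped policy shortens lead time is by lowering WIP, which is exactly what Little's Law predicts.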
Continuous Improvement Level 3 (CIMM Level-III)
Creating stable & efficient processes (Predictable)
The third level of process improvement focuses on the creation of stable and reliable processes with a predictable outcome. The main objective of creating stable processes is to avoid incidents, stress, firefighting, downtime, unsafe situations, quality spills, mistakes etc.
In other words, the creation of an environment where you know what will happen and what can be promised to the client. Remember that a reliable delivery date is better than a faster, but unreliable, delivery date. For this you will need stable and predictable processes.
This stage has a high focus on optimizing the logistics in a work environment, rather than focusing on quality improvement programs. However, by creating a stable and reliable process where people only focus on adding value and eliminating Waste, the quality of the product will increase as well. In this stage there are hardly any differences between a production and an office environment, as long as you continue to think in terms of a process. In a production environment the results of the process (the products) are physically present, while in an office setting the results of the process (the service) are very often hidden in a computer system.
The five principles of Lean are the starting point at this level.
Processes are described and established in an efficient manner by the identification and elimination of Waste in the process. One of the most powerful tools used at this level is Value Stream Mapping.
For manufacturing processes a very powerful method for creating stability is 'Total Productive Maintenance' (TPM).
TPM is a strategy to improve the efficiency of available production resources and to reduce machine-related rejections. TPM is mainly used in production environments that are highly machine dependent, such as automotive and food.
TPM will need to be explained in more detail. 'Theory of Constraints' (TOC), another well-known improvement approach developed by Eliyahu Goldratt (19986), is also used at this stage.
Continuous Improvement Level 4 (CIMM Level-IV)
Creating capable processes (Capable)
The fourth level focuses on reducing variation in the stable process created in the first three levels.
The objective is to increase predictability, quality and customer satisfaction. The improvement method used at this level is Six Sigma. This is a long-term strategy to improve performance by reducing variation.
At this stage statistical tools are applied by Black Belts to analyze the performance of processes and products. Some of the tools are also applied by Yellow, Orange and Green Belts. In order to apply statistics, data is needed. Therefore at this stage it is important to have a performance measurement system in place that is able to deliver data on process performance and on the products that are produced.
Besides statistical tools, Six Sigma offers a structured approach for executing an improvement project. This approach is called the DMAIC road-map, which stands for Define - Measure - Analyze - Improve - Control.
Although the DMAIC road-map finds its origin in Six Sigma, it can be applied to Lean projects as well. The approach is too complex, though, for smaller projects like Kaizen initiatives. For these types of project it is recommended to follow the PDCA road-map.
Rather than increasing quality with a step-by-step approach as Kaizen proclaims, Six Sigma focuses on breakthrough quality improvement projects. An improvement project will take a few weeks or a few months rather than a few days. As a consequence the Six Sigma approach is much more top-down driven, by Green and Black Belts, than the bottom-up Kaizen approach.
Continuous Improvement Level 5 (CIMM Level-V)
Creating World Class products & services (World Class)
Level-V is a combination of Product Life-cycle Management (PLM) and Design for Six Sigma (DfSS). PLM is the process of managing the entire life-cycle of products, from inception, through engineering, manufacturing and service, to disposal.
PLM integrates all resources, processes and business systems and provides a product information backbone for companies.
The process of PLM was initiated by American Motors Corporation (AMC) in 1985, when the automaker was looking for a way to speed up innovation and improve its competitiveness.
DfSS is a systematic and rigorous method to support the development of new products that perform at a Six Sigma quality level right from the start. New products often demonstrate problems during introduction and ramp up of production.
Would you like to undergo a serious operation by a surgeon who just graduated? Do you recognize that a new car has a higher chance of demonstrating problems in the first year than in the second year? This all has to do with the so-called 'Infant mortality' phase of the new product.
DfSS brings the process into a controlled state much earlier by focusing on customer requirement process and risk at the earliest phase of the development process.
Critical requirements and risks are given extra attention during the development process.
Design for Six Sigma is regularly applied by Black Belts, reliability engineers and in some cases by Green Belts. It requires knowledge of all the tools and techniques that are explained at Levels I to IV. Design for Six Sigma is very powerful in industry and high-tech companies such as electronics and automotive. The approach is not possible in processes that are not data-driven.
The above article refers to the 'Conclusion / recommendation' critical perspective, which explores the causes and consequences of its not being possible to implement the ISO 22301:2012 Business Continuity Management System unless all critical requirements have been implemented, validated and verified.
Crisis Response Planning Manual - CRPM part 3 - Aviation Business Continuity Plan. (Common body of Knowledge - Business Continuity System - ISO series - Continuous Improvement Maturity Model)
The detailed sections that follow will make clear the need to harmonize the different assessments, to maintain strong cooperation through continuing liaison committee status, and to ensure the continued alignment of all management systems.
ABCX Airways (Preamble 'Note 9' on page 10 refers) Crisis Response Planning Manual (CRPM)
The CRPM is the 'master' document which regulates and guides all forms of crisis / emergency / incident (contingency) response within 'ABCX Airways'.
The CRPM is made up of 6 separate Parts - each part dealing with a specific type / aspect of an emergency / crisis / incident response - and containing associated accountabilities, procedures, checklists, information, explanations etc. The six 'Parts' of the CRPM are:
CRPM Part 1 - Catastrophic Aircraft Accident
CRPM Part 2 - Aircraft Incidents
CRPM Part 3 - Aviation Business Continuity Plan
CRPM Part 4 - Public Health Incident
CRPM Part 5 - Natural Disaster
CRPM Part 6 - Training Manual
Revision Information
This document comprises 303 pages - all dated 01 March 2018 'revision no 5'
Revision No: Original revision / Date: 30 Jul 2010 By: A H Williams (author / owner) Based generally on BS 25999 (ISO 22301 / ISO 22313 formally superseded BS25999 on 01 June 2014)
This document shall be reviewed and revised by its author / owner - on an 'as required' basis. As a guide - the review should take place at no more than 6 monthly intervals. Should a review result in the need for a revision - then the revision will be prepared and incorporated, and the associated controlled document information updated accordingly.
Acronyms / Abbreviations
BC ---> Business Continuity
BCPM ---> BC Programme Management
BCMS ---> BC Management System
BCP ---> Business Continuity Plan
BCT ---> Business Continuity Team
BIA ---> Business Impact Analysis
BRP ---> Business Recovery Plan
BRT ---> Business Recovery Team
CIQ ---> Customs, Immigration & Quarantine (Port Health) Services
DMC ---> Disruption Management Centre
DSU ---> Disruption Support Unit (see also IBU)
ERP ---> Emergency (Crisis / Incident) Response Plan
ERT ---> Emergency (Crisis / Incident) Response Team
IBU ---> Individual Business Unit (part of a larger entity) (see also DSU)
ICAO ---> International Civil Aviation Organization
ICT ---> Information and Communications Technology
IRS ---> Incident Response Structure
ISO ---> International Organization for Standardisation
MAO ---> Maximum Acceptable Outage (i.e. a period of time)
MBCO ---> Maximum Business Continuity Objective (i.e. an operationally related level of continuity - as related to provision of product, services etc.)
MMS ---> Modern Management System
MRO ---> (Aircraft) Maintenance, Repair, and Overhaul Organization
MTDL ---> Maximum Tolerable Data Loss (relating specifically to data & documentation)
MTPD ---> Maximum Tolerable Period of Disruption (re a product, service, activity etc.)
RA ---> Risk Assessment
RCA ---> Resources Consolidation Analysis
RM ---> Risk Management
RPO ---> Resources Point Objective
CDP ---> Critical Data Point (if relating to data / documentation)
RTO ---> Recovery Time Objective
SMS ---> Safety Management System
SPOF ---> Single Point of Failure
Section 1 / Pre-Introduction
Purpose & Scope
The purpose of this guideline document is to:
- provide a suitable reference source related to facilitating the acquisition of a reasonable level of theoretical knowledge - re the subject of business continuity in general - and aviation related business continuity in particular.
Note - where more in-depth knowledge is required, additional reference material should be consulted (see 'preamble note 4c' above)
The scope of this guideline:
- Provides an appropriate depth and range of material, sufficient to permit a foundation (reasonable) level of understanding to be acquired - relating to the concept and potential practice of a 'generic' Business Continuity Management System (BCMS) within a generic organization - AND
- Where appropriate - relates this generic BCMS to an aviation context
- Does not relate to the specific task (i.e. the actual work involved) of introducing a BCMS into an organization (especially where this might be undertaken in conformance with a business continuity standard - e.g. ISO 22301 and / or ISO 22313) - but will nevertheless be found to be a very useful aid in such a task (see 'Objectives' - next page)
- Generally excludes (for the sake of clarity, brevity and simplicity) business continuity requirements and activities relating to the recovery of 'data' - the latter being capable of existing in both soft and hard copy formats. In reality, however, this element of business continuity planning must of course be covered. The associated concepts / practices are relatively simple to understand and implement, e.g.
* Regular backups made of electronic data (the term 'regular' as defined by the organization)
* Electronic data backups to have an additional (adequate, secure & easily / rapidly accessible) 'off-site' storage capability
* Hard copy documents to be stored in fire-proof repositories
* Hard copy documentation of high importance to be copied and additionally stored in an adequate, secure & easily / rapidly accessible 'off-site' facility
* etc.
Objectives
On successful completion of an appropriate course of training (associated with the subject matter included in this guideline document) the typical user should be in a position to progress to the 'next phase' - which is expected to involve the acquisition of Business Continuity (BC) related 'on-the-job practical experience (and / or equivalent)' - as will typically be required in order eventually to conduct effective and efficient actual (real / practical) BC activities, particularly with reference to aircraft, airport and other aviation related operations.
Note 1: This guideline can be used as the foundation material for the associated training course
Note 2: The 'next phase' (as mentioned above) is not within the scope of this guideline
Context
- The major part of this guideline is written in the context of BC activities related to 'generic' organizations. This is deemed necessary in order for the user / reader to build up a solid BC foundation, with the aim of using it to progress (if and as required) to the application of BC in any practical context - provided that suitable further training and / or experience and qualification requirements are met.
- Selected elements of this guideline provide an introduction to BC as it relates specifically to aviation. A medium to large sized operator / organisation (airline, airport, GHA etc.) has been assumed for this purpose unless stated otherwise.
However, the business continuity concept can be applied to just about any aviation entity, regardless of what the entity does - and of its complexity and / or size
Glossary (Know the 'Jargon')
There is a significant amount of BC and * BC related terminology in use around the world and, as there has never been a truly international business continuity standard (until [arguably] the publication of ISO 22301 in May 2012 and ISO 22313 some months later), standardisation of this terminology between interested parties has never been effectively addressed / achieved.
* Examples include 'Risk' Management, 'Emergency' / 'Crisis' / 'Incident' Response Management - etc.
That said, due credit must be given to certain organizations which have made some progress in the past - in at least documenting (but not being able to universally standardise) much of the terminology in use. Furthermore, the publication of ISOs 22301, 22313 and 22300 has helped by publishing a limited number of BC and BC related terms and definitions.
However (and notwithstanding that this guideline [the document you are now reading] is generally predicated on ISO 22313), the author / owner is currently (2018) of the opinion (subjectivity acknowledged) that BC terms & definitions might be better expressed (especially from a student's / trainee's perspective) using those in current and actual common use right now - albeit at the risk of losing an element of standardisation to a greater or lesser degree.
This is what has been included in the following glossary and subsequently used in this guideline.
Slightly differing explanations for the same term / definition have been included in the glossary where felt necessary - in order to better understand the meaning of the particular term / definition.
It is anticipated that this guideline will transition to ISO 22300 / 22301 / 22313 terminologies - when same have reached an appropriate stage of maturity, 'completeness' and standardisation in actual widespread, international use - i.e. at some future time (but don't hold your breath for this to happen anytime soon!)
Note 1 - users / readers might find difficulty in fully understanding what is in this guideline document unless the following glossary is both studied and understood.
Note 2 - Audit procedure in detail is generally beyond the scope of this guideline document. Consequently, most audit-related definitions are not included in this glossary. However, see Sub-sections 6.1 and 6.2 of this guideline, where limited information on the subject has been provided.
Note 3 - this glossary is always capable of improvement (especially for those for whom 'English' is not a first language) - and all suggestions / proposals for such will be gratefully received by the author / owner of this guideline document (via email please) at: [email protected]
* Activity
Process undertaken by an organization (and / or on its behalf) - necessary to deliver and / or otherwise support (directly and / or indirectly) said organization's individual and / or combined 'key product(s) / services / operations / tasks' etc.
Key main activities are those whose failure might most quickly 'threaten' the viability of the associated (parent) key product(s), service(s) etc. In aviation, they (key main activities) are typically carried out by e.g. ICT services; call / contact (reservation & customer services) centres; operations control centres; fuelling facilities; flight crew & cabin crew services; airport baggage systems; airport / airline freight systems; air traffic services; airport fire and rescue services; terminal and ground handling services; aircraft & airport engineering services; safety and security services etc.
Key supporting activities are those whose failure might threaten (in varying [generally 'less urgent'] timescales) the associated parent key main activity / activities. In aviation again, key supporting activities typically include in-flight catering; HR; finance, legal & insurance services; facilities & procurement services; medical services etc.
Activities are typically provided as a mix of those conducted directly by an organization itself (e.g. airlines and airports) - and those depending on independent, third party suppliers / providers (e.g. ground handlers; fuelling services; CIQ etc.)
An organization's activities (plus everything they depend on) provide the major inputs for the two fundamental aspects of facilitating the management of business continuity - i.e. 'Business Impact Analysis' and 'Risk Management / Risk Assessment' (sometimes otherwise known in common BC terminology as 'understanding the organization').
* Alternate (Recovery / Back-up / Fall-back) Facility / Site
An organization's designated secondary facility, held in a pre-designated degree of readiness, in order to take over designated operations / services / activities etc. from the organization's associated primary facility / facilities - when necessary, e.g. an associated disruptive incident rendering the primary facility / facilities unavailable for a 'significant period' (latter term as defined by the organization itself)
A 'cold' alternate facility typically requires equipping, set-up, manning etc. 'on the day' (but in extremis may require building from the ground up)
A 'hot' alternate facility is generally fully equipped and functionally set up - simply requiring manning (if not already manned) to make it fully operational.
A 'warm' alternate facility sits somewhere between the cold and hot sites described above
* Backlog
The effects on an organization of an uncontrolled build-up of work / product etc. - which occurs as a consequence of an activity, process, resource, etc. being temporarily unavailable and / or having a 'lower than normal' output
Note: a backlog may become so severe that it cannot be adequately cleared using normal resources - i.e. a 'backlog trap'
* Business (as used in a business continuity context)
The entire infrastructure, as associated with all aspects of delivering the final outputs ( key products / services / operations) of a particular organization - regardless of the latter's type, (e.g. Government / Public, Commercial, Not-for-profit etc.) size, location etc.
* Business Continuity (BC)
An organization's ability / capability to continue delivering its key products, services, operations, tasks etc. to an acceptable, pre-defined level - following a significant, disruptive incident (BC is a component of 'risk' which is, in turn, a component of 'resilience')
* Business Continuity Context
Identifying and defining the external & internal factors to be accounted for - when setting the scope and criteria related to producing a BC Policy statement - and also during on-going management of any BCMS programme
* Business Continuity Management System (BCMS)
The part of an organization's overall 'modern management system' which is applied specifically to business continuity management
As with all modern management systems, a typical BCMS should include:
- A BCMS policy
- Management processes required to support the BCM policy
- Competent (aware, trained, and exercised) people with pre-defined, documented & measurable BCM roles, responsibilities and accountabilities
- Associated documentation, e.g. plans, information, instructions, guidance etc. (also used to provide evidence as part of any audit / compliance process)
- An appropriate BCM infrastructure
- Specific processes & procedures required to support BCM
- Other required BCM resources - including budget, time, facilities etc.
* Business Continuity Plan (BCP)
Documented procedures designed to guide an organization in how to respond, resume, restore & recover to a pre-defined level of operation / services / output following a significant disruption of one or more of the organization's activities.
Note that production of a BCP is just one of several required elements - comprising in total a 'Business Continuity Management System'
Another way of saying this:
Business continuity methodology components - produced as a documented plan
* Business Continuity Policy
A 'Business Continuity Policy' statement typically sets out the 'higher level' view of:
- An organization's aims, principles, objectives and approach to BCMS in general and to the introduction of a BCMS in particular
- How, when and in what ways(s) the BCMS shall be delivered - including scope
- Definition and documentation of key BCMS roles & responsibilities
- BCMS governance and review
* Business Continuity 'Requirement / Resources' Analysis
The process of collecting, documenting and analysing information re all of the resources which might be required in order to continue / resume business activities (following a significant disruption event), at a level commensurate with supporting an organization's declared BC Policy and Strategies
* Business Continuity Strategy
Appropriate strategic (higher level / longer term) choices made by an organization - necessary to ensure (insofar as is possible / practicable / desirable) continued production / operation (possibly following a temporary cessation of same) of its key products / services / operations / activities / tasks etc. (albeit to a potential, pre-defined level of operation - being below that of normal operations), following a significant, disruptive event
BC strategy is typically formulated based on the result of (input from) the associated 'understanding the organization' task
Very generally speaking, there are three 'generic types' of BC strategy which might be considered (i.e. choose the most appropriate strategy and expand upon it) with regard to each key product / service / operation / activity / task etc. under consideration, i.e.
1- Be fully productive / operational - at all times (e.g. trauma hospital)
2- Produce / Operate / Respond etc. to pre-defined (possibly incremental) and acceptable, minimum level(s) (see 'Minimum BC Objective' - MBCO) within pre-defined and acceptable time periods (see 'Maximum Tolerable Period of Disruption' - MTPD / and 'Recovery Time Objective' - RTO)
3- Do nothing (Pedantically speaking, the 'do nothing' choice is not a BC strategy - rather, it is a Risk Management strategy / treatment)
- Note - in general & current BC terminology, there is a fairly common (and somewhat confusing) intermixed usage of the terms 'BC Strategy' and 'BC Options'. Generally speaking, both terms refer to the same subject - as documented immediately above. However, the term 'BC Strategy' is used in this guideline document - in preference to the term 'BC Options'
* Business Continuity (Tactical) Treatments / Controls
Tactical (operational level / shorter to medium term) measures, taken by an organization, in order to achieve the requirement of an associated BC strategy - with regard to specific key product / service / operation / activity / task etc.
- For 'Full Production / Operation' - the BC 'strategy' will require appropriate BC 'tactical treatments / controls' which are capable of immediately (or as near immediately as possible - given the actual disruption circumstances 'on the day' resuming production / operation of the associated activity etc, post disruption
Examples of such activities include surgical operating theatres; other critical hospittal facilities; other critical emergency services; a key main activity which can only be via ICT resources (e.g. the website of an 'on-line only' retail organization); an airline's 24H call (reservations) centre; a category IIIB ILS at airport when e.g. 'below normall' weather is forecast (and, in fact, most Air Traffic Services in general also 'qualify' here) etc.
?All such BC treatments must obviously be 24H ready for near immediate implementation / takeover - and this is generally only achievable via 'hot duplication' i.e. the same key product / service etc. is maintained at all times at a minimum of two different (strategically located from a BC viewpoint) - Or perhaps by having * multiple redundant systems etc. Not forgetting the need for 'competent - people' to take over operation of such hot backup facility - however this might be achieved
*However, such systems (e.g. a 'no-break' power supply system co-located or very close to where the activity takes place) will be of no use of course if e.g. the associated facility where that activity takes place burns to the ground i.e. the no-break supply should be located well off-sete
* For 'option' 2 (see definition of 'BC Strategy' on previous page), appropriate BC 'tactical treatments / controls' are applied in order to deliver what's is required.
Some typical examples include:
- An appropriately equipped (resourced) and located 'back-up / alternate' facility (warm or cold) - where staff delivering key operation / services / activities - can be transferred, accommodated and operate at short notice
- Alternative suppliers and or the self-storage and rapid availability of identified stock and similar
- Use of (competent) alternate / interim staff to fill 'empty' posts 'Working from home'
- Reciprocal (mutual) aid arrangements with similar organization(s) etc.
- * Doing Nothing' (strategy 3) - might be regarded a (cost / benefits analysis) of the BC treatment(s) available to meet a specific BC strategy - and where the conclusion is made that the potentail benefit(s) of deploying such treatment(s) are outweighed by the costs of same.
Not, however, that there may also be potential adverse implications in 'doing nothing' - if not managed correctly.
Such implications typically affect brand, image and reputation type issues; crisis communications; financial matters etc.
Consequently, in choosing this treatment it is important to identify any further potential, adverse impacts which might arise as a result of 'doing nothing' - and pre-establish appropriate counter-measures accordingly - e.g. the need to communicate with stakeholders / other interested parties as to 'why the decision to do nothing' was taken; providing some form of compensation or similar to those disadvantaged as a result of 'doing nothing' (e.g. airline customers) etc.
Note 1 - 'doing nothing' is a good example of a BC treatment which itself potentially creates further risks and associated impacts - leading in turn to the need for further risk and / or BC treatments ... and so on
Note 2 - the term 'BC tactical treatment / control' is specific to this guideline document only. Within general BC terminology around the world it can also be known as 'BC Option'; 'BC Tactical Responses' etc. Even more confusingly, 'BC Options' is also sometimes used to mean the same thing as 'BC Strategy'
BC tactical treatments / controls are unlikely to be applied in isolation - rather, a combination of the appropriate treatments will typically be applied, e.g. for important (key) activities such as an airline's main operations control centre or an airport's terminal building management centre - it is likely that some / all of the following would be considered (the list is not exhaustive):
- Use of a fully equipped, relatively nearby (i.e. a different location) & ready to go (Warm) alternative / backup facility
- A suitable system for rapidly reinforcing on-duty staff
- A robust method of back-up communications (e.g. satellite phones, tetra radio [with telephone & messaging capability], smart phones)
- Access to a back-up (off-site) but easily and relatively quickly accessible repository for information (hard copy) and data (soft copy / electronic info)
- Use of cross-trained staff in appropriate secondary roles
- 'Working from home' capability for selected staff etc.
* Business Impact Analysis (BIA)
BIA (taken together with the other three components of the 'understanding the organization' task) is the foundation of Business Continuity Programme Management. In very brief summary it (BIA):
- Identifies an organization's key product(s) / services / operations etc.
- Identifies key main activities and resources (internal & external) associated with delivering the above key product(s) / services / operations etc.
- Identifies key supporting activities and resources (internal & external) associated with supporting delivery of the above key main activities etc.
- Assesses the prioritisation (scoring of degree of urgency) of 'key main & key supporting activities' to the organization, with regard to their continuity / resumption, following a significant disruption event ... and
- Assesses the impact over time of (uncontrolled & non-specific) disruption of such key main & supporting activities - on the delivery of the organization's key products / services / operations etc.
- Estimates the timescales (Maximum Tolerable Period of Disruption - MTPD & Recovery Time Objective - RTO) by which BC tactical treatments for each key main activity and key supporting activity above (individually - and in relation to one another where appropriate) must be applied, in order to avoid unacceptable consequences to the organization's stakeholders ... and
- Identifies internal & external dependencies etc. - relating to the same 'key main activities' and 'key supporting activities' and, where appropriate, adjusts initial recovery time objectives - RTOs (explained later below) to adequately account for same ... and
- Sets the minimum level of operation (MBCO) to be achieved when a disrupted activity 'resumes' within or by RTO ... and
- Identifies 'single points of failure' for any further action ... and
- Uses 'degree / level of adverse impact outputs' from all / any of the above as one of the inputs to the associated risk management / assessment process ... and
- Pulls together & documents the results of all of the above (and more) into a report which, when approved by Top Management, is used (going forward in the BCPM task) to formulate an associated 'BC Strategy / strategies'. That strategy (strategies) will, in turn, outline (from the higher level / longer term viewpoints) what the organization needs to achieve - in order to try to ensure continuity of its key activities, following a significant disruption event to same ... and
- Identifies and accounts for other activities which might require consideration from a business continuity context- but which are not expected to require application of the formal BIA & Risk Assessment processes described above
Note - known / expected seasonal factors e.g. peak trading periods; peak vacation periods for staff; deadlines for submission of legal, regulatory, financial and similar returns / reports etc. must also be factored into appropriate elements of the above
The BIA necessarily focuses on those activities - failure of which would most quickly threaten whatever it is that needs to be operated /produced / delivered.
This focus is typically directed to 'operational / high profile /up-front' activities (key main activities - both internal and external). However, many (if not most) of such activities will depend, in turn, on other 'backroom' activities (key supporting activities - both internal and external) which must also be documented and analysed via the BIA
The BIA can be difficult to perform competently but must be 'got right' if it is to be effective. It can also take quite a long time - depending on the size and / or complexity of the organization, the scope of the BIA, the co-operation of participants and the competence / experience / availability of the person(s) undertaking the associated data gathering & analysis of same - and, lastly, the degree of Top Management support
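As an added example (not part of this guideline, and not any vendor's BIA tooling), the Python sketch below models the timescale and dependency steps listed above: it checks that each RTO sits within its MTPD, pulls a supporting activity's RTO down to the RTO of the key activities that depend on it, and flags resources with no alternate as single points of failure. All activity names, hours, MBCO percentages and resources are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class Activity:
    """One BIA entry (constructed model; field names are this example's own)."""
    name: str
    mtpd_h: float                                   # Maximum Tolerable Period of Disruption (hours)
    rto_h: float                                    # initial Recovery Time Objective (hours)
    mbco_pct: int                                   # Minimum Business Continuity Objective (% of normal output)
    depends_on: list = field(default_factory=list)  # activities this one needs in order to function
    resources: list = field(default_factory=list)   # sites / systems / staff groups it relies on

def validate(activities):
    """RTO must not exceed MTPD, and every dependency must itself be in the BIA."""
    known = {a.name for a in activities}
    issues = []
    for a in activities:
        if a.rto_h > a.mtpd_h:
            issues.append(f"{a.name}: RTO {a.rto_h}h exceeds MTPD {a.mtpd_h}h")
        issues += [f"{a.name}: unknown dependency '{d}'" for d in a.depends_on if d not in known]
    return issues

def adjust_rtos(activities):
    """Pull each dependency's RTO down to the shortest RTO of anything depending on it."""
    adjusted = {a.name: a.rto_h for a in activities}
    for _ in activities:  # one pass per activity covers the longest possible dependency chain
        for a in activities:
            for d in a.depends_on:
                adjusted[d] = min(adjusted[d], adjusted[a.name])
    return adjusted

def single_points_of_failure(activities, alternates):
    """Resources with no alternate, mapped to the activities relying on them directly."""
    spof = {}
    for a in activities:
        for r in a.resources:
            if not alternates.get(r):
                spof.setdefault(r, []).append(a.name)
    return spof

# Constructed sample BIA data for an airline (illustrative values, not from the guideline)
BIA = [
    Activity("Ops Control Centre", 4, 2, 60, ["Crew Scheduling", "Core IT"], ["OCC building", "Satellite phones"]),
    Activity("Crew Scheduling", 12, 8, 50, ["Core IT"], ["Scheduling system"]),
    Activity("Core IT", 24, 12, 80, [], ["Primary data centre"]),
    Activity("Catering", 72, 48, 30, ["Core IT"], ["Flight kitchen"]),
]
ALTERNATES = {"Satellite phones": ["TETRA radio"], "Flight kitchen": ["Contract caterer"]}
```

Running `adjust_rtos(BIA)` shows why the initial 8h and 12h RTOs for Crew Scheduling and Core IT cannot stand: both are pulled down to the 2h RTO of the Ops Control Centre that depends on them.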
* Business Recovery / Business Recovery Plan
Whilst Business Continuity is targeted (following a disruptive event) at operating an organization's activities etc. to a pre-targeted minimum level of output (see MBCO) within pre-targeted timeframes (see MTPD & RTO) - Business Recovery aims thereafter to gradually restore such activities etc. to a more sustainable level than that required by MBCO - and eventually to 'normal operation' levels
Note - Business Recovery operations are not the subject of this guideline document. Where mentioned herein - it is typically for contextual and / or information purposes only
* Competence
The demonstrated ability of someone to adequately apply the knowledge, skills, experience etc. - considered necessary to achieve intended result / goals / targets etc. Competence is achieved via a mix of training, exercising, on the job experience etc.
* Compliance / Conformity
Compliance = the extent to which requirements are fulfilled. When a requirement is of a mandatory nature, the word conformity is used instead (the latter typically being a component of an appropriate 'Modern Management System' - as referred to herein)
* Corporate Governance (Governance, Risk & Compliance - GRC)
Companies generally direct & control their affairs by using a system of corporate governance - with 'Board of Directors' typically being responsible for such governance
The 'stockholders / shareholders' role in governance is to typically appoint directors & auditors - and to satisfy themselves that an appropriate governance structure is in place
The responsibilities of the 'board' typically include setting strategic goals, providing the leadership to put the latter into effect, supervising the management of the business and reporting to the stockholders on the board's 'stewardship'. The board's actions are generally subject to laws, regulations, rules, morals and the wishes of stockholders
From a BC / risk management viewpoint, corporate governance generally includes a requirement to describe business risk to the organization, via audited annual reports, together with the appropriate management / mitigation measures put in place to control such risks. In some jurisdictions a board level director assumes responsibility for the organization's risk management (including BC) oversight
* Critical, Time-sensitive Activities + associated Resources & Dependencies
One definition:
Component activities (together with associated resources, dependencies, interdependencies etc.) of a key product / service / operation etc. which, if interrupted for a long enough duration (significant time / period), might cause the parent organization to incur unacceptably adverse economic / operational / reputational etc. impacts ... and another:
Important, time-sensitive activities (including associated resources, dependencies, inter-dependencies etc.) necessary for an organization to be able to deliver its key products / services / operations in the appropriate manner prescribed (including the taking of 'Risk Management' type activities)
Important Note - the term 'critical' (other similar terms used in BC are 'essential', 'high importance', 'urgent' etc.) as used herein - is typically used in the context of 'time-criticality' - as indicated in the two definitions immediately above. However, it should also be interpreted (where appropriate) in a different context, e.g. of being critical for the purposes of prevention of death or injury - and similar - where time might be a significant factor
* Dependency
Relates to how one activity may depend (for its functionality etc.) on a different activity. Inter-dependency refers to the same concept - but now where all activities considered (being more than two) depend on each other for functionality etc.
* Disaster Recovery (DR)
A term traditionally used to describe the activities, processes and resources dedicated to prevention of an ICT failure / significant disruption and, if such prevention proves to be unsuccessful - the application of the appropriate recovery technique(s) to eventually restore 'normal operations'
The term is today much misunderstood and misused - especially outside its ICT context. Use of this term in this guideline document will only be as described above
Similarly, the term 'business continuity' is often [mistakenly] used today - where 'disaster recovery' would [at least pedantically] be the more appropriate term to use
* Disruption (Outage)
Anticipated / unanticipated events which significantly disrupt normal business activities
- Emergency (Emergency Response [plan /planning]) - (ERP)
- Crisis (Crisis Response [plan / planning])
- Incident (Incident Response [plan / planning])
All of the above can and do mean 'all things to all men' - depending on context, historical use, ignorance etc. However, and as used in this guideline document, the terms 'emergency' and 'crisis' relate to some form of * very serious occurrence and the initial (immediate / near-immediate) response(s) to same (e.g. evacuation; fire-fighting and rescue; immediate medical treatment; hospitalisation; provision of humanitarian assistance; provision of crisis related information etc. But - Not The Application of Business Continuity Measures)
* For an aviation context 'very serious' typically relates to a catastrophic aircraft accident type scenario or equivalent
Consequences of an emergency / crisis might (repeat - might) lead on (eventually) to activation of (separate) business continuity / recovery type operations, i.e. additional to the emergency / crisis response itself which, if it (the latter) lasts long enough, will need to be operated and managed concurrently with any eventual BC response
As an example - a major aircraft accident might be termed an 'emergency' or 'crisis' - and the parent (or related) organization's initial response typically guided by some type of emergency / crisis response plan (Note - 'Emergency Response Plan [ERP]' is the preferred term used in this guideline document)
A greater or lesser degree of disruption might typically be associated with such an emergency (e.g. closure of the main airport / airport hub serving the [accident related] aircraft operator), requiring implementation of a separate business continuity plan and, eventually, a separate business recovery plan - for both the accident airline and airport concerned (as appropriate)
Note 1 - within a Business Continuity context / common use terminology, all of the above named plans and supporting infrastructure are [incorrectly & confusingly] 'lumped in together' as something known as the 'Incident Response Structure - IRS' - even though what is being responded to might, in fact, be a major emergency / crisis (i.e. use of the less impacting term 'incident' in such circumstances can be potentially confusing when used in an aviation context. See also 'notes starting on section 2 [important note - from author]' for further clarification on this matter)
Note 2 - in aviation related terminology the word 'incident' typically refers to a much less serious occurrence than that associated with the word 'emergency'. Incidents happen relatively regularly within aviation and are usually responded to in a fairly low key manner. They rarely give rise to consequences which require activation of associated (formal) business continuity plans and / or emergency response plans
Note 3 - Important: for medium to larger-sized airlines / airports - it is common for 'emergency response' ops