Page 555 - ITGC_Audit Guides
GTAG — BCM Requirements
units. All emergency management policies must be aligned to ensure that CM, ER, and BCM work together during an actual disaster.

A. Senior Management Support

Senior management must display visible support for BCM and the emergency management program. This can be accomplished in various ways, including by:
• Defining a central group within the organization that is responsible for BCM and managing governance (e.g., defining required standardization), knowledge sharing, best practice coordination, consulting, and cross-business unit BCM activities.
• Creating a BCM system that each business unit (BU) must deploy.
• Ensuring appropriate funding for organization-wide BCM activities via the organization’s annual business plan, testing, and ensuring BUs include funding for their BCM efforts.
• Communicating the importance of BCM and how it adds business value.
• Participating in BC exercises, training sessions, and other emergency management events.

The BCM system that each BU must deploy should include:
• A definition of BCM and its business value within the company.
• A description of the steps required to deploy and maintain a BCM program within a BU.
• The establishment of ownership for BCM by each BU (see “Business Unit Management Support” below).
• The definition of BCM metrics that can be used to evaluate progress of the program at the organization level and BU or regional level (e.g., each BU creates its own local metrics).
• Deployment of a BCM continuous quality program that can be updated by each BU to deploy and maintain BCM.

B. Business Unit Management Support

BU or regional management must also display visible support for BCM and the emergency management program. This can be accomplished in various ways, including by:
• Deploying the BCM system defined by the organization.
• Ensuring participation by all teams within the BU in the BCM effort so that they create BC capabilities to match their risk and business value.
• Identifying someone to participate in organization-wide BCM governance (e.g., define required standardization), knowledge sharing, best practice coordination, consulting, and cross-business unit BCM activities.
• Communicating the importance of BCM and how it adds business value.
• Participating in BC exercises, training sessions, and other emergency management events for the BU.
• Ensuring appropriate funding for BU BCM activities via the BU annual business plan.

In deploying the BCM system, BU or regional management should:
• Update the BCM definition section to define business value specific to the BU.
• Understand the steps that are required to deploy and maintain a BCM program within a BU.
• Establish ownership for BCM within their BU, including assigning people to key roles such as BU BCM sponsor (to arrange funding and provide leadership of BCM), BU BCM manager (to lead and maintain BCM capabilities), and BU BCM coordinator (to arrange BCM activities at the direction of the BCM manager).
• Define BU BCM metrics that can be used to evaluate progress of the program.
• Deploy a BU BCM continuous quality program.

5.2 Risk Assessment and Risk Mitigation

BU or regional management should complete a BC risk assessment for each of its business functions and associated sites (city or region). The purpose of this exercise is to identify likely risks that could disrupt critical business processes performed at specific locations of operation. The BC risk assessment is used to shape the overall BCM program scope by providing a list of likely events and associated consequences that should be addressed in a risk mitigation plan (e.g., prevention) and the BCM program. There is no way to predict all risks or to mitigate all known risks that may need to be accepted. Participants in the BC risk assessment should include individuals such as staff from the business as well as staff from the health, safety, and environment group; facilities management; legal; human resources; and personnel from the medical field.

A few disruptive events are very likely to occur, like hurricanes and/or utilities failures in some parts of the world, or other regularly occurring events. Specific tactical BC plans may be needed for these predictable events. Most events are somewhat likely to occur, such as earthquakes. Although an earthquake will occur in some regions, there is a good chance it will impact another part of the larger region. Therefore, if the site of operations is in an earthquake zone, this must be considered a likely disruptive event, which is often referred to as a credible event.

It is impossible to eradicate all risks from an environment and still conduct effective operations. Balance is the key to risk management of BC. When evaluating disruptive events,