Business Continuity Management: Roles, Responsibilities, and Practices, Exams of Nursing

An in-depth analysis of various roles, responsibilities, and practices in the field of business continuity management (bcm). It covers topics such as business continuity plan ownership, leadership commitment, departmental responsibilities, and the importance of embedding bcm into an organization's business as usual activities. The document also discusses the concept of a business continuity management system (bcms) and the development of a business continuity programme.

Typology: Exams

2023/2024

Available from 06/01/2024

chokozilowreh

Partial preview of the text
CBCI EXAM 2024-2025 WITH ACTUAL CORRECT QUESTIONS AND VERIFIED DETAILED ANSWERS

Q: What is the difference between current capability and business continuity requirements?
A: Either a gap, where the requirement is not being met, creating an operational exposure, or an over-investment, where the capability is greater than the organisation needs it to be.

Q: The shorter the RPO and RTO...
A: ...the more expensive the solution is.

Q: Design process
A:
- Identify and document existing capability.
- Identify solutions to achieve the RTO, RPO and MBCO.
- Identify new solutions to allow closure of the gap.
- Review the existing continuity solutions to evaluate whether the most appropriate solutions are in place.

Q: Well-established business continuity solutions include
A:
- Diversification: separating activities and resources, possibly by location.
- Replication: replicating all resources at an alternate site.
- Post-incident acquisition: acquiring resources after an incident.
- Do nothing.

Q: Diversification
A: Separating activities and resources at two or more locations. Generally a costly solution, and it will not protect the organisation where both locations are in the same area. Generally used where the RTO is measured in minutes.

Q: Replication
A: Duplicating resources. The duplicated site is maintained at a high state of readiness. Generally used where the RTO is measured in hours or days.

Q: Standby
A: A warm-site solution where facilities can be brought online quickly. May involve staff working away from the primary location for an unknown period of time.

Q: Post-incident acquisition
A: Suitable where the RTO is measured in weeks.

Q: Do nothing
A: May be appropriate where the RTO is measured in months or there are no contractual obligations. The BC professional must make sure this advice is fully documented and justified.

Q: Remote working is an alternative strategy but requires
A:
- Adequate ICT facilities
- Appropriate data security
- Suitable work space
- Stable electricity

Q: Finance
A: Access to finance, and having someone with the ability and tools to authorise expenditure, is key in a DR scenario.

Q: Insurance
A: Can only really be useful as a remedy where the RTO is measured in months.

Q: RTO classification scheme
A: A/B/C/D on an urgency scale, e.g. A delivers the high-priority processes and products required by the company.

Q: Subcontracting during an incident
A: May be required to fulfil obligations. May have to use a rival or competitor.

Q: General principles of risk
A: Measures should be targeted at unacceptable levels of risk, single points of failure and the main threats to prioritised activities.

Q: Reducing what is the key to risk mitigation?
A: Likelihood and impact.

Q: Suppliers' BCPs must be
A: Assessed and verified as part of any pre-contract assessment, and established before signing.

Q: Key requirements for implementation of an effective business continuity plan are
A:
- An ability to recognise and assess existing and potential threats when they occur.
- Personnel with authority and competence.

[Pages 3-4 are not included in the preview; the question for the following answer is missing.]

A:
- Rehearsing all plans
- Verifying all business continuity solutions
- Verifying all information contained in plans
- Exercising all relevant personnel (including alternates)

Q: The frequency, planning and management of the exercise programme
A: Is established in the Business Continuity Policy and Programme.

Q: Five categories of exercise are
A:
- Discussion-based exercises
- Scenario-based exercises (usually table-top)
- Simulation exercises, which can involve the whole organisation and teams at strategic, tactical or operational level
- Live exercises
- Tests, a unique type of exercise which generally involves an element of pass or fail

Q: Exercise development outcomes include
A:
- The objectives to be achieved
- The methods required to achieve the objectives
- Defined resource requirements
- Proposed timings and training requirements

Q: Make sure that the appropriate people are involved; this could include
A: Customers, suppliers, regulators, statutory and professional bodies, emergency services.

Q: For any exercise define the following
A:
- Exercise aims and objectives
- Roles and responsibilities during the exercise
- Information, communication tools and technologies used
- Action in the event of unforeseen circumstances
- Post-exercise activities

Q: Ways of debriefing after an exercise
A:
- Hot debrief, held immediately
- Formal debrief, held within one week
- Surveys
- Interviews, which should be held within one week
- Post-exercise report

Q: Maintenance is effective when
A: It is embedded within the organisation's BAU processes rather than being viewed as a separate activity.

Q: Requirements for maintenance activities can be identified from
A:
- Lessons learned through exercising
- Changes to the organisation's structure, products and services
- Changes to the environment in which the organisation operates
- A review or audit
- A real incident, where lessons can be learned or incorporated
- Changes or updates in the business continuity management lifecycle

Q: Six types of review
A:
- Audit (formal and impartial)
- Self-assessment
- Quality assurance
- Performance appraisal
- Supplier performance
- Management review

Q: What are the outcomes of a products and services BIA process?
A:
- Clarification or modification of the scope of the business continuity programme.
- A list of the organisation's prioritised products and services.
- Evaluations of impacts over time.

Q: The purpose of the Analysis professional practice is
A: To review and assess an organisation to identify its objectives, how it functions and the constraints of its operating environment.

Q: A test is defined as
A: A unique type of exercise which incorporates a pass or fail element.

Q: Skills and competency assessment should be extended to include
A: Any external consultants or other interested parties.

Q: Competence reviews following training can be assessed using one of these methods
A:
- Verbal or written tests
- Self-evaluation
- Observation of the individuals or teams
- Assessment during continued coaching
- Participation in exercises
- Recognition of academic qualifications
- Recognition of professional credentials

Q: What are the basic reviews of a business continuity programme?
A: Audit, self-assessment, quality assurance, performance appraisal, supplier performance, management review.

Q: Tactical plans should consider what other aspects?
A: Key suppliers to the organisation's supply chain, and other business partners who are able to support the continuity solution and response activities.

Q: What does the business continuity policy do?
A: It sets out the purpose, scope and governance of the business continuity programme.

Q: If an organisation doesn't have any business continuity capacity
A: Get an interim structure and plan in place.

Q: The BCP should be what?
A: Short, precise and to the point.

Q: Business continuity should include
A:
- Definitions for use
- Objectives and scope
- Roles and responsibilities
- Legal and standards requirements
- Identification of interested parties
- Measurement and review frequency and methods
- Sign-off and communications

Q: The definition of scope should be?
A: Which areas of the organisation are included and which are not; a grasp of the organisation's strategies, objectives, culture and risk appetite; and a list of its regulatory constraints.

Q: Business continuity governance focuses on
A:
- Oversight and support
- Monitoring and review
- Alignment with organisational objectives
- Compliance with legal and regulatory requirements

Q: Business continuity roles
A: Should be embedded in job descriptions and performance plans.

Q: Roles - top management
A: Leadership, commitment and resources.

Q: Roles - steering group
A: [Answer not included in the preview; pages 8-9 are missing.]

[Fragment from the top of page 10; its question is not in the preview.]
- Legal or regulatory plans
- SLAs
- Risk register

Q: MTPD limit
A: This is reached when the damage levels mean organisational failure is imminent.

Q: Factors when calculating MTPD
A:
- Financial damage
- Reputational damage
- Legal or regulatory breach
- Failure to meet strategic objectives

Q: MTPD is expressed in terms of
A: Minutes, hours, days and weeks.

Q: A BIA quantifies
A: The impacts of a disruption on the organisation, not the impact on interested third parties.

Q: The RTO in relation to MTPD should always be
A: The RTO should always be less than the MTPD.

Q: When should a BIA be reviewed?
A: At regular pre-agreed intervals (annually) or following significant business change.

Q: The initial BIA
A: A high-level analysis that identifies the products, services and processes within the organisation.

Q: The delivery of what is more important?
A: A timely initial BIA is more important than a detailed piece of work.

Q: Outcomes from the initial BIA
A:
- List of products and services
- Impacts over time relating to delivery failure
- Estimated MTPD
- Processes and owners that contribute (including externals)
- A breakdown of internal and external dependencies
- List of exclusions and reasoning

Q: Products and services BIA
A: The organisation identifies and prioritises its products and services.

Q: A products and services BIA can be used
A: To determine disruption before implementing a significant organisational change.

Q: Process BIA
A: Generally performed by process-driven organisations, for example in manufacturing.

Q: Outcomes of the process BIA are
A:
- A list of processes that contribute to the delivery of the organisation's prioritised products and services.
- Identification of the interdependencies of the processes.
- The MTPD, RTO and RPO for each process.
- Identification of any processes that have been outsourced and may present an increased risk.

Q: RPO
A: Recovery Point Objective.

Q: Definition of RPO
A: The point to which information must be restored to enable the activity to operate on resumption. Sometimes referred to as "maximum data loss".

Q: During the activity BIA
A: The organisation collects detailed information about the resources required to continue the activities which support the organisation's strategic objectives.

Q: ISO 22301 defines a risk as
A: An effect of uncertainty on objectives.

Q: ISO 22300 defines a threat as
A: A potential cause of an unwanted incident, which can result in harm to individuals, a system or an organisation.

Q: Risk assessment is defined as
A: The overall process of risk identification, risk analysis and risk evaluation.

Q: The business continuity professional must have access to
A: The risk register, if the organisation possesses one.

Q: The risk and threat assessment must
A: Inform the options in the Design phase of the business continuity management lifecycle.

Q: Outcomes of the risk and threat assessment include
A:
- An awareness of the range of potential threats that could disrupt the organisation's activities.
- A prioritised list of threats based on the risk of disruption.
- Identification of any unacceptable risks and single points of failure.
- Identification of potential mitigation measures.

Q: The BIA final analysis should be
A:
- Correct, accurate and reliable
- Credible, believable and reasonable
- Consistent, clear and repeatable
- Current and up to date
- Comprehensive

Q: BIA final analysis and consolidation should include the following
A:
- Confirmation of impacts over time
- Review and confirmation of resource dependencies and requirements
- Review and confirmation of the interdependencies of processes and activities and their relation to the delivery of products and services

Q: Activity or activities
A: One or more tasks undertaken by, or for, an organization that produce or support the delivery of one or more products and services.

Q: Analysis (PP3)
A: The Professional Practice within the business continuity management lifecycle that reviews and assesses an organization to identify its objectives, how it functions and the constraints of its operating environment.
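The gap-versus-over-investment comparison and the "RTO must be less than MTPD" rule above are the kind of checks a BC professional applies during final analysis and consolidation, once the activity BIA has recorded RTOs, MTPDs and dependencies. The script below is an added illustration, not part of the CBCI material or any vendor tool: it encodes those two rules from the page, and adds one dependency check that is an assumption of this example (an activity cannot realistically be recovered sooner than the activities it depends on, so a dependency with a longer RTO is flagged). Activity names, hour figures and the field names are constructed for the example.

```python
"""BIA final analysis and consolidation checks (added illustration).

Rules taken from the study notes:
  * the RTO of an activity must be less than its MTPD;
  * current capability shorter than the RTO is an over-investment,
    longer than the RTO is a gap (an operational exposure).
Assumed for this example (not stated in the notes):
  * anything an activity depends on must carry an RTO no longer than
    the activity's own RTO, otherwise that RTO is unachievable.
All sample data below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Activity:
    name: str
    mtpd_h: float        # maximum tolerable period of disruption, in hours
    rto_h: float         # recovery time objective agreed in the BIA, in hours
    achievable_h: float  # recovery time the current solution actually delivers
    depends_on: List[str] = field(default_factory=list)  # internal or external


def check_rto_vs_mtpd(a: Activity) -> List[str]:
    """The notes' rule: RTO should always be less than MTPD."""
    if a.rto_h >= a.mtpd_h:
        return [f"{a.name}: RTO {a.rto_h}h is not less than MTPD {a.mtpd_h}h"]
    return []


def check_dependencies(acts: Dict[str, Activity]) -> List[str]:
    """Assumed consistency rule: a dependency's RTO may not exceed the RTO of
    the activity that relies on it. Dependencies without a BIA record are
    treated as external and flagged for supplier SLA follow-up."""
    findings: List[str] = []
    for a in acts.values():
        for dep in a.depends_on:
            d = acts.get(dep)
            if d is None:
                findings.append(
                    f"{a.name}: external dependency '{dep}' has no BIA record; "
                    "confirm the supplier's RTO in the SLA")
            elif d.rto_h > a.rto_h:
                findings.append(
                    f"{a.name}: depends on {dep}, whose RTO {d.rto_h}h "
                    f"exceeds its own RTO {a.rto_h}h")
    return findings


def classify_capability(a: Activity) -> str:
    """Gap: requirement not met (operational exposure).
    Over-investment: capability greater than the organisation needs."""
    if a.achievable_h > a.rto_h:
        return "gap"
    if a.achievable_h < a.rto_h:
        return "over-investment"
    return "aligned"


def consolidate(activities: List[Activity]) -> Dict[str, object]:
    """Run every check over the BIA records and return findings plus a
    per-activity capability classification."""
    acts = {a.name: a for a in activities}
    findings: List[str] = []
    for a in activities:
        findings += check_rto_vs_mtpd(a)
    findings += check_dependencies(acts)
    return {
        "findings": findings,
        "capability": {a.name: classify_capability(a) for a in activities},
    }


# Constructed sample BIA records (hypothetical activities and figures).
SAMPLE_BIA = [
    Activity("order-intake", mtpd_h=8, rto_h=2, achievable_h=4,
             depends_on=["crm-db", "payment-gateway"]),
    Activity("crm-db", mtpd_h=24, rto_h=4, achievable_h=4),
    Activity("monthly-reporting", mtpd_h=336, rto_h=336, achievable_h=48,
             depends_on=["crm-db"]),
]

if __name__ == "__main__":
    result = consolidate(SAMPLE_BIA)
    for line in result["findings"]:
        print("FINDING:", line)
    for name, status in result["capability"].items():
        print(f"{name}: {status}")
```

In the constructed sample, order-intake shows a gap (the current solution recovers in 4h against a 2h RTO) and also inherits an unachievable RTO from crm-db, while monthly-reporting has an RTO equal to its MTPD and a solution far faster than it needs, which the notes would treat as a candidate for reviewing spend.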
Q: Audit
A: A systematic, independent and documented process for obtaining evidence and evaluating it objectively to determine the extent to which the criteria are fulfilled.

Q: Business Continuity (BC)
A: The capability of the organization to continue delivery of products or services at acceptable pre-defined levels following a disruptive incident.

Q: Business continuity management
A: A holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities.

Q: Business Continuity Management (BCM) Lifecycle
A: The ongoing cycle of activities of the business continuity programme that build organizational resilience.

Q: Business Continuity Management System (BCMS)
A: [Definition not included in the preview; pages 13-14 are missing.]

[Fragment from the top of page 15; the term being defined is not in the preview.]
The Professional Practice that establishes the organization's stance relating to business continuity and defines how it should be implemented throughout the business continuity programme.

Q: Prioritised activities
A: The activities to which priority must be given following an incident in order to mitigate impacts.

Q: Process
A: A set of interrelated or interacting activities which transforms inputs into outputs.

Q: Products and services
A: Beneficial outcomes provided by an organization to its customers, recipients and interested parties.

Q: Recovery point objective (RPO)
A: The point to which information used by an activity must be restored to enable the activity to operate on resumption.

Q: Recovery time objective (RTO)
A: The period of time following an incident within which a product or service must be resumed, or an activity must be resumed, or resources must be recovered.

Q: Resources
A: All assets, people, skills, information, technology (including plant and equipment), premises, and supplies and information (whether electronic or not) that an organization has to have available to use, when needed, in order to operate and meet its objectives.

Q: Risk
A: The effect of uncertainty on objectives.

Q: Risk assessment
A: The overall process of risk identification, risk analysis and risk evaluation.

Q: Risk management
A: Coordinated activities to direct and control an organization with regard to risk.

Q: Test
A: An exercise whose aim is to obtain an expected, measurable pass/fail outcome.

Q: Threat
A: A potential cause of an unwanted incident, which can result in harm to individuals, the environment or the community.

Q: Top management
A: A person or group of people who directs and controls an organization at the highest level.

Q: Validation (PP6)
A: The Professional Practice within the business continuity management lifecycle that confirms that the business continuity programme meets the objectives set in the policy and that the plans and procedures in place are effective. It includes exercising, maintenance and review activities.

Q: Governance activities
A:
- Providing oversight and support of the business continuity programme, including provision of adequate resources and approval of budget
- Ensuring the business continuity programme aligns with the organisation's objectives
- Ensuring the business continuity programme complies with the business continuity policy and any related legal and regulatory requirements
- Monitoring and reviewing the business continuity programme regularly to ensure the requirements are being met
- Supporting continual improvement

Q: Leadership commitment
A:
- Recognising and communicating the requirements for business continuity as a key management discipline when building organisational resilience
- Ensuring that the business continuity policy and programme are aligned to the objectives of the organisation
- Ensuring that the business continuity programme delivers its expected outcomes and meets the requirements stated in the policy
- Maintaining support for the business continuity policy and programme
- Ensuring individuals undertake activities so that the business continuity programme is effective
- Providing the resources required to implement the policy through the ongoing cycle of activities in the business continuity programme
- Directing and supporting continual improvement of the business continuity programme through reviews and self-assessments
- Providing direction and guidance to embed business continuity into the organisation's business-as-usual routines

Q: Top management responsibilities
A: Providing leadership, commitment and resources as part of governance.

Q: Business continuity steering group
A: Oversees, advises and manages the business continuity programme, making recommendations and reporting to top management.

Q: Business continuity plan owner
A: Ensures the business continuity plan adequately reflects the organisation's business continuity capabilities.

Q: Business continuity professional
A: Develops and delivers an effective business continuity programme, including the facilitation and coordination of plans throughout the organisation.

Q: Incident response personnel
A: Respond to an incident or crisis.

Q: Departmental representatives
A:
- Communicate the implications of departmental changes that may impact the business continuity programme
- Collect information for the BIA
- Develop, implement and maintain departmental plans on behalf of the plan owner
- Conduct and participate in exercises

Q: All personnel responsibilities
A:
- Acknowledge roles and responsibilities during an incident, ensuring effectiveness by understanding the business continuity programme
- Recognise an incident or crisis
- Alert incident or crisis responders
- Escalate action to the incident or crisis management team
- Respond appropriately to specific threats
- Respond appropriately when evacuated from the site
- Understand relevant plans and associated roles and responsibilities

Q: Interested party responsibilities
A: Act where relevant within the business continuity programme or in response to an incident.

Q: Business continuity programme documentation
A:
- Business continuity policy
- Business continuity programme of activities
- Project management documentation
- Business continuity team meeting agendas, minutes and action trackers
- Skills and competency requirements and records
- Training and awareness activities
- BIA questionnaires and information
- Risk assessments
- Papers supporting the choice of business continuity solutions
- Response structure
- Business continuity plans
- Crisis management plans
- Exercise programme
- Exercise reports
- SLAs with customers and suppliers

[Pages 18-19 are not included in the preview. The list below continues from the top of page 20; its heading is missing.]
- A list of activities that contribute towards the processes needed to deliver products and services
- The MTPD and RTO, and the justification for each activity, to determine the time frame for the solutions for each activity
- A breakdown of activity dependencies, both internal and external
- An understanding of the resources required to provide the agreed service levels
- The RTO for data and hard-copy records
- Documentation of the internal and external interdependencies for the prioritised activities

Q: Risk and threat assessment outcomes
A:
- An awareness of the range of potential threats that could disrupt the organisation's activities
- A prioritised list of the threats based on the risk of disruption to the organisation's activities
- Identification of any unacceptable risks and single points of failure
- Identification of potential options for measures to reduce the frequency or scale of impact of the prioritised threats

Q: Final analysis and consolidation
A: The challenge and check of the information to finalise the business continuity requirements.

Q: Diversification
A: The separation of activities and resources, running live activities at two or more locations so that in the event of disruption at one location activities can be continued. A costly solution, for where the RTO is measured in seconds, minutes or hours rather than days. To work it may require the suspension of other non-essential operations to manage the additional workload from the displaced site.

Q: Replication
A: The duplication of resources to enable activities to be recovered quickly, with the alternate site kept in a state of high readiness with all required resources in place but not operational until required. Also known as a "hot site". Suitable for RTOs of hours, days or weeks, but requires staff to be able and willing to work from both locations.

Q: Standby
A: A facility that can be made operational within the RTO (typically days). Also known as a "warm site".

Q: Post-incident acquisition
A: Purchasing resources from a third party after the disruption occurs, for RTOs measured in days or weeks. The solution relies on the organisation having a pre-defined, prioritised list of resource requirements and on suppliers being available to provide the resources. Not a suitable solution if there is a requirement for specialist resources, as they often have long lead times.

Q: Do nothing
A: Waiting until after an incident to decide what to do. May be appropriate where an RTO is measured in weeks or months and it is impossible, difficult or too expensive to provide alternative facilities or resources before an incident occurs.

Q: Remote working
A: Policies and technologies that enable personnel to work away from their primary place of work.

Q: Insurance
A: Financial compensation for loss of assets, increased costs, recovery, and protection for associated legal liabilities.

Q: Strategic response team
A: Focuses on strategic issues that impact the organisation's core objectives, products and services, and is usually led by top management. Often called the crisis management team; it has primary responsibility for addressing any crisis impacting the organisation, may provide command and control guidance during less severe incidents, and provides communications support.

Q: Tactical response team
A: Manages and coordinates the continuity of the processes required to deliver the impacted products and services, and ensures that resources are allocated appropriately. Often responsible for the assessment and management of the medium- and short-term effects of an incident.

Q: Operational response teams
A: Focus on the continuity of the activities that contribute to the process or processes that deliver the prioritised products and services. Deal with the immediate effects of an incident by containing it where possible and managing the direct consequences, to ensure the capability required to continue to deliver prioritised products and services.

Q: Response structure requirements
A:
- The ability to recognise and assess threats when they occur
- Clear procedures for escalation when a disruption has occurred or may soon occur
- Individuals and teams with the authority and capability to develop and select an appropriate response to an incident
- Clearly understood procedures in place for the activation and control of the response to an incident or crisis
- Responsible personnel with the authority and capability to implement the agreed business continuity solutions as defined within the organisation's plans
- An ability to communicate effectively with internal and external interested parties
- Access to sufficient resources to support the implementation of the continuity solution
- An ability to recognise when key external suppliers should be notified and included in the implementation of the continuity solution
- An agreed budget for supporting the response structure

Q: Strategic response plan
A: A high-level plan that defines how strategic issues resulting from a crisis or incident should be addressed and managed by top management.

Q: Tactical response plan
A: A plan that coordinates the response to an incident and facilitates the continuity of prioritised activities, providing guidelines to help analyse the impact of the incident and implement the appropriate solutions from those available in the plans to ensure the continuity of prioritised activities.

Q: Operational response plans
A: Plans that determine the individual department or business unit responses.

Q: Discussion-based exercises
A: Structured events where participants can explore relevant issues and walk through plans in a low-pressure environment; they often focus on a specific area for improvement.

Q: Scenario exercise
A: A commonly used discussion-based activity using a relevant scenario with a time frame that can either run in real time or include time jumps to allow different phases of the scenario to be exercised; usually conducted in a table-top environment.

Q: Simulation exercise
A: An elaborate exercise involving strategic, tactical or operational level teams working from their usual locations, who are given information in a way that reflects a real incident, with details such as questions from customers and interested parties arriving via various platforms, for example phone calls, emails and social media.

Q: Live exercises
A: Range from small-scale rehearsals of one part of the response (for example, an evacuation) to a full rehearsal of the whole organisation. They are designed to include everyone likely to be involved in that part of the response.

Q: Six types of review
A:
- Audit
- Self-assessment
- Quality assurance
- Performance appraisal
- Supplier performance
- Management review

Q: Review outcomes
A: Options for improving the organisation's level of resilience.