Skip to content

ICR Standard

Business Continuity and IT Disaster Recovery Blog

ICR Standard

Author: Dr. Akhtar Syed

Section 1.0 – Introduction

The Integrated Continuous Resiliency (ICR) standard, developed by BRCCI (brcci.org), is a comprehensive framework for continuity and resiliency best practices. This standard offers organizations a unified framework to achieve continuity and resiliency across business functions, IT services, and Cloud environment.

Resiliency is not just a trait but has become a critical requirement for organizations in today’s challenging business and technology-driven environment. To navigate these challenges, organizations require a robust resiliency approach that incorporates resiliency across all service levels irrespective of operating conditions and scenarios. The scope of the ICR framework extends beyond the traditional business continuity and IT DR practices to achieve integrated and continuous resiliency requirements.

  • Integrated Resiliency: This requirement emphasizes the importance of permeating resiliency across all levels of an organization – from its core business functions to its IT systems and cloud services. A lack of resiliency at one level can compromise resiliency at other levels. ICR offers a holistic approach to implementing an effective resiliency program by integrating resilience at every level.
  • Continuous Resiliency: ICR introduces the “Continuous Resiliency” concept to underscore the organization’s requirements to maintain operational stability and service reliability at all times, irrespective of disaster scenarios. Unlike traditional business continuity frameworks, which often focus solely on preparing for disaster scenarios, ICR recognizes the importance of maintaining resilience even during normal, non-disaster conditions. This proactive approach ensures that organizations are prepared to weather any storm, whether it be a minor disruption or a full-scale crisis.

The ICR standard is intended as a guide for organizations to develop their Business Continuity and Resiliency (BCR) programs to achieve resiliency

  • across all levels of an organization – from its core business functions to its IT systems and cloud services, and
  • continuously, under all operating conditions and scenarios.

Section 2.0 – SCOPE

Applicable to organizations of all types and sizes, the ICR standard specifies a framework of structure and requirements to assess, design, implement, maintain, and improve business continuity and resiliency programs. The ICR standard caters to entities seeking to establish a culture of integrated continuous resilience across all levels, from core business functions to IT systems and cloud services.

As a generic framework, ICR offers various uses and applications. Key applications of the ICR standard include, but are not limited to:

  1. Comprehensive BCR Program Development: Organizations can leverage the ICR standard to establish robust business continuity and resiliency (BCR) programs tailored to their specific resiliency objectives. By following the guidelines outlined in the standard, entities can create integrated frameworks to achieve continuous operational resiliency.
  2. Enhancement of Existing BC Programs: For organizations with existing business continuity (BC) programs, the ICR standard includes requirements to further strengthen and evolve these initiatives into resiliency programs. By integrating the principles and practices specified in the ICR standard, entities can elevate disaster event-focused business continuity capabilities to achieve continuous resiliency under all operating conditions.
  3. Integration of BC, IT DR, and Cloud Recovery Plans: The ICR standard provides a cohesive resiliency framework for organizations with existing BC plans, IT disaster recovery (DR) plans, and cloud recovery strategies. By aligning these disparate plans within the overall ICR framework, organizations can achieve a unified approach to resilience management, with seamless coordination and response across all operational domains.
  4. Evaluation and Auditing of BCR Plans: Organizations can use the ICR standard as a benchmark for evaluating the compliance and effectiveness of their existing BCR plans and programs. Through assessments and audits based on the criteria outlined in the standard, entities can identify both areas of strengths and areas for improvement.

Section 3.0 – ICR Design Approach

The ICR Standard captures the fundamental essence of established standards and guidelines while seamlessly integrating practical, easy-to-follow directives for real-world BCR program implementation. The ICR Framework comprises a BCR lifecycle with seven stages and a singular core component featuring 11 elements to manage these stages. This framework ensures th separation of the BCR program process from Program management aspects while preserving essential interdependencies.

The ICR integrates resiliency at three key levels of the business resiliency program: Program Definition, Program Architecture, and Business-Technology Interface.

Section 3.1 – Program Definition

The traditional BC and IT DR programs are guided by the objective of maintaining operational continuity and their scope is limited to disaster events. This definition of objective and scope, while adequate for operational continuity, falls short of achieving comprehensive resiliency.

ICR standard incorporates resiliency within its program definition by expanding both the objective and scope of traditional BC and IT DR programs. The resiliency objective is expressed as integrated operational stability of business, IT, and Cloud environments.  The operational continuity objective becomes a part of the integrated operational stability objective.  The resiliency scope extends beyond the disaster condition to include normal operating conditions.  This extension of the scope implies that maintaining integrated operational stability under all operating conditions becomes an integral part of the resiliency objective.

Section 3.2 – Program Architecture

While traditional BC and IT DR frameworks often amalgamate program management components and planning processes, a resilient architecture demands a functional separation between these elements. This separation allows for the delineation of resiliency objectives across three levels:

  1. Overall program resiliency objectives
  2. Planning process resiliency objectives
  3. Program management resiliency objectives.

Section 3.3 – Business-Technology Interface

ICR embeds resiliency within the Business-Technology interface. It views the program planning process as the nexus between business and technology resilience. Unlike conventional BC and DR frameworks where Business Impact Assessment (BIA) serves as the primary interface, ICR extends this interface to encompass additional stages.  These additional stages include “Constraints and Dependencies,” “Skills-Strategy Gap Assessment,” and “Monitoring and Testing.”

Section 4.0 – Resiliency Definition

The resiliency objective definition is based on the “Continuous Resiliency” concept, which expands the traditional business continuity and IT DR objective recovery definitions. The traditional objective definitions are based on MTDs and RTOs related to the time of a disaster event.  Before a disaster event, during normal conditions, the IT organization is concerned with availability objectives such as MTBF (Mean Time Between Failure), MTTR (Mean Time To Recovery), and MTTD (Mean Time to Detection).

However, resiliency objectives for “Continuous Resiliency” span across both normal operational conditions and post-disaster conditions. ICR abstracts both availability objectives and continuity objectives to a higher level.  At this higher level, the resiliency objective is expressed in terms of Acceptable Stability Levels (ASL).

The resiliency definition is stated as follows:

“Resiliency is a process to ensure Acceptable Stability Levels (ASL) during both normal and disaster periods.”

Figure 1 – Continuous Resiliency

Section 5.0 – Resiliency Program Architecture

Management of the Business continuity and resiliency program involves two distinct but related functions.  The first of these functions is a resiliency planning process or lifecycle that generally follows a path from plan assessments, design, development, testing, and maintenance. The second function is resiliency program management which is concerned with the management of the resiliency planning process. The traditional BC and IT DR frameworks do not separate these two functions from each other.

Separation of the resiliency planning process from resiliency program management helps to achieve the overall program resiliency objectives.  The program resiliency objectives can be divided into more granular levels in terms of separate resiliency objectives for each function.

Figure 2 – ICR Architecture

As shown in Figure 2, ICR architecture consists of two segments: Segment A and Segment B.  Segment A is the resiliency planning process consisting of 8 stages.  Segment B is resiliency program management, and it deals with the program management aspects. The core component is made up of 11 elements.

This framework ensures a functional separation of the BCR program process from Program management aspects while preserving essential interdependencies between the two.

Section 5.1 – Segment A: Resiliency Planning Process

Segment A consists of 8 stages, S1 through S8:

S1 – Resiliency Process Definition

S2 – Resiliency Risk Management

S3 – Business Impact Analysis (BIA)

S4 – Constraints and Dependencies Management

S5 – Resiliency Strategy Development

S6 – Skills-strategy Gap Assessment

S7 – Plan Design and Development

S8 – Monitoring and Testing

Section 5 describes each of the 8 stages of the Resiliency Planning Process.

Section 5.2 – Segment B: Resiliency Program Management

Segment B, also referred to as the “core component”, deals with the program management aspects. The core component is made up of 8 management functions:

F1 – Resiliency Objective Management

F2 – Personnel and Resource Management

F3 – Incident Resiliency Management

F4 – Resiliency Plans Maintenance

F5 – Program Documentation Management

F6 – Plans Integration and Rollout

F7 – Program Communication and Coordination
F8 – Continual Program Improvement

Section 6 describes each of the 8 management functions.


BRCCI – Business Resilience Certification Consortium International (www.brcci.org)

We are thankful to the author for allowing us to post this insightful article on our website. BRCCI provides a comprehensive training and certification program in business resiliency, continuity and IT disaster recovery planning:
1. 3-day CBRM (Certified Business Resilience Manager) is a comprehensive, all-in-one, 3-day Business Continuity Planning and Management Training and Certification course which is designed to teach practical methods to develop, test, and maintain a business continuity plan and establish a business continuity program.
2. 3-day CBRITP (Certified Business Resilience IT Professional) is a comprehensive training on how to assess, develop, test, and maintain an information technology (IT) Disaster Recovery Plan for recovering IT and telecommunications systems and infrastructure in the event of a disaster or business disruption. The training provides a step-by-step methodology to ensure a reliable and effective IT disaster recovery and continuity plan consistent with the industry’s standards and best practices.
3. 2-day CBRA (Certified Business Resilience Auditor) It provides 2 days of intensive, Business Continuity Audit training to enable students to determine the effectiveness, adequacy, quality and reliability of an organization’s Business Continuity Program. Students will learn an audit methodology to evaluate compliance of Business Continuity and IT Disaster Recovery Programs with the current industry’s best practices and standards including:

      • ISO 22301: Business Continuity Management Systems – Requirements
      • NFPA: Standard on Disaster/Emergency Management and Business Continuity Programs
      • ITIL: Information Technology Infrastructure Library

For information on the above program, please contact BRCCI (www.brcci.org1-888-962-7224).
To read or download the complete ICR standard document, please visit brcci.org/standard

 
On Key

Related Posts

ICR Standard

ICR Standard Author: Dr. Akhtar Syed Download PDF Section 1.0 – Introduction The Integrated Continuous Resiliency (ICR) standard, developed by BRCCI (brcci.org), is a comprehensive

What is ISO 22301 standard?

What is ISO 22301 standard? Author: Andrea Patricia Sanchez Dominguez Download PDF 1. Introduction The Standard ISO 22301 was proposed in 2012 as a new