Business Continuity and Resiliency Implementation (BCRI) Standard

Abstract

The Business Continuity and Resiliency Implementation (BCRI) Standard, developed by BRCCI (brcci.org), offers a practical framework for organizations seeking to fortify their business continuity and resilience strategies. BCRI introduces the concept of “Continuous Resiliency,” emphasizing the need for operational stability in both normal and disaster scenarios, a departure from traditional Business Continuity (BC) and IT Disaster Recovery (DR) frameworks which primarily focus on disaster recovery.

This standard addresses the widening “Technology-BC/DR” gap by reshaping existing frameworks to incorporate resiliency objectives and expanding the scope to ensure continuity during all operational phases.

The BCRI framework is structured around three key components: Program Definition, Program Architecture, and Business-Technology Interface. It advocates for a functional separation between program management and planning processes, enabling organizations to define resiliency objectives at various levels.

At the core of BCRI lies its Resiliency Definition, which introduces the concept of Acceptable Stability Levels (ASL) to encapsulate both availability and continuity objectives. This broader definition ensures resilience across all operational states.

Section 1.0 - Introduction

The Business Continuity and Resiliency Implementation (BCRI) Standard, developed by BRCCI, serves as a practical and comprehensive best practice framework. Through this framework, BCRI equips organizations with a holistic and practical roadmap for implementing a robust and reliable business continuity and resiliency program.

BCRI is founded on the principle of “Continuous Resiliency,” which prioritizes the stability of operations and services at all times, including both normal non-disaster conditions and during disaster situations. In contrast, traditional Business Continuity (BC) and IT Disaster Recovery (DR) frameworks often narrow their focus to continuity solely during disaster conditions.

The rapid advancement of information technology and its widespread adoption in the business environment have surpassed the progress in the field of business continuity and IT DR. BCRI addresses this “Technology-BC/DR” gap by:
• Reshaping BC/DR frameworks to align with resiliency objectives.
• Expanding the scope of BC/DR to encompass “Continuous Resiliency.”

Section 2.0 - BCRI Design Approach

The BCRI integrates resiliency at three key levels of the business resiliency program: Program Definition, Program Architecture, and Business-Technology Interface.

Program Definition:

Achieving continuous resiliency necessitates an expanded definition of traditional business continuity and IT Disaster Recovery (DR), which traditionally focuses on maintaining operational continuity during disaster situations. BCRI extends its resiliency scope to encompass both normal operating conditions and disaster scenarios.

Program Architecture:

While traditional BC and IT DR frameworks often amalgamate program management components and planning processes, a resilient architecture demands a functional separation between these elements. This separation allows for the delineation of resiliency objectives across three levels:
1. Overall program resiliency objectives
2. Planning process resiliency objectives
3. Program management resiliency objectives.

Business-Technology Interface:

BCRI embeds resiliency within the Business-Technology interface. It views the program planning process as the nexus between business and technology resilience. Unlike conventional BC and DR frameworks where Business Impact Assessment (BIA) serves as the primary interface, BCRI extends this interface to encompass additional stages such as “Constraints and Dependencies,” “Skills-Strategy Gap Assessment,” and “Monitoring and Testing.”

Section 3.0 – Resiliency Definition

The resiliency objective definition is based on the concept of “Continuous Resiliency” which expands the traditional business continuity and IT DR objective recovery definitions. The traditional objective definitions are based on MTDs and RTOs which are linked to when a disaster event may occur. Before a disaster event, during normal conditions, the IT organization is concerned with availability objectives such as MTBF (Mean Time Between Failure), MTTR (Mean Time To Recovery), and MTTD (Mean Time to Detection). However, as shown in Figure 1, resiliency objectives for “Continuous Resiliency” span across both normal operational conditions and post-disaster conditions. BCRI abstracts both availability objectives and continuity objectives to a higher level.

At this higher level, the resiliency objective is expressed in terms of Acceptable Stability Levels (ASL).

The resiliency definition is stated as follows:

Resiliency is a process to ensure Acceptable Stability Levels (ASL) during both normal and disaster periods.

Figure 1: Continuous Resiliency

Section 4.0 – Resiliency Program Architecture

Management of the business continuity and resiliency program involves two distinct but related functions. The first of these functions is a resiliency planning process or lifecycle that generally follows a path from plan assessments, design, development, testing, and maintenance. The second function is resiliency program management which is concerned with the management of the resiliency planning process. The traditional BC and IT DR frameworks do not separate these two functions from each other.

Separation of the resiliency planning process from resiliency program management helps to achieve the overall program resiliency objectives. The program resiliency objectives can be divided into more granular levels in terms of separate resiliency objectives for each function.
As shown in Figure 2, BCRI architecture consists of two segments: Segment A and Segment B. Segment A is the resiliency planning process consisting of 8 stages. Segment B is resiliency program management, and it deals with the program management aspects. The core component is made up of 11 elements.

This framework ensures a functional separation of the BCR program process from program management aspects while preserving essential interdependencies between the two.

Figure 2: BCRI Architecture 

Section 4.1 – Segment A: Resiliency Planning Process

Segment A consists of 8 stages, S1 through S8:

S1 – Resiliency Process Definition
S2 – Resiliency Risk Management
S3 – Business Impact Analysis (BIA)
S4 – Constraints and Dependencies Management
S5 – Resiliency Strategy Development
S6 – Skills-strategy Gap Assessment
S7 – Design and Development
S8 – Monitoring and Testing

Section 4.2 – Segment B: Resiliency Program Management

Segment B, also referred to as the “core component”, deals with the program management aspects.

The core component is made up of 11 elements:

E1 – Resiliency Objective Assessment
E2 – Resiliency-Stability Management
E3 – Personnel and Resource Management
E4 – Resiliency Plan Maintenance
E5 – Program plans and documentation Management
E6 – Program-failure Risk management
E7 – Continuous Program Improvement
E8 – Plans Integration and Rollout
E9 – Communication and coordination
E10 – Resiliency culture development
E11 – Program Quality Assurance

Section 6 describes each of the 11 elements of the core component.

Section 5.0 – Resiliency Planning Process

Resiliency Plans are developed through a planning process that contains a sequence of key stages or activities. Segment A of BCRI architecture defines the resiliency planning process.
Figure 3 represents the planning process as a lifecycle of 8 key stages.

Figure 3: Segment B – Resiliency Planning Process.

The remainder of this section describes each of the 8 stages of the resiliency planning process.

Section 5.1 – S1: Resiliency Process Definition

This initial stage defines the objectives, scope, constraints, and interdependencies for each of the following 7 stages in the BCR lifecycle:

S.2 – Risk Management
S.3 – Business Impact Analysis (BIA)
S.4 – Management of Business Continuity and Resiliency Constraints and Dependencies (e.g., supply chain dependencies, resources)
S.5 – Development of Continuity and Resiliency Strategies
S.6 – Skills and Capability Alignment
S.7 – Design and Development of BCR Plans
S.8 – Testing and Validation of BCR Plans

The objectives, scope, and constraints are aligned with the resiliency objective and definition:
“Resiliency is a process to ensure Acceptable Stability Levels (ASL) during both normal and disaster periods.”

Section 5.2 – S2: Resiliency Risk Management

The second stage focuses on assessment and management of risk to Acceptable Stability Levels (ASL). The assessment includes the identification of metrics to measure stability during both normal and disaster periods.

A risk management process includes a comprehensive risk assessment, analyzing potential threats to ASL, estimating their likelihood and potential impact, and formulating appropriate mitigation strategies to address the identified risks.

The results and findings from the risk management process form a basis for crafting robust BCR plans. A central objective of a BCR plan is to manage the threats and risks identified during the risk management process.

Section 5.3 – S3: Business Impact Analysis (BIA)

Through the BIA, organizations gain a comprehensive understanding of the potential impacts of disruptions.

The BIA process includes the following objectives:

1. Identifying critical and non-critical business functions
2. Assessing potential impact to critical functions in case of their disruptions
3. Identifying requirements to recover the critical functions when a disruption occurs.

The BIA serves as the foundation for subsequent stages of the BCR lifecycle, as it helps prioritize recovery efforts and resource allocation.
The Maximum Tolerable Downtimes (MTDs) and Recovery Time Objectives (RTOs) are identified as metrics for recovery requirements. The ASL for the disaster recovery period is defined in terms of the metrics for recovery requirements.

Section 5.4 – S4: Constraints and Dependencies Management

The fourth stage focuses on managing constraints and dependencies that could affect the organization’s ability to maintain continuity and resiliency. This may include addressing supply chain dependencies, resource constraints, and regulatory requirements.

The constraints and dependencies can be divided into four categories:

1. General BCR Constraints and Dependencies: BCR program budget constraints, regulatory compliance, supply chain dependencies, etc.
2. Recovery Requirement Constraints and Dependencies: MTD constraints, RTO, Recovery team, and expertise dependencies.
3. Availability Constraints and Dependencies: MTDDS,
4. BCR Strategy Constraints: The strategies developed for business and IT configurations, operations, and services during normal conditions and disaster recovery periods.

The success of the BCR program depends on the effective management of these categories of constraints and dependencies.

Section 5.5 – S5: Resiliency Strategy Development

The preceding stages define the requirements for the BCR program. This fifth stage provides strategies and solutions to satisfy the BCR program requirements such that Acceptable Stability Levels (ASL) are maintained.

The process in the fifth stage includes an assessment of alternative operating models, backup systems and services, and recovery solutions. The assessment considers the critical functions and services, their recovery time constraints, costs, complexity, and feasibility.

The strategies and solutions should consider the following phases:

1. Prevention: Before a potential disaster, solutions and strategies are needed to prevent or minimize the likelihood of a disruption.
2. Response: During a disaster, immediate actions are required to stabilize and minimize the effect of a disruption.
3. Recovery: After an immediate response to stabilize the disruption, strategies are needed to restore the business environment and its operation to normal or to a new environment.

Section 5.6 – S6: Skills-Strategy Gap Assessment

This stage (S6) requires a Skills-Strategy gap assessment which identifies the gap between existing skills and capabilities and those required by the strategies selected in the preceding stage (S5). Once the gap is assessed, the next step is to develop an alignment strategy to align the skills and capabilities required to achieve the resiliency strategy. The alignment strategy also determines the balance of in-house and outsourced skills and capabilities. A significant Skills-Strategy gap may require changes or modifications in the resiliency strategy to reduce the gap to an acceptable level.

Section 5.7 – S7: Design and Development

The seventh stage entails the actual creation of BCR plans based on the strategies developed in stage five and the alignment of skills and capabilities in stage six.

BCR plans must provide a detailed roadmap for effectively managing and recovering critical functions. These plans provide guidance and procedures including actions to be taken, the resources required, and the individuals responsible for executing the plans.
The guidance and procedures in BCR plans must be consistent with the constraints and dependencies identified in stage 4.

The scope of the plans should include the following:

1. All critical areas or functions
2. Critical IT functions and services
3. Critical non-IT functions and services
4. Critical suppliers and business partners

Section 5.8 – S8: Monitoring and Testing

This stage consists of two functions: Monitoring and Testing. Monitoring requires a continuous lookout for gaps and weaknesses that can lead to unacceptable stability levels. During normal conditions, monitoring helps to maintain and control the stability of business operations and IT services. During a disaster situation, monitoring helps to maintain and control the stability of the disaster recovery process.

During normal conditions, Testing helps to assess the stability impact of minor and major changes to business operations and IT services. Testing is also used to validate and improve BCR plans to ensure that they are effective and practical in real-world scenarios. This may include conducting tabletop exercises, simulations, or full-scale tests to evaluate the organization’s preparedness and ability to execute the plans as intended. Testing and validation are critical for identifying gaps, weaknesses, and areas for improvement in the plans, as well as for building confidence and competence among stakeholders responsible for their implementation.

Section 6.0 – Core Component: Resiliency Program Management

The previous section described the resiliency planning process as Segment A of the BCRI architecture. The core component, Segment B, provides a framework for the management of the resiliency planning process. This framework includes 10 management functions.

Section 6.1 - F1: Assessment of program resiliency objectives

a) A resiliency program is guided by the resiliency objective of “Continuous Resiliency”.
b) The objectives must be consistent with the organization’s overall mission, vision, and values.
c) All processes and activities within the program must collectively achieve the resiliency objectives.
d) The assessment should consider the organization’s risk appetite, regulatory requirements, and industry standards.
e) This process entails pinpointing crucial functions, prioritizing them based on their significance to the organization, and ascertaining requisite resources and recovery strategies.

Section 6.2 - F2: Management of program personnel and resources

a) The role of this management function is to provide oversight and coordination of personnel and assets to support the objectives and activities of the BCR program.
b) This management function is performed in coordination with stage 6 (Skills-Strategy Gap Assessment) of the resiliency planning process.
c) The effectiveness of a BCR program relies on a coordinated effort from all stakeholders, including senior management, employees, customers, suppliers, and external partners.
d) This involves defining roles and responsibilities, developing a skilled and trained workforce, ensuring adequate resources and infrastructure, and fostering a culture of resiliency and collaboration.
e) The program should also consider the impact on the organization’s supply chain and stakeholders and ensure their involvement in the program.

Section 6.3 - F3: Maintenance of resiliency plans

a) Business continuity and resiliency plans are key deliverables of the BCR program. Once the plans have been tested and validated for their effectiveness, these plans require regular maintenance.
b) The plan maintenance function utilizes the “Monitoring and Testing” stage of the resiliency planning process to identify the requirements for maintenance.
c) The business environment experiences frequent internal and external changes. These changes can have a potential impact on the effectiveness of developed and tested plans.
d) As a part of the regular maintenance, plans must remain aligned with the program resiliency objectives. The alignment requires plans to be continuously adapted and modified to the changes.

Section 6.4 - F4: Management of program plans and documentation

Document management is a process that allows systematic and organized handling of the various documents and records that are either used in or produced by the business resiliency program. This process keeps all relevant information and documentation readily available, up to date, and accessible when needed during the lifecycle of the business resiliency program.

Key elements involved in document management for a business continuity and resiliency program include:

1. Document Identification and Classification:

Identifying and categorizing all documents, records, and information that are essential for business continuity and resiliency. This may include plans, policies, procedures, contact lists, incident reports, recovery strategies, and more.

2. Version Control:

Maintaining a version control system to track revisions and updates to documents. This ensures that the most current and relevant information is always available.

3. Document Storage and Accessibility:

Determining where and how documents will be stored. Digital document management systems (DMS) are commonly used to store electronic files, while physical documents may be kept in secure, accessible locations. It’s crucial to establish access controls and permissions to limit who can view and edit specific documents.

4. Document Retrieval and Distribution:

Establishing protocols for quickly retrieving and distributing documents when needed, especially during a crisis. This includes defining roles and responsibilities for managing documents and providing access during emergencies.

5. Document Review and Maintenance:

Regularly reviewing and updating documents to ensure their accuracy and relevance. This may involve conducting periodic reviews, audits, and drills to identify and address any gaps or changes.

6. Disaster Recovery and Backups:

Ensuring that critical documents are backed up securely and stored in off-site locations to prevent loss in case of physical damage to primary document repositories.

7. Training and Awareness:

Training employees and stakeholders on document management procedures and the importance of business continuity documentation. Creating awareness about where to find essential documents and how to use them during an incident.

8. Compliance and Legal Requirements:

Ensuring that document management processes comply with legal and regulatory requirements, industry standards, and best practices.

9. Documentation Governance:

Establishing a governance framework with defined roles and responsibilities for managing the entire document lifecycle, from creation to disposal.

10. Document Disposal:

Determining how and when documents are disposed of once they are no longer needed or have become outdated. Some documents may need to be archived for historical reference.

Section 6.5 – F5: Program-failure Risk management

This core component focuses on managing potential program failures, or the risk of failures, within a business continuity and resiliency program throughout its lifecycle. The management of program failure requires a comprehensive approach to identifying, assessing, mitigating, and continually monitoring potential risks and vulnerabilities that could impede the program’s effectiveness.

Here’s an overview of what’s involved in managing the risk of failures at various stages of the program’s lifecycle:

1. Initiation and Planning:

Identify potential risks and vulnerabilities that may affect the initiation and planning of the program. These risks could include insufficient resources, unclear objectives, or inadequate stakeholder support.
Assess the risks to determine their likelihood and impact on the program.
Develop risk mitigation strategies and contingency plans to address these risks during the planning phase.

2. Development and Implementation:

Identify risks associated with the development and implementation of the program, such as technical challenges, resource constraints, or changes in the business environment.
Continuously assess and update risk assessments as the program progresses and evolves.
Develop and implement risk mitigation measures and contingency plans to address potential failures during the development and implementation phases.

3. Testing and Validation:

Conduct risk assessments specific to testing and validation processes, which may include inadequate test scenarios, data integrity issues, or unexpected technology failures.
Continuously monitor the testing phase to identify potential weaknesses and failures in the program.
Develop response plans to address any issues discovered during testing and validation.

4. Maintenance and Ongoing Management:

Continuously monitor and assess risks associated with the maintenance and ongoing management of the program. This may involve issues related to outdated plans, changes in organizational structure, or evolving threats.
Periodically review and update risk assessments to ensure they remain current.
Maintain and enhance risk mitigation measures and contingency plans to adapt to changes over time.

5. Training and Awareness:

Ensure that program stakeholders and personnel are trained and aware of potential risks and failures throughout the program’s lifecycle.
Educate individuals on their roles and responsibilities in preventing and addressing program-related failures.

6. Testing and Evaluation:

Regularly conduct testing and evaluation exercises that focus on the program’s ability to address potential failures.
Analyze the results of these exercises to identify areas for improvement and refine risk mitigation strategies.

7. Learning from Past Failures:

Review and analyze any past failures or incidents that occurred within the program at different stages of its lifecycle.
Use this knowledge to improve and update risk mitigation strategies to prevent similar failures in the future.

8. Continuous Improvement:

Embrace a culture of continuous improvement by incorporating feedback and lessons learned into the program’s design and operation.
Be adaptable and responsive to emerging risks and evolving threats.

9. Documentation and Reporting:

Maintain comprehensive records of risk assessments, mitigation strategies, and response plans throughout the program’s lifecycle.
Report on risk management efforts to stakeholders and regulatory authorities as necessary.

Managing the risk of failures within a business continuity and resiliency program across its lifecycle is essential for ensuring the program’s effectiveness and adaptability in the face of changing circumstances and potential disruptions. By identifying and addressing risks at each stage, organizations can enhance their overall resilience and preparedness.

Section 6.6 – F6: Program maturity improvement

Continuous program maturity is a process for incrementally improving a business resiliency program. This component aims to advance the program from the current maturity to the next improved level. Regular reviews and evaluations of program performance, the identification of areas for improvement, and the implementation of necessary adjustments are all part of this process.

The Continuous program maturity process should be guided by these key elements and considerations:

1. Incremental Improvement:

Continuous Program Maturity is centered around the philosophy of gradual enhancement. Rather than viewing business resiliency as a static state, it acknowledges that the organizational environment, threats, and technologies are in constant flux. Incremental improvements allow the program to adapt and strengthen gradually, minimizing disruption and optimizing resource allocation.

2. Program Assessment:

Regular reviews and evaluations are integral to the continuous improvement process. These assessments should encompass various facets of the business resiliency program, including but not limited to risk assessments, response plans, and recovery strategies. Assessments may be scheduled at predefined intervals or triggered by significant organizational changes or external events.

3. Identification of Areas for Improvement:

Through comprehensive assessments, organizations can identify specific areas where the business resiliency program can be enhanced. This could involve gaps in preparedness, outdated response protocols, or emerging risks that were not initially considered. A systematic approach to identifying improvement areas ensures a targeted and strategic response.

4. Adjustments and Adaptations:

Once improvement areas are identified, the next step is to implement necessary adjustments. This might involve updating protocols, enhancing employee training, adopting new technologies, or revising risk management strategies. The ability to adapt quickly and effectively is a hallmark of a resilient organization.

5. Strategic Planning for Advancement:

Continuous Program Maturity should be guided by a strategic plan for advancement. This involves setting clear goals and milestones for each stage of maturity. These goals could be related to specific risk reduction, recovery time objectives, or the integration of advanced technologies. A well-defined roadmap provides direction and purpose to the continuous improvement efforts.

6. Feedback Mechanisms:

Establishing effective feedback mechanisms is crucial for the success of the continuous improvement process. This involves creating channels for employees, stakeholders, and relevant partners to provide input on the program’s performance. Feedback can be gathered through incident debriefs, simulations, and regular communication channels to ensure that the program remains aligned with organizational objectives.

7. Documentation and Reporting:

A robust documentation and reporting system is essential for tracking the progress of the continuous improvement efforts. This includes maintaining records of assessments, adjustment implementations, and the overall evolution of the program. Regular reports can provide valuable insights into the effectiveness of the program and serve as a basis for future enhancements.

Section 6.7 – F7: Rollout and Integration of program and plans

A. Rollout involves introducing and implementing the BCR program to all employees, departments, and stakeholders. This ensures everyone is aware of their roles and responsibilities in implementing the program.

B. The process of integration occurs at two levels. At the first level, the Integration process embeds the BCR program and plans into the organization’s existing systems and processes. It aligns the program with the organization’s culture, objectives, and strategy, identifies gaps and overlaps, and develops integration strategies. At the second level, resiliency plans from across the organization are integrated and coordinated into the overall BCR program.

Section 6.8 – F8: Program communication and coordination

Success in any Business Continuity and Resiliency (BCR) program heavily relies on the fundamental principles of effective communication and coordination. In responding to disruptions or incidents, the effectiveness of plan execution hinges on the clarity of communication. The clarity of communication ensures that everyone is well-informed and capable of responding with precision.

In addition to clarity, strong and transparent communication prevents misunderstandings, confusion, and the potential for errors. Effective communication and coordination are instrumental in preserving the program’s integrity and securing its success.

Internally, the C8-component requires organizations to establish communication and coordination procedures that ensure that all stakeholders are aware of their roles and responsibilities in the BCR program. This may involve establishing clear lines of communication between different teams or departments, creating communication protocols, and establishing regular communication channels to keep stakeholders informed of any changes or updates to the program.

Externally, the C8-component requires organizations to establish communication and coordination procedures with external partners, suppliers, and stakeholders involved in the BCR program and incident response efforts. This may involve establishing communication protocols with external parties, such as emergency services, vendors, or regulators, and ensuring that all stakeholders are aware of their roles and responsibilities in the BCR program.

Section 6.9 – F9: Development of a resiliency-focused culture

Cultivating a resiliency-focused culture within the organization is integral to the success and resiliency of a BCR program. The development of a resiliency-focused culture is an incremental process. Through this process, the level of resiliency-focused culture should be kept in alignment with the progress and advancement of the resiliency program within its lifecycle.

This process aims to increase awareness within the organization about the significance of continuity and resiliency. Moreover, it encourages employees to proactively manage risks and exhibit behaviors that boost the organization’s overall resilience. Developing such a culture necessitates the participation of all staff, from executives to entry-level staff. The process highlights the significance of their role in maintaining the organization’s continuity and resilience. This understanding will instill a sense of ownership and accountability that will promote a resilient culture. Incentives and rewards can also encourage behaviors that enhance the organization’s overall resilience.

Section 6.10 – F10: Program Quality assurance

Program Quality Assurance is made up of systematic processes and practices aimed at ensuring the effectiveness, reliability, and continuous improvement of BC and IT DR plans. The goal is to identify, measure, and manage the quality of BC and IT DR activities, making certain that they align with organizational objectives and industry standards.

Here are key components of Program Quality Assurance of BC and IT DR programs:

1. Policy and Procedure Development:

• Establish clear policies and procedures for BC and IT DR.
• Ensure that these documents are regularly updated to reflect changes in the business environment, technology, and regulations.

2. Documentation and Plan Review:

• Regularly review and update BC and IT DR plans to ensure accuracy and relevance.
• Implement a documentation control system to manage versions and changes to plans.

3. Testing and Exercises:

• Conduct regular testing and exercises to validate the effectiveness of BC and IT DR plans.
• Identify areas for improvement based on the outcomes of tests and exercises.

4. Audit Processes:

• Develop and implement internal audit processes to assess the compliance of BC and IT DR plans with organizational policies and industry standards.
• Consider external audits to provide an independent evaluation.

5. Alignment with Standards:

• Align BC and IT DR plans with relevant industry standards and frameworks such as ISO 22301 for BC and ISO 27001 for IT DR.
• Ensure ongoing compliance with these standards.

6. Key Performance Indicators (KPIs):

• Define and measure KPIs to assess the performance and effectiveness of BC and IT DR activities.
• Monitor metrics such as recovery time objectives (RTO) and recovery point objectives (RPO).

7. Continuous Improvement:

• Foster a culture of continuous improvement by analyzing incidents, test results, and audit findings.
• Use lessons learned to update plans and enhance the overall BC and IT DR program.

8. Training and Awareness:

• Provide ongoing training to employees involved in BC and IT DR activities.
• Raise awareness about the importance of BC and IT DR across the organization.

9. Change Management:

• Implement a robust change management process to track and control changes to business processes, IT systems, and infrastructure.
• Ensure changes are assessed for their impact on BC and IT DR.

10. Supplier and Third-Party Management:

• Assess and monitor the resilience of critical suppliers and third-party service providers.
• Include BC and IT DR requirements in contracts with vendors.

11. Incident Response and Communication:

• Develop and regularly update an incident response plan that integrates with BC and IT DR strategies.
• Establish effective communication plans to notify stakeholders during an incident.

Section 7.0 - Audience

The BCRI Implementation Reference Standard is intended for a wide range of stakeholders involved in the development, implementation, and maintenance of BCR programs, including:

1. Senior management and executive leaders responsible for setting the strategic direction and priorities of the organization.
2. Business continuity and resiliency professionals responsible for designing, implementing, and maintaining BCR programs.
3. Risk management professionals responsible for identifying, assessing, and mitigating risks that could disrupt business operations.
4. IT professionals responsible for ensuring the availability and resilience of critical systems, applications, and infrastructure.
5. Human resources professionals responsible for employee training, awareness, and support in the context of BCR.
6. Operations and supply chain management professionals responsible for ensuring the continuity and resilience of critical business processes and supply chains.

Glossary

Acceptable Stability Levels (ASL):
A broader definition of resiliency objectives introduced by BCRI, encapsulating both availability and continuity objectives across all operational states, both normal and during disaster scenarios.

BCRI (Business Continuity and Resiliency Implementation) Standard:
A framework developed by BRCCI that offers a practical approach for organizations to strengthen their business continuity and resilience strategies, emphasizing continuous resiliency.

Business Continuity (BC):
A traditional framework focusing on maintaining operational continuity during disaster situations.

Business Impact Analysis (BIA):
A process that identifies critical and non-critical business functions, assesses potential impacts of disruptions, and identifies recovery requirements for critical functions during a disruption.

Business Continuity and Resiliency Implementation (BCRI) Framework:
Structured around three key components: Program Definition, Program Architecture, and Business-Technology Interface. It advocates for functional separation between program management and planning processes.

Business-Technology Interface:
The nexus between business and technology resilience in BCRI, encompassing stages such as “Constraints and Dependencies,” “Skills-Strategy Gap Assessment,” and “Monitoring and Testing.”

Continuous Resiliency:
The principle prioritizing operational stability at all times, including both normal conditions and disaster situations, as introduced by BCRI.

Constraints and Dependencies:
Factors that may limit or impact the resiliency of an organization’s operations, including supply chain dependencies and resource limitations.

Core Component:
The central part of the BCRI architecture made up of 11 elements focusing on resiliency program management.

Mean Time Between Failure (MTBF):
A metric focusing on the average time between failures or disruptions in a system or process.

Mean Time to Recovery (MTTR):
A metric indicating the average time taken to restore a system or process after a failure or disruption.

Mean Time to Detection (MTTD):
A metric indicating the average time taken to detect a failure or disruption in a system or process.

Maximum Tolerable Downtimes (MTDs):
The maximum acceptable duration of time that a system or process can be down or unavailable without causing significant harm to an organization.

Program Architecture:
One of the three key components of BCRI, emphasizing functional separation between program management and planning processes and allowing for delineation of resiliency objectives at various levels.

Program Definition:
One of the three key components of BCRI, extending the scope of resiliency to encompass both normal operating conditions and disaster scenarios.

Resiliency:
A process to ensure Acceptable Stability Levels (ASL) during both normal and disaster periods, according to the BCRI definition.

Resiliency Objective:
Defined in terms of ASL, aiming to ensure stability and continuity across all operational states.

Resiliency Planning Process:
A lifecycle comprising eight stages (S1-S8) focusing on defining objectives, risk management, business impact analysis, strategy development, and testing and validation of BCR plans.

Resiliency Program Management:
Concerned with the management of the resiliency planning process, comprising 11 core elements that focus on various aspects of program management, including planning, maintenance, risk management, and continuous improvement.

Resiliency Risk Management:
Focuses on the assessment and management of risk to ASL, including identifying potential threats, estimating their likelihood and impact, and formulating mitigation strategies.

Skills-Strategy Gap Assessment:
An assessment within the BCRI framework to align organizational skills and capabilities with resiliency strategies.

Technology-BC/DR Gap:
The widening gap between the advancements in information technology and the progress in the field of business continuity and IT DR, addressed by BCRI through reshaping existing frameworks and expanding the scope to ensure continuity during all operational phases.

Traditional BC and IT DR Frameworks:
Frameworks primarily focused on disaster recovery and continuity during disaster conditions, contrasting with the broader scope of continuous resiliency introduced by BCRI.

BCR (Business Continuity and Resiliency):
A program focused on maintaining and enhancing an organization’s ability to operate during and after disruptions.

MTD (Maximum Tolerable Downtime):
The maximum amount of time a system or function can be down without causing significant harm to the organization.

RTO (Recovery Time Objective):
The targeted duration of time within which a business process must be restored after a disruption.

MTDDS (Maximum Tolerable Data Downtime and Loss):
The maximum amount of time and data an organization can afford to lose.

BCR Plans:
Detailed roadmaps that guide the organization on how to manage and recover critical functions during disruptions.

Monitoring:
Continuous surveillance for gaps and weaknesses in business operations and IT services.

Testing:
Activities aimed at assessing the impact of changes and validating the effectiveness of BCR plans.

Resiliency Program Management:
A framework encompassing various management functions to guide the resiliency planning process.

Risk Appetite:
The level of risk an organization is willing to accept in pursuit of its objectives.

Incident:
An event that disrupts normal business operations and may require activation of BCR plans.

Risk Mitigation:
Actions taken to reduce the potential impact or likelihood of identified risks.

Document Management:
Systematic handling of documents and records essential for business continuity and resiliency.

Disaster Recovery and Backups:
Measures to safeguard critical documents and data from loss or damage.

Program-failure Risk Management:
A comprehensive approach to identifying, assessing, mitigating, and monitoring potential risks and vulnerabilities within a BCR program.

Program Maturity:
The level of advancement and effectiveness of a business resiliency program.

Rollout:
The process of introducing and implementing the BCR program to all relevant stakeholders.

Integration:
The process of embedding the BCR program and plans into the organization’s existing systems and processes.

Program Quality Assurance:
Systematic processes aimed at ensuring the effectiveness, reliability, and continuous improvement of BC and IT DR plans.

Key Performance Indicators (KPIs):
Metrics used to measure the performance and effectiveness of BC and IT DR activities.

Continuous Improvement:
A culture of ongoing enhancement and refinement of the BCR program based on feedback and lessons learned.

Change Management:
A process to track, control, and assess changes to business processes, IT systems, and infrastructure.

Supplier and Third-Party Management:
The assessment and monitoring of the resilience of critical suppliers and third-party service providers.
