S 6.112 Establishment of a suitable organisational structure for business continuity management
Initiation responsibility: Top Management
Implementation responsibility: Top Management, Emergency Officer
Planning and establishing the organisational structure for business continuity management
In order to successfully plan, implement, and maintain a business continuity management process, a suitable organisational structure for business continuity management must be in place. It is therefore necessary to define the corresponding roles and the tasks, duties, rights, and authorities of these roles. The type and characteristics of the organisational structure for business continuity management depend on the size, nature, and structure of the particular organisation.
When establishing a business continuity management system, it may become apparent that persons in charge have already been appointed for various aspects of business continuity management in the organisation, but that there are no organisation-wide structures for this purpose. In this case, a suitable, overall organisational structure for business continuity management should be established in the organisation.
Since business continuity management can be divided into two basic phases, the contingency planning and the emergency response phases, the organisational structure should also be divided into two areas: contingency planning organisation and emergency response organisation.
Roles in contingency planning
The contingency planning organisation is responsible for planning, establishing, operating, and improving the business continuity management system. The following lists the primary roles in the contingency planning organisation:
Top management of the government agency and/or company:
The top management of the company and/or government agency is responsible for ensuring business continuity management throughout the entire organisation.
Emergency Officer:
The central position of Emergency Officer must be established in every organisation, since this person is responsible for all aspects of business continuity management.
Emergency Coordinators:
In larger organisations, the Emergency Officer may be supported by additional Emergency Coordinators.
Contingency Team:
The Contingency Team is a temporary team intended to advise the Emergency Coordinators.
Roles in the emergency response
The emergency response organisation takes temporary actions in an emergency or in a crisis and is responsible for responding quickly and effectively to the emergency as well as for recovering from the emergency. It must be suitably defined, established, and documented in advance of an emergency. The most important roles in emergency response include the following:
Crisis Decision Committee:
The Crisis Decision Committee specifies the strategic direction to take in an emergency or in a crisis and makes wide-ranging decisions that are above and beyond the authority of the crisis team leader.
Crisis Team:
The Crisis Team is a body that plans, coordinates, and provides information and support in an emergency or a crisis. It is a special, temporary organisational structure that overrides the normal organisational structure for managing the response to an emergency and bundles authorities from all departments. The Crisis Team is composed of a leader, a core team, and an extended crisis team. Additional experts can also be added to the team, if necessary.
Business Continuity Teams:
The Business Continuity Teams represent the operative component of the emergency response. These teams are responsible for recovering and restoring business processes, applications, or systems.
A detailed description of the roles in business continuity management and their tasks can be found in BSI standard 100-4 Business continuity management.
The roles defined by the organisation for the contingency planning organisation must be clearly documented together with their tasks, duties, and rights. This also includes the most important work instructions and organisational rules. It is recommended to create requirements profiles for the persons fulfilling these roles. Qualified employees must be appointed to each role defined.
Examination of the organisational structure of business continuity management
Once it has been established, the organisational structure for business continuity management is not static. Business processes and general conditions change constantly, which means the organisational structure for business continuity management must be reconsidered again and again. When reviewing the organisational structure, it should be examined, for example, whether the tasks and authorities in the business continuity management process are defined clearly enough, but also whether the tasks defined can be carried out as planned. The following aspects are particularly important in this regard:
- Monitoring the responsibilities
It must be examined regularly if all responsibilities and authorities have been clearly assigned and if they are practical.
- Checking if the requirements are being complied with
Regular checks must be conducted to ensure that all processes and procedures in the contingency planning organisation are used and executed as intended. At the same time, it should be ensured that the organisational structures established for business continuity management actually meet the requirements.
- Evaluating the efficiency of processes and organisational rules
It must be examined regularly if the processes and organisational rules in business continuity management are practical and efficient.
- Management evaluations
Management is to be informed regularly of the results of the checks and examinations mentioned above. The reports are not only needed to solve urgent or time-critical problems, but also contain important information needed by management to control the business continuity management process.
Review questions:
- Have the roles for business continuity management been adequately defined according to the conditions in the organisation and documented in writing together with their tasks, duties, and authorities?
- Have qualified employees been appointed to all roles in business continuity management?
- Are the practicality, effectiveness, and efficiency of the organisational structure for business continuity management examined regularly?