S 6.120 Checking and controlling the business continuity management process
Initiation responsibility: Emergency Officer, Top Management
Implementation responsibility: Emergency Officer, Top Management
The organisation's management is responsible for examining, controlling, and improving the business continuity management system. An important basis for the decisions this requires is clearly prepared and succinct information on the current status of business continuity management in the organisation.
In order to control and maintain the business continuity management system, it is necessary to check its effectiveness and efficiency regularly and to have the results of this examination evaluated by management. In doing so, the goal is to coordinate the subsequent tasks to be performed in the business continuity management process. For this reason, it is necessary to point out all changes and modifications required to the business continuity management process, for example to the goals or to the requirements placed on business continuity management. The results must be documented and integrated into the documentation previously recorded.
Regular management reports
In order for the top management of the organisation to make the right decisions when controlling and steering the business continuity management process, they need basic data on the status of business continuity management. This data should be prepared in management reports covering the following aspects, among others:
- the results of internal audits as well as of examinations conducted on outsourcing service providers and suppliers, including lists of shortcomings and suggestions for improvement,
- results of the tests and drills,
- feedback from the various interest groups including cooperation partners, outsourcing service providers, suppliers, and regulatory authorities,
- reports on the current risk situation, vulnerabilities, and damage events, as well as the findings and recommendations derived from them,
- reports on any changes made affecting the business continuity management system (changes to the infrastructure, business processes, or with service providers, for example),
- status reports on the established emergency measures and on implementation and improvement projects,
- reports on the training and sensitisation measures and their success,
- reports of changes to the legal or contractual requirements placed on business continuity management,
- reports on previous successes and problems in the business continuity management process.
The management must be informed regularly and in an appropriate form of the results of the examinations and the status of the business continuity management process by the business continuity management team. This includes pointing out problems, successes, and potential improvements.
A management report should be clear and concise. Which of the following aspects are relevant depends on the current situation; however, the report should neither contain too much information nor omit information needed to assess the situation. It is therefore necessary to consider pointing out the following:
- the extent to which the requirements of the business continuity concept have already been implemented in the organisation,
- the locations where gaps and therefore residual risks still exist,
- which security incidents have occurred, the damage caused by these incidents, and the damage prevented,
- the results of internal examinations,
- the extent to which the security level reached meets the requirements of the organisation and its risk situation,
- if any general conditions have changed requiring additional measures to be taken,
- whether the emergency measures have proven themselves suitable or whether the measures need to be changed or extended,
- the feedback received from customers, business partners, employees, or the general public relating to aspects of business continuity management,
- the resources used for business continuity management,
- if and how the previous management decisions were implemented.
In addition, an outlook on the further development of the organisation-wide business continuity management system should be provided, as well as an outlook on technical developments and procedures that could contribute to improving the business continuity management process.
Reports of damage resulting in interruptions of business always attract the attention of the mass media. It has proven useful to comment on such incidents in other organisations in the management reports and to point out the extent to which your own organisation is prepared for similar incidents.
Event-based management reports
In addition to the regular management reports, it may be necessary to create event-based management reports due to the sudden occurrence of unexpected problems or new risks resulting from new developments. This is the case particularly when these problems cannot be solved at the working level, for example because material resources are needed that are beyond the scope of those currently approved or because supplemental personnel rules are needed. An event-based management report may also be useful when the risk situation changes (for example due to new basic threats, new technologies, or new laws).
When writing the management report, it should be taken into account that the group of readers is normally not made up of technical experts. Correspondingly, the text should be as concise and understandable as possible, specifically emphasising the most important points (such as the vulnerabilities found), but also the successes achieved.
At the end of every management report, and especially in all event-based reports, there should always be clearly prioritised suggested measures together with a realistic estimate of the amount of time and expense required to implement them. This ensures that the management will be able to make a decision promptly without causing any unnecessary delays.
The management report on the business continuity management process should be presented to management personally by a member of the business continuity management team. In this way the most important points can be emphasised, for example existing or potential shortcomings. The member of the business continuity management team should also be available directly to answer questions and provide further explanations, which experience shows accelerates the decision-making process.
Furthermore, personal contact is also important so that management is better prepared to make decisions and to be able to resolve problems in advance. It would also be helpful if a member of management with the corresponding technical background and interests is available as a contact. Personal contact allows for establishing a "short official channel", the existence of which may prove to be an advantage in urgent emergencies.
Management decisions
Based on the management reports, management decides if any changes, modifications, or further procedures are needed in the business continuity management process. The Emergency Officer must support the organisation's management when needed. All decisions must be documented. This includes documenting the following aspects in particular:
- changes to the scope
- changes to the level of risk acceptance (appetite for risk)
- changes to the priorities of business processes
- changes to the business continuity strategy
- actions taken to improve the effectiveness of the business continuity concept together with the resources needed to this end
- changes with a potential influence on the business continuity concept, for example regarding:
  - business targets
  - requirements
  - business processes
All management reports and management decisions relating to business continuity management should be archived in an orderly manner to enable continuous monitoring of the business continuity management process. This documentation should be available quickly when it is needed by the people responsible.
Since the management reports on business continuity management generally contain sensitive information on the vulnerabilities and residual risks existing in the organisation, their confidentiality must be protected. Adequate precautions must be taken to ensure no unauthorised persons can obtain knowledge of the contents of the management reports.
Review questions:
- Does management actually perform the task of regularly examining, evaluating, and, if necessary, correcting the business continuity management system?
- Is management informed regularly of the status of the business continuity management process by means of management reports?