Our customer is an IT Managed Services Provider, providing hybrid multi-cloud, data protection, and cyber security solutions to mid- and upper-tier organisations. We engaged with them in 2019, initially developing their business continuity management system, and supporting their journey to ISO 22301 certification in 2022.
- Develop a Business Continuity Management System capable of withstanding scrutiny by a demanding client base, including financial institutions and banks.
- Realistically exercise their plans to demonstrate capability and provide assurance to clients. Produce exercise reports that can be shared with clients as evidence.
- They already provided incident management on behalf of clients; however, they recognised the clear need for a response to major internal incidents, potentially affecting many or all clients. This involved creating and embedding practical crisis management and business recovery plans.
- They also offer IT Disaster Recovery services to clients, but again needed their own robust IT DR Plan to deal with internal technology disruption.
Fast and painless delivery
We use workshops and video calls to gather planning information. In this case, high-grade up-front data meant a single intensive half-day session allowed us to develop a robust operational insight, followed by a further half-day to understand their IT DR and technology requirements.
Our consultants used the collected data to populate our client’s dedicated account on our online system, generating draft documents for review and comment. We then invested time with their project coordinator to validate the collected data and refine output documentation.
This concentrated first phase was completed in less than eight weeks.
We built a client-dedicated standards-aligned Business Continuity Management System (BCMS)
It included the following automated documents:
- Business Impact Analysis and Risk Assessment – providing a detailed analysis of the business from a continuity perspective. It identifies critical business services, specifies recovery deadlines in a major incident, and defines the continuity scenarios the business faces and must plan for.
- Business Continuity Plan – providing a step-by-step decision guide, role-task allocation and information to enable recovery from continuity-threatening incidents.
- Scenario runbooks – providing detailed but easy-to-read responses to each identified business continuity scenario.
- Role cards – anyone with a designated BCP responsibility received one of these, detailing their specific role tasks and requirements when responding to a continuity incident.
- IT Disaster Recovery Plan – in the same format and integrated with the BCP, the IT DRP included dedicated IT scenario runbooks and IT-specific Role Cards.
- Framework – demonstrating alignment with ISO 22301 and defining the components of the business continuity programme.
We helped develop BC capability through training and exercising
This activity was new for many staff, so we aimed to build their knowledge, familiarity, and capability gradually and consistently.
We took the following steps, ensuring their response to major incidents becomes seamless and embedded:
- Walkthrough with the business continuity committee, providing top-level validation, agreement and understanding of the Business Continuity Management System.
- Virtual training with all role assignees, introducing them to the plan, the strategies and their assigned roles.
- Development of online training modules, integrated into the client’s internal LMS (Learning Management System), which gave our client the ability to regularly refresh all staff on their business continuity arrangements.
- Business Continuity Exercises against challenging scenarios, which provided the opportunity to further enhance individual capabilities, build their confidence, and test the effectiveness of the BCP.
We continue to work regularly with our client to ensure all response team members are effectively trained, the plan exercised, and the system maintained.
Our software accelerated programme delivery; it now provides rapid access and makes updating easier
- Our consultants developed end-to-end standards-aligned documentation using the Inoni SaaS system.
- The client can now access the system to easily manage change themselves.
- All business continuity role assignees have read-only access to the latest version of documents and plan, from any device, anywhere.