Arab Academy for Science, Technology and Maritime Transport
SCENARIO BUILDING & BUSINESS CONTINUITY PLANNING
Prepared By: Dr. Mahmoud Beshr
Copyrights© AAST/Dr. Mahmoud Beshr
OVERVIEW OF THE BCM PROCESS
▪ ISO22301 doesn’t include a ‘model’ for the BCM process –
something the former called ‘the BCM Lifecycle’, which was,
in fact, quite similar to the ‘Plan-Do-Check-Act’ (PDCA) cycle
which does form part of the basis of the Standard.
▪ The structure of ISO22301 is consistent with other ISO
management system standards.
▪ The ISO 22301 requirements and a compliant business continuity management system offer
valuable insight useful for strategic planning, risk management, supply chain management,
business transformation and resource management.
▪ Better understanding of your business through analysis of critical issues and areas of
vulnerability
▪ Enhanced organizational resilience through cross-team collaborations
▪ Consistent approach throughout the entire organization (for multi-site organisations)
▪ Reduced costs and less impact on business performance if a disruptive incident occurs
▪ Demonstration of an organization's commitment to stakeholders such as customers, suppliers
and regulators that your organization has sound systems and processes in place for business
continuity
▪ Reap cost benefits from reduced insurance premiums
Continual Improvement of BCM Program
▪ Establish business continuity (BC) policy, objectives, targets, control, process &
procedures relevant to improving BC in order to deliver results that align with the
department's overall policies & objectives
▪ Implement & operate the BC policy, controls, processes & procedures
▪ Monitor & review performance against business continuity policy & objectives, report the
results to the Executive for review, determine & authorize actions for remediation &
improvement
▪ Maintain & improve the BCM program by taking corrective action, based on the results of
the management review & reappraising the scope of the BCM Program & BC policy & objectives
The key sections of ISO22301:2019
Clause (4): Context of the organisation
Clause (5): Leadership
Clause (6): Planning
Clause (7): Support
Clause (8): Operation
Clause (9): Performance evaluation
Clause (10): Improvement
4.1 Understand your organization and its unique context
4.2 Define the needs and expectations of your interested parties
4.2.1 Clarify who interested parties are and specify their requirements
4.2.2 Consider legal and regulatory requirements when designing BCMS
4.3 Figure out what your BCMS should apply to and clarify its scope
4.3.1 Think about what your organization's BCMS should cover and include
4.3.2 Establish your requirements and define the scope of your BCMS
4.4 Develop a BCMS that meets your needs and complies with this standard
PDCA model applied to BCMS processes
Context of the Organization
Context of the organisation
▪ Contractual and other requirements
▪ Relationship with other policies and wider risk management
▪ Who are the interested parties
▪ What the organisation does, and the potential impact of disruptions
▪ Scope of the management system
4.2 Define the needs and expectations of your interested parties
4.2.1 Clarify who interested parties are and specify their requirements
4.2.2 Consider legal and regulatory requirements when designing BCMS
4.3 Figure out what your BCMS should apply to and clarify its scope
[Figure: Strategic Alignment between Corporate Policy (Mission, Values, Objectives) and Business Continuity Policy (Business Continuity, Values, Objectives)]
Identifying the scope of the BCMS, taking into account the
organization’s strategic objectives, key products and services, risk
tolerance, and any regulatory, contractual or stakeholder obligations, is
part of this clause.
4.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the business continuity management system
4.4 Business continuity management system and its processes
▪ Determine external and internal issues that are
▪ Relevant to its purpose and
▪ Its strategic direction and
▪ That affect its ability to achieve the intended result
▪ Monitor and review information about these
external and internal issues.
▪ Due to their effect or potential effect on the
organization, the organization shall determine:
▪ The interested parties
▪ The requirements of these interested parties
▪ The organization shall monitor and review
information about these interested parties and their
relevant requirements.
▪ The organization shall determine the boundaries and
applicability of the BCMS to establish its scope.
▪ Apply all the requirements if they are applicable
within the scope of its BCMS.
▪ Scope shall:
▪ State types of products and services covered,
▪ Provide justification for any requirement not applicable to the scope of its BCMS
▪ Be available and be maintained as documented information.
▪ Understand your organization and its unique context
▪ Think about what your organization's BCMS should cover and include
▪ Establish your requirements and define the scope of your BCMS
▪ Develop a BCMS that meets your needs and complies with this international standard
Senior management needs to show clear leadership of, and ongoing
commitment to, the BCMS.
▪ It lays out how that should work in the following three sub-clauses:
1 Leadership and commitment
2 Policy
3 Roles, responsibilities and authorities
Meeting the needs of these sub-clauses will help the organization show its
customers and key stakeholders that the BCMS has strong support right
from the top. That creates certainty that the BCMS will work as it should in
times of crisis, safeguarding your organization’s essential functioning.
▪ This section emphasizes how important the functional and financial
support of senior management is for business continuity. It identifies
specific areas where senior managers need to show leadership and
commitment in clearly defined, practical ways.
▪ Senior leaders need to be supportive of the organization’s BCMS and
make a declaration of senior management activity both within and
beyond the BCMS, describing all the areas where they would be
involved.
▪ Senior management must develop and document a business continuity
strategy showing that they have applied the requirements of that strategy
to their BCMS, and are confident that all interested parties know they
can trust it.
▪ Is relevant to the organization's goals and objectives
▪ Meets the organization's business continuity needs
▪ Has been fully reviewed by and coordinated with the organization and
stakeholders
▪ The roles, responsibilities and authorities of all BCMS actors are clearly defined
and well understood. And once again, all relevant documentation must be both
in place and seen to be in place.
▪ This will ensure a timely, focused and consistent response to all business crises.
It also has clear practical benefits in non-critical times. Being able to
demonstrate high levels of readiness will let stakeholders know that the right
people are all ready to take the right actions at the right time, whatever
challenges they’re facing.
▪ This requirement shows how to think through risks
and opportunities, plan the response to them and
set business continuity objectives.
This section of the ISO 22301 specification helps think through the risks
or opportunities that might hinder or help make sure that the BCMS:
● Works as it should
● Doesn’t create any unexpected outcomes
● Will continually evolve and improve
▪ The business continuity goals must take into account the requirements
set out in clauses 4.1 and 4.2. That means:
▪ Being clear about the organization’s definition, structure and business
context
▪ Defining the stakeholders’ business continuity needs and expectations
▪ The purpose and possible consequences of any changes
▪ How they could impact the integrity of your BCMS
▪ To whom you’ll allocate any new responsibilities /
authorities
▪ Whether you need to reallocate any existing responsibilities
/ authorities
▪ What resources you’ll need to deploy to support them
▪ Managing an extensive, effective BCMS creates some very practical
challenges. To overcome them, you need to make sure that your
organisation’s made the right resources available.
▪ The organization needs to make sure the right resources have
been assigned to the development, implementation, maintenance
and continuous improvement of the BCMS.
▪ Resources can include people, premises, technologies,
information, suppliers and partners.
▪ To achieve ISO 22301 certification the organization needs to carefully evaluate
the competence of the employees who play a part in maintaining the BCMS and
carrying out the business continuity plan.
▪ A general statement must be recorded about the organization’s people and their
competencies. It should describe each one’s role within the BCMS and show
their suitability for it, noting any relevant experience, training or education.
The organization’s people need to have clear, specific knowledge of their business continuity
roles and responsibilities.
They must understand:
▪ The business continuity policy
▪ How they contribute to its effectiveness and why that’s good for the organization
▪ What not conforming with it means for them and for the organization
▪ Effective communication’s a big part of a successful BCMS.
▪ All communications relevant to the BCMS need to be clearly
planned out.