
BCM Policy


The Government of the Republic of Trinidad and Tobago

Business Continuity Management Policy for the Public Service

August 2015

Approval Page

Name Job Title Signature Date


Cabinet Minute No. 2224 27 August 2015

Distribution List

Recipient Issue Date Version Status Authorised By


August 2015 1.0 Final

Change Record

Date Author Version Changes to this Version



Table of Contents
Abbreviations
1. Purpose
2. Policy Goals
3. Target Audience
4. Applicability and Scope
5. Governance and Accountability
6. Funding and Resources
7. Risk Assessments and Business Impact Analysis
8. Business Continuity, Disaster Recovery and Emergency Response Plans
9. Post Incident Reviews
10. Plan Maintenance and Testing
11. Compliance Auditing
12. Periodic and Annual Reporting
13. Communication and Availability
14. Policy Maintenance
15. Key Disaster Management Legislation and Guidelines
16. Relevant Standards and Guidance
17. Glossary

Version1.0 May 2015



Abbreviations

BCM Business Continuity Management


BCP Business Continuity Plan
BIA Business Impact Analysis
DRP Disaster Recovery Plan
GoRTT Government of the Republic of Trinidad and Tobago
HSE Health, Safety and the Environment
ISO International Organization for Standardization
IT/ICT Information Technology/Information and Communications Technology
MPA Ministry of Public Administration
ODPM Office of Disaster Preparedness and Management
RTO Recovery Time Objective


1. Purpose
“Business Continuity Management is a holistic management process that identifies potential
threats to an organisation and the impact to business operations those threats, if realised, might
cause, and which provides a framework for building organisational resilience with the
capability of an effective response that safeguards the interests of its key stakeholders,
reputation, brand and value-creating activities”. [1]

The Government of the Republic of Trinidad & Tobago (GoRTT) has determined a need for the continuance of
critical services by Ministries, Departments and other Agencies across the Public Service, in the event of a unique
business debilitating incident. A unique business debilitating incident is any situation specific to the
organisation that might be or could lead to a business interruption, loss, emergency or crisis. During this period
of interruption, the rest of the country, and by extension the rest of the Public Service, is functional and therefore
users of Public Services expect the availability of services, notwithstanding an incident. The GoRTT
acknowledges that certain business debilitating incidents can escalate to a national or regional disaster, in which
instance the organisation facing the incident will be expected to keep the Office of Disaster Preparedness and
Management (ODPM) informed of the incident.

The GoRTT recognises that the unexpected could happen, the effect of which could compromise the ability to meet
acceptable standards of service. The GoRTT further recognises that it does not have the required business
resiliency to ensure seamless continuance of public services, in the event of a unique business interruption during
which citizens expect continued public services. To this end, the GoRTT wants assurance that it is protected
against such risks and threats that could materially impact upon or disrupt its critical business operations.

For these reasons, the GoRTT is implementing a Business Continuity Management (BCM) Programme across the
Public Service to ensure timely and effective business continuity, disaster preparedness, response and total
business recovery, should a significant unique business interruption occur. The Programme minimises exposure
to risk and the adverse impact on employees and reputation, and protects the interests of stakeholders and the wider
community, while providing for continuity of operations.

This BCM Policy provides the framework on which the BCM Programme is designed and built, identifies the
principles to which the GoRTT aspires, and provides the context in which the required capabilities will be
implemented. The BCM Policy demonstrates the GoRTT’s commitment to BCM.

The BCM Programme utilises a whole of Government approach which promotes the following:
1. A common and consistent methodology for BCM across the Public Service
2. A cost effective approach to implementing business continuity and disaster recovery strategies across the
Public Service
3. A centralised oversight and support system to monitor the successful implementation of BCM

The underlying assumptions of the BCM Programme are as follows:

• The business interruption is a unique event during which citizens expect continued delivery of public services
• The normal processing location of the impacted Ministry, Department or Agency is not accessible
• The rest of the Public Service is functional
• A robust Performance Appraisal System is in place to support accountability for BCM implementation by staff
of Ministries, Departments or Agencies.

[1] ISO 22301:2012


2. Policy Goals
The overarching goal of the BCM Policy is to realise continued delivery of public services to citizens in the event of
a unique business interruption using this organisational resiliency approach. In so doing the GoRTT expects to
achieve:

1. Ongoing mitigation, prevention and reduction of disruption in service to the public
2. Cost effective preparedness and response for any major event that may impact its business activities
3. Effective communication before, during and after an incident
4. Recovery and continuity of critical business processes at an acceptable level of operation during and after an
incident
5. Timely restoration of business system software, hardware, IT infrastructure services and data during and after
an incident
6. Accounting for staff in general, and transfer of specific staff to alternative locations to maintain critical
business processes following major disruptions or disasters.

To achieve these goals, the BCM Oversight Committee and the BCM Services Division of the Ministry with
responsibility for BCM, working in close collaboration with Ministries, Departments and Agencies across the
Public Service, will:
• Promote leadership and management commitment to whole of Government BCM implementation
• Develop a Business Continuity Programme that includes risk assessment, plans and schedules that are
reviewed at least annually or as the need arises
• Lead, manage, monitor and evaluate the roll-out of the BCM implementation across the Public Service
• Provide planning and implementation guidance inclusive of standardised plans, questionnaires, forms and
report templates, to Ministries, Departments and Agencies, on how to integrate Business Continuity
requirements into organisational roles
• Lead a strong communications and training program to sustain a high level of BCM awareness and
competence in BCM concepts and principles amongst employees
• Identify and secure the requisite staff who will play a role in BCM implementation and ensure that they
understand their role and are continually engaged in BCM initiatives
• Identify BCM champions who will be fully engaged in BCM and take an active role in Business Continuity
planning and recovery of business processes and provide quality information to the Business Impact Analysis
(BIA) process
• Promote active involvement in relevant professional, community and national activities

3. Target Audience
This BCM Policy is targeted to the Accounting Officers or Administrative Heads of public service Ministries,
Departments and Agencies and includes Permanent Secretaries, Heads of Departments, the Chief Administrator,
Tobago House of Assembly or any equivalent, and to Directors, Managers, Facilities Management Officers,
Health, Safety and the Environment (HSE) Officers, Information Technology (IT) Officers, Human Resource (HR)
Officers and all other persons across the Public Service responsible for the provision of services offered in its
business operations.

Elected or selected Heads including the President, Commissioners and other Heads of Constitutional and Other
Authorities including the Tobago House of Assembly, Parliamentary Heads and Members, the Chief Justice and
other Judiciary Heads, the Prime Minister and Line Ministers are key stakeholders in endorsing this Policy and
where applicable, participating in the rollout of BCM, to ensure the continued provision of public services.


It is the responsibility of the leadership of Ministries, Departments and Agencies across the Public Service to
inform staff about the BCM Policy.

It is the responsibility of staff to be aware of, understand and adhere to this Policy.

Each Ministry, Department and Agency is expected to comply with the provisions of this BCM Policy and to
develop and/or enhance its capability to continue critical operations in the event of a unique business
interruption.

4. Applicability and Scope


The BCM Policy is applicable to the agencies of the following arms of GoRTT, hereinafter referred to as the Public
Service:
• The Office of the President
• Constitutional and Other Authorities including the Tobago House of Assembly
• The Legislature, specifically both houses of Parliament (the House of Representatives and the Senate)
• The Judiciary
• The Executive arm, specifically all Ministries, Departments, Statutory Boards and Similar Bodies.

The BCM Policy is not applicable to State Agencies (wholly owned, majority owned, minority owned or indirectly
owned, etc.). However, State Agencies are free to be guided by this policy framework.

This Policy covers business continuance of the critical processes across the Public Service, and the critical
supporting IT/ICT and other systems which must be operational at the primary or alternative locations, in the
event of a unique business interruption. A necessary pre-requisite is to identify the business processes critical to
each Ministry, Department and Agency across the Public Service; the resources required to effectively perform
these processes, and how each Ministry, Department and Agency, can sustain critical service delivery operations
during periods of interruption.

Compliance with the provisions of this BCM Policy is mandatory and breaches will be dealt with in accordance
with established regulations set out in the Civil Service Act, Chapter 23.01 of the Laws of the Republic of Trinidad
and Tobago and other regulations that govern staff performance.

The BCM Policy is aligned to the Comprehensive Disaster Management Policy Framework for Trinidad and
Tobago and the National Response Framework. The management of island wide disasters falls under the scope of
the Office of Disaster Preparedness and Management (ODPM), a division of the Ministry of National Security.
Nothing in this BCM Policy subsumes or cancels the function of the ODPM.

In the event that a unique business interruption escalates, it will be addressed in accordance with the three-level
system of response as defined in the National Response Framework, through organisations within the National
Disaster network e.g. local government authorities and other first responder Agencies; ODPM’s National
Emergency Operations Centre (NEOC) and relevant Ministries such as, but not limited to, the Office of the Prime
Minister and the Ministries of National Security, Foreign Affairs and Finance and the Economy.

The BCM Policy is also in alignment with the Public Service Excellence programme which from 2014 includes the
Trinidad and Tobago Diamond Standard Certification, which provides national certification to services of
Ministries, Departments and Agencies that exemplify excellence in delivering public services to citizens and
other client groups. Services seeking certification will be assessed on the basis of a number of criteria including
the level of Business Continuity capability.

5. Governance and Accountability


The BCM Policy will be monitored and evaluated by the BCM Oversight Committee. The BCM Oversight
Committee and BCM Services Division of the Ministry with responsibility for BCM will work with Ministries,
Departments and Agencies to oversee and coordinate the requirements of this Policy.

This BCM Governance and Operational Framework, diagrammatically shown in Appendix A, consists of three (3)
tiers:

• Tier I - BCM Oversight Committee - representing the Governance Structure
• Tier II - BCM Services Division of the Ministry with responsibility for BCM, and
• Tier III - Accounting Officers or Administrative Heads including Permanent Secretaries, Heads of
Departments and Heads of Agencies across the Public Service.

Tiers II and III represent the Operational Structure.

BCM Governance Structure

The BCM Oversight Committee will be responsible for leadership and oversight of the BCM operations across the
Public Service. This Committee will provide strategic direction of BCM across the Public Service, update and set
new Policy, make across-government decisions, guide across-government financing decisions relative to BCM,
identify and facilitate across-government BCM related synergies, develop the people capacity to ensure the
critical mass for sustainability of BCM, resolve across-government issues, set the boundaries for the working
relationship between the Ministry with responsibility for BCM, and the Ministries, Departments and Agencies
across the Public Service as it relates to business continuity; and monitor and inform the development,
continuous improvement, maturity and sustainability of the GoRTT’s BCM Programme.

The BCM Oversight Committee will comprise representatives from the National Operations Centre (NOC) and
ODPM (or their equivalent new or restructured agencies) who will ensure direct linkage with the national disaster
network. The Committee will provide timely and accurate feedback to the Cabinet of the Republic of Trinidad and
Tobago, and facilitate information sharing with Permanent Secretaries, Heads of Departments and Heads of
Agencies across the Public Service on BCM matters. This Committee will collaborate with the ODPM to ensure
that GoRTT’s BCM Policy is incorporated into its deliberations and decision making. This Committee will be
chaired by the Permanent Secretary of the Ministry with responsibility for BCM and will work closely with the
BCM Services Division.

It is to be noted that government Ministries, in accordance with Section 66 D of Act No 29 of 1999 cited as the
Constitution (Amendment) Act of 1999, are required to report to the President and both Houses of Parliament on
an annual basis on their operations. As such, information on BCM matters will be in the public domain.


BCM Operational Structure

The BCM Division of the Ministry with responsibility for BCM

The BCM Services Division of the Ministry with responsibility for BCM will be responsible for managing and
coordinating business continuity implementation across the Public Service. This includes standardisation of
business continuity and disaster recovery planning, policy and plan development, validation and compliance,
project management, training, and BCM monitoring and evaluation across the Public Service. The BCM Services
Division will be headed by a Director BCM Services, who will be responsible for the overall management and
coordination of BCM for the Public Service. The Director will report to the Permanent Secretary of the Ministry
with responsibility for BCM. The BCM Services Division will be resourced with the requisite skills to roll out BCM
to the Public Service.

Ministries, Departments and Agencies across the Public Service

Accounting Officers or Administrative Heads of each Ministry, Department and Agency across the Public Service
will be responsible for adherence to this BCM Policy, implementing the BCM methodology as well as for the
maintenance of the Ministry’s, Department’s or Agency’s Business Continuity and Recovery Plans. Accounting
Officers or Administrative Heads will be supported by the Head of each Division or Business Unit. The Head of
each Division or Business Unit will be responsible for ensuring the implementation and maintenance of Divisional
or Business Unit Business Continuity and Recovery plans, and adherence by all staff of each Division or Business
Unit to this BCM Policy and the plans. Each Ministry, Department or Agency will appoint a BCM Co-ordinator
who will liaise with the BCM Services Division of the Ministry with responsibility for BCM and will ensure that the
Ministry, Department or Agency’s Business Impact Assessments (BIAs) are completed and BCM plans are tested
and updated periodically. The BCM Co-ordinator will report to the Permanent Secretary, Head of the Department
or Head of the Agency i.e. the Accounting Officer or Administrative Head on BCM matters.


6. Funding and Resources


Appropriate funding from the GoRTT will be allocated to meet BCM implementation efforts within each Ministry,
Department and Agency across the Public Service. Each Ministry, Department and Agency will identify and
communicate its BCM funding requirements for developing and strengthening BCM capacity in accordance with
the normal budgeting process, for consideration within the Public Sector Investment Programme (PSIP) and
GoRTT’s Recurrent expenditure budget.

Appropriate staff, in terms of skills and numbers, will be identified and allocated to meet the BCM planning, BCM
people and skills capacity and implementation requirements across the Public Service. Each Ministry, Department
and Agency will make provisions for the requisite training to ensure the BCM capability within the organisation.

All Public Service organisations will make adequate provisions to facilitate staff who are assigned to respond to
relevant business interruptions beyond the normal operational hours.

7. Risk Assessments and Business Impact Analysis


Ministries, Departments and Agencies across the Public Service will conduct risk assessments and business
impact analysis at least annually as follows:

• A Facilities Risk and Vulnerability Assessment to determine, at a high level, the threats that could result
in a significant business interruption and the risk exposure related to these threats. This assessment will
adopt an all hazards approach (natural and man-made hazards) and cover the physical environment,
facilities issues, power supply, physical security, key personnel availability, equipment failure,
information systems, exposure to flooding, civil unrest and other similar threats. Potential risks, including
but not limited to crime, fire, flood, physical security, and third party exposure will be assessed for
mitigation, transfer or acceptance. The results of the BIA and the Facilities Risk and Vulnerability
Assessment will be used as the basis for collaboration and support amongst Ministries, Departments, and
Agencies offering related services, alliance management with significant third parties, and the
development and evaluation of recovery strategies for Ministries, Departments and Agencies across the
Public Service. For greater financial and operational effectiveness, whole of government recovery
strategies will also be assessed.

• A Business Impact Analysis (BIA) to identify and understand the impact of a significant business
interruption on the Ministry, Department or Agency and associated business units, as well as the impact
of significant business interruptions at key third parties; to obtain an inventory of the Ministry,
Department or Agency’s business processes; to identify the time criticality of each business process; to
determine their order of recovery in the event of disruptions; and to identify the minimum supporting
data and resources to maintain or recover these critical processes following disruptions.

In consideration of the fact that there are very small and very large public service Ministries, Departments and
Agencies, and cognisant of the maturity level of BCM and economies of scale, conduct of risk assessments and
business impact analysis may be appropriately scoped, and is to be done in consultation with the BCM Services
Division.


8. Business Continuity, Disaster Recovery and Emergency Response Plans

Business Continuity, Disaster Recovery and Emergency Response Plans will be developed and documented so that
business continuity strategies can be implemented and maintained. These plans will also provide scenario based
guidance on the sequence of actions to be taken in the event of business interruptions and disaster. These plans
will include continuity and recovery measures and teams with their roles, responsibilities, and accountabilities
during and after business interruptions. Plans will have clear procedures to deal with significant unique
disruptions, including communication with ODPM should these escalate to geographic or national crises.
Therefore, Crisis Communication Plans will be tightly integrated into BCPs and DRPs, as well as inventories of
back-up resources for rapid deployment to maintain services to the public.

Business Continuity, Disaster Recovery and Emergency Response Plans will be available in both hard and soft
copies at the relevant Ministry, Department and Agency.

9. Post Incident Reviews


Ministries, Departments and Agencies across the Public Service will conduct post incident reviews as soon as
practical after an incident. These reviews will be used by each Ministry, Department and Agency to ensure the
currency of plans and preparedness, as well as to update the BCM Programme with lessons learnt. The results of
these reviews will be documented and maintained in accordance with the GoRTT’s policy on data retention.
Immediately following completion, both hard and soft copies of these documents will be forwarded to the BCM
Services Division of the Ministry with responsibility for BCM.

10. Plan Maintenance and Testing


As part of normal operations, each Ministry, Department and Agency across the Public Service will carry out BCM
maintenance activities which will include the annual review, updating and testing of BCM Plans to ensure that
they remain fit for purpose.

Each Ministry, Department or Agency will have ownership of its business continuity plan and will be responsible
for its maintenance and evaluation to ensure that business continuity and disaster recovery strategies are
appropriate, and that the plan adequately addresses its service level requirements.

Testing of BCM plans will be conducted by each Ministry, Department and Agency across the Public Service at
least annually or more frequently as the need arises and will increase in scope each subsequent year as the BCM
Programme matures. Where possible, this can coincide with the National Annual Drill spearheaded by the
National Disaster Office. Between the annual test intervals, components of the overall plan can also be tested in
preparation for the full-blown exercise. The scope of each test will be discussed and agreed by the BCM Services
Division of the Ministry with responsibility for BCM and the relevant Ministry, Department and Agency.

Each test plan will define:

• A key disruption scenario
• Objectives
• Scope
• Roles and responsibilities
• Assumptions and parameters
• Criteria for assessing the outcomes
• Logistics of the test i.e. date, time, venue, transportation and technical support
• Communications, Disaster Declaration and Plan Execution Sequence
• Test activities
• Report of the test results
• Corrective action, where relevant

De-briefing sessions will be held immediately after each test to identify strengths, weaknesses, capacity to meet
response time objectives (RTOs), lessons learnt and ways for improving the exercise and/or business
continuity/disaster recovery plans.

A report outlining the outcomes of the exercise, lessons learnt and recommendations for improvements will also
be prepared and presented to the Permanent Secretary of the relevant Ministry, Head of the Department, or Head
of the Agency. When completed, a copy of this report will be forwarded to the BCM Services Division of the
Ministry with responsibility for BCM.

The results of the tests will be used to identify and correct continuity planning gaps, and to update existing plan
documentation and procedures.

In consideration of the fact that there are very small and very large public service Ministries, Departments and
Agencies and cognisant of the maturity level of BCM and economies of scale, Plan Maintenance and Testing may
be appropriately scoped, and is to be done in consultation with the BCM Services Division.

11. Compliance Auditing


Periodic auditing of the BCM Programme will be performed by the BCM Services Division of the Ministry with
responsibility for BCM. The scope of each audit will be discussed and agreed by the BCM Services Division with
the relevant Ministry/Ministries, Department/Departments or Agency/Agencies within the Public Service.

12. Periodic and Annual Reporting


BCM reporting will be performed semi-annually by each Ministry, Department or Agency across the Public Service
as directed by the BCM Oversight Committee and the BCM Services Division. Such reporting will be used to
inform the evolution and continuous improvement of the BCM Programme.

The BCM Services Division of the Ministry with responsibility for BCM will prepare and submit an Annual Report
on BCM to the Oversight Committee. This Report will address matters such as, but not limited to, the following:
the BCM activities undertaken; capacity measurements (number of staff involved in BCM activities; number of
trained personnel; number of Agencies that have completed, are pursuing and/or are maintaining BCM; number of tests
completed and the results; number of audits conducted and the results; also a record of outages and their impact
during the reporting period); BCM maturity of the Ministries, Departments and Agencies; and plans for the
following year.

13. Communication and Availability


This Policy will be communicated through relevant Public Service publications and other media/channels in
accordance with the roll-out plan to implement BCM across the Public Service.

The Policy will be available electronically to staff via the GovNeTT Communications Backbone and hardcopies will
be maintained by each Ministry, Department or Agency.


14. Policy Maintenance


The BCM Services Division of the Ministry with responsibility for BCM will review this Policy annually to ensure
its effectiveness in achieving the stated objectives. If necessary, the Policy will be updated between annual reviews
to take into account, but not limited to, evolving legal and regulatory requirements and strategic initiatives of the
GoRTT. The BCM Oversight Committee will be responsible for approving any amendments to this Policy.

Feedback is welcome and is to be addressed to the Permanent Secretary of the Ministry with responsibility for
BCM.

15. Key Disaster Management Legislation and Guidelines


BCM is guided by the legislative framework around disaster preparedness.

The core disaster management legislation is the Disaster Measures Act, 1978 supported by the following plans
which were prepared and are monitored by the ODPM:
• ODPM Disaster/Emergency Standard Operating Procedures and Contingency Plans
• National Recovery Plan
• Earthquake Contingency Response and Recovery Plan
• Severe Weather Contingency Response and Recovery Plan
• Tropical Storm/Hurricane Contingency Response and Recovery Plan

Additional legislation is as follows:

• The Constitution of the Republic of Trinidad and Tobago
• Civil Service Act of Trinidad and Tobago and Civil Service Regulations
• Exchequer and Audit Act
• Defence Act, 1962
• Police Service Act, 1965 and Mass Casualty Management Plan
• Fire Service Act, 1997 and Disaster/Emergency Standard Operating Procedures and Contingency Plan
• Cadet Force Act and Regulations
• Municipal Corporations Act, 1990
• Environmental Management Act, 2000
• Regional Health Authorities Act
• Trinidad and Tobago Occupational Health and Safety Act 2006
• Water and Sewerage Authority Act
• Telecommunications Act
• Trinidad and Tobago Electricity Commission Act
• National Oil Spill Contingency Plan
• Tobago House of Assembly Act, 1996

16. Relevant Standards and Guidance


This Policy was informed by the requirements of the ISO 22301:2012, Societal Security - Business Continuity
Management Systems – Requirements, and other guidelines which are defined in Appendix B. The Trinidad and
Tobago equivalent of the standard TTS/ISO 22301:2014 is not currently available to the Public. Once the
standard is available it will be reviewed by the BCM Division of MPA, who will update the BCM Policy where
relevant.

17. Glossary
Refer to Appendix C for definitions of key terms used in this Policy.

Appendix A – Governance and Operational Framework

GoRTT’s BCM Governance and Operational Framework

Tier I: BCM Oversight Committee
Oversight and Monitoring - Whole of Government

Tier II: MPA
Leading and Managing BCM Implementation
• Ministry of Public Administration
• Permanent Secretary
• BCM Services Division
• Director
• Business and Disaster Recovery Manager (Project Management; Training and Awareness)
• Business and Disaster Recovery Manager (Business Continuity Planning)
• Business and Disaster Recovery Manager (Disaster Recovery Planning)
• BC Compliance Manager (Policy Development; Compliance & Audit)
• Business Operations Co-ordinator
• Business Operations Assistant (Administration)

Tier III: Ministry or Agency
Implementation Across the Public Service
• Permanent Secretary or Head of Agency
• BCM Coordinator
• Ministry or Agency BCM Team
• Head – Information Technology
• Head – Human Resources
• Head – Health Safety and the Environment
• Head – Facilities Management
• Head – Communications

Appendix B – List of References

In preparing this BCM Policy, leading practice information from across Government and across industry was reviewed.
Some of the sources are:

Governments/Ministries/Agencies

British Columbia Ministry of Finance, “BCM Policy” 2013

Department for Transport, UK “Business Continuity Management Policy”. 13 pages. October 2011

Metropolitan Police, London, UK “Business Continuity Management Policy”. 4 pages. September 2009

National Health Service, UK “Business Continuity Management Strategy” 26 pages. August 2013

The Government of the Republic of Trinidad and Tobago, “Crisis Communications Guidelines and Response
Plan” 124 pages April 2011

The Government of the Republic of Trinidad and Tobago, “National Climate Change Policy” 28 pages July 2011

The Government of the Republic of Trinidad and Tobago “National Policy on Gender and Development”. 64
pages June 2009

The Government of the Republic of Trinidad and Tobago. “National Response Framework”. 13 pages.
December 2010.

The Government of the Republic of Trinidad and Tobago, Ministry of Public Administration. “Green Paper.
Transforming the Civil Service: Renewal and Modernisation”. 48 pages. May 25 2011.

The Government of the Republic of Trinidad and Tobago, Ministry of Public Administration and Information.
Draft Policy on Governance for the Trinidad and Tobago e-Government Portal. Version 2.00. 19 pages.
November 2006.

International Standards

International Organisation for Standardisation. Societal security – Business Continuity Management Systems –
Requirements. ISO 22301:2012(E). 24 pages. ISO 2012.

Corporations including Energy Companies and Universities

Health, Safety and the Environment (HSE) Policies from a range of Energy companies and BCM Policies and
Strategies from select Universities

Methodologies

PricewaterhouseCoopers. Business Continuity Management. PwC Methodologies.

PricewaterhouseCoopers. Risk Evaluation and Vulnerability. PwC Methodologies.

PricewaterhouseCoopers. Smart Business Continuity Management. PwC Methodologies.

Publications

Business Continuity Institute. “Good Practice Guidelines 2013 Global Edition: A Guide to Global Good Practice in
Business Continuity”. 115 pages. bci@thebci.org. 2013.

Dorey, Peter (2005, reprinted 2008) – Making Policy in Britain, An Introduction

HM Government. “How prepared are you? Business Continuity Management”. Version 1. 19 pages.

Information Systems Audit and Control Association (ISACA). Journal. 2014.

Internal Audit & Advisory Services. “Report on the Cross Government Review of Business Continuity
Management.” 80 pages March 2007

Lalla, Kenneth R. The Public Service and Service Commissions. (Universal Printers (T&T) Limited, 2013).

National School of Government, September 2008 - Making Policy that Happens - A Policy Toolkit (Draft)

Office of Disaster Preparedness and Management “National Institutional Disaster Management Framework for
Trinidad and Tobago” Nov 2013

Office of Disaster Preparedness and Management “Comprehensive Disaster Management Policy Framework for
Trinidad and Tobago” (Draft) 31 pages

Appendix C - Glossary
The following are definitions of key terms utilized in this Policy:

Agency: A business or organisation providing a particular service on behalf of another business or person. (Source: http://www.oxforddictionaries.com/us/definition/English)

Business: Service(s) delivered by the Ministries, Departments and Agencies, administrative processes; general operations.

Business Interruption: Any event, whether anticipated or unanticipated, which disrupts the normal course of business operations at the established location. The business interruption will be unique to the location only as the rest of the country will be operational.

Business Continuity (BC): The capability of the organisation to continue delivery of products or services at acceptable predefined levels following a disruptive incident. (Source: ISO 22301:2012)

Business Continuity (BC) Planning: An organisation's risk management strategy for threats that may interrupt, terminate or significantly disrupt core business processes. It involves mitigation activities and contingency planning for response and recovery actions.

Business Continuity Plan (BCP): Documented procedures that guide organisations to respond, recover, resume and restore to a predefined level of operation following disruption. (Source: ISO 22301:2012)

Business Continuity (BC) Programme: The ongoing management and governance process supported by top Management and appropriately resourced to implement and maintain business continuity management. (Source: ISO 22301:2012)

Business Continuity Management (BCM): A holistic management process that identifies potential threats to an organisation and the impacts to business operations those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. (Source: ISO 22301:2012)

Business Continuity Management (BCM) Co-ordinator: The BCM Co-ordinator will have delegated authority from the Permanent Secretary, Head of Department or Head of Agency for coordinating the BCM activities of the Ministry, Department or Agency, and will be expected to work in close collaboration with the BCM Services Division of the Ministry with responsibility for BCM. The incumbent will report to the Permanent Secretary of the relevant Ministry, Head of Department or Head of Agency.

Business Impact Analysis (BIA): Process of analysing activities and the effect that a unique business disruption might have on them. (Source: ISO 22301:2012)

Crisis: A situation with a high level of uncertainty that disrupts the core activities and/or credibility of an organisation and requires urgent action. (Source: ISO 22301:2012)

Crisis Management Plan (CMP): A Crisis Management Plan describes the various actions which need to be taken during critical situations or crisis and the roles and responsibilities of employees and other critical dependencies during crises.

Department: A department of Government not under Ministerial control (Source: Laws of Trinidad and Tobago – Civil Service Act)

Disaster Recovery: This refers to Information Technology (IT) recovery. Disaster Recovery Plans (DRPs) document the process to recover and restore the technology (computer processing, applications and data) needed to support critical business functions.

Emergency Response Plan (ERP): An ERP is created to facilitate and organise employer and employee actions during workplace emergencies. This involves life safety procedures to protect the well-being of personnel and visitors.

Event: The occurrence of a particular set of circumstances that creates an actual or potential emergency or disaster or other crisis situation.

Incident: Situation that might be or could lead to a disruption, loss, emergency or crisis. (Source: ISO 22300:2012)

Key Performance Indicators (KPI): Key performance indicators are measures used to gauge performance in terms of meeting goals. Examples of KPIs are as follows: BCM activities undertaken vis-a-vis the BCM Programme; number of Ministries, Departments and Agencies that have completed, are pursuing and/or are maintaining BCM; number of audits conducted and the results; and BCM maturity of the Ministries, Departments and Agencies.

Ministry: A government department headed by a Minister of State (Source: Merriam-Webster)

Public Service: Refers to Ministries, Departments (e.g. Service Commissions Department, Personnel Department) and Agencies (Fire Service, Prison Service, Teaching Service, Judicial and Legal Service and the Police Service).

Recovery Time Objective (RTO): The period of time following an incident within which a product or an activity must be resumed, or resources must be recovered. (Source: ISO 22301:2012)

Resilience: Adaptive capacity of an organisation in a complex changing environment (Source: ISO Guide 73)

Risk: The chance of something happening that will have an adverse impact upon objectives.

Risk Assessment: A risk assessment is a process to identify potential hazards and analyse what could happen if a hazard occurs. A business impact analysis (BIA) is the process for determining the potential impacts resulting from the interruption of time sensitive or critical business processes. (Source: http://www.ready.gov/risk-assessment)

Stakeholder: A person, group or unit that has an interest or concern in an organisation. A Stakeholder can inform or be informed by the objectives, policies and decisions of an organisation. Examples of stakeholders are the Cabinet of the Republic of Trinidad and Tobago, Unions, employees
