Business Impact Analysis and Risk assessment

​

We have established, implemented and maintain processes for business impact analysis and assessing the risks of disruption.  We ​review business impact analysis and risk assessment on a regular and planned basis or when there are significant changes to the business the context in which we operate. 

​

Business continuity priorities will be determined as an output from the business impact analysis process.  The process shall define the impact types and assess them over time, resulting from from the disruption of these activities.

​

Maximum tolerable periods of disruption shall be established and recovery time objectives identified to enable resumption of disrupted activity to a specified minimum acceptable capacity.

​

The analysis shall also identify the prioritised activities and the dependencies and interdependencies for those prioritised activities.

​

We have established a risk register for the business that identifies the risks of disruption, analyses them and determines which risks require treatment.

​

Business Continuity Strategies and Solutions

​

Business continuity strategies and plans will be developed as an output from the business impact analysis exercise. The strategies will be comprised of one or more solutions that ensure that prioritised activities are recovered within time frames to agreed capacities. The strategies shall also ensure that the likelihood of disruption is reduced and the period of disruption shortened and the impact of the disruption minimised.

​

Strategies and solutions shall be selected based on risk and consider any associated costs and benefits. The resources required shall be determined and include people, information and data, equipment, IT systems, finance, partners and suppliers.

​

Business Continuity Plans and Procedures

​

We have identified plans and procedures to manage the business during a disruption. These plans shall include the immediate steps to take, be flexible to the changing circumstances of the disruption, focus on the incidents that led to the disruption, minimise the impact of disruption and assign the roles and tasks for managing the disruption.

​

Response structures have been established for managing the disruption and undertake the actions defined in the business continuity plans. Internal and external communications have been defined  to ensure that all interested parties are communicated with effectively.

​

Business continuity plans  are documented and provide guidance to assist staff and response teams to respond to a disruption and assist us with response and recovery. Plans shall include actions to recover prioritised activities and timescales, procedures to enable the delivery of services at a defined capacity.

​

Plans shall include the purpose, scope and objectives, the roles and responsibilities, the actions to implement the solutions, the internal and external dependencies, the resource requirements, reporting requirements and a process for standing down.

​

Business continuity testing is conducted to ensure that particular scenarios are rehearsed, teamwork is developed, strategies and solutions are effective, outcomes and improvements are identified and results from the exercise are reviewed.

​

Business continuity documentation and processes are regularly evaluated through reviews, exercises, tests and post incident reviews.