
BCI's GPG: 2018 and GPG 7.0

Updated: Mar 27

This write-up is not only about the differences between GPG 2018 and GPG 7.0; it also contains my views.


I have not made a word-to-word comparison between the two books. These impressions were developed while I was reading GPG 7.0.


My overall impression is that this is not just a new version of the GPG; rather, the GPG has been rewritten.

1. PP2: Embracing Business Continuity

"This chapter highlights the importance of Embracing BC. The premise for Embracing BC is designed to deliver outcomes that are the product of an organization with a strong BC culture, where individuals and teams have a deeper and more empathetic understanding of the BCMS and believe that BC is a core function."

 

This gives me the wrong impression that BCM is or is to be established only in organisations that have a strong BC Culture. I believe the strong BC culture will be the outcome of embracing Business Continuity.

 

2. RA - "The RA analyses relevant risks to prioritised activities to identify concentrations of risk or single points of failure that may result in disruption."


I believe a little correction is required here – an RA has only two components, identification and evaluation (prioritisation), so concentrations of risk or single points of failure are not known yet. It is only after I fail to find or implement a mitigation (which happens in the next phase) that I come to know of any SPoFs.

 

3. Enabling solutions – I would always like to record the assumption that the BC Plan (the first version – written, reviewed, and approved) is built on the assumption that all approved solutions are in place (even though enabling some of the solutions can still take weeks or months).

 

4. BC Champions have been defined - "Persons tasked with supporting the BCMS from the perspective of their area of expertise, by inputting and maintaining the system and periodically updating documentation."

This is good.

 

5. Injects have been defined - "Individual timeline events that are part of an exercise. They may include simulated media news clips, website articles, social media feeds, telephone calls, emails, and text messages."

This is good.

 

6. Priority Suppliers have been defined - "Priority suppliers are those who support prioritised activities and are identified as having the greatest impact if they fail to deliver resources, thereby impacting the organization’s ability to deliver its own products or services."

This is good.

 

7. The term Exercise is not defined (and I am happy with that – let us just use Test). But PP6 is full of Exercises. I find this conflicting and confusing.

 

8. PP6 Validation: "Validation is the PP that confirms the established BCMS meets the objectives set out in the policy and enables the organization to embrace BC through an effective and efficient awareness, exercising, maintenance, and review program."


So, I am surprised that Awareness is talked about in this PP. Nothing wrong, though, as I have been saying that ‘there is awareness (and, in the past, embedding) in each phase’. GPG 2018 did not talk about Awareness in PP6.

 

9. Workforce has been defined - "People/workers who provide a service or input to contribute to the business or organizational outcomes. This can include employees, contractors, and volunteers."

 

10. Workplace has been defined - "A workplace is any location where people conduct business for their employer or themselves."

 

11. Team cohesion is said to be one of the main outcomes of BC Tests. This did not exist in GPG 2018.

 

12. Is Simulation a type of test? The definition of Simulation does not say so (whereas the definition of Test clearly says that it is a type of exercise).

 

13. I would prefer all standards and guidelines to make a statement that BCM is not BAU. GPG 7 still does not make this statement.

 

14. PP3 defines the BCM Objectives – I believe this should happen in PP1 itself. It is almost on day 1 of the programme that I would like to know the objectives, so that I can design and develop the BCMS accordingly.

 

15. PP1 – Establishing the BCMS. I believe this is misleading. A ‘System’ will be in place only after one full cycle is completed (or debatably, even long after that).

 

16. PP1 - The scope of the BCMS is independent of the BC policy, so it may be defined before or after the policy is written.

 

I would like to challenge this. One non-negotiable/ mandatory component of a policy is its applicability (e.g., this policy is applicable to all employees across our organization/ to BU1/ to Geography1 etc.). This means I need to know the Scope of BCM Implementation before I write the BC Policy.

 

17. PP1: The BCMS documentation may include the following:

a. A defined BCMS scope.

b. A BC policy.

c. High-level governance structure.

d. Objectives for the BCMS.

e. How the objectives will be met.

f. Detailed operational processes and associated roles and responsibilities.

g. Ways in which the BCMS will be validated.

h. How organizational culture will support the BCMS.

i. How the BCMS will be monitored, reviewed, and continually improved over time.


I believe these are mandatory to be included in the Scope document. The policy may be a separate document.

 

18. PP1: Global organizations may need to issue multiple policies to take account of different cultures in different locations.

 

I am not sure whether the culture of a location would force an organisation to issue a different version of the BC Policy.

 

19. PP1: Policy. ISO 22301 and GPG 7 say that the BCMS/Policy should be aligned to the organisation’s context, but neither gives an example (the Standard, by design, will not tell ‘how’, but the GPG was developed to bridge that gap).


I suggest linking BCM/ BCMS with the organisation’s VMV, Purpose,  Objectives etc.

 

20. PP1: Governance “..The early identification of clearly defined roles and associated responsibilities is a key element of governance…”

 

Again, ISO 22301 requires Roles, Responsibilities, and Authorities to be defined. The GPG is inconsistent in that it mostly talks about Roles & Responsibilities only. In my audit experience, too, I have found that almost no organization has written down Authorities (even those that have been certified for years and decades). The GPG does not have any examples/samples of Authorities associated with the various roles in the BCMS.

 

21. PP1 – page 26 gives a checklist to ensure the successful completion of the PP.

Sadly, this is not given for other PPs.

 

22. Surprisingly, the GPG still does not talk about risks to the BCM Programme, while ISO 22301 has such an expectation, and it is logical.

 

23. PP2 – Embracing Business Continuity: Embracing BC is a paradigm shift from mandating and enforcing compliance (for example, to a policy) by embedding BC into the organization. Embracing supports the requirements present in policies and audit requirements and it is an outcome of education, awareness, and a greater understanding of the reason why the organization needs protection from operational disruptions. Embracing also elaborates and provides clarity on those nuances and grey areas that are often missing from compliance and statutory requirements. This level of pragmatism is specifically designed to help persuade all members of an organization to adopt a BCMS. Time demands and overall commitment from personnel will only be met once the workforce truly believes that BC must be up-to-date and operational to protect the organization and its interested parties. This results in an improved BC culture that delivers fit-for-purpose capability and competency.

 

So, while the name has been changed, the means is still through education (training), and awareness.

 

24. PP2 – Embracing Business Continuity: The following table has been introduced, and is good (though I have a small difference of opinion: these are shortcomings, and not necessarily the reason to move from Embedding to Embracing):

Table 3: examples of why embedding does not always result in BCMS quality.

 

25. PP2: I like this Head to Heart concept that has been introduced:

“Only then can BC move: From – head (rational): A corporate mandate driven by policy, To – heart (emotional): A cultural mandate driven by personal beliefs and corporate behaviours.”

 

26. PP2: “..For organizations with a large BC culture gap, the approach is to start with the basics…”.

 

I guess this opens a can of worms, and endless discussions. We will now have to spend time judging the current BC Culture, and then the desired BC Culture to find the gaps and bridge them. How can one measure BC Culture? Are there any existing models?


This provides me with an action to develop a BC Culture Measurement Tool.

 

27. I found the following table very useful:

 

28. Having finished reading PP2 of GPG 7.0, I am inclined to write that the BCM Dashboard (planned vs achieved) will provide a measure of BC Embracing in the organization.

 

One sample dashboard may look like this, or will have all of the following components:


 

29. PP3 and other places – while stage 4 has been renamed Solutions Design, there are inconsistencies in that ‘strategies’, ‘strategy design stage’, etc. are still used, e.g.

“The BIA is the foundation for designing effective recovery strategies and plans. The outcome of the BIA and the RA is an input to the strategy design stage of the BCMS.”

 

30. PP3: For a long time the GPG continued with four types of BIA – Initial, Product and Service, Process, and Activity BIA.

 

The first one has been dropped in GPG 7 and it now has only three types of BIAs, namely Product and service BIA, Process BIA, and Activity BIA.

 

In practice, I have only conducted the BIA at a process level, and it has worked well. But the Initial BIA (conducted formally or otherwise, under any name) has its usefulness.

 

31. I would have expected GPG to provide a clarification like this:



32. PP3: page 39 – ‘The BIA process aims to’ – the order of the bullets would be better as MTPD, RTO, RPO, MBCO, Resources; the resources required are a function of the MBCO, hence this recommendation.

 

33. PP3: page 42 – the RTO-MTPD diagram shown there is debatable. We have seen multiple versions of such diagrams, but this one provides the least information. It just shows the terms MTPD and RTO – it does not help one understand what is what.

 

34. PP3: page 49 – “..Detailed MTPD and RTO and the justification for them, which should determine the timeframe of the solutions for each activity…”


How MTPD and RTO can be ‘detailed’ is not clear.

 

35. PP3: Risk and Threat Assessment (from GPG 2018) is now Risk Assessment.

 

36. PP3: BIA, RA – While ISO 22301 implicitly says that the BIA is to be conducted before the RA (clause no and also that the RA is to be conducted for prioritised processes/activities), the GPG continues to be ambiguous, as below:

 

“In the Analysis stage, the BIA is often conducted before the RA so that the organization can just focus on the prioritised activities. “

 

37. PP3: There is the addition of a concept of velocity of a risk e.g., see below:

 

“Together these may indicate how fast a risk could affect an organization.”

 

But this is said to be the outcome of likelihood and consequence – which is not correct. The outcome of likelihood and consequence is the risk value/rating. To gauge the speed of a risk, we need to capture another parameter – speed or velocity.

 

38. PP3: page 51 talks of Risk Treatment e.g., see below:

 

“Risk treatment: using the information from the RA process to identify opportunities to mitigate each risk identified by seeking to reduce the likelihood of the risk materialising or lowering the impact of the disruption to the organization.”

 

If this were to be done at this stage, then the stage should be called RM and not RA.

 

39. PP4 – the word ‘strategy/ strategies’ is back with a bang. (strategy = 44 times, strategies = 67 times in GPG 7.0 vs 8 and 4 times in GPG 2018).

 

Long ago, this stage was known in short as ‘strategies’; it seems we are back to that, or that concept is supported much better by this version of the GPG.


40. PP4 – there is a clear distinction between the ‘strategies’ and ‘solutions’ e.g., see below:

“Strategies outline the high-level approach for meeting the organization’s BC requirements. Solutions detail how the strategy will be delivered.”

 

41. PP4: has gone through major changes, and I formed my opening opinion (that GPG has been re-written) while reading this portion of GPG 7.

 

42. PP4: GPG 2018 had the following 5 solutions (strategies):

a. Diversification

b. Replication

c. Standby

d. Post-incident acquisition

e. Do nothing

And then there were tables for the various categories, e.g., what diversification and replication mean for people, buildings, IT, and so on.

 

GPG 7.0, on the other hand, has defined ‘strategy categories over time’ based on 5 RTO ranges, i.e., within one hour, within hours, within days, within a week, and weeks to months.


There are then multiple tables showing possible strategies for each type of failure (people, building, IT, etc.) for each category of RTO.


Also, the old traditional bronze, silver, gold, and platinum levels have been reintroduced.


I wish the tables of GPG 7 and those of GPG 2018 could be superimposed to bring the best of both for the implementers’ benefit.

 

43. PP4 – page 61 – there are discussions about providing support to suppliers.

 


This is not understood. I need to take care of my business, and I will have dual suppliers for my needs (my strategy). If one fails, I continue with the other one (I invoke my plan according to my strategy), and the one that failed will do their recovery and continuity based on their own strategies. Why would I want to provide any support, in cash or kind, to the first supplier that has failed? And, even if I wished to (according to GPG 7), I cannot have the equipment and type of facilities that the supplier would need.

 

44. PP5: So, the name has changed. It is now called Enabling Solutions vs Implementation in GPG 2018.

 

45. PP5: page 66 – refers to PP6 Validation:

 

“Each implementation should include Validation (PP6) – without this, it cannot be confirmed to have met the specifications.”


This is an incorrect reference, and it needs to be understood. E.g., a solution was approved to have a secondary workplace, and the option chosen was to hire this space. The Facilities department would own getting this in place, as either a partially built or a fully fitted space. They will still conduct some tests (AC, lighting, etc.) before handing it over to the BCM Team. This is a validation by the Facilities team, and it is what the above statement in GPG 7 refers to. They will most likely check the availability of light and AC, not their efficacy.


After this, the BCM Team will conduct tests (validation as in PP6) – for example, they will not test the light and AC, but rather the time taken for the recovery team to reach the secondary site after BC invocation. The team working from the alternate site may now also notice the efficacy of the light and AC.

 

Step 10 of the process on page 67 and ‘Outcomes and Review’ on page 68 of GPG 7 are understood to do this.

 

46. PP5: Communications has been dealt with in greater detail.

 

47. PP5: A new concept of ‘Warning Plans’ has been introduced.

 

48. PP5: “The BC professional should consider that the spokesperson must: Be appropriate to the audience and relevant to the type and impact of the incident..”

 

I doubt this responsibility is on, or can or should be put on, the BC professional (manager). This is the responsibility of top management, who will appoint the spokesperson.

 

49. PP5: page 84, Tactical Plans says, “Procurement plan: coordinating how resources will be sourced and allocated when a supplier disruption affects multiple business units.”

 

I once again doubt whether a supplier’s failure needs to go to Procurement like this. I will simply invoke the BC plan to use the alternate supplier. We must also remember that our supply needs will be reduced, and perhaps we will need supplies at a different place.

 

50. PP5: Operational Plans says, “The outcomes of developing operational plans include the ability to: Respond to emergencies, including threats to life, property, or the environment.”.


But all this is part of the Strategic Level Plan!

 

51. PP5: now specifically mentions ‘Process for Returning to BAU’, which is dealt with at length and is good.

 

So, the general agreement is that it is not possible to have Return to BAU plans, yet page 88 mentions validation of these plans!

 

52. PP5: ‘Plans for Specific Situations’ (almost new entry) has been dealt with at length.

 

53. PP5: ‘Product Recall Plan’ deals only up to the recall of the impacted product.

 

Which plan will ‘fix’ this is not clear. This is not the usual case where the primary has failed, been rectified, and is simply restarted, with nothing needing to change. In a product recall it is not a restart; some special fix is also required. ‘No Product is better than a Faulty Product!’

 

54. PP6: “Validation is the PP that confirms the established BCMS meets the objectives set out in the policy and enables the organization to embrace BC through an effective and efficient awareness, exercising, maintenance, and review programme.”


By that logic, awareness happens at all the other stages too, but it is not mentioned there.

 

Later it says, “Validation provides methodologies to measure the quality and effectiveness of the BCMS and BC capability, the competence of individuals, and team cohesiveness.”

 

So, if an organization says they follow the GPG, they will be audited on this point. But what is the measure of ‘cohesiveness’?

 

55. PP6: As one main change, Embedding has been replaced with Embracing (PP name level change), but on page 91, it again says “The identification of and investment into specific roles and responsibilities that support BC to become embedded within the organization.”


I call such instances ‘inconsistencies.’

 

56. PP6: Concept of virtual testing has been introduced.

 

57. PP6: A new type of Review has been introduced i.e., Post-incident Review.

 

58. PP6: QA, page 110 – “Ensuring the BIA identifies the MTPDs for all prioritised activities.”

 

This is not correct. MTPD needs to be established for all processes/activities; only then do we know the priority (based on RTO).

 

I close this document by acknowledging the great work done by my fellow professionals who were involved in the development and review of GPG 7.0. That this document has run to 10 pages is not meant to question their capabilities and competencies at all.


1 comment


As always, I look forward to your views.
