About the Professional Practices
Created and maintained by Disaster Recovery Institute (DRI) International, The Professional Practices for Business Continuity Management is a body of knowledge designed to assist in the development, implementation, and maintenance of business continuity programs. It also is intended to serve as a tool for conducting assessments of existing programs.
Use of the Professional Practices framework to develop, implement, and maintain a business continuity program can reduce the likelihood of significant gaps in a program and increase cohesiveness. Using the Professional Practices to assess a program can identify gaps or deficiencies so they may be corrected.
Business continuity management (BCM) is a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities. Terms are defined in The International Glossary for Resilience published and maintained by DRI International.
Professional Practices 2023
As part of DRI International’s ongoing efforts to maintain the relevance and utility of the Professional Practices, an extensive revision of substance, form, and function was undertaken beginning on November 1, 2021, and finishing August 1, 2022. The goals were to provide information that would include:
- An enhanced version of Professional Practice Five: Incident Preparedness and Response to include more of the preparation activities related to incident management;
- More information on identifying various cyber threats and strategies for remediation by integrating cybersecurity activities into business continuity management;
- Enhancing the use of insurance as a risk transfer tool and providing more specific types of insurance policies that should be an integral part of business continuity management;
- Introducing more robust data backup techniques;
- More technology-specific strategies; and
- More manufacturing strategies.
In addition, the titles of four of the Professional Practices were modified:
- Professional Practice One was changed from Program Initiation and Management to Program Management;
- Professional Practice Five was changed from Incident Response to Incident Preparedness and Response to emphasize the activities that are necessary to create an effective response plan;
- Professional Practice Eight was changed from Business Continuity Plan Exercise, Assessment, and Maintenance to Business Continuity Plan Exercise/Test, Assessment, and Maintenance for consistency; and
- Professional Practice Ten was changed from Coordination with External Agencies to Coordination with External Agencies and Resources.
Professional Practices Life Cycle
Objectives of The Professional Practices for Business Continuity Management
1. Program Management
- Establish the need for a business continuity program.
- Introduce key concepts, such as program management, risk awareness, impact to critical functions/processes, recovery strategies, training and awareness, and exercising/testing.
2. Risk Assessment
- Identify risks that could impact an entity’s resources, processes or reputation.
- Assess risks to determine the potential impacts to the entity, enabling the entity to determine the most effective means to reduce them.
3. Business Impact Analysis
- Identify and prioritize all of the entity’s functions, processes, and dependencies in order to determine the greatest impact upon the entity should the functions not be available. This analysis should be retained and available to assist the entity in understanding incidents and/or the resulting consequences. Quantify the impact to the entity, its services, and the affected parties.
- Analyze, document, and communicate the findings to highlight all gaps between the entity’s requirements and its current capabilities.
4. Business Continuity Strategies
- Select strategies to reduce gaps as identified during the risk assessment and business impact analysis.
- Identify the major functions of the entity, including potential third-party service providers, with the support of the responsible party for the business impact analysis.
5. Incident Preparedness and Response
- Understand the types of incidents that could threaten life, property, operations, or the environment and their potential impacts.
- Establish and maintain capabilities to protect life, property, operations, and the environment from potential incidents through the implementation of an incident management system to command, control, and coordinate response, continuity, and recovery activities with internal and external resources.
6. Plan Development and Implementation
- Document plans to be used during an incident that will enable the entity to continue to function.
- Define the exercise/testing criteria to validate that the plans will accomplish the desired goal.
7. Awareness and Training Programs
- Establish and maintain training and awareness programs that result in personnel being able to respond to disruptive incidents in a calm and efficient manner.
8. Business Continuity Plan Exercise/Test, Assessment, and Maintenance
- Establish a business continuity plan exercise/test, assessment and maintenance program to maintain a state of readiness of the entity.
9. Crisis Communications
- Create and maintain a crisis communications plan.
- Ensure that the crisis communications plan will provide for timely, effective communication with internal and external parties.
10. Coordination with External Agencies and Resources
- Establish policies and procedures to coordinate response activities with applicable public entities and private resources in accordance with Professional Practice Five: Incident Preparedness and Response.