Servicesarrow Organization security
Organization security

Business continuity

Sudden interruptions in the provision of services or the implementation of production processes result in a decrease in revenues, financial penalties from business partners, reduced customer confidence and damage to the image of stakeholders. How to effectively prepare your company for business continuity incidents to avoid negative consequences? The answer is the implementation of BCMS (Business Continuity Management System) in the scope adjusted to the needs of the Organization.

The rationale for implementing the Business Continuity Management System or its elements varies. They may result, inter alia, from:

  • willingness to implement and certify the Business Continuity Management System according to international standards, such as ISO 22301,
  • the need to adapt to the conditions imposed by the customer as part of supply chain management,
  • obligation to meet legal requirements, such as the Act on the National Cybersecurity System, about which we write here,
  • the terms of the insurance policy purchased by the company,
  • or the sincere need to secure your business.

Regardless of the reason for the decision to implement BCMS or its selected elements, it should be remembered that effective business continuity management is always based on two pillars – prevention and appropriate response. The first one concerns the analysis of the activities carried out by the client as part of the BIA, identification of resources for critical processes, identification of threats that may result in unavailability of resources and taking appropriate actions in relation to the identified risks. The second area is preparation for probable incident and accident scenarios that will be identified during the risk assessment or result from past experience. How to do it? Create appropriate business continuity plans, crisis communication rules, emergency and recovery procedures. However, this is not all – it is crucial to test them properly to be sure that the adopted solutions will not fail us in a real threat.

None of the elements described can be omitted or simplified too much. This leads to an incorrect definition of business continuity needs, omission of important resources, neglect of risks, significant deficiencies in emergency and recovery procedures or the creation of business continuity plans, the use of which is questionable due to the lack of testing their effectiveness.



We recommend that each project of BCMS implementation or selected elements of business continuity management begin with a pre-audit. The main objective of the study is to verify the degree of compliance by the Customer with the requirements of reference standards and good practices in the field of business continuity management, and to get acquainted with the Organization, the adopted process model, implemented business continuity management mechanisms and the technology used.

As part of the initial audit, Blue Energy Experts carry out a documentation audit and a proper BCMS audit at the client’s premises. The product of this stage is a report presenting strengths and weaknesses in business continuity management and recommendations in the form of a roadmap with a description of tasks necessary to be implemented in order to increase the level of security of the conducted activity.


Business Impact Analysis (BIA) aims to provide an answer to the question which of the processes carried out in the Organization are particularly important. In order to ensure the most objective assessment of the processes by their owners, Blue Energy Experts together with the Project Team develop a detailed BIA analysis methodology. The methodology includes criteria for assessing financial, image, and regulatory and legal effects resulting from a break in the implementation of processes in fixed units of time (from several hours to several days).

In addition, as part of the BIA analysis, business continuity parameters are determined for each of the processes, including at least:

  • RTO – Recovery Time Objective – Maximum Process Unavailability Time,
  • MBCO – Minimum Business Continuity Objective – the level of the Process implementation allowing for the maintenance of business continuity to a minimum extent,
  • MTPD – Maximum Tolerable Period of Disruption – the time after which the process should be resumed in normal mode.


The results of the analysis are compiled in the form of a BIA analysis report containing a detailed assessment of individual processes. The document also lists the critical processes on which further design work is focused. Thanks to this approach, irrelevant processes are not included in the design of the BCMS, resulting in significant savings for the client.

In the case of IT projects, the BIA analysis is performed in relation to specific systems.

Risk Assessment

The business continuity risk assessment focuses on the processes recognized by the BIA as critical activities. Business Impact Aanalysis, Risk Assessment are implemented in accordance with the methodology developed by the Project Team. The purpose of the risk assessment is to obtain full knowledge of threats and vulnerabilities that may significantly affect the continuity of processes carried out in the Organization. Correctly performed risk assessment is therefore a mine of knowledge for people managing the organization.

We recommend that the risk assessment takes place in relation to the resources necessary to implement the critical processes. Resource categories vary by business. They can be people, their specific competences, IT systems, industrial automation systems, machinery and infrastructure, means of communication, internal procedures and many, many more.

As part of the risk assessment, Blue Energy’s experts and the Client’s representatives identify threats, vulnerabilities and determine the probability and effects of a potential risk. As part of the risk assessment, actions are defined in the Risk Treatment Plan and include both planned preventive actions and event scenarios that should be covered by appropriate business continuity procedures.

The product of this stage is a report containing detailed results of the risk assessment together with the Risk Treatment Plan.

Business Contuinity Management documentation

As part of this stage, Blue Energy Experts prepare the BCMS documentation. The scope of documents, their structure and content are agreed by the Project Team to meet the client’s requirements. The documentation model is different for a company that comprehensively implements ISO 22301 requirements and different for an organization focusing only on developing a Business Continuity Plan due to the insurer’s requirements. Each time a list of documents to be developed is created.

The proposed scope of documentation for the implementation of the Business Continuity Management System based on ISO 22301 includes, among others:

  • Bussiness Contuinity Management Policy & Strategy
  • The proposed scope of documentation for the implementation of the Business Continuity Management System based on ISO 22301 includes, among others:
  • BIA analysis methodology,
  • Risk Management methodology,
  • Business Continuity Plan Template,
  • Model of an emergency / recovery procedure,
  • Procedure for creating and testing business continuity,
  • Security requirements for external suppliers.

Each document is proposed by Blue Energy Experts. The final versions of the regulations are created with the active participation of the client.

Business continuity plans and emergency and recovery procedures

We recommend that your business continuity incident response documentation be divided into 2 levels. Higher – addressed in the Business Continuity Plan, and lower – included in emergency and recovery procedures.

As part of the project, Blue Energy Experts develop a Business Continuity Plan including:

  • a list of critical processes along with the resources necessary for their implementation,
  • the structure of crisis management in the Organization,
  • rules of notification as well as internal and external communication,
  • rules for starting and canceling crisis mode,
  • business continuity strategy,
  • way of monitoring and reporting work in crisis mode.

The target shape of the Business Continuity Plan is developed together with the Project Team.


The Business Continuity Plan is supplemented at the operational level with specific procedures and instructions. Blue Energy experts support the client both in the preparation of emergency procedures for the maintenance of business, production and technological processes, as well as IT and industrial automation. The Blue Energy team consists of security architects, system administrators and pentesters, whose knowledge will add value at the stage of creating procedures.

The adopted model ensures an effective response to events both at the level of Crisis Management by Top Management (Business Continuity Plan) and the recovery of processes and resources at the operational level (emergency and recovery procedures).

Bussiness Contuinity testing

Testing the effectiveness of the developed business continuity incident response procedures is the best test of the organization before a real threat occurs. That is why Blue Energy Experts place great emphasis on the organization of practical BCMS tests. As part of the preparation of business continuity tests, we develop internal regulations in the field of test planning, their organization and the selection of effective testing methods. They include the organization of tests in the form of tests, staff games, and the most advanced – operational tests.

As part of this stage, Blue Energy Experts:

  • develop an annual schedule of business continuity tests with the Project Team,
  • select test methods appropriate for the tested scenarios,
  • develop test assumptions containing scenarios of emergency situations that are the subject of tests,
  • they take an active part in the tests by moderating staff games and operational tests,
  • prepare business continuity test reports containing recommendations for continuous improvement.

Due to their experience and technical knowledge, Blue Energy Experts plan and moderate tests on organizational and business processes, as well as more complex tests in the area of IT / OT infrastructure maintenance.


Do you need safety support?
contact us arrow
Service implementation process
Audit An optional step to get to know the Organization and assess the level of compliance with good practices in the BCMS area, e.g. ISO 22301
Business Impact Analysis - Process Owner Assessment of the consequences of interrupting processes, determining the parameters of business continuity. Identification of critical processes.
Risk Assessment Establishing a Risk Treatment Plan, including the identification of requiring scenarios.
Development of documentation of the Business Continuity Management System in accordance with the structure agreed with the client.
Preparation of a Business Continuity Plan as well as emergency and recovery procedures.
Planning and implementation of business continuity tests based on scenarios of potential failures agreed with the client. Defining improvement actions based on test results.
Do you have questions about this service?
Write to us arrow
Additional materials