Cisco Public
BC Program Customer Overview
A printed or duplicate soft copy of this document is considered uncontrolled. Refer to the
online version for the latest revision.
4 Cisco ONEx BCMS Structure
4.1 Program Initiation & Management
Cisco ONEx Executive Management recognizes the need for a BC management program and has
established the infrastructure to support this need. This infrastructure includes budget, personnel,
tools, and support in the form of policies and other communications.
Quarterly reviews of the Cisco ONEx BCMS are conducted with management. These reviews include
an overview status of the effectiveness of the program, the status of actions from previous reviews,
changes and issues relevant to the BCMS, a review of performance metrics related to the program,
results of any audits performed, and opportunities for continual improvement.
4.2 Risk Evaluation & Control
Cisco maintains a documented risk assessment process that systematically identifies, analyzes, and
evaluates the risk of disruptive incidents to the organization. Periodic risk assessments are performed
to identify the risks, threats, and vulnerabilities, both inherent and acquired, that can
adversely affect Cisco ONEx and its resources or impact our brand.
Once identified, threats and vulnerabilities are assessed as to the likelihood that they would occur
and the potential level of impact that would result. Cisco ONEx focuses on high probability and high
impact events to identify where controls, mitigations or management processes are non-existent,
weak or ineffective. This evaluation results in recommendations from the BCM Program for additional
controls, mitigations or processes to be implemented to increase resiliency from the most commonly
occurring and/or highest impact events.
Cisco ONEx relies on partners to provide some products and services. Annual supplier risk
assessments are performed on suppliers meeting defined criteria. Suppliers use online forms to
describe their BC and DR programs and upload evidence to show the effectiveness of these
programs. The Cisco ONEx BC team audits the responses and evidence files. Assessment data is
used to calculate supplier risk, form mitigation strategies, and drive corrective action.
4.3 Business Impact Analysis
Cisco ONEx conducts a Business Impact Analysis (BIA) every year. BIAs are entered into a
repository and are used to capture the likely and potential impact over time from events on the
organization or our processes and the criteria that will be used to quantify and qualify such impacts.
Subject Matter Experts (SMEs) from business function groups provide financial, operational,
customer, regulatory and/or reputational impacts for critical processes. This data is used consistently
throughout Cisco ONEx to define the Recovery Time Objective (RTO) and Recovery Point Objective
(RPO) for each process.
The result of this analysis is a list of time-sensitive processes and the requirements to recover them in
the timeframe that is acceptable to our organization. The BIA data is subsequently used to create or
update the Business Continuity Plan (BCP) for each business function group.