Business Continuity and Contingency Management

An extract from the Office of Government Commerce.

What is business continuity management?

Business continuity management is an ongoing process of risk assessment and management with the purpose of ensuring that the business can continue if risks materialise. These risks could be from the external environment (over which you have no control, such as power failure) or from within your organisation, such as deliberate or accidental damage to systems. Business continuity is not just concerned with disaster recovery; it addresses anything that could affect the continuity of service over the long term, such as staff shortages in specialist areas.

Why is it important?

You must be confident that your organisation could continue to deliver its business objectives if things go wrong. You need to have contingency plans to cope with disasters such as system failure; you also need to look to the longer term and consider issues such as:
  • skills requirements
  • provider lock-in
  • technology obsolescence.

Who is involved?

A member of the board or Executive should be given overall responsibility for the process. This ensures that the process is given the correct level of importance within the organisation and a greater chance of effective implementation.

An overall business continuity management (BCM) co-ordinator should report directly to the board or Executive member responsible for BCM. This person is ideally someone who understands the business structures and people; good programme management, communication and interpersonal skills may also be needed, together with the ability to lead a team. The co-ordinator will need the support of BCM analysts, lower level/regional teams and appropriate administrative staff.

Principles

Business continuity management centres around a business continuity plan (BCP), which must be endorsed by senior management and subjected to rigorous testing.

BCM is about understanding the business and establishing what is vital for its survival. If a mission statement and key supporting aims exist these indicate where the organisation is focused. It is on mission critical activities that BCM has to focus.

Your organisation has many dependencies, both internal and external, that support the mission critical processes and functions. These can include providers, customers, other stakeholders, IT systems and manufacturing processes, and they must be identified at an early stage. Involving representatives from these key dependencies will add value to the process.

There must be a cultural readiness to accept BCM. There should be an education and awareness programme to ensure organisation-wide understanding and adoption of the plan, covering internal and external stakeholders.

Process

The stages of BCM are:
  • understanding your business
  • formulating continuity strategies
  • developing a response
  • implementing a continuity culture
  • testing the plan, maintenance and auditing.

Understanding your business

This stage is about the analysis of the business and is critical. It provides the basis upon which all subsequent BCM policies and processes are based. You should:
  • identify mission critical processes and functions
  • identify key internal and external dependencies upon which these rely
  • identify external influences that may have an impact on critical processes and functions.

There are four basic questions to be asked:

  • what is this business about?
  • when are we to achieve our goals?
  • who is involved, both internally and externally?
  • how are the goals to be achieved?

Carry out a risk assessment to identify the threats to these processes. Whatever risks the organisation faces, there are relatively few effects, for example loss of critical system(s), site or personnel, or denial of access to systems and premises, all of which produce similar disruption. You should focus on essential business elements rather than a global risk-specific analysis. The process will also take into account the time sensitivity of each business function/process to disruption, and this information will determine the recovery objectives.

You should:
  • determine impact on the business if mission critical process/functions are lost
  • ensure involvement of appropriate functions
  • apply rating, including time dependencies
  • obtain sponsor's approval to business impact assessment output
  • determine the threats to critical processes/functions
  • examine existing risk strategies/analysis
  • apply scoring system to risks identified
  • produce combined business impact and risk assessment
  • obtain sponsor's approval to business impact and risk assessment

Formulating continuity strategies

You must decide on the approach to be taken to protect the business. This decision must be taken at board level.

Your options include:
  • do nothing – in some instances the board may consider a risk acceptable from a business perspective
  • changing or ending the process – deciding to alter existing procedures must be done bearing in mind the organisation's key focus
  • loss prevention – tangible procedures to eliminate / reduce risk
  • business continuity planning – an approach that seeks to improve organisational resilience to interruption, allowing for the recovery of key business and systems processes within the agreed recovery timeframes, whilst maintaining the organisation's critical functions.

You should:
  • identify possible business continuity strategies
  • assess suitability of alternative strategies against the output of the business impact and risk assessments
  • prepare cost / benefit analysis of various strategies
  • present recommendations to sponsors for approval.

Developing the response

For crisis management, you should develop a detailed response to a potential incident and formulate plans that support that response. Emergency response and operations covers the development and implementation of procedures for responding to and stabilising the situation following an incident, including establishing and managing an emergency (or crisis) operations centre. You must establish a procedure for command and control of the incident, to include:
  • opening the emergency operations centre and its security arrangements
  • the management and operations of the centre
  • closing down of the centre when the crisis has ended.

You should also determine the actions to be taken in the area of salvage and restoration.

You must develop a business continuity plan. This document brings together the actions to be taken at the time of an incident, who is involved and how they are to be contacted. The plan or plans must reflect the current position of the organisation and all its stakeholders. A business continuity plan should be designed to provide recovery of the organisation within the recovery time objectives established during the business impact assessment process. A procedure should also be established to shift from the emergency response plan to the business continuity plan.

Implementing an action plan

Ensure that the culture of BCM is embedded in your organisation. All those associated with the organisation need to have confidence in its ability to manage in a crisis. You should:
  • assemble Emergency Management/BCM/Crisis and Recovery Teams
  • implement relevant training programmes for each team dependent upon task, including crisis communications/media training as appropriate
  • establish/equip emergency and crisis centres
  • establish internal and external contractual arrangements/service level agreements
  • implement back-up and off-site storage arrangements
  • distribute plan documentation as appropriate
  • conduct internal and external awareness programmes
  • prepare crisis communication statements for all stakeholders

Testing the plan, maintenance and auditing

A business continuity plan is unreliable until it has been tested and proven workable; until then, false confidence may be placed in its integrity. A minimum requirement should be to test every 12 months. You should:
  • prepare a representative and suitably detailed disaster scenario, including aspects such as date, time, current workload, political and economic conditions, accounting period end and concurrent activities.

You must keep the plan up to date to reflect changes in the business. You should:
  • define plan maintenance scheme and schedule for the plan
  • monitor activities
  • update the plan as required
  • distribute under formal change control procedures
  • carry out regular tests.

The plan should be audited, ideally by an independent auditor, to ensure objectivity. The audit should be conducted on a minimum of an annual basis. You should:
  • set audit objectives and scope
  • assess and select the audit method
  • audit the administrative aspects of the BCM process
  • audit the plan's structure, contents and actions sections
  • audit the plan's documentation control procedures
  • submit to the sponsor