What is business continuity management?
Business continuity management is an ongoing process
of risk assessment and management with the purpose of ensuring that
the business can continue if risks materialise. These risks could be
from the external environment (over which you have no control, such
as power failure) or from within your organisation, such as deliberate
or accidental damage to systems. Business continuity is not just concerned
with disaster recovery; it addresses anything that could affect the
continuity of service over the long term, such as staff shortages in
specialist areas.
Why is it important?
You must be confident that your organisation could continue to deliver
its business objectives if things go wrong. You need to have contingency
plans to cope with disasters such as system failure; you also need to
look to the longer term and consider issues such as:
- skills requirements
- provider lock-in
- technology obsolescence.
Who is involved?
A member of the board or Executive should be given
overall responsibility for the process. This ensures that the process
is given the correct level of importance within the organisation and
a greater chance of effective implementation.
An overall business continuity management (BCM) co-ordinator
should report directly to the board or Executive member responsible
for BCM. This person is ideally someone who understands the business
structures and people; good programme management, communication and
interpersonal skills and the ability to lead a team may also be needed.
The co-ordinator should be supported by BCM analysts, lower level/ regional
teams and appropriate administrative staff.
Principles
Business continuity management centres around a business
continuity plan (BCP), which must be endorsed by senior management and
subjected to rigorous testing.
BCM is about understanding the business and establishing
what is vital for its survival. If a mission statement and key supporting
aims exist, these indicate where the organisation is focused. BCM has to
focus on the mission critical activities.
Your organisation has many dependencies, both internally
and externally, that support the mission critical process and functions.
These can include providers, customers, other stakeholders, IT systems
and manufacturing processes, which must be identified at an early stage.
Involving representatives from these key dependencies will
add value to the process.
There must be a cultural readiness to accept BCM. There
should be an education and awareness programme to ensure organisation-wide
understanding and adoption of the plan, covering internal and external
stakeholders.
Process
The stages of BCM are:
- understanding your business
- formulating continuity strategies
- developing a response
- implementing a continuity culture
- testing the plan, maintenance and auditing.
Understanding your business
This stage is about the analysis of the business and is critical. It provides
the basis upon which all subsequent BCM policies and processes are based.
You should:
- identify mission critical processes and functions
- identify key internal and external dependencies upon which these
rely
- identify external influences that may have an impact on critical
processes and functions.
There are four basic questions to be asked:
- what is this business about?
- when are we to achieve our goals?
- who is involved, both internally and externally?
- how are the goals to be achieved?
Carry out a risk assessment to identify the threats
to these processes. Whatever risks the organisation faces, there are
relatively few effects (for example loss of critical system(s), site
or personnel, or denial of access to systems and premises), all of which
produce similar disruption. You should therefore focus on essential business
elements rather than a global risk-specific analysis. The process will also
take into account the time sensitivity of each business function/ process
to disruption, and this information will determine the recovery objectives.
You should:
- determine impact on the business if mission critical process/functions
are lost
- ensure involvement of appropriate functions
- apply rating, including time dependencies
- obtain sponsor's approval to business impact assessment output
- determine the threats to critical processes/functions
- examine existing risk strategies/analysis
- apply scoring system to risks identified
- produce combined business impact and risk assessment
- obtain sponsor's approval to business impact and risk assessment.
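The scoring steps above (rate impact with its time dependency, score the threats, combine the two) are easier to get right when the register is produced mechanically. The following Python is an added example, not part of the original page: it derives each process's recovery time objective from a time-sensitivity profile, propagates threats to processes through the dependency map, scores each process/threat pair as likelihood x impact, and flags the pairs where a plausible outage outlasts the RTO, which is exactly the list the strategy stage has to address. The process names, dependencies, threats, 1-4 impact and 1-5 likelihood scales and the expected outage durations are all constructed assumptions.

```python
"""Combined business impact and risk assessment (BIA + RA) scorer.

Added example: process names, dependency map, threats, rating scales and
expected outage durations below are constructed assumptions, not the page's data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

CRITICAL = 4  # impact rating at which disruption is no longer tolerable (assumed 1..4 scale)


@dataclass
class Process:
    name: str
    impact_profile: Dict[int, int]   # outage hours -> impact rating, 1 (minor) .. 4 (critical)
    dependencies: Tuple[str, ...]    # internal/external dependencies the process relies on


@dataclass
class Threat:
    name: str
    effect: str                      # effect class (loss of system/site/personnel/provider, denial of access)
    likelihood: int                  # 1 (rare) .. 5 (almost certain), assumed scale
    hits: Tuple[str, ...]            # dependencies this threat takes out


def impact_at(p: Process, hours: int) -> int:
    """Impact rating if the process is down for `hours` (step function over the profile;
    an outage shorter than the first checkpoint is treated as minor)."""
    rating = 1
    for checkpoint in sorted(p.impact_profile):
        if hours >= checkpoint:
            rating = p.impact_profile[checkpoint]
    return rating


def recovery_time_objective(p: Process) -> int:
    """Longest outage (hours) the process tolerates before impact becomes critical:
    the recovery time objective the BIA hands to the strategy stage."""
    tolerated = 0
    for checkpoint in sorted(p.impact_profile):
        if p.impact_profile[checkpoint] >= CRITICAL:
            break
        tolerated = checkpoint
    return tolerated


def affected(t: Threat, processes: List[Process]) -> List[Process]:
    """A threat to a dependency is a threat to every process that relies on it."""
    return [p for p in processes if set(p.dependencies) & set(t.hits)]


def risk_register(processes: List[Process], threats: List[Threat],
                  expected_outage_hours: Dict[str, int]) -> List[dict]:
    """One row per (process, threat) pair, scored likelihood x impact at the planning
    outage for that effect class, ranked highest first, and flagged where the expected
    outage exceeds the process's RTO."""
    rows = []
    for t in threats:
        hours = expected_outage_hours[t.effect]
        for p in affected(t, processes):
            rto = recovery_time_objective(p)
            impact = impact_at(p, hours)
            rows.append({
                "process": p.name, "threat": t.name, "effect": t.effect,
                "likelihood": t.likelihood, "impact": impact, "score": t.likelihood * impact,
                "rto_hours": rto, "expected_outage_hours": hours, "exceeds_rto": hours > rto,
            })
    rows.sort(key=lambda r: (-r["score"], r["process"]))  # stable: ties keep threat order
    return rows


def strategy_gaps(rows: List[dict]) -> List[str]:
    """Processes that need a continuity strategy: some plausible outage outlasts their RTO."""
    return sorted({r["process"] for r in rows if r["exceeds_rto"]})


# Constructed sample data (assumptions for illustration only).
PROCESSES = [
    Process("order processing", {4: 2, 24: 3, 72: 4}, ("ERP system", "head office", "sales staff")),
    Process("payroll", {24: 1, 72: 2, 168: 4}, ("payroll provider", "HR staff")),
    Process("customer support", {4: 3, 24: 4}, ("phone system", "head office", "support staff")),
]
THREATS = [
    Threat("head office power failure", "denial of access to premises", 3, ("head office",)),
    Threat("ERP ransomware", "loss of critical system", 2, ("ERP system",)),
    Threat("payroll provider insolvency", "loss of provider", 1, ("payroll provider",)),
    Threat("pandemic staff absence", "loss of personnel", 2, ("sales staff", "support staff", "HR staff")),
]
EXPECTED_OUTAGE_HOURS = {  # planning assumption per effect class
    "denial of access to premises": 8,
    "loss of critical system": 72,
    "loss of provider": 336,
    "loss of personnel": 168,
}

if __name__ == "__main__":
    register = risk_register(PROCESSES, THREATS, EXPECTED_OUTAGE_HOURS)
    for r in register:
        flag = "GAP" if r["exceeds_rto"] else "ok"
        print(f'{r["score"]:>2}  {r["process"]:<18} {r["threat"]:<28} RTO {r["rto_hours"]}h  {flag}')
    print("strategy gaps:", strategy_gaps(register))
```

The output is the combined business impact and risk assessment the sponsor signs off: the score ranks the pairs, and the RTO flag tells the strategy stage which processes cannot be left to "do nothing". Because impact is read at the expected outage duration rather than as a single static rating, a slow-burning threat (a provider failing) can score as high as an acute one once the outage is long enough.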
Formulating continuity strategies
You must decide on the approach to be taken to protect the business.
This decision must be taken at board level.
Your options include:
- do nothing: in some instances the board may consider a risk
acceptable from a business perspective
- changing or ending the process: deciding to alter existing
procedures must be done bearing in mind the organisation's key focus
- loss prevention: tangible procedures to eliminate / reduce
risk
- business continuity planning: an approach that seeks to improve
organisational resilience to interruption, allowing for the recovery
of key business and systems processes within the agreed recovery timeframes,
whilst maintaining the organisation's critical functions.
You should:
- identify possible business continuity strategies
- assess suitability of alternative strategies against the output
of the business impact and risk assessments
- prepare cost / benefit analysis of various strategies
- present recommendations to sponsors for approval.
Developing the response
For crisis management, you should develop a detailed response to a potential
incident and formulate plans that support that response. Emergency response
and operations covers the development and implementation of procedures
for responding to and stabilising the situation following an incident,
including establishing and managing an emergency (or crisis) operations
centre. You must establish a procedure for command and control of the
incident, to include:
- opening the emergency operations centre and its security arrangements
- the management and operations of the centre
- closing down of the centre when the crisis has ended.
You should also determine the actions to be taken in the area of salvage
and restoration.
You must develop a business continuity plan. This
document brings together the actions to be taken at the time of an incident,
who is involved and how they are to be contacted. The plan or plans
must reflect the current position of the organisation and all its stakeholders.
A business continuity plan should be designed to provide recovery of
the organisation within the recovery time objectives established during
the business impact assessment process. A procedure should also be established
to shift from the emergency response plan to the business continuity
plan.
Implementing an action plan
Ensure that the culture of BCM is embedded in your organisation. All those
associated with the organisation need to have confidence in its ability
to manage in a crisis. You should:
- assemble Emergency Management/ BCM/ Crisis and Recovery Teams
- implement relevant training programmes for each team dependent
upon task, including crisis communications/ media training as appropriate
- establish/ equip emergency and crisis centres
- establish internal and external contractual arrangements/ service
level agreements
- implement back-up and off-site storage arrangements
- distribute plan documentation as appropriate
- conduct internal and external awareness programmes
- prepare crisis communication statements for all stakeholders.
Testing the plan, maintenance and auditing
A business continuity plan is unreliable until it is tested and has
been proven workable, especially since false confidence may be placed
in its integrity. A minimum requirement should be to test every 12 months.
You should:
- prepare a representative and suitably detailed disaster scenario,
including aspects such as date, time, current workload, political
and economic conditions, accounting period end and concurrent activities.
You must keep the plan up to date to reflect changes in the business.
You should:
- define plan maintenance scheme and schedule for the plan
- monitor activities
- update the plan as required
- distribute under formal change control procedures
- carry out regular tests.
The plan should be audited, ideally by an independent auditor, to
ensure objectivity. The audit should be conducted at least annually.
You should:
- set audit objectives and scope
- assess and select the audit method
- audit the administrative aspects of the BCM process
- audit the plan's structure, contents and actions sections
- audit the plan's documentation control procedures
- submit the audit findings to the sponsor.