Business continuity management

Most businesses, at some time, face an event that can disrupt their normal operations. This can be due to a number of causes including loss of staff through sickness, non delivery of essential goods and services by an external provider or even a major loss of IT, communications or premises.

Business continuity is about making sure that you have prepared your business for the unexpected. Meaning that when your business is disrupted, you can continue to operate key activities and get back to full operation as quickly as possible.

Three very good reasons why you should have a business continuity plan:

1. 80% of businesses affected by a major incident close within 18 months.
2. 90% of businesses that lose data from a disaster are forced to shut within 2 years.
3. 58% of UK organisations were disrupted by September 11th. One in eight was seriously affected.

Who needs to have a plan?

Whether your business is large or small and whatever your location, you can suffer a business interruption. This may come from an internal source ie. loss of staff or an external one, such as loss of power supply. In fact in almost 90% of cases, business threatening events are not as a result of a major incident.

How your business copes with such events is often down to what pre-planning has taken place. The answer to ‘who needs to have a plan?’ is everyone who wants their business to survive.

The business continuity process:

Elements of the business continuity management lifecycle

The BCM lifecycle comprises of six elements as illustrated. These can be implemented by organisations of all sizes, in all sectors: public, private, non profit, educational, manufacturing etc. The size and structure of a BCM programme can vary, and the effort needed will be tailored to the needs of the individual organisation, but essential elements still have to be undertaken.

BCM programme management

Programme management enables the business continuity capability to be both established (if necessary) and maintained in a manner appropriate to the size and complexity of the organisation.

Understanding the organisation

Understanding your business is a critical element in producing a Business Continuity Plan. To do this you need to ask the following questions:

• What are the objectives of the organisation?
• How are the business objectives achieved?
• What are the products/services of the organisation?
• Who is involved in achieving the business objectives?
• What are the time imperatives on delivery of the products or services?

Once these questions have been answered a Business Impact Analysis (BIA) can be undertaken. The BIA identifies the business consequences of a loss or interruption to the business functions and processes that have been identified. The BIA provides the data for determining the appropriate business continuity strategies that then need to be identified.
The final part of the ‘Understanding Your Business’ process is Risk Assessment. The risk assessment undertaken should concentrate on the most urgent business functions. Where possible measures should be put in place to reduce the risk

Determining business continuity strategy

The business continuity practitioner has a range of options that can be used to maintain business critical functions and processes. There are three levels of BCM strategy for which planning needs to be considered:

• Organisational Strategy – providing strategic policy
• Process Level Strategy – providing for a resumption of business functions and processes
• Resource Level Strategy – providing for the deployment of necessary resources to maintain functions and processes
  
  The BCM Strategy should identify effective recovery solutions to enable the business to continue to operate key activities from the time of the business interruption until it is able to recover its full operational ability

Developing and implementing a BCM response

Once the business continuity strategy has been agreed it will be necessary to record and detail the actions and resources that will be required to implement the response. Typically this means having a Crisis Management plan and a Business Continuity plan. The Crisis Management plan will identify the roles and responsibilities of the key personnel given the responsibility of overseeing the management of the incident and the actions they should take. The Business Continuity plan will identify which activities need to be brought up and running in the time frame previously determined and identify the resources necessary to achieve that aim.

BCM exercising, maintaining and reviewing BCM arrangements

Business Continuity Management is not a ‘one-off’ process. As your business changes, then your plans must change to reflect that. It is, therefore, important that you periodically review your business continuity arrangements and that these changes are reflected in your business continuity and business resumption plans. However, going through the process and having Business Continuity plans will not in itself prove your resilience. A plan cannot be considered to be reliable until it has been exercised and the staff trained in its operation. It is important therefore that exercising and training is built into the Business Continuity Management programme and it is carried out on a regular basis.

Embedding BCM in the organisation’s culture

One of the most important, and quite often most difficult aspects of Business Continuity Management is establishing it within the organisation. It is important that there is ‘buy in’ at the highest level and an understanding of the benefits it brings to the organisation. Ownership of BCM should extend to every part of the organisation where operational risk originates and resides.
A Business Continuity culture leads to a high level of preparedness and an effective response should a business interruption occur.

Useful business continuity links and contacts

The following page seeks to provide sources for further information and advice about business continuity, as well as contact for support available from associated consultancies.

Please note that the information provided below to other websites/organisations are provided to assist you, and do not imply our endorsement of them and we take no responsibility for their content, or advice provided.

General business continuity links

• Business Continuity Institute - Institute representing Business Continuity professionals (information and best practice)
• Business Continuance Group - association for business continuity staff in companies with financial service interests
• Continuity Forum - Independent forum for all sectors to promote best practice and build skills
• Continuity Central - Business continuity news and information resource
• Continuity, Insurance and Risk (CIR) - Leading journal on Continuity, insurance and risk and information resources
• Global Continuity - Information resources for Business Continuity and Disaster Recovery
• UK Resilience - Cabinet Office, a central reference point and directory for use during wide-ranging national emergencies.
• London.GOV.UK have provided a checklist to assess the risks to your business in a Ten Minute Assessment.

Page last reviewed: 16 August 2022