What is Business Continuity Management?
Most businesses face, at some time, an event that can disrupt their normal operations. This can be due to a number of causes including loss of staff through sickness, non delivery of essential goods and services by an external provider or even a major loss of IT, communications or premises.
Business continuity is about making sure that you have prepared your business for the unexpected, so that when your business is affected by some form of disruption you can continue to operate and get it back to a normal level of operation as quickly as possible.
Three very good reasons why you should have a Business Continuity plan:
- 80% of businesses affected by a major incident close within 18 months.
- 90% of businesses that lose data from a disaster are forced to shut within 2 years.
- 58% of UK organisations were disrupted by September 11th. One in eight was seriously affected.
Who needs to have a Plan?
Whether your business is large or small and whatever your location, you can suffer a business interruption. This may come from an internal source ie. loss of staff or an external one, such as loss of power supply, in fact in almost 90% of cases, business threatening events are not as a result of a major incident.
How your business copes with such events is often down to what pre-planning has taken place. The answer therefore to ‘who needs have a plan’ is everyone who wants their business to survive.
The Business Continuity Process:
Elements of the business continuity management lifecycle
lifecycle comprises of six elements as illustrated. These can be implemented by organisations of all sizes, in all sectors: public, private, non profit, educational, manufacturing etc. The scope and structure of a BCM
programme can vary, and the effort expended will be tailored to the needs of the individual organisation, but essential elements still have to be undertaken.
BCM programme management
Programme management enables the business continuity capability to be both established (if necessary) and maintained in a manner appropriate to the size and complexity of the organisation.
Understanding the organisation
Understanding your business is a critical element in producing a Business Continuity Plan. To do this you need to ask the following questions:
- What are the objectives of the organisation?
- How are the business objectives achieved?
- What are the products/services of the organisation?
- Who is involved in achieving the business objectives?
- What are the time imperatives on delivery of the products or services?
Once these questions have been answered a Business Impact Analysis (BIA) can be undertaken. The BIA identifies the business consequences of a loss or interruption to the business functions and processes that have been identified. The BIA provides the data for determining the appropriate business continuity strategies that then need to be identified.
The final part of the ‘Understanding Your Business’ process is Risk Assessment. The risk assessment undertaken should concentrate on the most urgent business functions. Where possible measures should be put in place to reduce the risk
Determining business continuity strategy
The business continuity practitioner has a range of options that can be used to maintain business critical functions and processes. There are three levels of BCM strategy for which planning needs to be considered:
- Organisational Strategy – providing strategic policy
- Process Level Strategy – providing for a resumption of business functions and processes
- Resource Level Strategy – providing for the deployment of necessary resources to maintain functions and processes
The BCM Strategy should identify effective recovery solutions to enable the business to continue to operate key activities from the time of the business interruption until it is able to recover its full operational ability
Developing and implementing a BCM response
Once the business continuity strategy has been agreed it will be necessary to record and detail the actions and resources that will be required to implement the response. Typically this means having a Crisis Management plan and a Business Continuity plan. The Crisis Management plan will identify the roles and responsibilities of the key personnel given the responsibility of overseeing the management of the incident and the actions they should take. The Business Continuity plan will identify which activities need to be brought up and running in the time frame previously determined and identify the resources necessary to achieve that aim.
BCM exercising, maintaining and reviewing BCM arrangements
Business Continuity Management is not a ‘one-off’ process. As your business changes, then your plans must change to reflect that. It is, therefore, important that you periodically review your business continuity arrangements and that these changes are reflected in your business continuity and business resumption plans. However, going through the process and having Business Continuity plans will not in itself prove your resilience. A plan cannot be considered to be reliable until it has been exercised and the staff trained in its operation. It is important therefore that exercising and training is built into the Business Continuity Management programme and it is carried out on a regular basis.
Embedding BCM in the organisation’s culture
One of the most important, and quite often most difficult aspects of Business Continuity Management is establishing it within the organisation. It is important that there is ‘buy in’ at the highest level and an understanding of the benefits it brings to the organisation. Ownership of BCM should extend to every part of the organisation where operational risk originates and resides.
A Business Continuity culture leads to a high level of preparedness and an effective response should a business interruption occur.