As published in the Disaster Resource Guide Executive Issue – Volume 12, Issue 3.
The Need For Business Continuity Management
All businesses face the threat of an unplanned business interruption. While the causes vary from natural disasters to IT service interruptions, many organizations lack the capability to respond in an effective way. As a result, thousands of businesses large and small are crippled every year by unplanned business interruptions. However, there are cost-effective protections that every business can establish to avoid this risk. Many of these protections are focused on isolated risks; for example, if a company has a critical product that has to be shipped no matter what, it may choose to store that product in two locations, thereby protecting it. However, such an approach ignores the broader purpose of risk management: examining these risks through a structured approach results in a comprehensive understanding of the organization’s risks, thereby optimizing its investment to limit those risks.
The structured approach needed for business interruption risks is business continuity management – a process that analyzes an organization’s risk of business interruption and takes actions to reduce it. While this is often achieved through a continuity plan, simply writing a plan will not substantially affect your business’s exposure to interruption risks. A business continuity management process is the key to identifying which activities will reduce risk and eliminating the activities that are less beneficial. By taking a structured approach to managing business interruption risk, an organization maximizes its risk reduction while minimizing costs and focusing its efforts on critical areas that are worth protecting.
If it’s not a plan, what’s the outcome? Organizations that embark on developing and implementing business continuity management processes often create well-rehearsed, documented business continuity plans. But they also create something more valuable: a well-aligned risk management culture that learns to proactively recognize business risk and take action, and when an issue persists, apply reactive frameworks to control the resulting impact.
The remainder of this article describes the business continuity management process and how each part of the process drives the effort towards value-added activities. Also offered is a simple, straightforward process to initiate business continuity management, and a number of key success factors.
Business continuity management is often daunting because of the number of ways it can be completed. With so many options, it’s easy to get lost and tempting to just start doing things without an understanding of what you are trying to achieve. To better understand the basic building blocks of business continuity management and how each generates business value, here are the five key tasks that make up a solid business continuity management program and the strategic benefits they provide:
1. Identify critical activities and associated dependencies
This provides the analysis needed to focus the business continuity management process on the areas that will provide the most benefit. During the analysis, every area of the company should be evaluated to identify critical activities and dependencies that may not be immediately obvious. This typically includes an estimated cost of downtime and prioritization of when each activity would be recovered after a widespread disaster, thereby focusing business continuity management efforts on the shortest timeframes. The longer timeframes are not neglected, but they are activities that could likely be prepared for during an interruption due to the long lead time allowed.
2. Identify likely causes of failure and protections against failure
Some causes of failure are pervasive across every critical activity, such as natural disasters or power outages. Those causes can be protected with facility-wide plans to respond to the event and communicate the response to stakeholders. In addition to pervasive causes, each critical activity may have some unique causes of failure, such as equipment failure, loss of a specific technology or loss of key personnel. These unique causes may be controllable through redundancy or other protections like cross training. When the potential protections compare favorably to the estimated cost of downtime identified in task 1, a business case can be built for implementing the protection.
3. Develop alternate modes of operation for critical activities based on likely causes of failure
Critical activities that cannot be adequately protected from failure will need to have alternate modes of operation defined. For office personnel, this typically involves alternate work space or manual workarounds in the event of technology downtime. For more complex environments, this typically involves a process to redistribute work to other locations. It is likely that departments across the organization have theorized about how they would continue to work in the event of an interruption. These theories should be gathered, analyzed, documented and agreed to for critical activities. While some alternate modes of operation may have little increased cost (such as using unused office space for recovery), others will have significant cost (dedicated alternate office space for 200 employees). Each of the decisions made for alternate modes of operation should also be compared to the cost of downtime (identified in task 1) to determine the most cost effective option that matches management’s tolerance for risk.
4. Document plans to implement the alternate modes of operation and manage the overall process of responding to a disaster and performing a recovery
Individual recovery plans will need to be developed to define the details of how each critical activity will deploy their set of alternate operating modes. In addition, executive level plans will also need to be developed. These documents will identify the people responsible for making decisions, the resources needed and the methods of communication that will be used.
5. Exercise the plans
Even though it is the last step, exercising plans provides some of the greatest benefit to the organization. Exercising ensures that the personnel critical to the recovery effort are capable of implementing the company’s plans. Exercising will also provide the most detailed and focused review of your strategies and plans.
Using the process above to analyze and evaluate the risk management options for an organization produces reliable and repeatable results. In addition, the process will result in the following key outcomes:
- An executive level crisis management plan that guides the process of responding to a disaster and allows each executive to focus on their area of responsibility
- Formalized alternate modes of operation that can ensure organizational goals will continue to be met
- Trained personnel who are knowledgeable about their responsibilities in the event of an interruption
Business continuity will never be a silver bullet that protects the organization from every interruption, but it can allow an organization to make smart investments in protecting against the most likely and most severe threats.
Starting any new process in an organization is challenging, but the key is always the same: have the right people involved and moving to achieve a central set of objectives. This often takes both time and diplomatic effort, so patience will be needed. Here are three key steps to getting a business continuity management process off the ground:
- Understand Expectations: The best way to begin the conversation about business continuity is to have a conversation with executives about their expectations regarding the organization’s ability to respond to a disaster. Their response will probably be something like: “I think we’re fine, our people are used to responding to crisis and figuring out how to get product out the door” or “I haven’t spent much time thinking about it, but I’m not sure we would know what to do or how to react.” The criteria identified in the table below can be a guide on how other organizations like yours are approaching business continuity and provide some basis for your rebuttal on why business continuity is important or how you should approach it. Many times, that’s all that is needed to get executives interested in business continuity – at which point you can begin to understand their expectations. With these expectations as a guide, the program will be supported by the executive and provide the answers they are looking for.
- Establish Accountability: Clear accountability for business continuity activities should be established to ensure their progression in the correct direction. This frequently resides under the CFO with a Director, such as Director of Risk Management or Insurance. Occasionally IT is given responsibility for business continuity; however, they often struggle with effectively connecting with the business.
- Conduct A Pilot: When starting out with business continuity, most organizations conduct a pilot of one facility to understand the constraints and demonstrate the benefits of the program. Frequently, the pilot is the corporate headquarters so that senior executives can be involved and incorporated into the executive crisis management plan. Once the pilot is successfully deployed, the scope can be expanded to all facilities which house critical activities.
The use of business continuity management in organizations continues to expand and evolve in parallel with the broader discipline of risk management. Like risk management, business continuity management is a flexible process that is meant to be used in a way that best fits the organization. While using this process, each step will contain its own individual business case for continuing. As a result, the cost and benefit of business continuity management will vary from organization to organization. However, nearly all organizations should deploy some form of it to meet their obligations to stakeholders.
|Criteria influencing how much time or resources to allocate for Business Continuity|
Organizations whose ownership is open to the public have the clearest mandate: protecting the business from unforeseen interruptions is part of management’s fiduciary responsibility. If the board hasn’t asked about the business continuity capabilities of your organization, it may be because they assume that it has been taken care of.
Medium and large private organizations should understand the expectations of their owners and explicitly document them. Many owners will expect that business continuity management is part of doing business, so expectations may need to be managed regarding current capabilities in this area.
We recommend any organization or individual location with more than 500 employees conduct business continuity management. Smaller organizations will have less overall work to do, but even with 500 employees, having clearly defined communications, response and recovery expectations will increase the organization’s ability to overcome a business interruption.
|Industry and/or Regulatory Requirements?|
Heavily regulated industries such as financial services and health care providers are expected to perform business continuity. However, many industries have begun widespread adoption of business continuity management, particularly manufacturing and pharmaceutical/bio-tech where customer demands have sped adoption.
Widespread adoption in the manufacturing and pharmaceutical industries is being driven through an increased focus on supply chain risk management and ensuring the continuity of product movement. Many customers are inquiring about their vendors’ business continuity capability. This is especially true for companies which are sole source providers of critical products and services. Maintaining that enviable position will eventually require demonstrating an ability to persevere through disasters.