Business continuity is the process to minimize the risk of disruption. More specifically, business continuity means working to decrease the likelihood of a disruptive incident and preparing your organization to continue the delivery of its most essential products and services if a disruption were to occur.
A business continuity process should result in two things:
We call this the right level of resiliency. Business continuity is also known as continuity planning, organizational resilience, or business continuity management.
This is how business continuity works:
There is a range of disciplines related to business continuity, including:
Business continuity helps protect an organization regardless of what disaster may occur. And, that’s important in today’s increasingly unpredictable world! Whether it’s unscheduled technology downtime, a supply chain disruption, a natural disaster, or a man-made event, organizations of all sizes recognize that they need to be ready for just about anything.
Most organizations build a BC program for one of three reasons:
All these groups are demanding business continuity as a way to protect the organization over the long-term.
It varies. Every organization is unique; however, a good rule of thumb is it should be placed with an executive that has the respect of others and has good visibility to the rest of the organization.
Common owners of business continuity include:
Regardless of who owns the program, cross-functional input throughout the process is essential to select solutions that fit the organization. Most business continuity standards also require senior executive involvement.
Business continuity planning is an on-going process, not a one-time project. There are the six main, recurring planning phases, or activities, that enable an organization to develop an effective program aligned to the strategy of the organization. Let’s take a closer look at each.
During the Startup phase, the organization determines why business continuity is important, who should be involved in the program, and what the scope of the program should include. To do this, Avalution completes a Frame meeting with the Business Continuity Steering Committee. When determining the scope of the program, Avalution recommends identifying which departments contribute to the production and delivery of the organization’s key products and services. We’ve included more on this topic below.
The Analysis phase is used to document the business activities, or processes, of in-scope departments, along with their dependencies (applications, people, suppliers, facilities, and equipment) for completing the identified activities. These activities and dependencies are captured during the business impact analysis. As part of this process, an organization should identify its overall risks and determine whether to accept or address each one. For more information on this topic, check out our ultimate guide to the business impact analysis.
The Strategy phase is when an organization determines the strategies it will use to recover different dependencies during a disruption in order to continue the delivery of the organization’s key products and services. A few quick examples of strategies include:
Business continuity plans are used to help an organization respond to and recover from a disruptive incident. Plans should focus on the people that need to be involved and the procedures that need activated to return to normal (based on the determined strategies) following an incident. At Avalution, we create resource loss-based plans versus threat-based plans, and we recommend that you do the same! This approach allows you to be prepared for a countless number of threats.
The Exercise phase is where business continuity plans are tested and validated. During this phase, plan participants are asked to demonstrate how they would respond to an incident. There are a variety of exercise types that can be completed based on your specific goals. That said, the most important part of exercising is that participants become familiar with their recovery responsibilities, the plan is validated, and improvement opportunities are identified and addressed.
Documenting a BC program and “leaving it on the shelf” negates all of the hard work you put into the program. Organizations change and evolve, and your business continuity program needs to do the same as personnel change, new suppliers and applications begin to be used, and as the critical products and services that impact your organization’s bottom-line evolve. The Improve phase ensures that a program continues to evolve alongside the business. After completing a business continuity program, it is important to continue to refresh and develop the program, track the program’s success, and determine short and long-term action items in order to help it grow.
Properly determining the scope of your program is the difference between a successful business continuity program and one that stalls with endless analysis. Here are three steps to properly scope your program:
Stakeholders include customers, regulators, management, and other interested parties. Examples of these requirements include:
Documenting stakeholder requirements allows the steering committee to effectively set the scope of the program using products and services.
Defining products and services is an effective way to manage the scoping effort at a strategic level because management, employees, regulators, and customers easily understand them. They create value! The program scope should include those products and services that, if interrupted, would result in missed obligations or unacceptable consequences.
Once the organization defines a list of “in-scope” products and services, it can map departments or business units back to these products and services (remembering that not every department will be included). This exercise:
To take your scoping effort even further, download our free guide to building executive support for business continuity.
There are four main types of business continuity plans – Crisis Management, Crisis Communications, Business Recovery, and IT Disaster Recovery – that all work together to create a seamless response to a disruption. Let’s take a closer look at each.
Crisis management plans supply a structured response to a disruption that could threaten the survivability of an organization. An effective Crisis management plan includes high-level tasks for executives to respond to an incident.
Effective crisis management plans:
Crisis management plans typically do not focus on recovering activities. Rather, crisis management supplies the resources and guidance to allow the organization to recover in a timely manner by eliminating issues impacting a successful recovery. There is no rule on who should take part in a Crisis Management Team, but in general, it should include individuals that can make decisions on behalf of the organization.
A crisis communications plan serves as a supplement to a crisis management plan by coordinating two-way communications with key internal and external interested parties. Many different entities may be affected by, or could contribute to, the recovery effort, including employees, customers, partners, regulators, and suppliers. A crisis communications plan helps to minimize the communications burden and increase the timeliness of messaging and feedback by providing a framework that defines who (to communicate with), how (to deliver the message or receive information), and what (to say). To enable effective communications, crisis communications plans should:
Ideally, organizations have representatives from Communications, Public Affairs, and/or Human Resources that participate in this plan. Organizations may also employ third-parties or public relations firms to aid with message development and delivery.
Business continuity plans focus on the recovery of activities and resources that support the creation and delivery of products and services, or as ISO 22301 notes: “[business continuity plans] typically cover resources, services and activities required to ensure the continuity of critical business functions.” The orientation of a BC plan is also like a crisis management plan in some ways; however, the scope is the primary differentiator. While a crisis management plan looks to respond in a timely manner to enable the recovery an organizational entity, a business continuity plan works to restore a subset of related activities and resources. Effective business continuity plans often have the following characteristics:
In some situations, BC plans may be activated without the activation of a crisis management plan and vice-versa. Flexible, mature business continuity programs allow for this type of decentralized or isolated activation. This relationship between the department level recovery team and the crisis management team is critical in supporting an effective recovery during and following a business disruption.
IT disaster recovery plans are focused on the technical details required to restore a technology asset. IT disaster recovery plans are also typically designed to be executed by IT practitioners.
Effective IT disaster recovery plans:
IT disaster recovery plans are important when one considers how intertwined organizations are with technology, but it is important to note that IT disaster recovery plans are not, by themselves, a complete business continuity strategy.
We help companies around the world build strong business continuity programs.
If you’re ready to get hands-on help to quickly get results, please book a strategy session with a member of my team today to:
Are you ready? Book a meeting here.