John Bartlett CBCI, DBCI
Business Continuity is the implementation and management of a set
of business practices that provide on-going resilience and recovery
capabilities for the essential activities and infrastructure to keep an
organisation working and providing its necessary services.
This is not a new
concept; Business Continuity was established in the late 1980s following on from
the 1980s technology boom, the development of IT Disaster Recovery practices
and the realisation that the business activities also needed to be recovered. Since
its establishment, Business Continuity has achieved world-wide recognition as a
core management activity for good corporate governance and risk management that
complements, supports and enhances other business functions and helps to ensure
informed, risk based decisions can be made.
When talking to Executives and Senior Managers in organisations, the
reaction and comments I often receive (in Oman and other countries) are ones
such as ‘These major events rarely happen’, ‘It’ll never happen to me’, ‘But we
have a backup data centre’ or ‘That’s not my responsibility’. More often than
not these comments emphasise a lack of understanding about Business Continuity
and the role it plays in managing and protecting an organisation. Every
Executive and Senior Manager in an organisation has a duty and responsibility
to ensure risks are being managed appropriately and effectively. The question,
therefore, should not be ‘Will it happen to me’, but more ‘Have we considered
and evaluated this risk properly,
are we exposed to it, do we have an appropriate level of resilience in place to protect the organisation, how confident are we that this resilience will work, have we tested it and do we have the ability and capability to recover if these measures are not sufficient?’
Consequences of unfortunate and unforeseen events such as Gonu and
Phet; political events in Egypt, Libya and Syria; overseas events in Pakistan
(flooding), India (power outage) and Japan (tsunami), global events such as the
financial crisis and even lesser more localised events experienced in 2012 such
as power outages or water leaks/shortages are likely to have had a direct or indirect
impact on either our own personal and business lives, or those of close
relatives. However, Business Continuity is not just about those larger types of
incident; it is also about resilience and protection against smaller
disruptions that could threaten your organisation and/or its services, such as
damage or disruption from leaks due to excessive rain, burst water pipes, a
traffic accident, loss of staff, security intrusion, faulty software, fraud, adverse
publicity and public comments, faulty or poor quality products, late delivery
from suppliers, etc.
In our personal lives we tend to naturally develop and implement
resilience and recovery. We determine what is important and essential to us,
and either protect those items (for example through insurance or security
systems for our houses), implement some form of resilience (having multiple
cars, GSMs, PCs/laptops, houses, etc.) and have some form of recovery
(backups of PCs/laptops, copies of photographs, spare tyre in the car,
maintenance people to fix air conditioning, etc.). The main principles of
Business Continuity in organisations are no different, just slightly more
complex, and are just as applicable to small and medium enterprises (SMEs) as they
are to larger organisations.
The role played by Business Continuity extends beyond these
personal and business aspects and has been recognised globally as an integral
part of planning and implementing protection for critical national
infrastructures and establishing national preparedness to ensure individuals'
safety/welfare and protect the national economy, financial stability, social
infrastructure and national security. To achieve this, Business Continuity has
embraced and included emergency planning, crisis/incident management and
Information Technology disaster recovery, as well as establishing and
implementing resilience and recovery capabilities. At a national level,
Business Continuity ensures essential societal services can continue such as
emergency services, utilities (electricity and water), hospitals and clinics,
telecommunications (GSM and internet), fuel supply, consumables (food and
drinking water), availability of money, processing of payments, transportation
infrastructure, sewage and refuse collections. At an organisational level,
Business Continuity ensures the organisation can continue its essential
activities (whatever the organisation decides is essential).
Risks to an organisation's continuity can mainly be broken down into
four key groups: people (quantity, skills/knowledge, living location, etc.);
infrastructure (such as PCs, laptops, printers, servers, network, internet
services, telephony, office space, furniture, photocopiers, fax machines,
etc.); information (electronic copies on CDs, paper copies on desks, in
filing cabinets or in archive storage, etc.); and suppliers (such as
consultancies, outsource companies, printers, manufacturers, maintenance
companies, material suppliers, rental companies, etc.). The loss or disruption
of any combination of these groups can lead to a serious disruption to the
organisation and require elements of resilience or recovery to be activated to
protect or recover essential aspects of the business and ensure services can
be continued or restored with minimal impact on the organisation.
In SME businesses, the owner and/or person running the business
typically knows and is familiar with every aspect of the business and what parts
are important for the business to keep running and remain viable. Instinctively
some risks are managed and aspects of resilience and recovery are considered
(for example having multiple suppliers, managing cash flow, backing up
information). However, SMEs face more challenges than larger organisations
when implementing Business Continuity due to greater competition and constraints
such as location, equipment and limitations on budget, people/skills and
infrastructure. These challenges and the options available obviously depend
upon the nature of the SME business; a retail outlet will have different
challenges to a manufacturing company or an office-based company (such as
accountants, lawyers and consultancies).
In larger organisations it is more difficult for a single
individual to comprehend the detailed aspects for all elements of the business
and responsibility is often delegated to management teams. However, without the
appropriate information, it is difficult (if not impossible) for informed, risk-based decisions to be made to ensure the appropriate resilience and recovery
capability is in place to protect those activities of the business that are
necessary to ensure its survival following a disruptive event. The challenges
facing larger organisations are slightly different and require more knowledge and
planning due to a greater exposure from globalisation, diverse supply chains, more
complex processes, greater interdependencies and bigger market and client
expectations. However, the options available to larger organisations when
implementing Business Continuity become greater due to a potentially larger
budget, more locations, larger pool of resource and (if already considered)
existing components of resilience and recovery.
Ensuring that the correct and appropriate level of Business
Continuity is implemented within organisations will help to protect those
organisations from unforeseen and unplanned events and disruptions. In turn,
this will help to ensure these organisations can continue to provide their
essential services, and help ensure commercial organisations can remain in
business, thus providing resilience to national economies. In addition, as part of
the Business Continuity implementation process, a number of organisations also
tend to identify opportunities to improve efficiency and remove single points
of failure, thereby adding value to owners/shareholders and often improving the
bottom line.
A number of common aspects exist across those organisations that
have established a successful and beneficial Business Continuity capability
(irrespective of the organisation's size). These are endorsed by the main
Business Continuity industry bodies and are included within international
Business Continuity Standards. These aspects include ensuring that the Business
Continuity implementation is appropriate to the size and nature of the
organisation, that it is integrated into the organisation's other activities and
management, that Business Continuity has sufficient budget, resource and senior
level (Executive) sponsorship, that the responsibility and accountability for
Business Continuity rests with an appropriate person and that person has the
authority to implement and manage it, that Business Continuity covers the whole
business and that Business Continuity management is treated as a proactive activity
to prevent and reduce the likelihood and impact from events and disruptions
rather than considering it to be a reactive set of plans and facilities that
are invoked after an event or disruption takes place.