The benefits of implementing Business Continuity can be far reaching and, although they are not
always tangible, they help (amongst other things) to reduce exposure to risk, provide
information for informed decisions and give confidence to customers and stakeholders.
Business Continuity Management (BCM) is about ensuring that essential services and
activities can keep running, or can be restarted, following a disruption. After all,
insurance for incidents may provide a financial safety net, but it will not win back lost
customers who have gone to your competitors; backups and alternative data centres are
great for your systems and applications, but they do not provide a location for your
business to work from, or a plan to recover your business activities. So how do we go
about putting BCM in place?
BCM Programme management is central to the whole Business Continuity Lifecycle (as shown in
the diagram below) and fundamental to successfully implementing Business Continuity, as it
defines, controls and manages the approach and its implementation, ensuring that it
achieves the desired objectives.
(Source: ISO 22313 - Societal security — Business
continuity management systems — Guidance)
Support & Commitment
Establishing the necessary support and commitment from Top Management is essential, and
should be obtained through the nomination of a Top Management sponsor who becomes the point
of accountability for Business Continuity within the organisation. Depending upon the size
of the organisation, this may be the owner or a member of Executive Management. This person
will need to:
- Demonstrate commitment to Business Continuity by providing or agreeing direction;
- Lead by example;
- Help communicate the importance of BCM;
- Approve (or sponsor for Board approval) the Business Continuity Policy;
- Agree or approve the BCM budget and resources;
- Prioritise BCM against other initiatives;
- Ensure Business Continuity is included in strategic planning;
- Ensure regular progress reporting and reviews as part of the organisation's governance;
- Demonstrate support for BCM by assisting in resolving conflicts and issues that may arise.
This level of Top Management support and commitment can usually be obtained and maintained
by:
- identifying the need and requirements for BCM (legal commitments and obligations for continued service within contracts, regulatory requirements, or fiduciary duties for sound corporate governance and risk management);
- highlighting related requirements, observations and non-conformities in external reports and reviews (external auditors, regulators, etc.);
- communicating the benefits of having a sound BCM practice in place (reduced insurance premiums; improved working practices and disciplines; identifying opportunities for business improvements and efficiencies; improved understanding of risks and therefore better informed risk decisions; protection of cash flow, profits, services and customers; and support of strategic initiatives);
- demonstrating the potential impacts of not having BCM in place (hard costs at risk, e.g. buildings, equipment, etc.; soft costs at risk, e.g. goodwill, reputation, brand, etc.; the potential backlog of work; lost income and opportunity; fines or fees that may result from disruption; and the repercussions of non-compliance with legal, regulatory and contractual commitments).
BCM Policy
A BCM Policy should be defined, documented and approved by Top Management or the Board of
Directors to demonstrate the Board's commitment to BCM to the organisation's stakeholders.
Policies typically take one of two forms: a short document of a couple of pages, or a
long, detailed document. Both contain similar information, except that the latter also
includes explanations and guidance.
A policy is a statement of intent by Top Management that communicates their high-level
commitment, intentions and requirements regarding a specific topic, which then needs to be
implemented by the organisation's management. Policies are normally viewed as part of the
organisation's internal governance framework, and for BCM would be expected to contain the
following as a minimum:
- Standard document control (date, version number, title);
- Details of ownership and the required review period/cycle;
- The scope of BCM and any necessary boundaries and/or exclusions;
- The objectives of implementing and maintaining BCM;
- The BCM requirements, activities or aspects that need to be met or performed;
- The required aspects to implement appropriate BCM governance;
- BCM Principles needing to be achieved and measured against;
- BCM roles, responsibilities and accountabilities.
Scoping the programme
Once you have defined the scope for Business Continuity (within the Policy), you can review
this scope and define the approach for the initial Business Continuity programme, i.e.
whether it should initially cover a sub-set of the overall scope or the entire scope. This
should take into consideration geographical locations, departments or business units, as
well as the different products, services and processes. It is also recommended to define
what is specifically excluded from the scope of the programme, so there can be no
ambiguity.
Once the scope has been clearly defined, the remaining elements of the programme can be
documented in a programme scoping document to help establish the framework for the
programme. This should include:
- The objectives for this BC programme and what it aims to achieve;
- The measurement and success criteria for the programme;
- An initial Programme budget and the resources/people required to be involved;
- A communication plan for the programme;
- The roles and responsibilities for the programme resource;
- The programme governance structure and framework;
- How risks, issues and priority conflicts will be resolved during the programme, how recommendations will be addressed and how issues will be escalated.
Current state assessment
The chances are you already have some parts of Business Continuity in place within your
organisation; they are just perhaps known under a different name (backups, emergency
planning, incident management, crisis management, etc.).
Once you have defined the scope for your Business Continuity programme, it is practical to
meet with (other members of) Management to identify, understand and review existing
capabilities and weaknesses within these scope areas. Existing capabilities may be
identified by reviewing historical internal/external audit reports, regulator reports and
independent consultant reports/observations, through discussions with (other) members of
the management team, or by engaging a consultant to assess the current capabilities.
Once existing capabilities and practices have been identified that could form part of the
Business Continuity capability, they should be assessed to ensure they are appropriate,
adequate and effective, and a gap analysis conducted against best practice or recognised
industry standards (such as ISO 22301/22313). This does not mean that you intend to
implement the standard, but it will provide a solid industry-wide benchmark against which
to compare yourself. Performing this will also help identify some immediate risks and
issues associated with resilience and recovery that can be used for 'quick wins', and
enable you to prioritise the gaps and/or weaknesses that need to be addressed in order to
find the most appropriate remediation.
Another useful aspect of conducting a current state assessment is that, once you have
defined your baseline against an industry standard, you can identify the aspects that are
most appropriate to your organisation, define and document a tailored BCM maturity model,
and then benchmark your organisation's BCM against it in order to measure future
improvements and enhancements.
Management & Maintenance
Business Continuity is intended to be a continuous process
of improvement through a Plan, Do, Check, Act (PDCA) lifecycle:
- Plan/establish it;
- Implement & operate it;
- Monitor & review it;
- Maintain and improve it.
Business Continuity therefore requires on-going management and maintenance. This is where
most organisations fail: they believe that, having created a Business Continuity
capability, the resources assigned to create it can be reassigned to other activities. The
result is that the Business Continuity information and capability become out of date whilst
other changes take place in the organisation (such as changes in staff, service or process
priorities, technology, strategic changes, etc.).
The commitment required for the on-going management, maintenance and development of
Business Continuity is just as important as the initial commitment required to commence
the capability. Without it, the investment made to develop the capability may be wasted,
and the Management of the organisation may believe they have a resilience and recovery
capability that in reality is out of date, not fit for purpose and places the organisation
at risk.
Therefore, defining and implementing the required, appropriately skilled and experienced
resource as part of the BCM programme, and establishing an appropriate governance and
performance measurement system (metrics, key performance indicators, key risk indicators,
etc.), is essential for maintaining an on-going BCM capability. Performance measurement
helps retain control by identifying early warning signs of the Business Continuity
capability losing its effectiveness through becoming out of date. These metrics and
performance measurements should be aligned to the criteria defined within the BCM maturity
model, so that the level of maturity is correctly identified based on actual BCM management
and maintenance activities.