The benefits of implementing Business Continuity can be far reaching and although they are not always tangible, amongst other things they help reduce the exposure to risks, provide information for informed decisions and provide confidence to customers and stakeholders. Business Continuity Management (BCM) is about ensuring the essential services and activities can keep running or can be restarted following a disruption. After all, Insurance for incidents may provide a financial safety net, but it will not win back lost customers who go to your competitors; backups and alternative data centres are great for your systems and applications, but do not provide a location for your business to work, or a plan to recover your business activities. So how do we go about putting BCM in place?
BCM Programme management is central to the whole Business Continuity Lifecycle (as shown in the diagram below) and fundamental for successfully implementing Business Continuity as it defines, controls and manages the approach and its implementation; ensuring it achieves the desired objectives.
(Source: ISO 22313 - Societal security — Business continuity management systems — Guidance)
Support & Commitment
Establishing the necessary support and commitment from Top Management is essential, and should be obtained through the nomination of a Top Management sponsor who will become the point of accountability for Business Continuity within the organisation. This may be the owner or a member of Executive Management, depending upon the size of the organisation. This person will need to:
Demonstrate commitment to Business Continuity by providing or agreeing direction;
Lead by example;
- Help communicate the importance of BCM;
- Approve (or sponsor for Board approval) the Business Continuity Policy;
- Agree or approve BCM budget and resources;
- Prioritise BCM against other initiatives;
- Ensure Business Continuity is included in strategic planning;
- Ensure regular progress reporting and reviews as part of the organisation's governance;
- Demonstrate support for BCM through assistance in resolving conflicts and issues that may arise.
This level of Top Management support and commitment can usually be obtained and maintained through identifying key benefits, such as the need and requirements for BCM (legal commitments and obligations for continued service within contracts, regulatory requirements or fiduciary duties for sound corporate governance and risk management); highlighting related requirements, observations and non-conformities in external reports and reviews (external auditors, regulators, etc.); communicating the benefits of having a sound BCM practice in place (reduced insurance premiums, improved working practices/disciplines. identifying opportunities for business improvements and efficiencies, improved understanding of risks and therefore better informed risk decisions, protection of cash flow, profits, services and customers and support of strategic initiatives); demonstrating the potential impacts of not having BCM in place (hard Costs at risk e.g. buildings, equipment, etc., soft costs at risk e.g. goodwill, reputation, brand, etc., the potential backlog of work, lost income and opportunity, fines / fees that may result from disruption, and the repercussions of non-compliance with respect to legal, regulatory & contractual commitments).
A BCM Policy should be defined, documented and approved by the Top Management or Board of Directors to demonstrate a BCM commitment from the Board to the organisation's stakeholders. Policies typically take one of two different forms; either short documents of a couple of pages or long detailed documents. The two contain similar information, with the exception that the latter also includes explanations and guidance.
A policy should define a statement of intent by Top Management that communicates their high level commitment, intentions and requirements regarding a specific topic, which then needs to be implemented by the organisations management. Policies are normally viewed as part of the organisation's internal governance framework and for BCM would be expected to contain the following as a minimum
Standard document control (date, version number, title);
- Details of ownership and the required review period/cycle;
- The scope of BCM and any necessary boundaries and/or exclusions;
- The objectives of implementing and maintaining BCM;
- The BCM requirements, activities or aspects that need to be met or performed;
- The required aspects to implement appropriate BCM governance;
- BCM Principles needing to be achieved and measured against;
- BCM roles, responsibilities and accountabilities.
Scoping the programme
Once you have defined the scope for Business Continuity (within the Policy), it is possible to review this scope and define the approach desired for the initial Business Continuity programme (i.e. whether it should initially cover a sub-set of the overall scope or whether it should cover the entire scope). This should take into consideration geographical locations, departments or business units as well as the different products, services and processes. It is also recommended to define what is specifically excluded from the scope of the programme so there can be no ambiguity.
Once the scope has been clearly defined, the remaining elements of the programme can be documented with a programme scoping document to assist establishing the framework for the programme, these should include:
- The objectives for this BC programme and what it aims to achieve;
- The measurement and success criteria for the programme;
- An initial Programme budget and the resources/people required to be involved;
- A communication plan for the programme;
- The roles and responsibilities for the programme resource;
- The programme governance structure and framework;
- How risks, issues and priority conflicts will be
resolved during the programme; how recommendations will be addressed and how
issues will be escalated.
Current state assessment
The chances are you already have some parts of Business Continuity already in place within your organisation, they are just perhaps known under a different name (Backups, emergency planning, incident management, Crisis management, etc.).
Once you have defined the scope for your Business Continuity programme it is practical to meet with (other members of) Management to identify, understand and review existing capabilities and existing weaknesses within these scope areas. These existing capabilities may be identified through reviewing historical internal/external audit reports, regulator reports, independent consultant reports/observations, discussions with (other) member of the management team or engaging with a consultant to assess the current capabilities.
Once existing capabilities and practices have been identified that could form part of the Business Continuity capability, these should be assessed to ensure they are appropriate, adequate and effective and a gap analysis conducted against best practice or recognised industry standards (such as ISO 22301/22313). This does not mean that you intend to implement the standard, but it will provide a solid industry-wide benchmark against which to compare yourself. Performing this will also help identify some immediate risks and issues associated with resilience and recovery that can be used for ‘quick wins’ and enable you to prioritise the gaps and/or weaknesses that need to be addressed in order to find the most appropriate remediation.
Another useful aspect to conducting a current state assessment is that once you have managed to define your baseline against an industry standard, you can identify those aspects that are most appropriate to your organisation, define and document a tailored BCM maturity model and then benchmark your organisations BCM against this in order to measure future improvements and enhancements.
Management & Maintenance
Business Continuity is intended to be a continuous process of improvement through a Plan, Do, Check, Act (PDCA) lifecycle:
- Plan/establish it;
- Implement & operate it;
- Monitor & review it;
- Maintain and improve it.
Business Continuity therefore requires on-going management and maintenance. This is where most organisations fail. They believe that having created a Business Continuity capability, the resources assigned to create it can be reassigned to other activities, resulting in the Business Continuity information and capability becoming out of date whilst other changes take place in the organisation (such as changes in staff, service or process priorities, technology, strategic changes, etc.).
The commitment required to the on-going management, maintenance and development of Business Continuity is just as important as the initial commitment required to commence the capability. Without this, the investment made to develop the capability may become wasted and the Management of the organisation believing they have a resilience and recovery capability that in reality is out of date, not fit for purpose and places the organisation at risk.
Therefore, defining and implementing the required and appropriately skilled/experienced resource as part of the BCM programme and establishing an appropriate governance and performance measurement system (metrics, key performance indicators, key risk indicators, etc.) is essential for maintaining an on-going BCM capability. Performance measurement will help retain control by identifying early warning signs of the Business Continuity capability losing its effectiveness by becoming out of date. These metrics and performance measurements should be aligned to the criteria defined within the BCM maturity model to correctly identify the level of maturity based on actual BCM management and maintenance activities.