An Introduction to Business Continuity Management

While some organizations rely heavily on insurance to see them through a major incident, it is important to realize that this is not a fail-safe strategy. In fact, it is estimated that when a major incident does occur, for every £1 of insured costs, uninsured costs of up to £36 can also be incurred by intangible losses, such as management time, and adverse publicity. This is sometimes referred to as ‘the loss iceberg’, because the greatest threats or costs to the organization are hidden. [4]

These statistics send out a very clear message: BCM is essential, not optional, for organizations that want to safeguard their long-term survival.

The good news is that once in place, an effective Business Continuity Plan can reduce losses by up to 90%, should an incident occur.[5]

Who Needs BCM?

The terrible events of 11 September 2001 provided a stark reminder to organizations, large and small, about the importance of comprehensive Business Continuity provision.

In New York, global financial firm Merrill Lynch, with four large downtown offices, found that after the disaster it had 9,000 staff without any office space to work in.[6] Despite being several thousand miles from the scene, 58% of UK organizations were also affected by the disaster, with one in eight experiencing serious disruption.[7]

Even though the majority of incidents that organizations face will be far less dramatic, it is advisable for all organizations to turn their attention to BCM if they haven’t already done so.

What Should BCM Cover?

BCM should assess the risks, and plan for recovery, for every conceivable disruption an organization might have to cope with. Generally these threats can be broken down into:

• natural disasters – e.g. fire or flood
• technical problems – e.g. systems failure or power failure
• human error or incompetence
• acts of malice – e.g. terrorism, arson, computer viruses
• economic disasters – e.g. a stock market crash

Without proper BCM, such disruptions can result in:

• loss of contracts
• loss of reputation
• human resources problems
• higher insurance premiums

The ultimate worst-case scenario, of course, is that the organization will fail altogether.

What is the BCM Process?

You will find an in-depth eight-stage plan for BCM in our article 8 Steps to Business Continuity Management, but as an overview, BCM should cover the following five steps:

• analyze your organization
• assess the risks
• develop a strategy
• develop a Business Continuity Plan
• rehearse the Plan

One aspect of BCM that merits special attention is media management. The organization that fails to communicate well with its customers, suppliers, employees or the public in a crisis risks damaging its reputation amongst these groups. This in turn can impact on profits.

Worryingly, a recent Business Continuity Institute survey revealed that only 16% of companies have a Business Continuity strategy with provision for protecting their reputation.[8]

Simple measures such as providing key staff with media training, and preparing public statements in advance of any crisis can help to avert a PR disaster.

Who Needs to Know About BCM?

For BCM to work well, it should be supported and endorsed from board level down. Internal and external stakeholders should understand what the organization’s Business Continuity Plan is, what it aims to achieve, and what is expected of everyone if an incident occurs. If only a few people in the organization know what to do during an incident, and they happen to be unavailable, the organization will immediately struggle to cope.

Keeping Your Plan Up to Date

As an organization changes, its BCP should be updated. Typical examples where changes would be necessary are when an organization expands, relocates staff, moves to new premises, or adopts new IT systems or applications. For bigger changes, such as mergers or acquisitions, a complete overhaul of BCM processes is usually necessary. It is important to test and rehearse any Plan regularly, and always when considerable changes are made.

Conclusion

BCM is about understanding your organization and establishing what is vital for its survival. Even a seemingly minor incident can escalate into a crisis situation if it is not anticipated, recognized and dealt with appropriately. BCM costs organizations relatively little in comparison to the potential costs of dealing with a disaster without a Continuity Plan in place.