'Fail to plan, and plan to fail' so the saying goes. Nowhere is this more true for organizations than when planning their response to the unforeseen or the unthinkable. Where organizations in the past concerned themselves with Disaster Recovery, today the focus has shifted to a more holistic approach, which is as much about prevention as it is about cure. This discipline is now called Business Continuity Management (BCM).
Here we examine the eight steps of Business Continuity Management, which can help organizations to confront and survive potential disasters. [1]
1. Secure Top Level Commitment
Board or executive level responsibility for BCM is vital to its success. This signals to everyone in the organization that BCM is an important process, and one which everyone needs to back. Without this support, implementing and activating the Business Continuity Plan (BCP) will prove very difficult.
2. Start the Management Process
Having secured top-level commitment for the BCM process, the next stage is to establish the right team to take ongoing responsibility for BCM. It can be useful at this stage to agree the following:
- budget
- timescales
- any regulatory, statutory and contractual obligations that need to be met
- what specialist help will be necessary (if any)
- which employees will make up a Crisis Management Team
It is also a good idea to have at least a rough BCP in place as soon as possible, just in case disaster strikes during the planning stage.
3. Identify Threats and Risks
The pace of modern business is such that a disruption of only a few hours can have a disastrous effect on an organization’s profitability and reputation. And it is not just full-blown disasters that cost organizations money – even seemingly minor incidents can prove costly.
So when putting together a BCM policy, it is important for an organization to analyze the threats and risks it faces. The types of risks and their likelihood will depend partly on the size and type of the organization and its location.
A helpful way for organizations to establish where particular risks or threats lie is to categorize them and then plot them as shown below. [2]
| | Internal | External |
|---|---|---|
| Technical/Economic | IT systems failure; Contamination; Industrial accident | Natural disasters; Utilities failure; Government crisis |
| People/Social | Product tampering; Malicious acts; Organizational failure | Terrorism; Arson; Industrial action |
Although all different kinds of organizations can be adversely affected by a disaster, some are at particular risk because of the nature of their business, or because of certain regulations imposed on them. In the UK, for example, these organizations include:
- Companies regulated by the Financial Services Authority – which requires such companies to continue to operate and meet regulatory requirements during any unforeseen interruption.
- Publicly listed companies – which need to implement the findings of the Turnbull Report on internal risk management. [3]
- Local Government and NHS Trusts – the Civil Contingencies Act requires them to develop a proper structure to handle emergency planning within their area. [4] [5]
4. Manage the Risks as Part of Risk Management
There are two aspects to every risk to an organization:
- the likelihood of it happening
- the effect it will have on the organization if it does happen
Having adequate insurance is important, of course, but this should not be the only method of addressing risk. Indeed, many organizations have discovered too late that uninsured costs such as loss of work to competitors, or damage to reputation, can far exceed insured losses.
Risk awareness should, therefore, be integrated into overall management procedures, so that it is given sufficient priority against other business requirements.
The ABC Method
The Department of Trade and Industry recommends what it calls the ABC Method for identifying physical risks to an organization. [6] This divides the organization’s environment into A for Area, B for Buildings and C for Content.
Take an organization’s premises, for example. The greatest risk may come from the area surrounding the premises. It may be close to a floodplain, or there could be a chemical plant nearby.
When managing risk, it is also important to consider what could happen within the building itself. Could it be vulnerable to fire, or sabotage? If occupancy is shared with another organization, what threats could their working practices pose?
Finally, what contents could be problematical? Remember threats can include theft, sabotage, pollution, or equipment failure. It is advisable to draw up a complete inventory of all contents and assets on the premises and to consider how vulnerable they are to these risks.
Once the risks have been detailed, a probability graph can be drawn up by charting severity of risk against likely frequency. This helps establish the risk any particular incident would pose to the organization, and whether the BCP should be activated, as shown below.
| Risk rating/probability | Effect on organization |
|---|---|
| Low severity/high frequency | Unlikely to disrupt key business functions or damage reputation |
| Medium risk | May develop into a crisis if not addressed quickly |
| High severity/low frequency | A catastrophe – activate the full Business Continuity Plan |
5. Conduct a Business Impact Analysis
As part of the BCP process, it is recommended that organizations carry out a Business Impact Analysis (BIA). The BIA aims to analyze what the critical assets and processes of the business are and the financial impact that the loss or destruction of some or all of these would have on the organization.
When carrying out a BIA, it is important to think in terms of functions.
- Primary functions – these are the business-critical functions, e.g. revenue generation. They may also include supporting secondary functions, without which the primary functions cannot happen.
- Secondary functions – these are functions which, while important, are not essential for immediate recovery.
- Tertiary functions – these are tasks which are valuable to the organization’s day-to-day functioning, but which can be suspended for several days if necessary without any lasting effect on the business.
6. Develop Strategies
If disaster strikes, it is important for organizations to have a clear idea of what their recovery strategy is going to be. This should include plans for:
- communicating with stakeholders, from staff to customers, suppliers to regulators
- off-site recovery needs, e.g. off-site storage for backed-up data, and/or data mirroring of the entire organizational IT network at a second live data center, second-line telecoms.
- which business units and functions should prepare their own recovery plans, and who should do this
- strategies for handling media interest
- location of an Emergency Control Center – typically this would be in a secure area, with good communications, workstations for the Crisis Team, 24-hour access and parking, toilet and refreshment facilities
Ideal timescales for recovery of key business functions should be included in any plans, together with possible alternative operating strategies.
At this stage of the BCM process, a variety of strategies and responses should be outlined, relative to whether a crisis would be classed as minor, intermediate or major. In the event of a crisis, this can help avoid under-reaction or over-reaction to the incident.
7. Developing and Implementing the Plan
Continuity plans will differ depending on the type of organization, but a thorough, effective plan should include the following features:
- it should be endorsed by the highest levels of the business
- it should be based on a full risk assessment and aimed at achievable recovery
- it should drive individual departmental recovery plans
- it should make clear who should do what and include deputies for key roles
- it should be easy to use and understand in a crisis situation – checklists are handy and jargon should be avoided
- it should give clear, direct instructions for handling the crucial first hour of the incident and what can be dealt with later
- copies of the plan should be stored offsite in case they can’t be accessed in a crisis situation
- responsibility and frequency for keeping all details of the plan up to date (e.g. staff changes) should be agreed
- it should plan for worst-case scenarios
- it should include information on key external contacts, e.g. local authority emergency planning department, emergency services, utility services, neighboring businesses, suppliers and customers and insurance companies
8. Test and Maintain the Plan
Once an organization is happy with its BCM process, it is important to test and maintain the BCP. It should be seen as a living document that has to be adapted and updated as the organization changes, in order to keep it relevant.
There are various options for rehearsing a BCP:
- Paper-based tests, where the plan is read through by a group who question each action, e.g. ‘Is it the right thing to do?’, ‘Is it in the right order?’. It is then helpful to ask questions about how a disaster situation might unfold, e.g. ‘What if the electricity supply failed?’. Any important scenarios that have been overlooked can then be fed back into the plan.
- Telephone cascading is a way of testing the communications structure of the plan. It involves sending out a test message without warning to everyone at the top of the telephone lists in the BCP. Each person, in turn, contacts someone below them on the list (hence the term ‘cascading’), with the length of time taken for the whole process monitored.
- A full rehearsal is the best way to find out whether a plan works as a whole, although it can be time-consuming and expensive to carry out.
All results, thoughts and feedback from any tests should be fed back into the plan.
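The telephone-cascade test above is easy to reason about as a call tree: each person rings the contacts listed below them, so one person who does not answer silently cuts off everyone beneath them. The following is an added example, not from the article or the DTI notes, that simulates a drill over a constructed call list, records when each person is notified, reports who was never reached, and flags the people whose absence would cut off the most others (where the plan needs a deputy or a skip-level fallback number). The names, the tree and the two-minutes-per-call figure are all constructed assumptions.

```python
"""Telephone-cascade drill simulator (added example; constructed sample data)."""
from collections import deque

# Constructed call tree: caller -> the people they are responsible for ringing.
CALL_TREE = {
    "crisis_lead": ["it_manager", "facilities", "hr"],
    "it_manager": ["sysadmin_1", "sysadmin_2"],
    "facilities": ["security_desk"],
    "hr": ["comms_officer"],
    "sysadmin_1": ["dba"],
    "sysadmin_2": [],
    "security_desk": [],
    "comms_officer": [],
    "dba": [],
}


def simulate_cascade(tree, root, call_minutes, unreachable=frozenset()):
    """Breadth-first walk of the call tree.

    call_minutes: assumed minutes per call; a caller rings their contacts one
    after another, so the k-th contact is notified k*call_minutes after the
    caller was. A failed attempt still costs the caller a call slot.
    unreachable:  people who do not answer; they are never notified and
    neither is anyone below them, because nobody else has their contacts.
    Returns (notified_at, never_reached, total_minutes).
    """
    notified_at = {root: 0}
    queue = deque([root])
    while queue:
        caller = queue.popleft()
        for k, contact in enumerate(tree.get(caller, []), start=1):
            if contact in unreachable or contact in notified_at:
                continue
            notified_at[contact] = notified_at[caller] + k * call_minutes
            queue.append(contact)
    everyone = set(tree) | {c for cs in tree.values() for c in cs}
    never_reached = sorted(everyone - set(notified_at))
    return notified_at, never_reached, max(notified_at.values())


def people_cut_off_by(tree, person):
    """Count everyone below `person`: the people left unnotified if
    `person` alone cannot be reached."""
    seen, stack = set(), list(tree.get(person, []))
    while stack:
        p = stack.pop()
        if p in seen:
            continue
        seen.add(p)
        stack.extend(tree.get(p, []))
    return len(seen)


def single_points_of_failure(tree, threshold=2):
    """People whose absence would cut off at least `threshold` others."""
    return {p: n for p in tree if (n := people_cut_off_by(tree, p)) >= threshold}


if __name__ == "__main__":
    for absent in (frozenset(), frozenset({"it_manager"})):
        times, missed, total = simulate_cascade(CALL_TREE, "crisis_lead", 2, absent)
        print(f"unreachable={sorted(absent)}: full cascade took {total} min, "
              f"never reached: {missed or 'nobody'}")
    print("single points of failure:", single_points_of_failure(CALL_TREE))
```

Run as a script it prints the drill outcome with and without the IT manager answering; the second run shows the whole IT branch going unnotified while the rest of the list completes on time, which is exactly the kind of gap a real cascade test should surface and the plan should close with deputies.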
Some organizations choose to use an external auditor to assess their plan. This can bring added objectivity, and can also highlight details that may have been overlooked.
Conclusion
Organizations have three options for confronting risk. They can do nothing, rely on insurance, or invest time and resources in BCM. For organizations that want to protect their assets, their people and their business, then BCM is the wisest choice.
References
[1] Department of Trade and Industry (1999). Business Continuity Management – Preventing Chaos in a Crisis [online]. Based on the DTI's Management Notes. [Accessed 14 August 2023.]
[2], [6] Power, P. (1999). Business Continuity Management: Preventing Chaos in Crisis [online]. Department of Trade and Industry. [Accessed 14 August 2023.]
[3] ICAEW (2005). Internal Control: Guidance for Directors on the Combined Code [online]. [Accessed 14 August 2023.]
[4] Civil Contingencies Act (2004) [online]. [Accessed 14 August 2023.]
[5] Continuity Central [online]. [Accessed 14 August 2023.]