When The Unexpected Happens
Business Continuity Management Keeps Everything Up and Running
Be Prepared - Whether an enterprise prospers and flourishes hinges in no small part on the continuity of its business processes. Preventing disruption to key business processes even when disaster strikes, and ensuring that such a contingency will not jeopardize the existence of the enterprise - this is what business continuity management (BCM) is all about. BCM serves to systematically prepare for managing incidents or disruptions and is part of enterprise governance systems for risk management. With BCM increasingly mandated by law or other regulatory frameworks, it is essential for enterprises to establish BCM practices.
The Phases of BCM
Business continuity management is carried out in a six-phase process that forms an ongoing cycle:
• Phase 1: Identify business processes
This step identifies the business processes that are critical to the company's success and therefore of relevance for business continuity management.
• Phase 2: Business impact analysis (BIA)
The BIA is a systematic investigation of the adverse impacts that can arise over the course of a disruption to business processes. Having pinpointed the impacts, a recovery time objective is defined for each process - the acceptable length of time to restore the process. The BIA also investigates which resources and services the processes rely on in order to function. The BIA results in a set of evaluated availability requirements.
• Phase 3: Risk analysis
Risk analysis investigates what threats the business processes and their resources are exposed to, and the probability that these threats will prevent recovery time objectives from being met - in other words, what probability there is that the maximum acceptable downtime will be exceeded.
• Phase 4: Planning and orchestrating measures
Wherever an unacceptable risk is identified, appropriate mitigation measures must be planned, decided upon and enacted. Measures can be either preventive or reactive in nature. They serve to secure the availability of resources, the objective being to prevent critical interruptions of business processes and the adverse impact that can result from such interruption.
• Phase 5: Create business continuity plans
Recovery following a major incident tends to be complex. Since such incidents occur only rarely in real life, the essential activities must be documented in business continuity plans in order to ensure everything runs smoothly.
One of the tasks in developing business continuity plans is to establish dedicated disaster response teams comprising management personnel and selected specialists. These teams are only activated in the event of a real-life contingency. Their task then is to restore business operation as quickly as possible and stage recovery (backup) operation to ensure the survival of the enterprise.
• Phase 6: Business continuity testing
Business continuity measures, particularly recovery procedures and resources, must be tested regularly to verify that they will work as intended in a real-life disaster scenario. The rehearsals also serve to train the staff who will be charged with particular roles.
Business continuity management is based on specially defined roles that are part of the enterprise organisation. BCM roles can comprise a multilevel structure such as the following:
• One BCM officer for the enterprise. Ideally, this individual belongs to a central department of the management board, or at least reports directly to the board. He or she develops and represents the strategic aspects of BCM to corporate management and coordinates all BCM activities.
• BCM officers in the organisational units: these individuals are the points of contact for BCM issues in the units they serve. They are responsible for all BCM-related activities within their units and ensure that BC plans are kept up to date.
Touch Points with Other Organizational Issues
Business continuity management is:
• An ongoing process which must be embedded in the corporate culture.
• An issue which cuts right across the enterprise, embracing every part of it. As such, BCM has interfaces with other enterprise processes.
In particular, due consideration must be given to the interdependencies with the following areas:
• Risk management
Risk management considers all the risks of the enterprise. BCM addresses part of the operational risks. Unlike general risk management, however, BCM also considers the chronology of a disruption or incident.
• Crisis management
Crisis management entails defining precautionary measures - alarm procedures, forms of organisation, systems and procedures which will come into operation in a crisis situation. The objective of crisis management is to prevent a crisis from compromising the company's ability to operate or to take and enact decisions; it also enables the crisis to be managed in a focused and coordinated manner.
• Health and safety
Health and safety embraces the technical, organisational and personal prerequisites which ensure safety at work for employees. Touch points between health and safety and BCM include the planning of appropriate measures to prevent emergencies, and designing how work will be conducted under emergency conditions.
• Information security management
The purpose of information security is to protect the availability, confidentiality and integrity of the enterprise's own information and the information entrusted to it by customers and business partners. Here, too, the objective is to prevent or limit the damage that can arise owing to undesired eventualities. Unlike information security, BCM does not consider confidentiality and integrity to be its goals - rather, it concentrates exclusively on the availability aspect. However, BCM takes a wider view of resources: it considers all the resources that are required for business continuity, not just information resources.
Business continuity management, custom-developed and designed, offers an organisation the security of knowing it is equipped to deal with disaster. The focus on critical processes and resources, and on risk exposure and probability, keeps the investment of effort to the level of what's necessary.