Unfortunately, recent events and the increased uncertainty of the world in which we now live mean that all organisations, whatever their size or nature, should take Business Continuity very seriously. However, although Business Continuity has been with us for many years, there is still confusion about what it is. Part of the problem is sorting out the various terms that appear to relate to the subject. Let's try to provide some clarification by defining the terms used in Business Continuity and explaining how they fit together.
Business Continuity is about dealing with major, possibly catastrophic, events that, although they have a very low probability of occurring, would have a potentially disastrous effect on an organisation and its ability to function. Although part of Risk Management, Business Continuity is different from Organisational Resilience, which is concerned with reducing, or mitigating, the risks arising from normal business activities.
The aim of Business Continuity is not to attempt to maintain all the normal activities of the organisation while resources are lost, but to focus on the activities that are key to the survival of the business. This is where Business Impact Analysis ('BIA') can be usefully employed. BIA is a rigorous methodology used to identify the most important products or services of the organisation and the critically important assets (people, processes, systems and external suppliers of goods and services) needed to keep them running.
There are a number of plans associated with Business Continuity. There is the Crisis Management Plan, sometimes called a Major Incident Management Plan. (This has nothing to do with the incident management term used in the ITIL methodology for IT services.) This plan relates to the initial actions that the senior management of an organisation should take when a potentially catastrophic event occurs. The initial actions are vital, as the wrong decisions at the start of an incident may severely jeopardise the organisation's recovery, the safety of employees and ultimately the reputation of the organisation. This plan establishes the responsibilities and critical actions needed to recognise, respond to and recover from a major incident. As every incident is different, the steps within a Major Incident Plan need to be flexible and generic enough to cover any type of incident, and not be tied to a specific scenario.
The Business Continuity Plan is about maintaining the key activities of the organisation when resources (physical, human or technological) are significantly reduced for a considerable period of time. It is only when these resources can be restored that the business continuity phase moves to the recovery phase and normal operations resume. This plan details how each operational unit should manage its prioritised services with reduced resources after an incident occurs. In larger organisations each department may have its own Business Continuity Plan.
Although a Disaster Recovery Plan sounds as if it should be a synonym for a Business Continuity Plan, it is quite different and is solely concerned with how quickly IT systems can be back up and running. Almost all businesses now rely on IT for their operation, and the potential loss of IT systems or data, including as a result of an all too common information security attack, should be a feature of a robust Business Continuity Plan. However, Disaster Recovery is a separate discipline requiring specific IT expertise, and its targets (how quickly a system must be restored and how much data loss is tolerable) should be set by the BIA rather than by the IT function alone.
Further Business Continuity decisions to be made
There are two further decisions to be taken once the business continuity plans have been written. The first is whether to test the plan by running an exercise. There is little point in writing Business Continuity Plans if they gather electronic dust on a shared drive or document management system. Realistic exercises not only validate the plan but also give those managers and staff with significant Business Continuity roles the opportunity to practise, and become confident in, those roles in a safe environment before they are called upon to deal with a real emergency.
The second decision is whether to seek certification against the ISO 22301 standard. To a cynic, the publishing of standards and certification against them has become a lucrative, self-sustaining business. However, the cost and time expended to obtain certification may be justified if it provides ready reassurance to customers and other stakeholders that the organisation has taken sufficiently robust measures to stay in business.
Business Continuity as a System
Although we often focus on the planning aspects of Business Continuity, organisations should consider a Business Continuity Management System to provide a framework on which to base Business Continuity Planning, one that proportionately reflects the risks and threats the organisation may face. This provides a continuous process, driven by a Business Continuity Strategy, which embeds Business Continuity best practice within the organisation. The strategy should include mechanisms for improving Business Continuity through audits, exercises and lessons learned from incidents that arise.
The Business Continuity Management System
Of course, an organisation's commitment to Business Continuity should not be a secret. Key to the success of Business Continuity in an organisation is buy-in from the most senior management. A good way of demonstrating this commitment, by senior management and the organisation as a whole, is to develop a Business Continuity Policy: a concise statement that informs employees, contractors, customers and other stakeholders of the organisation's and individuals' responsibilities. While the Business Continuity Plan may need to be confidential for commercial reasons, the policy should be made as visible as possible.