Business Continuity Management — Part 1
Business Continuity Management is a topic that should be of concern to any organization, whether non-profit or for profit, whether small or large, whether a startup or a well- established and mature business; it is basically an integral component to your Crisis and Risk Management planned activities.
This article is just my personal view on the topic, coming from hands-on experience in several settings & organizations and yes it is a topic very dear to my heart.
What is really Business Continuity?
Whether your organization is an international huge corporation or a government agency or a small business or even a simple nonprofit, developing and utilizing a Business Continuity Management Plan (BCP) protects all organizations and their personnel (employees and volunteers), raw materials, facilities, various physical assets and activities from the broad ‘bouquet of risks’ that face businesses today.
“Business continuity encompasses planning and preparation to ensure that an organization can continue to operate in case of serious incidents or disasters and is able to recover to an operational state within a reasonably short period.”
It seems that in this post 9/11 and post Katrina era, and in an era where globalization has created dependencies in possibly fragile supply chains, Business Continuity is now taken serious by most companies. Also IT vulnerabilities had added to it.
Unfortunately still companies fall short in terms of contingency planning, as managers those with little or no training in crisis management handle the initial response requirements and information needs, often exacerbating the status of an emergency situation and unintentionally creating new threats through genuine poor decision making and uncoordinated response measures.
Practical: Why should you do it?
A proper Business Continuity Plan should — in case of a grave emergency:
- Put you in a position to still be able to provision and sell your products and/or services
- Keep you financially afloat, since it guarantees revenue coming up and relevant cash flow
- Allow you to be in touch with the world, including your customers, via e-mail, website, etc.
- Keep customers engaged via social media, been able to get support and been happy
- Bill/invoice promptly and correctly your customers
- Track all the transactions: billing, accounting, shipping, etc.
FYI: According to the U.S. Centre for Research on the Epidemiology of Disasters, between 2000 and 2008, there were on average 392 disasters per year — and the average annual economic damage was $102.6 billion worldwide.
Is there an ISO for all these?
Yes, the ISO 22031. More details can be found here: http://www.iso.org/iso/news.htm?refid=Ref1602
The confusion between Disaster Recovery Plan + Business Continuity Plan.
Business continuity is basically about maintaining ideally all business functions ‘alive’ during a crisis- event, or at least quickly resuming/ restoring the most critical business processes.
Many people wrongly consider a Disaster Recovery Plan (DRP) to be the same as a Business Continuity Plan, but a DRP plan focuses mainly on restoring IT infrastructure and operations after a crisis which is actually just one small part of a complete business continuity plan.
The BCP looks at the continuity of the entire organization. Do you have a way to get HR, manufacturing, finance, sales, distribution and client support functionally up and running so the company can continue to make money right after a disaster?
The 3 Phases of Business Continuity: The 3 Rs
- Ready for any Emergency or Preventive Contingency Planning. You can also call it, Proactive Risk Mitigation or whatever else you like to. The basic idea here is to do everything possible in order to avoid any crisis or any short of business disruption. A BCP (Business Continuity Plan) together with the right corporate policies and any relevant agreements with partners and vendors might be all that you need. Your corporate risk mitigation might also include technical actions e.g. active data mirroring, backups etc.
- Respond to any Emergency or Active Crisis Management. This is the time where you utilize and put into practice all pre-established contingency plans that you have developed for such time and you have optimized through all your constant bi-annual business continuity testing. And the owner of the Crisis Management process is clearly defined and everyone, including the CEO will listen to him/her during the whole duration of the Crisis and Recover phases. This is not a democratic decision making time- sorry if it doesn’t sound right, but I assume you get the drift.
- Recover from any Emergency or Recovery/ Back to Normalcy. This is probably the most underestimated phase because people wrongly assume that they can return to their normal work space or they can just pack up and go. Your original building might not be there or accessible for a long time; for example, a simple carpet fire might make the work space unusable/unfit to work in, for close to a year. You really have to plan for the Worst Case Scenario- with NO assumptions as to what might go right and have well-defined contingency plans to quickly and effectively recover from the crisis and resume operations.
So, how do you develop a Business Continuity Plan?
- Start by assessing ALL your business processes, determining which areas are vulnerable, and the potential losses if those processes go down for a day, and for a week or even a month. That is called Business Impact Analysis.
- Identify the scope of the Business Continuity plan, the key business areas and all critical functions.
- Now identify ALL (inter-)dependencies between various business areas and functions.
- Identify vendors/ partners where some of these areas/ functions have been outsourced to.
- Determine acceptable downtime/ unavailability for each critical function.
- Create the right plan to maintain operations.
The management of business continuity falls largely within the risk management activities, with some cross-over into related fields (GRC) such as governance, information security and compliance. You need to have information and physical security in place for a good BCP.
Risk management is an important tool for business continuity as it provides a structured way to identify all possible sources of business disruption and assess their probability to take place and their level of potential ‘harm’.
Practical Tip: while creating your plan, find and talk to people in organizations who have gone through a disaster successfully. People generally like to share their “disaster survival stories” and the steps and techniques (or clever ideas) that saved the day. Their realistic hands-on experience- insights would prove only amazingly valuable in helping you to develop a sound BCP.
Business Continuity: Most Common Mistakes
- Inadequate Funding. BCM is really very expensive and most ignorant or optimistic executive teams cut the funding for it before its full implementation, or during testing, or during the maintenance needed for the subsequent years. Do you really think it is a good idea to underfund your crisis management mechanism? Well, some people do… Plans are frequently prepared at signiﬁcant cost, only to then be ignored, be poorly distributed, or be underutilized during an emergency.
- Ownership. There are 4 Levels of Ownership to be clearly defined:
- The Total Owner of the BCP
- The Partial Owners of the Business Continuity Plans for different functional areas: e.g. finance, warehousing, etc.
- The Owner of the Crisis and Recovery Management Process. Ideally it would be nice if the BCP Manager and the Crisis and Recovery Manager are the same person, but that does not have to; sometimes an excellent planner is not always an excellent Crisis Ops person.
- Everybody else is the organization!!! Plans should be established to ensure that all employees/ participants (in case of external parties involved), they do understand and are accountable for their own part within a Business Continuity Management Plan.
Ownership also implies that there is a sensible mechanism in place regarding who should own certain aspects of the plan, evaluate and update them, and even manage them during crisis moments.
- The Crisis & Recovery Manager.
Sometimes this role is wrongly given to an ex-military or police officer who has been hired to be the Corporate Security Officer or even given to the Facilities Manager. Of course if the person qualifies, no problem. FYI: Technically organizational security is part of the BCP.
What is important is that the Crisis & Recovery Manager is well chosen and he is fully in charge during the crisis and can veto any BCP committee decisions.Let me give you an example from sports: in sail races, the amount of time a boat spends to make one 180 degrees turn might win you the race — this is a crisis management situation where we the sailing crew, cannot discuss openly and democratically with the skipper how to go about it and when to do it.
Obviously if you hired a consultant to do the BCP for your organization, please make sure you don’t rely on him/her to be available during your organizational crisis.
- Management Support.
That should need no comment. Any Business Continuity Management Plan that lacks high- level management support is likely to fail from its birth. Let me say it in a different way: If you are having today your scheduled BCP Test, your CEO should be an active part of it and no executives should be left in the office drinking coffee and playing solitaire.
Support should cascade from the top downward in order for plans to be successful.
- Limited Scope
People seem to pay emphasis on how to survive an irksome sea of data disaster & recovery and of utilities interruption. But IT Continuity, which is properly addressed within the ITIL Framework, might be only 10% of your BCP functional area coverage.Semi- informal statistics from the 9/11 terrorist attack showed that companies who couldn’t recover their financial system and make payments within 10 days, they all went out of business (again this is indicative not an absolute rule of thumb).
- User Buy-In.
Make sure that all involved in your BCP- even vendors, understand its importance of it to you and also the importance of their role and contribution.
- Applicability/ Relevancy.
BCPlans should be constantly updated since both personnel and business processes change.
- Lack of Training of all employees and even 3rd parties/ vendors
- BCP not readily available/ accessible to all.
Brain-Teaser: ever wondered about if the Titanic disaster (the ship -not the movie) could have been avoided with the right business continuity plan?
“Almost a quarter of all companies are likely to declare a disaster in a five-year time period”. From: Forrester Research, Inc. “Wake-Up Call: You Aren’t Ready For A Disaster,” February 9, 2011.
A clear corporate agenda with measurable well-structured goals will enable the design, development, and ultimately maintenance of the BCP to be achieved more effectively, and with least frustration. The plan should be considered a living entity / tool that requires group support and buy-in throughout the organization in order to succeed when facing a crisis situation.
Time spent on business continuity planning is rarely wasted.
Spiros Tsaltas is a seasoned Technology & Operations Executive and Management Consultant; he is also a former University Professor (RSM MBA, CUNY, etc). Spiros has hands-on experience on setting up all sorts of Startups both in the US and in Europe. He is an active transformational leader and strategist who has also years-long experience with Boards of Advisors and Boards of Directors. He is currently assisting a couple of Ghanaian companies with the setup of their BoDs.
We welcome all your comments/ remarks/ feedback at Press@HireLoyalty.com
© 2017 Spiros Tsaltas and © 2017 HireLoyalty