Business Continuity
Business continuity is the advance planning and preparation undertaken to ensure that an organization will have the capability to operate its critical business functions during emergency events. Events can include natural disasters, a business crisis, pandemic, workplace violence, or any event that results in a disruption of your business operation. It is important to remember that you should plan and prepare not only for events that will stop functions completely but for those that also have the potential to adversely impact services or functions.
What Does Business Continuity Include?
BC covers the planning and preparation needed to ensure an organization will have the capability to perform its critical business functions during emergency events. It identifies, plans for, and/or creates:
* How to communicate with customers, vendors and other third parties to ensure you are providing good information and support.
* How to ensure services or products can still be provided to customers.
* The order and timing required to restore business processes.
* How to support employees during an emergency event.
* The required technology to support the business functions (disaster recovery (or DR) will implement recovery solutions for technology).
* Workaround processes to use when technology is not available.
* Where and how to relocate people and processes in the event business locations are impacted or not available.
* The teams and organization that will be necessary to manage emergency events.
* Business process dependencies (what, or who does each business process rely upon in order to do their work).
* Regular exercises to validate that plans and actions meet requirements and will be functional in an actual event.
* Ensure staffing levels will be adequate during an event for both external and internal needs.
* Documentation of the steps and actions to take during an event to accomplish the items above.
The Anatomy of a BCM Program
At Adan, we have divided up the Business Continuity Management (BCM) program into four key dimensions:
* Program Administration
* Crisis Management
* Business Recovery
* IT Disaster Recovery
We believe that when these four dimensions are operating optimally, individually and in an integrated fashion, the BCM program will have an elevated level of sophistication, maturity, and capability.
Organizations may not be able to work on the four dimensions in parallel and effectively implement the components, but without implementing all areas, an organization will not truly be prepared. Many unexpected issues arise during a crisis event, too many to address ad hoc. If your organization tries to address the unexpected and perform critical actions on the fly during a crisis event, it will not be able to effectively and efficiently perform the tasks required for a successful recovery.
The BCM Team
A good BC program starts with a Business Continuity Management (BCM) team. The following individuals are the core members of the BCM team. They are responsible for implementing the policies and directing BCM efforts across the organization.
* Sponsor: The senior management individual with overall responsibility and accountability for the BCM program.
* The Business Continuity Manager: The individual with direct responsibility for the BCM program.
* Assistant Business Continuity Manager: The backup to the Business Continuity Manager. This could be a titled position or an assigned position.
* Administrative Assistant: The individual responsible for supporting the BCM team. This is often an administrative assistant working in the Business Continuity office, if it exists, or another individual from the administrative assistant team. ?
In addition to these individuals, representatives from business units and IT must be involved to provide input related to the development of appropriate recovery strategies for business and technology functions. From a functional perspective, the non-BCM staff members will perform the work of recovery preparation; the BCM team will provide guidance and support.
The BCM Process
To get started, consider performing the following steps. We have provided links to relevant MHA blog posts on these topics.
* Assessment: The first step to a successful planning process is to make sure that you have a thorough understanding of what is, and is not, critical to your organization. You can (and should) perform a Business Impact Analysis (BIA) and a Threat & Risk Assessment to guide you. Without understanding your organization's processes, how critical those processes are, and the threats and risks inherent in your operations, you cannot effectively develop appropriate plans and strategies.
* Business Recovery: The purpose of business recovery planning is to ensure that your critical business processes can be recovered in the event of an emergency. Your plan will document the actions, including temporary workarounds, that will be necessary to keep critical functions operational until IT applications, systems, facilities, or personnel are again available.
* IT Recovery: IT recovery planning refers to the development of plans and strategies for the recovery of your technology, including actions that will be necessary to restore critical IT applications and systems.
* Crisis Management: Crisis Management refers to a specific plan that details how your organization will manage a crisis event, as well as to an internal organizational unit (the Crisis Management Team) that will manage that event. ?
BCP is a living process that must be updated to reflect technological and organizational changes. An outdated plan that sits in a binder on a shelf is of little use in an emergency - and could actually do more harm than good if it doesn't accurately reflect current recovery processes or organizational structures. A critical question to ask
Do your disaster recovery IT capabilities align with the recovery requirements that your business units have identified? For example, if your production department needs to be up and running 24 hours after an event occurs to avoid significant penalties under a major contract, your IT team must be able to deliver on this requirement.
Start With Something Manageable
It might seem overwhelming at first, but identifying critical processes and applications, and implementing basic recovery strategies and plans are a requirement for any functional, and effective, BC plan. Your plan should include a basic organizational structure for your team, as well as necessary guidance and checklists for your business units, IT department, and the management team that will allow for quick response and action.
Even if you are unable to implement your ideas, just having a basic strategy in mind will provide much-needed structure in the event of an emergency. Remember, it's important to have something in place; perfection will be less important than structure in the event of an emergency. Remember, something is better than nothing; perfect is the enemy of good.
Want to know more about the benefits of Business Continuity?
Our experts partner with clients on corporate planning, providing perspective not only on immediate value and impact, but on long-term implications. We work closely with management and other advisers to leverage and complement their knowledge and ensure maximum impact, and actively support implementation and skill building.
