What is Business Continuity Management?
Business continuity management (BCM) identifies potential threats to an organization and the impacts of those threats. It also works to identify and quantify those risks and match them against available budget and resource constraints. Many issues can threaten a company: from global pandemics to utility outages to cybersecurity. Having an effective BCM plan in place can help organizations survive.
Having a comprehensive, effective — and most important — realistic BCM plan can be daunting. Let's look at some steps you can take to create your BCM plan.
What is Business Continuity Management?
When people think of business continuity, they tend to think about redundant servers, highly available networks, and geographically diverse systems. Business continuity involves how to keep an entire business running smoothly during various catastrophes. This involves how people, processes, and systems continue to work under adverse conditions.
That does not happen on its own. BCM aims to help assure continuity under predefined conditions or circumstances. Not all situations or scenarios are economically feasible to protect against. Many times there are strict budgetary constraints. With that said, poor BCM can lead to huge financial losses for businesses if they do not plan accordingly.
BCM helps to provide effective responses that safeguard business needs — primarily those of major stakeholders. That may be the CEO who needs to report to the board of directors and possibly stockholders. It could also mean a vice president of operations who prevents the business from getting penalized due to service level breach. Many businesses have assets that need to be protected as well to ensure their value. A large equipment manufacturer may have expensive machining tools and products made from them. BCM can help determine procedures for securing them during such events as hurricanes or floods.
Over time, as disasters, pandemics and other business risks that affect business continuity happen, it becomes apparent which businesses are prepared and which ones are not. This can affect a business reputation. If you are constantly unable to deliver due to various risks but other companies are able to, clients will slowly migrate to those that are more stable.
Why Should I Care About BCM?
Typically there is an order of priority for why an organization cares about BCM. Many times it comes down to regulatory compliance. If an organization is under one that requires it, it is the end of story and required to retain the certification.
The more common scenario is that a larger client tends to require it to do business with them. They have a vested interest in the success of their vendor and want to ensure they mitigate risk of having a vendor unable to fulfill their contractual obligations. Contracts where clients require this tend to be lucrative and warrant the requirement but they also carry a bit of overhead if you do not currently have BCM implemented.
Other times, it may be required by insurance. When an organization has insurance and/or is bonded, the insurance carrier may require BCM to help minimize risk. The particular risk in this case is non completion of job due to lack of business continuity.
Reputation is another factor. Perhaps clients and insurance of an organization does not require BCM. In other cases an organization may elect to do this anyway for their reputation. Companies that have BCM in place are likely to do much better during disasters as they have already planned for certain events.
How to Create an Effective BCM Plan
The most effective BCM planning starts with the right people. It starts with stakeholders, or people with a vested interest in having business continuity. They can help come up with the wish list. Employees from various disciplines within the organization need to be involved. They will have intimate knowledge of the key systems and business operations. They may also be the people activated during a response.
For example, IT infrastructure redundancy is usually a big part of BCM so it is important to involve someone from It. Computer system redundancy may need to be planned and implemented. There may be some manual failover processes during an event. Another big one is how will people work, can they still go to the office. Do they need shelter and still be able to work? Typically a VP of Operations will need to be involved for that part of it. It may be a matter of procuring generators for the building.
With all of this planning, budgetary constraints are usually a big factor in what gets implemented so finance usually needs to be involved to some degree. This can help narrow down the planning. They may have an initial budget in mind or give a budget range. This helps to avoid wasting time with grand plans that the company would never afford.
In these meetings, various threats or incidents should be discussed. A business impact analysis of each should be done to determine risk to business continuity. At this point it may be appropriate to put a price to each threat as to what it might take to mitigate or avoid. This can be helpful for management to decide which risks to address. They may opt for low hanging fruit that makes the most impact with the least spend. Other times budgets are a bit more healthy.
The best laid plans, unfortunately, do nothing if they sit on a shelf and are never read. It is important to periodically review and train so that during an incident, the response is properly triggered and that employees know what to do or where to look for the processes. There are many other reasons this is important. Plans may need to be updated. Staff that has changed but is a key component may need training for the first time. That may be a replacement hire or someone who simply changed roles or departments.
BCM is very important to be valued from the top down. This should be a goal or project that management is behind and expresses the importance of. Without their support, it will never work. Once they support it, employees will feel enabled to carry it out and it can be ready for success.
Important Things to Keep In Mind When Creating a BCM
When creating a BCM, there are some very important things to keep in mind. Scope is extremely important. It is very easy to get on tangents or rabbit holes in this planning. As you start thinking about one thing, another pops up that is related. A well defined scope helps keep BCM planning on track. The scope will define which risks management has deemed valuable and important and possibly the budgetary or resource constraints under which it could be mitigated. Many times the scope is limited to the least required resources used to keep the business running during an incident.
A very important but often overlooked priority is what do employees do and where do they go. Who will reach out to employees and notify them in the event that the building is unable to be accessed or is unsafe to do so. What method of communication will be used to ensure everyone is contacted. Where do employees go? Should they stay home or should they seek safer locations like a hotel in a safer area. Are there employees that are required to stay behind and try to mitigate a facility issue such as power.
Continual training is extremely important so that these types of issues can be addressed. The reality is many of the BCM plans will only have to be enacted once in a very long time. Training is a way to work through the issues before the plan has to be acted upon. This allows for review and improvement of the plan.
BCM can seem overwhelming at first, particularly so if it is your first time going through the process for the organization. It is important to break it down into its pieces and address those. You may not be able to knock out the entire BCM planning in one session and that's okay. Just ensure you bring the right people to the table and have the backing of management on it. When you think you are done, do not forget that you are not. Keep up the training and continual review and testing processes to improve it.