As a form of crisis management, business continuity management (BCM) has evolved since the 1970s in response to the technical and operational risks that threaten an organisation’s recovery from hazards and interruptions. All business ventures have hazards and disruptive factor with which to contend. All manner of disasters can and do happen which can lead to loss of confidence by clients and customers further compounded by the fact that competitors may take advantage of your misfortunes. Often production and even data systems would have been disrupted leading to huge losses for stakeholders, employees and even to the community.
BCM not only ensures the survival of your company, but also helps protect the reputation and value of your organisation. It specifies the requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system. The aim is to protect against, reduce the likelihood of occurrence, prepare for, respond to and recover from disruptive operational incidents when they arise.
ISO 22301 defines BCM as “a holistic management process that identifies potential threats to an organisation and the impacts to business operations that those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capacity for an effective (business continuity) response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities”.
Thus, BCM is an on-going management and governance process supported by senior management to ensure that the necessary steps are taken to identify the financial and other impacts arising out of operational disruptions. It identifies and mitigates relevant BCM risk, develops resilience, and maintains viable recovery strategies and plans, while ensuring continuity of products or services.
Today good business continuity management is not about being forced into taking action to address external pressures. Rather it is about recognising the positive value of business continuity good practices being embedded throughout the organisation. For this to be successful, risk professionals have to ensure there is an enterprise-wide perspective with the full support and commitment of the management. All individuals must be aware of BCM risks.
This is because BCM identifies relevant hazards and the steps to be taken to treat such risks in a manner that makes the organisation resilient to events or conditions that cause operational disruptions. Further, it develops strategies to continue the operation of the organisation’s functions and keeps staff trained and ready to follow the detailed plans to implement the recovery strategies. However, for this to materialise the framework for the business continuity management system (BCMS) must be established.
BCMS is a management system that relates to policy, planning, improvement, performance assessment and any other processes relevant to the organisation. It broadly focuses on understanding the corporate requirements and incorporating these into the business continuity policy and objectives. BCMS focuses on designing, implementing, managing and maintaining an organisation’s overall capability to manage disruptive incidents before and during periods of operational disruptions.
Several incidents illustrate the importance of BCM and the effects of disruption on businesses. The biggest would undoubtedly be 9/11 which brought down the Twin Towers in New York, USA in 2001. At the same time, the Pentagon, the seat of the US Defence Department was attacked and an aircraft was hijacked that eventually saw the loss of all lives on board. More than 3000 lives in all were lost.
It has been estimated that the attacks on the World Trade Centre and the other related incidents, cost in the region of USD3.5 trillion. Some companies lost key personnel, while others had their infrastructure destroyed as well. While perhaps nobody could have predicted an attack of this nature, despite the trauma and tragedy and loss of lives, business went on as usual. A number of companies housed in the Twin Towers had alternative sites – which were immediately activated. Disaster Recovery plans, emergency response protocols and crisis management strategies were also activated. Companies which had robust and properly tested BCM’s in place dealt with the disruption, amidst the tragedy, and resumed business within a short timeframe – minimising potential loss of business, customers, and value.
Even currently, business continuity and disaster recovery plans often go overlooked or neglected. Lack of support from management is a frequent problem because BCM planning can be expensive and provides no immediate ROI. It is often compared to buying insurance – investing in something you hope you will never need. However, it does not have to be that way.
A recent rise in cyberattacks, the ever-present threat of extreme weather and the possibility of outages and failures (example British Airways IT failure of 2017) that left thousands of holidaymakers stranded at Heathrow and Gatwick airports that serve London is a case in point. Apart from financial loss to the airline, dependent partners like hotels, tour guides, car rentals and even important business meetings were all losers. While BA had a BCM plan of action, it did not really work as nearly 400,000 passengers were the innocent victims, as something went terribly wrong.
Ensuring BCM in times of disaster is essential, and the faster, the better. Any downtime is considered unacceptable, so the top priority is getting things up and running quickly. Airports are common targets of terrorist agents, but with contingency plans and alert risk managers knowing exactly the plan of action, such terrorist threats can be mitigated to a certain extent.
What conclusions can be drawn from all these disasters and their after-effects? Being prepared for any eventuality is key to survival, renewal and new beginnings. The importance of BCM cannot be understated or down played. It is a subset of Enterprise Risk Management (ERM) and goes hand in hand with corporate governance. Organisations should strive to ensure the implementation of robust objective centric approaches by appropriately qualified Risk Professionals properly supported by BCM professionals who understand the relationship of BCM to ERM and Corporate Governance.