To determine the relationship between Business Continuity Management (BCM), Disaster Recovery Planning (DRP) and Crisis Management, these first need to be defined. BCM is the process of planning for disruptive incidents so that any damage and down time resulting from the incident, will not have extensive impact on the business. In recent years, with the vagaries and uncertainties of the environment, BCM has become indispensable; some firms even see it as a form of insurance. They realise that with BCM in place, the business is likely to better survive operational disruptions and return to pre-incident operating levels, maintaining the company’s competitiveness and value in the process.
Disaster Recovery Planning is the action an organisation undertakes before, during and after a disaster, to protect the business from the fallout of an untoward event. Disasters can happen at any time, with little or no warning. Thus, DRP helps reduce potential damage to operations, and putting a DR plan in place helps the workforce prepare for eventualities. DRP focuses on detecting problems, instituting corrective measures and trying to prevent incidents from occurring in the first place. Preventive measures are one of the most important elements of any DR plan as they can identify, address and reduce hazards that confront the organisation, from an early stage.
Crisis Management is the anticipation of crises which could challenge the organisation, and planning how to deal with them effectively. It relates to action taken to deal with crises confronting the organisation in order to minimise damage, and enable quick recovery and reversion to normal operating levels. Crises can take several forms so firms should be prepared by envisaging or enacting different scenarios where crisis management will be necessary, when preparing a Crisis Management Plan. This is a document that outlines the processes and procedures to be followed in the event of a crisis.
It starts with a risk analysis, and usually includes directions on how to deal with internal and external stakeholders such as shareholders, employees, the media, the general public and the community the organisation operates in. DRP and Crisis Management are components of BCM and, therefore, share a number of commonalities- the main one being the planning process and mitigative action in the event of the occurrence of a negative incident. The move to put together a viable business continuity management plan, disaster recovery plan or crisis management plan starts with an assessment of the organisation’s risks and needs, then moves on to scenarios that may occur in the course of operations.
The incident management plan that is eventually drawn up, together with the list of people who will operationalise it, is the result of these analyses and assessments. With BCM, the business impact analysis (or business impact assessment) is imperative. When undertaking DRP, thorough research and assessment of the firm’s assets is necessary before an analysis of potential threats is drawn up. A major part concerns the recovery of IT systems and the preservation of data integrity, and how fast a business can get back online without extensive down time or loss of data. Even the shortest interruption could result in denial of service to customers, creating a negative impact.
Without an appropriate DR plan, a disruptive incident in today’s environment, such as a systems hacking or cyberattack, is likely to cause irreparable financial damage and loss of reputation, besides erosion of shareholder and stakeholder confidence. The firm could find itself in the spotlight for all the wrong reasons, and come under scrutiny by the regulators if it is found to lack a robust resilience framework. When an event does occur, the ultimate goal, with the application of BCM, DRP and Crisis Management, is to make the disruption imperceptible to those outside the organisation. DRP and Crisis Management are part of BCM and complement it.
BCM, as one of the components integral to maintaining the viability of an organisation which is contending with disruption, is designed to mitigate risk, and is therefore a risk mitigation component of ERM. ERM, with its holistic framework, supports DRP and Crisis Management at the organisational level via the BCM framework. Comprehensive BCM efforts will involve the setting up of a Business Continuity Management System (BCMS) that will allow the organisation to update, control and deploy plans in a structured manner, in the face of natural or manmade disasters, technological failure, damage to infrastructure, sabotage or acts of terrorism, or IT-related incidents such as data theft or cyberattacks.
Each one of these will need a different DRP or Crisis Management approach, although all of them require the application of BCM principles and tools. Acomprehensive BCM which integrates DRP and Crisis Management components is indicative of more than just the organisation’s determination to stay up and running regardless of circumstances.
It demonstrates that the organisation is well run; systems are well thought through; and regulations are being complied with. All this indicates competent, professional management and an effective, capable Board. Quick, effective response to a disruptive incident will always be well received, and be reflected in public support of the organisation’s brand and reputation. Organisations cannot be totally prepared for every kind of disaster that may affect them, but realising that such incidents may happen, and that it is in their power to respond and recover, will go a long way towards helping them stay alert and ready to deal with the challenges that will inevitably confront them.