Business Continuity is defined by ISO 22301 and ISO 22313 as the capability of an organisation to continue delivering products or services at acceptable levels following a disruptive incident. Business Continuity Management, BCM, is the ongoing management and governance process undertaken by an organisation to ensure that the necessary steps are taken to identify the impact of potential losses, manage risk, develop resiliency, maintain viable recovery strategies and plans, and ensure the continuity of products and services through exercising, rehearsal, testing, training, maintenance and assurance.
Business Continuity focuses on keeping the business operating; BCM encompasses a lot more, including Disaster Recovery, which focuses on getting technical infrastructure up and running after an operational disruption; and Crisis Management, which focuses on managing the disaster event. An organisation’s BCM programme is a management and governance process supported by top management and resources to implement and maintain BCM throughout its life cycle, from planning to crisis activation. BCM has grown in importance in recent years; the pandemic has raised its profile and spurred its uptake.
Organisations are seriously revisiting their BCM strategies and analysing business impacts in the wake of the pandemic, with particular focus on trends in the new normal; many have also increased investments in technology to support their revamped BCM programmes. Typically, a BCM programme encompasses programme administration, governance, Business Impact Assessment (BIA), continuity strategies and requirements, training, testing, evaluation and programme maintenance. It usually starts with the identification of the scope of the programme; the formation of the team which will undertake it; and the conducting of a BIA.
Only then can the organisation develop a customised plan, taking into consideration the practical guidelines and benefits involved, and the roles and responsibilities of managers. Quite a number of firms, particularly SMEs, may not have a full BCM programme in place; they may instead have elements of it. But – as demonstrated by the Covid-19 pandemic in recent times – it may not be enough to carry them through a disruptive event even if it covers the recovery process. The impact on business growth may not be immediately apparent, and could even be long-term, as the organisation may only later discover, to its detriment.
Bearing this in mind, an organisation wishing to increase the effectiveness of its BCM programme may want to consider other factors when implementing frameworks, policies, processes and procedures. It is worth noting that BCM is not the recovery of the organisation’s business processes and functions simultaneously in the wake of a disruption. It is a process, not a one-time event; it therefore involves a change within the organisation. To make it more impactful, those undertaking its implementation could start with raising the awareness of the risks which confront the organisation, across the firm.
Every employee should know that there are business continuity risks in the position their organisations are currently in, and needs to be trained in how to identify and manage them. In today’s environment, risk identification has become complicated, and can range from actual worksite accidents to natural disasters, cyber risk and even personal social media exposure. Because it is to be applied across the organisation, BCM should thus be approached holistically. Interdependencies should be addressed, particularly when coordinating, planning and testing; this helps to identify grey areas which may be emerging risks, and helps create organisational flexibility.
A flexible organisation is capable of reacting to adverse situations more quickly and effectively, helping to limit damage to operations and reputation, in many cases. Participation of senior management is essential to support this move towards flexibility; their perspectives, insights and input are crucial. There should also be an appropriate tone from the top to encourage take-up of BCM activities among all levels of staff, and sharing of information to speed up understanding and mitigation of risks. Risk professionals who are looking to elevate BCM should demonstrate that it creates value beyond just managing untoward events.
They can show how applying the methodologies involved actually support organisational growth and competitiveness, and how this could put the business in a better, more resilient position to convert opportunities. Besides this, BCM frameworks and systems, when properly implemented, are likely to identify pain points for the organisation, thus preventing unpleasant surprises. From this perspective, the testing and exercising of the plan is critical, and should thus be undertaken diligently as it serves as validation of the processes put in place and as an assessment of effectiveness.
Of course, putting a BCM programme in place is not easy despite the many frameworks, guidelines and manuals that are available to organisations which are serious about doing better. In fact, this may be one of the reasons that businesses tend not to put it on their list of must-haves, according to researchers. Another reason may be that it does require a certain amount of time and resources to be invested in mitigating risks stemming from events that may or may not happen – so businesses may be reluctant to invest in such programmes as they are unable to see immediate returns.
But statistics have shown that 75% of businesses which have no BCM actually fail within three years of a BCM incident – so it does make sense to have it. The organisation’s stakeholders can benefit from BCM programmes, as the data that is collected in the process can be leveraged to their strategic and tactical advantage. Sharing data helps build good relationships and facilitates the governance process, among other things. While it is not possible to identify and plan for every single threat that confronts the business, BCM allows firms to approach challenges from a multitude of angles, thereby supporting their efforts to build resilience.