Business Continuity Management (BCM) is critical to managing risk as it is the planning process for managing disruption-related risk. Besides providing a structured approach to managing risk within the organisation’s environment, it also offers a strategy to respond to, and recover from risk. This helps the organisation minimise damage and loss in abnormal conditions, and reduces the negative impact on business objectives. Having BCM in place assures stakeholders that the organisation is capable of managing adverse disruptions, and increases their confidence in its management. An organisation with effective BCM has a competitive advantage as it is capable of delivering when others cannot.
But what exactly does BCM entail, and how can organisations know that what they have put in place actually works? BCM is a wide term that includes crisis management, crisis communication and disaster recovery planning. It is a holistic management process for identifying threats to the firm and the potential harm arising from these, and developing the appropriate response plans. All this is done with the objective of increasing the organisation’s resilience in the face of business disruption, and to minimise or mitigate adverse impacts.
Generally, organisations should ensure that the plans they make are based on a sound understanding of what the firm actually needs – i.e., what matters most to the business, and what it depends on. This means a thorough understanding of the business is a prerequisite for the setting of BCM strategy, frameworks, policies and processes. The Business Continuity Plan (BCP) is the main document that will guide the firm in its response to disruptions. Following the BCP will allow the organisation to recover and restore its services, particularly critical business functions, to the level they were at before the disruption, or as close as prevailing conditions permit.
‘Critical business functions’ may be defined as the vital functions of the business, without which the organisation cannot survive, or does not have the capability to achieve its critical objectives. This may include maintaining its manufacturing capability or the ability to deliver its services. Today, businesses face not only threats to the continuity of their processes but also to their infrastructure, in particular their IT infrastructure. Most businesses today have an online presence; under pandemic conditions over the last two years, many have come to depend heavily on secure, reliable infrastructure like payment gateways and confidential data capture systems.
Organisations could be adversely affected if systems like these are breached or compromised. BCM therefore includes disaster recovery planning (DRP) for IT disruption. This emergency response plan covers the processes and procedures which enable the organisation to respond to system breaches or hacking incidents which compromise their electronic networks and cripple their business and IT applications, severely inhibiting their ability to carry on business as usual. BCM also covers Business Continuity Planning (BCP), which will allow the organisation to carry on business functions despite being in a state of disruption.
Crisis Management (CM) – the overall coordination of the organisation’s response to a crisis effectively and in a timely manner – is another component of BCM. With so many factors to consider simultaneously, BCM can feel overwhelming but it is worth noting that implementing it actually follows a logical sequence of activities which are grouped in stages, with each stage making use of the others. The progression of these stages is called the BCM lifecycle. It starts with the Business Impact Analysis (BIA), then moves on to Risk Assessment, formulating BCM strategy, planning and implementation. These are supported by training and awareness, and conclude with Testing.
Test results then go into the next round of BIA which should incorporate the findings for further improvement of the BCM process. Organisations need to develop a detailed, structured approach – the BCM framework – that integrates BCM lifecycle elements into its key deliverables, such as raising awareness and developing competencies through communication, training and exercises; identifying critical business functions; estimating resource requirements; implementing solutions; and conducting regular testing and review of plans in place. As the purpose of all this is to prepare the firm to cope with major disruption, BCM plans need careful auditing for correct implementation and effectiveness.
This increases the quality and consistency of the response to the disruption; stakeholders, board and management need assurance that the measures put in place will work when required. Auditors thus need to make independent and objective assessments; gaps identified must be carefully documented, and test results reviewed and analysed so that remedial actions can be taken if mechanisms and resource allocations need adjustments or reassessment. BCM is intended to be for the long haul. Its measures should reduce the organisation’s vulnerability and improve its capacity to manage crises. The implications of these are serious, so what should auditors look out for?
The auditing required will depend on the risks involved, the organisation’s requirements, and the availability of audit resources. A BCM audit is an independent examination of a firm’s BCM plans, procedures and documentation, to assess compliance with specifications, standards, contractual agreements or other criteria as determined by the organisation. Audits start with the assessment of current operations to gauge if they are fit for purpose, and in most cases lead to the reviewing of the quality of decision-making and communication of senior management. Auditors are often called upon to evaluate the thought processes of planners to determine if plans match requirements.
The audit checklist should include the scope of the audit. Frameworks, policies, processes and procedures should be clearly aligned to the firm’s objectives; the audit should validate if these will aid the organisation in completing its critical tasks in the event of disruption. BCM activities must meet certain standards to be effective, and audits should objectively give feedback on what needs improvement. Roles, responsibilities and accountability need to be clearly defined, and when all audit procedures are complete, an audit opinion and final report should be prepared. These findings should be communicated to the relevant personnel.
BCM is not a one-off exercise that ends with documentation that is neatly filed away. It changes as often as there are changes in the environment in which the organisation operates; it is a process of continual assessment, updating and fine-tuning to ensure that the firm can meet the challenges of a dynamic environment. Contingency arrangements have to be made; staff have to be trained to operate effectively in times of disruption; and everyone should be aware of who does what when an event happens. The BCP, too, needs to be tested for efficacy and robustness; and when all components are in place, go over everything again – just to make sure that it will all function when disruption hits.