Business Continuity Plan: Your Ultimate Guide
Business continuity focuses on keeping the business operating. The importance of managing business continuity has risen in recent years; the Covid-19 pandemic and its aftermath have brought it further into the spotlight, and demonstrated why processes and procedures that enable an organisation to respond to events lasting for an extended length of time are crucial to the survival of the business. Technology has always been instrumental to business operations, but organisations have stepped up its use to improve their business continuity processes and management, to keep up with changing regulatory expectations, and to increase interaction and engagement with stakeholder groups.
Business continuity planning (BCP) is a project to build the Business Continuity Plan while Business Continuity Management (BCM) is the process of maintaining and operating the BCP. BCM includes regular testing of the Plan, and the maintenance and updating of related documents. Effective BCP needs to take into consideration the prevailing standards, guidelines, regulations and legislation. For example, official national or international standards and guidelines issued by accredited standards bodies (such as the International Standards Organisation, ISO) or authoritative organisations (eg: the Business Continuity Institute (BCI) or the British Standards Institute, BSI) may be used as a reference.
Companies will need to follow mandatory rules or audited guidance documents according to their industrial sector. Laws and regulations may already exist in certain jurisdictions which specify and imply requirements for BCP. These requirements may vary by industry sector, geographical region or country, and affect the development, focus and execution of BCPs. Government laws which include aspects of BCM will also apply. Regulatory requirements and changes need to be reviewed and updated on a regular basis to ensure that they continue to comply with the required legislation and regulations. But what actually goes into a BCP?
At the very least, it will need to have a Recovery Plan which details how the organisation will respond to and recover from an incident. Individual responsibilities will be outlined, as well as the location of an alternative facility and timeframes for the recovery process, together with the resources which will be required. The BCP will also include a Crisis Management Plan and a Technical Recovery Plan. The Crisis Management Plan will detail the steps to be taken when an incident first occurs, while the Technical Recovery Plan will describe how individual business units – IT, accounting, processing, back-up centres etc – plan to recover.
The location of these Referred Procedures, i.e., the list of all BCPs (according to business unit), must be accessible at all times, either in the office or at offsite locations. Other information to have at hand will be contacts of all employees, contractors, suppliers and support organisations whose assistance will be required during the different phases of the incident. The BCP should also state the minimum resources required to establish the crisis centre, as additional resources are usually crucial to the resumption of the business in the wake of any untoward event. When setting up the BCP, understanding business processes and relevant regulations is therefore key.
The first step will be to identify the scope of the plan. Secondly, a business continuity team should be formed; a business impact analysis should then be conducted. These first three steps are necessary before the organisation can draw up the plan. The areas which need to be covered are:
- programme administration
- business impact analysis
- business continuity strategies and requirements
- training, testing and evaluation
- programme maintenance.
The purpose of the plan, its scope, goals and objectives, evaluation methods and estimated costs need to be stated. The governance area will detail the formation of the business continuity team; their designations, roles and responsibilities; lines of authority and succession of management; and external entities which the business will interact with when implementing the BCP. Business impact analysis results must be documented in detail so that the organisation’s vulnerabilities and potential impacts on operations may be identified. The organisation will thus be in a better position to evaluate and determine its state of readiness and responsiveness in the event of an untoward incident.
Two important items to highlight in the business impact analysis are the Recovery Time Objective (RTO) and the Recovery Point Objective (RPO). All plans, measures, procedures and preparations, resources and other requirements integral to the implementation of the BCP must be documented in detail under business continuity strategies and requirements. This section covers the strategies for before, during and after the event, and must include prevention and control measures such as setting up off-site, back-up or alternative facilities for servers, storage and warehousing, for instance, and installing physical protection facilities such as emergency generators.
The scope of a BCP is extensive, and should therefore include a training component for the business continuity team members and others who may be involved in its execution. Testing of the BCP itself must cover the procedures for recovery and response. The plan needs to be easily understood by anyone who reads it, from employees at the lowest level of the organisation to members of the board. When updating the document, there should be a ‘lessons learnt’ component and a historical reference to show how the process was managed, and how it can be improved. How the organisation will communicate internally and externally also needs to be written into the plan.
The plan will need stringent exercising and testing. This will validate the effectiveness of the strategies which have been put in place, and the accuracy of the information. It helps increase the preparedness of the individuals who are expected to execute it, and pinpoint the areas requiring attention or improvement, as well as any instruction gaps or missing information. The primary objective of exercise and testing is to ensure that the plan works when it is needed. In an exercise, failure is beneficial as it shows the areas that need improvement – before a real incident occurs.
But what kind of untoward events can be expected, in an environment that is already rife with uncertainty and experiencing disruption? Countries may be slowly reverting to normal in a post-pandemic environment, but there are still natural disasters such as landslides, earthquakes and tsunamis that may add to the complications of recovery. Bad weather brought on by climate change may delay recovery schedules. With the increase in IT use, the threat of cyberattacks has grown exponentially. Floods, fire and acts of terrorism cannot be discounted. Even minor incidents may have extensive repercussions and negatively impact production, thus affecting the schedules of other firms.
A well-thought-out and documented BCP will have clearly defined steps that allow for execution in a consistent and orderly fashion, with everyone knowing what to do, and when and how to do it. Companies should review plans at least quarterly; conduct role-playing sessions so that the persons responsible may familiarise themselves with their roles; and simulate possible disaster scenarios. Full simulations should be run at least annually, and dry-run training should document errors and identify inconsistencies for correction and improvement. A BCP is like an insurance policy: an absolute necessity which you hope you will never have to use!