Business continuity management (BCM) is about identifying what your business can’t afford to lose – information, inventory, premises, staff – and planning how to maintain them if a disruptive incident occurs: large or small, natural, accidental or deliberate. But while this may seem a daunting prospect, determining your business continuity management strategy and response can be more straightforward than you might think.
Getting started with business continuity management
If you’re implementing BCM for the first time in your organization, you can kick-start the process by considering a handful of key questions common to any organization:
- What are your most important products or services?
- What activities and resources are critical to delivering them?
- What are the risks to these activities, and what is the likelihood of these risks occurring?
- In the event of disruption, how would you maintain these activities for a day? Up to 48 hours? For a week? Or more?
- What people, premises, technologies, information and partners would you need to do so?
Who is accountable for business continuity management?
You’ll need to appoint people who will be responsible for defining and managing your complete BCM program. Responsibility for BCM falls into three broad roles: sponsorship, ownership and custodianship. It’s vital to get management buy-in, and sponsors and owners should include your CFO, COO, CRO or CIO (or their direct reports), since business continuity is a financial, operational, and risk and compliance issue, not just an IT issue.
It’s also good to nominate one senior individual with ultimate responsibility for coordinating your BC program development and, at lower levels of management, to assign tactical responsibility for documenting and updating the plan and for providing training and awareness.
What is in a business continuity management framework?
There is no single best-practice approach to defining a BCM framework, since every organization is driven by its individual business requirements and constraints. However, common elements of a BC program include:
- Program design and deployment: Defining policies, standards and tools and assigning accountability for each key area
- Business impact analysis (BIA): Identifying and prioritizing business processes and dependencies, including critical applications
- Risk assessment: Identifying and prioritizing threats and failure scenarios
- Strategy design and implementation: Based on a cost-benefit analysis and findings from the BIA and risk assessment
- Documentation: Include what the response, recovery and restoration procedures are and who is responsible for each
- Testing, validation and continuous improvement: To ensure recovery solutions work before an actual event and spot problem areas
- Training and awareness: Include response/recovery team members, as well as other employees across the organization
- Compliance monitoring and audit: Ensuring adherence to policies and standards
Writing your business continuity management policy
While regulations and standards provide guidance on required areas of focus and suggested approaches, they don’t dictate content-specific items, formats or the level of detail needed in policy documentation.
A good BCM policy reflects the nature, scale, complexity, geography and criticality of your business processes, as well as their dependencies, the operating environment and your corporate culture. Include the potential limitations or obstacles you face, such as budget availability, time, manpower, regulatory aspects, deadlines and access to expert sources.
When to update and test BCM policies and frameworks
It’s a good idea for your business continuity-related documentation to be reviewed and updated at least annually. However, more frequent revisiting may be required to track changing risks, threats and dependencies in your organization, which are brought about by changes such as restructuring, entry into new markets or the implementation of new technology.
You should re-test your BC plan whenever changes are made to business processes, technologies, facilities, BC program membership or executive management, and whenever changes result from industry-specific requirements or from anticipated or planned events.