Who is responsible for business continuity management?
BCM has grown out of the need to provide IT disaster recovery. While disaster recovery has focused on IT systems and networks, business continuity management is broader in scope and encompasses crisis management combined with business resumption as well as IT resumption. Drilling down from this top level, it involves identifying key business functions and revenue sources, as well as the need to maintain the reputation of the organization as a whole.
Together, these factors make business continuity management the shared responsibility of an organization’s entire senior management, from the chief executive through to the line-of-business managers who are responsible for crucial business processes. Although IT remains central to the business continuity process, IT management alone cannot determine which processes are critical to the business and how much the company should pay to protect those resources.
It is important that business continuity management has the full support of an organization’s most senior committee to ensure the initiative does not stall. One member of this committee should be made the overall sponsor with responsibility for initiating BCM across the entire organization. With this top-level support, it should be possible to overcome the difficulties that will undoubtedly be faced in putting the plan together.
An overall BCM co-ordinator should then be appointed to report directly to the senior committee member responsible. This person is ideally someone who understands the business structures and people. They require good programme management, communication and interpersonal skills and need to be a good team leader. In addition, a budget must be allocated for the initial stages of the process. For larger organizations, matrix team management is the best method to approach business continuity management. The team will be drawn from existing managers within key divisions and/or locations.
It is expected that they will not be full-time members of the team but will need to dedicate appropriate time to the BCM process.
Business Continuity Management principles
The Business Continuity Institute recommends that the following principles are utilized when devising and implementing a BCM plan:
· BCM is an integral part of corporate governance
· BCM activities must match, focus upon and directly support the business strategy and goals of the organization
· BCM must provide organizational resilience to optimize product and service availability
· BCM must optimize cost efficiencies
· BCM is a business management process that is undertaken because it adds value rather than because of governance or regulatory considerations
· All BCM strategies, plans and solutions must be business owned and driven
Bearing these in mind, it becomes easier to develop your BCM plan.
Overview of the BCM life-cycle
There are five steps that should be followed when developing a business continuity management plan:
1. Analyze your business
2. Assess the risks
3. Develop your strategy
4. Develop your plan
5. Rehearse the plan
Due to the rapidly changing nature of business conditions, the process is not static but cyclical.
Once you have worked through and completed step 5, it is necessary to go back to step 1 and review the whole process again to ensure that any external or internal changes have not made elements of the plan redundant.
Analyze your business
This is the first stage of the business continuity management life-cycle as it is necessary to understand at the outset exactly where your business is vulnerable. You will need the fullest possible understanding of the important processes inside your organization and between you and your customers and suppliers.
This stage of the process will also help to gain the involvement and understanding of other people and departments, and to identify whether any parts of the organization already have plans or procedures in place to deal with an unplanned event.
Assess the risks
There are two aspects to every risk to your organization:
1. How likely is the risk to happen?
2. What effect will it have on your organization?
Business continuity management will provide a framework for assessing the impact of each one. Many organizations define their assessment in terms of cost. For example:
· How much could you afford to lose if an emergency prevented you from doing business for days, weeks or months?
· How would suppliers, customers and potential customers react if your business received adverse publicity because you were unprepared for an incident?
There are three ways to work with the information you have gathered to provide an assessment of the risks.
1. Ask ‘what if?’ questions.
2. Ask what the worst-case scenario is.
3. Ask what functions and people are essential, and when.