Recent research conducted in association with the Institute of Management suggested that business continuity management (BCM) issues were regarded as very important by 41% of senior managers, with a further 34% considering them to be important. But this represented a drop in board level interest of 8% on the previous survey. Perhaps the success of Y2K compliance projects permitted a complacency to creep in, when our abilities as a nation to deflect the negative impact of non-IT events such as last year's fuel, rail and flood crises, would suggest that we should embrace BCM more keenly than ever before.
All too often, BCM is regarded as a grudge purchase, another joyless task the board must address in order to keep the auditors happy. Rarely does it seem to be considered as a dynamic, interesting and evolving process that is part of the lifeblood of the organisation. With the right attitude, BCM becomes more than business best practice or good corporate governance. It becomes something that can contribute to profitability, share price, market confidence, commercial success and long-term business availability.
If this sounds too good to be true, consider the drivers affecting most organisations today:
This being so, what do organisations require? Presumably, the ability to keep the auditors happy, effective operational and financial risk management, enterprise-wide availability, and customer and staff loyalty.
With disasters happening all around, from unexpected sources, can any organisation afford for BCM to be its weakest link?
The following rationale is taken from Business Continuity Management: A Strategy for Business Survival. The BCM process encompasses the entire business – not just IT, the domain within which activity and responsibility for in this area tend to lie. BCM enables management – from the top down – to improve business resilience in general terms as well as response during times of crisis. And to be effective, the board's endorsement is the first stage in implementing a successful BCM process.
So why bother with BCM? Much as they would like, modern organisations cannot avoid all forms of corporate risk or potential damage. A realistic objective is to ensure the survival of the operation by establishing a culture that will identify and manage those risks that could cause it to suffer: an inability to maintain customer services; damage to image, reputation or brand; failure to protect the company assets; business control failure; or failure to meet legal or regulatory requirements.
BCM provides the strategic framework to achieve this objective – a start-point that, once endorsed, can be filtered throughout the business to different areas of operation for a truly holistic approach to be taken.
Five steps to BCM
BCM is not just about disaster recovery, crisis management, risk management or IT. It presents the opportunity to review the way your organisation performs its processes, to improve procedures and practices and increase resilience to interruption and loss. To quote the Business Continuity Institute: “BCM is the process of anticipating incidents that will affect critical functions and activities of the organisation, and ensuring response to any such incident in a planned and rehearsed manner.”
Contrary to popular belief, BCM is not a one-off project, but a phased process consisting of five main steps:
1 Understanding your business:
The key stage for any BCM process is taking stock of what it does, how it does it, what is important to business success and what weaknesses exist that could hold it back in normal operations and impede recovery in crisis situations. Using business impact and risk assessment, you can identify the critical deliverables and enablers in your business, evaluate recovery priorities and assess the risks which could lead to business interruption and/or damage to your organisation's reputation.
2 Continuity strategies:
Once analysis is complete, the next stage is to evaluate available resilience and recovery strategies against corporate and recovery objectives. Thus, you may determine the selection of alternative strategies available to mitigate loss, assess the relative merits of these against the business environment and their likely effectiveness in maintaining the organisation's critical functions.
3 Developing the response:
This is where you implement decisions made as a result of stages 1 and 2, improving the organisation's risk profile through improvements to operational procedures and practices, by implementing alternative business strategies and using risk-financing measures.
4 Establish the continuity culture:
Board endorsement is a critical success factor for BCM, and so is getting the rest of the organisation to understand its importance. This stage introduces the BCM process by education and awareness to employees, customers, suppliers and shareholders.
5 Exercising and plan maintenance:
Ongoing plan testing, audit and change management of the business continuity plan and its processes must occur. Your business is dynamic – so is its risk profile. Ongoing audit, review and testing of the BCM process ensures that recovery strategies keep pace with the business and that you maintain the edge BCM delivers.
Why implement BCM now? Simply because in the 21st century, customers expect continuity of supply in all circumstances, shareholders expect management to be fully in control (and be seen to be in control) of any crisis, and employees and suppliers expect you to protect their livelihoods. Your company's reputation and brand is at risk if you don't, and it is implicit in good corporate governance and demonstrates best practice in business management.
And this is against a background in which the pressures on business generally are changing, technology is transforming and underpinning the business environment, and consolidation, re-structuring and increasing competition are now a fact of life. These factors create new and more risks and exposures.
How to start
As with most things, the only way to get BCM implemented is to get the process started now. It is easier than you might think. Here are some pointers, which will help assure success:
With the business landscape embracing globalisation, 24-7 operations, mobile workforces, sophisticated and demanding consumers, e-business and technology deployment on a scale unheard of in previous generations – the pace of change and scope for error has increased accordingly. And as events of the past year have demonstrated, they are not limited to IT, and frequently bring the board into account.