Implementing ISO 22301: The Business Continuity Management System Standard
9 Tips for Business Continuity Management Success
Business Continuity Management (BCM) is vital in preparing and protecting business operations from disruptions caused by threats stemming from cyber-attack and natural disasters, as well as resource unavailability such as building loss, technology loss, staff absenteeism, and supply chain failure. A robust business continuity programme manages the likelihood and impact stemming from disruptive incidents through proactive response and recovery planning, with the objective of reducing operational downtime.
As a consultant and former BCM practitioner, I am regularly asked by senior executives, “What are the most essential aspects to focus on when launching a successful BCM Programme?” This article discusses 9 key steps to follow for success.
1. BUSINESS CONTINUITY PLAN — MAKE SURE YOU HAVE ONE
Taking the time to develop and invest in business continuity strategies and plans is an opportunity to protect staff, clients, operations, profits, and brand. It’s important to understand and identify critical processes, gaps, and risks to ensure the organisation can develop effective response and recovery plans to address stakeholder expectations.
2. WHO DOES WHAT, WHEN?
If your key staff are aware of their responsibilities during a major incident (i.e. they know what to do, how to do it, and when to do it), your organisation is far more likely to recover its business activities in a timely manner and to minimise the negative impacts, particularly operational, financial, and reputational losses and damages.
3. ENSURE RECOVERY SUPPORT STAFF ARE FULLY ACCOUNTABLE
Choose those accountable for business continuity performance (recovery support teams) carefully. Senior staff with strong oversight and knowledge of critical processes, systems, and interdependencies will be most effective during a major incident and will ensure staff are fully accountable for their recovery roles. They will require appropriate business continuity and recovery training, and their recovery accountabilities should be recorded in their personal scorecard / performance objectives.
4. HOW TO MANAGE RISKS — WHAT RISKS?
Identify what types of threats and risks are likely to impact your business. Explore each threat and risk, aim to understand how each impacts your business, and then consider what controls or preventative measures you may already have in place which can minimise the risk (e.g. a secondary office location, multiple suppliers). Where there are no controls or preventative measures in place, decide whether to mitigate/reduce, remove, or accept each risk. Document all identified risks in a risk register, which will help you take control of and manage risks effectively. Many identified risks can be addressed through a well-thought-out business continuity plan.
5. RECOVERY STRATEGIES — PLAN FOR FOUR KEY BUSINESS DISRUPTIONS!
You can’t plan or have a recovery strategy for every eventuality, but you can develop strategies and plans for four key disruptions that will cover the outcome stemming from most threats. Ensure you prepare and have a plan to recover from:
- Denial of access to your building (e.g., building damage, Health & Safety)
- Denial of staff availability (strike, severe weather, etc.)
- Denial of technology
- Denial of supply chain (loss of a dependent supplier)
6. BUSINESS RECOVERY — MORE THAN JUST TECHNOLOGY RECOVERY
The information technology team is not responsible for the recovery of business operations from all causes: they are only responsible for technology recovery! While it is essential to have IT disaster recovery strategies and plans, that is only part of the story. The business, outside of the IT organisation, should take responsibility and ownership for the wider (non-technical) operational recovery. Technical teams support an operational recovery as part of the suite of services they provide to the business. The business needs to plan for multiple potential interruptions to services caused by the unavailability of staff, workplaces, and third parties.
7. TEST YOUR BUSINESS CONTINUITY PLANS
If you don’t test or exercise your business continuity plans, then you don’t know whether they work. There are always plan gaps and performance issues that have not been considered. Testing and exercising helps to identify these gaps and provides an opportunity to address and close them through corrective actions over time.
8. CRISIS/INCIDENT MANAGEMENT — AGREE ON THE RECOVERY PROTOCOLS
Have clear and well-understood crisis/incident management protocols. Identify what information about an incident should be managed and how it should be communicated, both internally and externally. Incident management requires an understanding of who the key stakeholders are, what the timeframes for escalation are, who information should be shared with, and how information should flow between teams (such as the board and executive management, the crisis/incident management teams, technology teams, BCM teams, facility teams, human resources teams, marketing and communications teams, customers, and essentially all staff). It is important to have clearly documented indicators to support quick escalation, action, and stakeholder engagement.
9. WHEN DOES A STANDARD INTERRUPTION TO SERVICE BECOME UNACCEPTABLE?
Take all interruptions to normal business processing seriously, as small incidents have the potential to grow significantly. However, some business processes are more important than others because of their time sensitivity (short time to impact) and their high potential impact on the long-term viability of the organisation. The impact of not being able to deliver a product/service or complete a critical process could give rise to penalties, regulatory issues, client impact, financial losses, and reputational impairment. These factors should be considered within the incident management protocols and escalation paths.
We protect our clients’ business operations by building business continuity, IT disaster recovery, and information security solutions that are tightly aligned to the strategic priorities of the organization. If you’re looking for assistance with the development of your program, we can help! Please contact us today to learn more.