It's a perilous world. Fires burn, winds blow, lightning strikes, water rises, computer systems crash and people make mistakes, among a myriad of other unexpected misfortunes. If that weren't enough, accidents and nasty natural catastrophes are not the most gracious of guests, rarely arriving with any predictability, leaving you little time to prepare and never offering to help clean up the mess they make. With so much calamity knocking at the door, and so much potential for weakening the links on already stretched supply chains, more and more organizations today are recognizing the importance of business continuity management (BCM).
In a study commissioned by FM Global, more than 95% of 600 financial executives surveyed reported BCM was of moderate or high priority in relation to other management functions within their companies (www.protectingvalue.com). Half of those same executives cited property-related risks as being the greatest threat to their companies' revenue.
WHAT IS BCM?
The Business Continuity Institute defines BCM as a holistic management process that identifies potential impacts threatening an organization. It provides a framework for building resilience and the capability for an effective response that safeguards the interest of an organization's key stakeholders, reputation, brand and value-creating activities.
BCM is a business culture rather than a project. It's a continual effort by all members of an organization to help build resilient processes. It's a framework that combines various elements of risk management and related disciplines, ultimately leading in some instances to an action-oriented document called the business continuity plan (BCP).
It's important to differentiate between business continuity management and business continuity planning. Business continuity planning, or a business continuity plan, is just one element of business continuity management. A BCP is drawn from information-gathering and risk assessments; it involves assigning responsibilities to key individuals, who then create recovery strategies based on specific objectives.
WHY IS BCM IMPORTANT?
Many organizations fail to recognize there is plenty to do even before they develop the plan. This is where BCM comes in. Why is BCM important? Within any business, certain products and services are deemed critical to continued success because they generate or help generate a large proportion of value for the business. It follows, then, that anything (either inside or outside the organization) enabling the delivery of the critical products and services will, itself, be considered critical to the business. Since the failure of any critical part of the business might prevent the delivery of products and services, a business needs to identify and protect all things critical if it hopes to withstand a disruption. The business must be sufficiently resilient in order to achieve this.
How does BCM work? The ideal outcome of BCM is called Design for Resilience, which occurs when an organization has internalized BCM to the extent that all strategic decisions -- such as the development of new products, services and markets -- are made with a view towards making critical enabling processes resilient from the beginning. BCM should not be an afterthought. It should be considered in every step of the process.
Many savvy companies develop a recurring process of analysis, planning and implementation. That process includes six key components: strategy, culture, understanding your business, developing your continuity strategies, implementing your continuity strategies and keeping continuity alive.
Strategy: At the outset of the BCM, it is essential to obtain support and secure sponsorship from the company's senior executives. Given the strategic nature of this process, the lack of such support is likely to result in failure. Selling BCM to senior management is crucial.
Culture: Business continuity must be supported at the executive level, but it must also be owned throughout the organization. Communication of the benefits of BCM must be organization-wide.
Understand your business: In the context of an organization's strategy, various risk assessment tools are used to identify the critical products, services and enabling processes. They're also used to gain a full appreciation of the complex relationships between -- and potential vulnerabilities of -- extended disruptions within your own organization, within your suppliers' organizations, to customers and to the economic environment in which your company operates.
Develop your continuity strategies: Strategies to maintain the effective delivery of products and services in the event of an impaired process need to be established and evaluated at the following levels:
• organization (corporate);
• process; and
• resource recovery.
Such strategies derive from three core types of solutions: physical, operational and those relating to response and recovery. These solutions are not mutually exclusive. For example, you may choose to physically protect a critical process to the maximum feasible extent, but still provide operational backup.
Implement your continuity strategies: After you've gained a sound understanding of the business, established critical processes, determined priorities and identified the BCM strategic choices, your attention should turn to implementation. Some strategies -- ones relating to operational solutions, for example -- will be implemented pre-incident, to increase the resilience of the process. Others will be implemented post-incident; as such, they will require effective and efficient planning. The BCP transforms all the conclusions and judgements applied during the information-gathering process and business impact analysis into direct action. It should be clear, concise and well-organized. In addition, it should address the five key areas of any organization: people, facilities, data/processes/information technology, supply chain and distribution channels.
Keep continuity alive: Two elements in particular are necessary if BCM is to become more than just another initiative. First, the BCP must be exercised at least once a year to gauge a company's ability to continue business in the event of a major incident. Second, the BCP must be altered in response to changes in key processes. Organizations are dynamic, and so a plan can quickly become out of date. Design for Resilience is an iterative management process, not simply the one-off development of a set of plans.
Everyone within an organization must embrace BCM for it to be effective. It must be embedded in the culture, beginning at the top and working its way down through continual communication. That said, there are a few key people involved in business continuity planning:
• executive management designates a business continuity coordinator;
• senior operational managers work with business continuity coordinators to ensure each entity develops a plan for its critical functions and suppliers;
• senior department managers designate someone to develop a BCP within an agreed-upon timeframe and approve a specific BCP for their entity; and finally
• business continuity coordinators work with each level of the organization to ensure individual BCPs are aligned with the overall objectives of the business.
Where and when should BCM begin? BCM is a function of good risk management, so it begins and ends at the risk manager's desk. The risk manager's role is increasingly complex, but with the right approach to business continuity management, the tools are provided to demystify those complexities.
Now is the time to embrace BCM. Implementing BCM in an organization can be a very complicated matter, but the benefits far outweigh the efforts. The fact is, too many organizations today are one business interruption away from permanent shutdown. It is prudent for companies to prioritize mitigation action, develop and support proposals for capital expenditure, and develop cost-effective, strategically focused risk management programs.
For organizations looking to protect the value their businesses create, proper business continuity management supports that goal.