Business Continuity Management
Business continuity management is defined as the advance planning and
preparation an organization undertakes to maintain business functions, or
quickly resume them, after a disaster has occurred. It also involves defining
potential risks, including fire, flood or cyber-attacks.
Business leaders plan to identify and address potential crises before they
happen, then test those procedures to ensure that they work, and
periodically review the process to make sure that it is up to date.
Business Continuity Management Framework
The Business Continuity Management Framework (BCM Framework) outlines the planning
process of developing prior arrangements and procedures to enable organisations
to respond to an event in such a manner that critical business functions can
continue within planned levels of disruption.
1. Policies and Strategies
Continuity management is about more than the reaction to a natural disaster
or cyber-attack. It begins with the policies and procedures developed, tested,
and used when an incident occurs.
The policy defines the program’s scope, key parties, and management structure.
It needs to articulate why business continuity is necessary. Governance is
critical in this phase.
Knowing who is responsible for the creation and modification of a business
continuity plan checklist is one component. The other is identifying the team
responsible for implementation. Governance provides clarity in what can be a
chaotic time for all involved.
The scope is also crucial. It defines what business continuity means for the
organization.
2. Risk Assessment
Risk comes in many forms. A Business Impact Analysis and a Threat &
Risk Assessment should be performed.
Threats can include bad actors, internal players, competitors, market conditions,
political matters (both domestic and international), and natural occurrences. A
key component of your plan is to create a risk assessment that identifies
potential threats to the enterprise.
Risk assessment identifies the broad array of risks that could impact the
enterprise.
Identifying potential threats is the first step and can be far-reaching. This
includes:
· The impact of personnel loss
· Changes in consumer or customer preferences
· Internal agility and ability to respond to security incidents with a plan
· Financial volatility
Regulated companies need to factor in the risk of non-compliance, which can
result in hefty financial penalties and fines, increased agency scrutiny and
the loss of standing, certification, or credibility.
Validation and Testing
The risks and their impacts need to be continuously monitored, measured and
tested. Once mitigation plans are in place, those also should be assessed to
ensure they are working correctly and cohesively.
Incident Identification
With business continuity, defining what constitutes an incident is
essential. Events should be clearly described in policy documents, as should
who or what can declare that an incident has occurred. These triggering actions
should prompt the deployment of the business continuity plan as it is defined
and bring the team into action.
Disaster Recovery
The difference between business continuity and disaster recovery is that the
former is the overarching set of plans that guide operations and establish
policy. Disaster recovery is what happens when an incident occurs.
Disaster recovery is the deployment of the teams and actions that are set in
motion. It is the net result of the work done to identify risks and remediate
them.
Disaster recovery is about specific incident responses, as opposed to broader
planning.
Role of Communication & Managing Business Continuity
Communication is an essential component of managing business continuity.
Crisis communication is one component, ensuring that there are transparent
processes for communicating with customers, consumers, employees, senior-level
staff, and stakeholders. Consistent communication strategies are essential
during and after an incident. Messaging must be consistent and accurate, and
must come from a unified corporate voice.
Crisis management involves many layers of communication, including the creation
of tools to indicate progress, critical needs, and issues. The types of
communication may vary across constituencies but should be based on the same
sources of information.
Resilience and Reputation Management
The risks of not having a business continuity plan are significant. A lack
of preparation means the company is ill-prepared to address pressing
issues.
These risks can leave a company flat-footed and can lead to other significant
problems, including:
· Downtime for cloud-based servers, systems, and applications. Even minutes of
downtime can result in the loss of substantial revenue.
· Loss of credibility, damaging reputation and brand identity. Widespread,
consistent, or frequent downtime can erode confidence with customers and
consumers. Customer retention can plummet.
· Regulatory compliance can be at risk in industries such as financial
services, healthcare, and energy. If systems and data are not operational and
accessible, the consequences are severe.