The most fundamental question on business continuity is: “Do I need a business continuity management (BCM) program for the company?”. It does not have to take a second and the answer is an absolute “yes”.
Why? Would you know how to respond when an unexpected scenario affects the continuity of your day-to-day business? What if your key resources were reduced to 50% working capacity? What if a power cut affects your operations? What if your key supplies become unavailable due to unforeseen circumstances? What if you were locked out from your office due to an incident in the building?
Notice that the questions all start with “what if”? Of course, we may bury our heads in the sand and deny the fact that these circumstances are entirely irrelevant to us. Over the course of time, however, as business grows and becomes more intricately connected, the domino effect of one devastation may bring about a nasty shock. The question is not “what if” but “when”. The above are just some common issues that we often hear from news or conversations. Whether they are triggered by nature or human actions, the unfortunate stark reality is that business disruptions will not end, and the impact, along with its long-term implications will vary according to how ready the company is when faced with such incidents.
BCM exists for a reason. Unlike mainstream functions like investment management, sales and marketing, and people management, it is a low-profile discipline. Yet, its primary focus is to ensure that the company can weather through incidents whilst minimising any uncalled-for effects that the incidents might bring. To put it simply, it strengthens the viability of a company and its business.
In short, it is a systematic business management process that can be readily introduced to existing activities. It does not necessarily have to cause a major shake-up in the company, but it can provide a fresh perspective of the entire corporation’s operations from a vulnerability-resilience standpoint, identifying ways underpinning how we work.
During the heat of an incident, without a predetermined course of responding, there will most likely be a delay in actions and decisions. This in turn could affect the outcome of the recovery effort. Though incidents come in a variety of ways, a thorough thought-through process during the business continuity planning stage can help to address key issues that may be encountered during an incident.
So, where do we begin? The first thing is to convince decision makers that a resilience initiative is needed to safeguard critical operations. There are many approaches to make a case for business continuity. The most effective way is to pitch the message during a board meeting. This can be in the form of a scenario discussion – how would they respond if an incident strikes and affects the company’s income earning capacity? Do remember to make it punchy and snappy. Another option is to use a high level briefing note. However, the language needs to be succinct and has to address the key points that you want to make.
If all goes as planned and you receive the necessary backing from the company’s board members, the actual planning and realisation of work can truly begin. From the start, BCM is initiated as a one-off project before it becomes a full blown management program. The next step is to develop a blueprint of the BCM process i.e. its lifecycle. Though BCM lifecycles come in different forms, it is generally made up of six cyclical phases.
1. Program management
The building blocks of how various phases are linked and performed. At the outset, appointed individuals are assigned to their roles in the project and then the program. It essentially sets out the governance for the entire BCM initiative.
2. Business analysis
This step is a foundation for the entire BCM program. It comprises of two components, namely, business impact analysis and risk assessment. Business impact analysis identifies critical activities according to the severity of impact over time, while risk assessment determines the probability and impact of potential threats to those criticalities.
3. Strategy development
After an analysis is done, executive decision is made on the most appropriate course of action that will best maximise continuity, whilst reducing the likelihood and impact of an incident. The commonly adopted approach is to develop risk mitigation and control measures which are supported by business continuity strategies.
4. Plan development
This phase focuses on documenting actions and arrangements that safeguard the continuity of critical activities into plans. A point to note, the number and types of business continuity plans are primarily dependant on the organisational structure of a company and the complexity of its operations.
5. Program maintenance and improvement
Since companies and their operations are always shifting in response to changes in the wider environment, the BCM program, likewise, needs to be reviewed,exercised (or tested), and maintained to ensure adequacy, fit for-purpose and effectiveness.
6. Building and embedding a business continuity culture
To establish BCM as part of a company's working ethos, awareness campaigns need to be developed to fire up executive and staff interest in business continuity. Ongoing training will also be necessary for enhancing the capability of those tasked with managing the BCM program.
Adopting business continuity is a step towards organisational resilience. It is a measured approach that will enable companies to respond accordingly to unexpected situations. Rather than floundering in the face of an incident, it establishes a management grip to regain continuity that puts business back on track. While implementing a BCM program can bring about positive benefits to a business, it is the ongoing commitment to its relevance that brings a lasting value to corporate performance.
Jianping Shi | Partner | INSTRAMAX
Jianping is a highly experienced business and investment consultant with over 20 years of experience. She has worked in various sectors, including financial services and management consultancies, with a strong background in corporate strategic planning, asset management, risk and business continuity management. She is the co-author of Business Continuity Management System: A Complete Guide to Implementing ISO 22301. Jianping is a partner of INSTRAMAX, a specialist company in business continuity management services.