
A framework for business continuity planning for major disruptions

Business disruption can, at times, be a confusing term: what exactly does it mean, and what implications could any form of disruption have for a business? The sources of business disruption can take many forms. A simple unplanned and prolonged absence of key personnel, security breaches, blockages in the supply chain, technical breakdowns, and extreme weather conditions are all examples of events that can cause business disruption.

If an organization is unable to resolve operational downtime and the suspension of service and product delivery, this could take a serious toll on organizational health. Unless organizations are well prepared through effective planning, the potential damage caused by disruption could be irreversible. Planning for managing disruption results in better prepared systems, continuity and recovery plans, and, most importantly, prepared and trained people.

Putting in place an effective Business Continuity Management (BCM) framework is a must to effectively identify, manage, respond to and recover from major disruptions. In this article, we will attempt to establish a guideline for developing an effective Business Continuity Management framework.

Let us define Business Continuity Management

The British Standards Institution Code of Practice for Business Continuity Management, BS25999-1, defines BCM as:

An holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of key stakeholders, reputation, brand and value-creation.

In simple terms, Business Continuity Management means development of a set of competencies and processes that are needed to effectively respond to any threat posed by a disruptive event, ensure/reinstate continuity, and then achieve a full restoration of business activities.

A roadmap for developing a BCM framework

Whilst this could be achieved in a variety of ways, given below is a simple roadmap/checklist for developing an effective BCM framework. Remember that this is a checklist and not a sequential list of activities. Certain points will seem a bit ambiguous at first. Read through the article and you will gain more clarity on a lot of these.

1. Establish the building blocks of BCM framework

  • Outline the scope of the BCM Program. The scope of a BCM program must be determined by the objectives and outputs it needs to deliver

  • establish the objectives, roles and responsibilities (see point 3 below for more details)

  • ensure that you understand the organization and that the possible impact of identified threats is clear (see points 4, 5, & 6 below for more details)

  • develop the BCM strategy

  • develop and implement the BCM response

  • establish a mechanism to exercise, maintain and review the BCM framework to ensure it remains fit for purpose at all times

  • establish a program to embed BCM in the organization’s culture

2. Achieve senior management buy-in

To ensure that the activities needed for the success of a BCM program have full support from the top down, senior management buy-in is a must. The scope of the BCM program must be owned by senior management. It should also be ensured that there is strategic and operational alignment between the BCM program and the needs of the organization.

3. Allocate the program roles and responsibilities

The effective management of a BCM program is only possible if the roles and responsibilities are clearly assigned and are approved by senior management. Appointment of owners or champions for various elements of the system could aid smooth delivery and success of the program. The methods for reporting progress must also be clearly established, communicated and understood.

4. Perform Risk Assessment

To assess the impact of the possible threats (should these threats materialize), the program managers need to identify and assess these risks first, based on the agreed scope of the program. Performing risk assessment and business impact analysis activities helps build a deep understanding of the organization and enhances the program managers' capability to manage business continuity.

The personnel involved with providing information for risk assessment and business impact analysis must be carefully selected so that they represent deep knowledge and expertise.

Before embarking on risk assessment activities, the program managers must agree the types and sources of risk for assessment (loss of key personnel, security breaches, IT and telecommunication disruptions, loss of critical suppliers etc.).

An assessment of the identified risk should then be performed (recorded typically in a risk register) to determine the likelihood and impact of these risks. The impact is usually assessed in terms of the potential for full/partial suspension of the organization, resulting from a disruption in the critical processes and procedures, affecting the delivery of business-critical products and services.

5. Perform Business Impact Analysis

A thorough business impact analysis is a must for program managers to:

  • identify the critical products and services of the organization

  • identify the critical processes and procedures that combine to deliver each product and service

  • understand and establish the impact of suspension of these processes and procedures, i.e., how the suspension of these activities will affect the organization over an increasing time period (typically ranging from 24 hours through to 4 weeks). The impact is usually understood in terms of operational, strategic, financial and reputation dimensions.

  • establish an understanding of the threshold point for the organization, i.e. the point at which continued suspension may lead to potentially serious or irreversible damage to the organization

  • estimate the resources needed to respond to the disruption. For instance, resources required to recover data, people-knowledge, IT systems, bespoke equipment, suppliers, etc.

  • form an opinion on the organization’s recovery capabilities and likely time frames

The process to capture this information should be based on methodical questioning and fact finding. All evidence provided must be reviewed critically.

Collectively, the information gathered through risk assessment and business impact analysis activities should then be presented to senior management to agree BCM strategies. The activities involved in undertaking an impact analysis and risk assessment also enable the program managers to better understand their organization and to build their BCM capability.

6. Establish risk mitigation options

Once the program managers have identified the potential risks and understand the likelihood and impact of those risks materializing, they can turn to the mitigation options available to them. Mitigation options are developed with the objective of reducing the likelihood and/or impact of the identified risks. The mitigation options are typically based on the following objectives:

  • Transfer the risk, i.e., outsource the root cause so that a third party carries the risk.

  • Reduce the risk probability & impact, i.e., apply risk treatment techniques such as taking preventive measures (installing fire-fighting systems for instance) or preparing for the risk materializing by developing specific business continuity plans to recover from it.

  • Terminate the risk, i.e., re-engineer a process to eliminate the source of an identified risk.

  • Accept, i.e., choose to do nothing in the hope the risk never materializes. This might be appropriate if an informed decision has been made that the costs of mitigation outweigh the expected costs of the risk.

7. Develop the BCM Strategy

The BCM strategy aims at business continuity, i.e., planning how to maintain the delivery of the critical products and services if and when major disruptions occur.

The business impact analysis would normally enable the program managers to establish the known recovery capabilities and the related restoration time frames. The actual business continuity strategies and resources needed to achieve the restoration time frames must now be agreed (by senior management) and documented.

For example, BCM strategies may include the following:


  • Document the critical processes

  • Cross-skill other staff members to be able to deliver critical processes in case of loss/downtime/unplanned leave of process critical personnel


  • Enable provisioning of alternative sites

  • Enable/facilitate remote working


  • Split/spread technology infrastructure across multiple connected sites

  • Identify/enable backup technology stack


  • Enable and maintain critical data back-up

  • Enable remote/cloud storage of data for prompt retrieval and loading


  • Identify and engage alternative ‘stand-by’ sourcing channels/vendors.

Formal documentation should be developed and maintained for business continuity and technical disaster recovery. All approved business continuity strategies should be documented.

8. Establish the roles and responsibilities of the business continuity management team

  • When aiming to gain the ability to recover the organization’s critical operations following a major disruption, the program managers need to plan for clearly establishing the roles and responsibilities of the incident management team. For effective recovery and continuity to take place, incident management systems also need to be defined, processes created, and appropriate plans written.

  • A clear understanding of the drivers/triggers which will invoke a response by the incident management team is absolutely essential. It should also be pre-determined who will be responsible for assessing response triggering events/incidents and who will be making decisions on whether the trigger should invoke response by the incident management team.

  • The members of the incident management team must be clearly identified. They should be given proper training to prepare them to perform their roles as individuals and as part of the team. Responsibilities should be clearly defined and assigned to each member ahead of a major incident occurring. Assigning deputies where possible (as a contingency for leading personnel who are not reachable or available in time) is always a good idea, as it provides an extra layer of security against plan failure.

  • Protection and preservation of life must always be the top priority for the incident team. To ensure that this happens, health and safety procedures should be integrated within the business continuity plans.

9. Develop a detailed plan providing direction and support information to the incident management team

Depending upon the preference of the program managers, the actual plan could be in the form of a single document (which could consist of different sections) or there could be multiple plans developed for specific purposes/areas. Regardless of the way it is done, essentially the detailed business continuity plans provide direction and support information to the incident management team to:

  • mobilize, manage, and direct the resources in the best possible way to achieve continuity and recovery

  • work within the time thresholds to recover the critical products and services before potentially irreversible damage is caused to the organization

  • manage internal and external communication effectively to safeguard the organizational reputation

  • effectively coordinate/manage third party supply chain components (e.g. suppliers)

  • effectively coordinate other third parties like emergency services as the situation needs

  • maintain/safeguard employee confidence by demonstrating that their wellbeing is always under consideration

  • assure the customers that business disruption is being managed professionally and normal services will be restored in the shortest possible time with minimum inconvenience caused

The plan must clearly state its purpose and scope and must include a clear description of the methodology, i.e., how the plan would be invoked by the incident management team. The plan should be self-explanatory and unnecessary use of jargon should be avoided. Sequential activities to achieve continuity and recovery should be included (to achieve the deliverables stated in the purpose and scope of the plan), with each activity pre-assigned to the individual roles that make up the incident management team.

The business continuity plans are only as good as the information contained within them, so they should be regularly reviewed, maintained and revised as part of business-as-usual document version control.

In case of a major incident, the incident management team will need to communicate with a variety of internal and external stakeholders. These stakeholders should be clearly identified in the plan. Sharing of the plan with some key stakeholders before any incident occurs always merits consideration. This proactive approach can ensure that the key stakeholders know what to expect.

The communication requirements can be written as a standalone communications plan or can be added as a section of a larger business continuity plan.

10. Incorporate a mechanism for reviewing & maintaining the BCM framework

To maintain the effectiveness of the BCM plans and the framework itself, organizations need to review and test the plan/framework. These testing exercises should be performed at least annually. However, the frequency will be dictated by such things as business change, regulatory requirements, licensing requirements, and supply chain agreements.

The review & testing activities could use a variety of different methodologies:

  • Specific system elements testing, i.e., specific elements of the systems or plans are tested in isolation, such as the incident management team invocation process

  • Discussions, i.e., workshops are conducted where instrumental groups of people walk through the business continuity plans, and concerns and assumptions are highlighted immediately

  • Table top testing, i.e., virtual events are delivered to test systems, rehearse people and exercise plans against scenarios which an organization is known to be subject to

  • Live testing, i.e., when the other alternatives are not expected to be capable of providing real data enabling preparedness improvements, a live testing exercise could be deployed. Live exercising has the potential to impact the organization detrimentally if not controlled and implemented properly. As such, it requires a greater degree of planning and control than the other methodologies.

How to embed BCM in organizational culture

To ensure the effectiveness of the BCM framework and BCM plans, organizations need to embed BCM into their business operations. All employees must understand their responsibilities for reporting incidents and should feel assured that the organization is well prepared to manage major disruptive incidents.

BCM should also be incorporated into business change processes, i.e., if there are changes in the way an organization conducts its business operations (for instance through new projects, new supply chain relationships, changes in the products and services portfolio etc.), these will have implications for the effectiveness of business continuity plans. These changes must therefore be considered to ensure that the organization remains prepared at all times.


Published by

Strategic Finance Consultant, ACS SYNERGY. At ACS, we help growth seeking businesses with Finance Transformation, Accounting & Finance Operations, FP&A, Strategy, Valuation, & M&A.
