BC shares common goals and objectives with other management activities. When implemented correctly and with maturity, BC can provide significant benefit through the sharing of key information and the prioritisation of activities.
The Business Continuity Institute (BCI), a recognised world leader in setting and communication best practices for BC, states that an organisation’s vulnerabilities in its business and operating model can be categorised into seven areas: Reputation, Supply Chain, Information and Communication, Sites and Facilities, People, Finance and Customers. It can also be argued that the categories of Technology and Processes should also be included in this list. Anything that can affect one or more of these categories can potentially disrupt the organisation and therefore should be reviewed and/or considered by the organisations BC.
That does not mean that the BC function should manage areas that could introduce a vulnerability under these categories, but it does mean that BC should perform a Quality Assurance and Governance role to ensure activities that could introduce vulnerabilities are being performed correctly, diligently and with the necessary controls. This will ensure BC remains a pro-active measure within the organisation as well as a reactive one.
Looking at these vulnerabilities in a more depth allows us to build an understanding of their relationship with BC, and therefore some of the considerations required when conducting a BC risk assessment as well as performing the on-going BC management:
Reputation & Customers
Any activities that are customer facing (such as product or service quality and reliability, help desk, websites, branches, sales people, reception desks) could impact the customers perception of the organisation and therefore the organisations reputation and possibly result in negative publicity which would require management attention and could lead to more wide scale impact and disruption.
Selection and management of suppliers is an important quality criteria, get it wrong and you place your organisation in jeopardy. Therefore due diligence of suppliers and confidence in their ability to deliver reliable, quality services and have their own risk management and BC in place (for continuance of services to you in the event of an incident is critical). Being able to monitor and measure supplier performance (quality and reliability) and ensure controls are in place will help identify issues early and enable proactive management before an incident becomes a crisis. This may require specific contractual clauses in supplier agreements. For BC, spreading key supplies across suppliers and identifying alternative suppliers will also help manage the risks.
Information and Communication
Ensuring that key information is identified (e.g. during the BIA) and has the necessary controls for safe and secure storage and retrieval, along with preservation will help ensure the information can be available if something goes wrong.
Communication is vital in today’s world of technology, maintaining contact details for key suppliers and staff, and maintaining contact even following disruption is critical. Problems often occur with communication links, so controls should be in place to protect them and alternative links or methods of communication which can be relied upon in the event of an incident should be in place (e.g. email, SMS, GSM, fixed line, data links, satellite links/phones).
Sites and Facilities
Building and site facilities are essential for the smooth running of organisations and numerous resilience options are available from UPS systems and backup generators to spreading occupation over multiple sites. However, the right controls should also be in place to manage and maintain the sites, conducting risk assessments before maintenance work is carried out, notifying stakeholders and ensuring that only authorised or appropriate people conduct work or have access to facilities. It should not be forgotten that BC recovery facilities require the same level of maintenance and control as primary sites.
People are sometimes referred to as the ‘life blood’ of organisations therefore it is important to develop resilience and protection for them. This should include implementing Health and Safety (HSSE) to protect their wellbeing, providing suitable training to remove single points of failure (knowledge), improve staff morale & job satisfaction to reduce staff turnover rates, ensure BC requirements are included in job responsibilities and performance measurement. Assessing these is all part of the BC risk assessment as they could contribute to significant risks in the organisation.
Financial due diligence of suppliers as a control helps protect the organisation. But BC also requires budget, without the right budget facility BC can itself become a risk to the organisation as information and facilities may not be available or maintained as required and therefore not available when needed following a disruption. Also, the information from the BIA should help prioritise expenditure on risk reduction and resilience for critical activities and facilities to help protect the organisation from disruptions.
Ensuring controls and resilience over technology and infrastructure is paramount in protecting an organisation and developing resilience. This should include regular backups of systems, maintaining IT DR systems in-line with primary systems, include BC and DR assessments in projects and changes, ensuring security and access controls are in place to provide protection, controlling and managing the desktop environment at normal and Business recovery locations, and ensuring focus on the critical systems identified during the BIA and CRA.
A breakdown in a process often results in a disruption to the organisation. Therefore processes should be designed with controls in place and wherever possible alternative methods for conducting an activity. All these should be documented with procedures to ensure consistency and enforce controls, and maintained.
All of the above should be regularly monitored by the BC function to ensure the controls are in place, being managed and being maintained as they should be. The BC function should have the confidence that this is happening and the capability of escalating any problems if they are not.
BC cannot be implemented and managed in isolation. It holds critical information (from the BIA, RA and CRA) on the organisation, its critical activities, systems, information and suppliers. This should be shared with other management activities such as Enterprise Risk Management (ERM), IT, procurement and Quality Assurance, helping to focus controls, ensure prioritisation on expenditure, projects, etc. and enhance risk reporting. Thereby helping to manage risk more effectively and ensure informed risk-based decisions are made, reducing the likelihood of disruption and level of impact if it does occur. This is the proactive nature of BC and where it will truly add value to any organisation.
John Bartlett CBCI, DBCI