Business continuity management (BCM), as defined in international standard ISO 22301, is the holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause. BCM provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities.
But what of the threats themselves? Those threats are business continuity risks. Business continuity risks are the potential events that can disrupt or halt a company’s operations.
To provide guidance on keeping these potential events from happening and disrupting your operations, we answer two questions: what is business continuity risk, and how do you protect your company from it?
Business continuity risk is risk
Business continuity, we know, is the capability of an organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident. What is risk, though?
Simply put, risk is the effect – any deviation from the expected – of uncertainty on objectives. Risk tends to be expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of that event happening.
What about objectives?
Objectives themselves can have different aspects. For instance, they can be financial, health and safety, and environmental goals.
Objectives can also apply at different levels, e.g., strategic, organization-wide, project, product, and process.
What’s more, an objective can be expressed in other ways, for instance, as an intended outcome, a purpose, an operational criterion, as a business continuity objective, or by the use of other words with similar meaning (e.g. aim, goal, or target).
Typically, in business continuity, objectives are set by the organization, consistent with the business continuity policy, to achieve specific results.
Types of business continuity risk
The challenge with mitigating business continuity risk is that business continuity risk takes so many forms. What are some of the principal types of business continuity risk?
They include:
Power outage
A disruption in the supply of electricity, typically resulting in loss of power to homes, businesses, or other facilities.
Data breaches
Any security incident that results in unauthorized access to confidential information.
Supply chain disruption
An interruption in the flow or process that involves any of the entities associated with the production, sales, and distribution of specific goods or services.
Epidemic
An unexpected increase in the number of disease cases in a specific geographical area.
Cyber attacks
Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.
Natural disaster
Any dangerous meteorological phenomenon with the potential to cause damage, serious social disruption, or loss of human life.
Non-compliance
When a company fails to follow the policies, standards, regulations, or laws that apply to its operations.
The effect of not preparing for business continuity risk
We cite those risks because they rarely remain hypothetical for long. Indeed, we’ve seen a staggering rise in all of those event types.
Preparation for business continuity risk is, therefore, key.
What’s the alternative? Well, here, high rates of post-disaster business closure – roughly 40 to 60 percent of small businesses never reopen following a disaster, according to the U.S. Federal Emergency Management Agency – point up the importance of preparing for business continuity risks before they become business continuity disruptions.
What’s more, business closure data is heavily weighted towards companies that fail to develop business continuity plans to prepare for business continuity risks before major incidents. Case in point: as many as three in every four organizations without a business continuity plan fail within three years of a disaster.[i]
Mechanisms for preparing for business continuity risk
The primary mechanism for preparing for business continuity risk is the business continuity plan (BCP). What is it?
Typically covering the resources, services, and activities required to ensure the continuity of critical business functions, the BCP consists of documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following disruption.
The business impact analysis for cataloguing business continuity risks
So, how do you put one together? There’s actually a step prior to the business continuity plan: the business impact analysis (BIA).
The BIA defines the impacts of disruption over time to determine the organization’s response, recovery priorities, and resource requirements.
The outcomes of the BIA process, namely the prioritized activities together with their recovery timeframes and resource requirements, depend on the organization’s understanding of both its external and internal operating environments. The latter includes its business processes, activities, and resources, as well as the potential impacts of disruptions to the delivery of products and services.
So, what steps are specifically involved in the BIA? The process often looks like the following:
- Collecting the information necessary to perform the BIA from interested parties, such as top management or activity owners. Such information may include:
  - Mission, objectives, and strategic direction of the organization
  - BCMS scope
  - Legal and regulatory requirements to which the organization or specific activities are subject, as well as an assessment of the impact of breaching each requirement
  - Contractual requirements, including penalties for failure to deliver products and services
  - Expectations of customers and other interested parties
  - Assessment of the impacts of failure to deliver
  - Lessons learnt from past disruptions and exercises
  - Potential impact of significant developments within the organization or its operating environment
- Defining timeframes: based on impact types, criteria, and the agreed methodology, estimating the maximum tolerable period of disruption (MTPD) and recovery time objective (RTO) for each activity
- Listing the activities sorted by priority, together with their continuity requirements
- Obtaining top management approval and sign-off on the list of prioritized activities
Of note, the information collected for the BIA should cover all in-scope activities, which are then prioritized by determining the MTPD and RTO of each. Factors that should be considered when estimating the MTPD and RTO include:
- Loss of financial value or viability
- Damage to reputation or interested-party confidence
- Breach of legal or regulatory obligations
- Failure to meet the business objectives of the organization
- Loss or impact to people/personnel or management efforts
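As an added illustration, not code from the original article or from Noggin, the following Python model carries out the BIA prioritization step described above. Its assumptions are not from the page: each factor listed above is rated 0 to 4 at successive elapsed hours of disruption, the MTPD is taken as the first time point at which any factor reaches an agreed intolerable rating, the RTO proposed by the activity owner must be shorter than the MTPD, and activities are ranked by shortest MTPD first. The activities and ratings are constructed sample data.

```python
"""Toy BIA prioritization: derive MTPD from impact-over-time ratings,
check proposed RTOs against it, and rank activities by priority.
Added example; the rating scale and threshold below are assumptions."""
from dataclasses import dataclass
from typing import Optional

# Impact factors named in the article (financial, reputation, legal,
# business objectives, people).
FACTORS = ("financial", "reputation", "legal", "objectives", "people")

# Constructed 0-4 scale: a rating of 4 is treated as intolerable impact.
INTOLERABLE = 4


@dataclass
class Activity:
    name: str
    # elapsed hours of disruption -> factor -> impact rating (0-4)
    impact_over_time: dict[int, dict[str, int]]
    proposed_rto_hours: int


def mtpd_hours(activity: Activity) -> Optional[int]:
    """First time point at which any factor reaches the intolerable rating.
    Returns None if impact never becomes intolerable in the assessed window."""
    for hours in sorted(activity.impact_over_time):
        ratings = activity.impact_over_time[hours]
        if any(ratings.get(factor, 0) >= INTOLERABLE for factor in FACTORS):
            return hours
    return None


def rto_is_acceptable(activity: Activity) -> bool:
    """An RTO only makes sense if recovery completes before the MTPD."""
    mtpd = mtpd_hours(activity)
    return mtpd is None or activity.proposed_rto_hours < mtpd


def prioritize(activities: list[Activity]) -> list[dict]:
    """Rank activities: shortest MTPD first; activities whose impact never
    becomes intolerable go last. Each row flags an unacceptable RTO."""
    def sort_key(a: Activity):
        mtpd = mtpd_hours(a)
        return (mtpd is None, mtpd if mtpd is not None else 0, a.name)

    return [
        {
            "activity": a.name,
            "mtpd_hours": mtpd_hours(a),
            "rto_hours": a.proposed_rto_hours,
            "rto_acceptable": rto_is_acceptable(a),
        }
        for a in sorted(activities, key=sort_key)
    ]


# Constructed sample activities (not from the article).
SAMPLE_ACTIVITIES = [
    Activity("Payroll run", {
        24: {"financial": 1, "people": 1},
        72: {"financial": 2, "people": 3, "legal": 2},
        168: {"financial": 3, "people": 4, "legal": 4},
    }, proposed_rto_hours=240),  # RTO longer than MTPD: must be revisited
    Activity("Order processing", {
        4: {"financial": 2, "reputation": 2},
        8: {"financial": 4, "reputation": 3},
        24: {"financial": 4, "reputation": 4},
    }, proposed_rto_hours=4),
    Activity("Internal newsletter", {
        24: {"reputation": 1},
        168: {"reputation": 2},
    }, proposed_rto_hours=336),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_ACTIVITIES):
        print(row)
```

Running the block ranks order processing first (MTPD 8 hours, RTO 4 hours accepted), payroll second with its 240-hour RTO flagged because it exceeds the 168-hour MTPD, and the newsletter last because its impact never reaches the intolerable rating. Whatever scale an organization actually uses, the check worth keeping is the same: an RTO that is not shorter than the activity's MTPD is a gap in the plan, not a recovery target.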
Business continuity planning to mitigate business continuity risk
The contents of the BIA will eventually get fed into the BCP. Putting together the actual plan usually falls to a governance committee.
Here, C-suite involvement is critical. Most business continuity governing committees are headed by an executive sponsor. That sponsor is nominally responsible for initiating, approving, auditing, overseeing, and testing the BCP.
Meanwhile, day-to-day management falls to a business continuity coordinator. Depending on the size of the company, that coordinator might have a dedicated staff. Other in-house members of the committee include a senior security officer, the CIO (given the centrality of IT systems to business continuity), and senior representatives from the remaining business units.[ii]
As mentioned, before drafting the BCP, the governance committee will undertake a business impact analysis (BIA). Again, the BIA is intended to help organizations isolate critical business functions in tandem with the processes and resources needed to support them.
BIA findings then get fed into the BCP proper. BCPs can take different forms, but the following elements are usually present:
- A list of relevant company, insurance, and supplier contacts.
- References. Helpful information might include links to the appropriate state and federal regulator, e.g. Emergency Management Australia.
- Relevant standards with which the plan complies, e.g. ISO 22301.
- Organizing objectives and driving principles. The primary objective of your plan is to ensure that the maximum possible service levels are maintained. Meanwhile, assessing business risk for probability and impact might also be an important principle to document.
- The objectives and principles sections might be part of a longer executive summary, a comprehensive overview of the BCP.[iii]
- The contents of the BIA, including a list of likely threats, e.g. building loss, loss of documents, systems going offline, loss of key staff, etc.
- Scenario planning for the risks you’ve identified. Once a risk is listed, the plan will outline probability and impact of occurrence, likeliest scenario(s) to unfold, business functions affected, actions to take and preventative mitigation strategies, staff responsibilities, as well as operational constraints.
Drafting the BCP isn’t the end of the story if you’re trying to address business continuity risk.
Senior management has to approve the draft, as well, before the process of validating (and updating) the plan can even begin.
Validating the plan means running periodic exercises and training sessions to test its assumptions. That training isn’t just for BC practitioners. It should be mandatory for all employees, and companies should strive to secure partner participation at any stage in the BCP lifecycle.
The importance of automation in business continuity risk management
Another important element of addressing business continuity risk is having the right tools and resources to perform preparatory activities like running a BIA, preparing a BCP, or conducting training and exercises.
Here, business continuity software enables organizations to be prepared for adverse events and disruptions and stay ahead of the curve, with streamlined, integrated, and automated business continuity management that facilitates engagement and collaboration across all stakeholders and ensures a unified approach to resilience. How does it help mitigate risk?
- In-built BIA tools simplify the business impact analysis process, drive engagement across the organization, and guide teams through the process step-by-step, ensuring BIAs are rich with insightful data to help organizations truly understand how their business works and where their risks lie.
- Digitization helps replace paper-based, static business continuity plans with dynamic business continuity plans that ensure plans are always up-to-date and quickly available for all your users, on any device.
- Exercise management functionality keeps teams prepared to handle any situation that comes their way.
Of course, business continuity software platforms like Noggin do more to mitigate business continuity risk than that.
What else can Noggin do? Request a demo to find out.
Sources
[i] Logan Sisam, Utah Division of Emergency Management: 75% of companies without business plans fail within three years after facing a disaster and or operational disruption. Available at https://www.utah.gov/beready/business/documents/newsletters/2015/november.pdf.
[ii] Government of Canada, Public Safety Canada: A Guide to Business Continuity Planning. Available at https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/bsnss-cntnt-plnnng/index-en.aspx.
[iii] Queensland Government, Business Queensland: What’s in a business continuity plan? Available at https://www.business.qld.gov.au/running-business/protecting-business/risk-management/continuity-planning/plan.