Three Key Components of Creating a Business Continuity Strategy
For many organizations, the COVID-19 crisis has highlighted the importance of a defined business continuity strategy. Economic downturn, supply chain disruption and emerging cyber threats continue to reinforce this need. In a volatile world, a consistent and robust framework for business continuity can maintain productivity and minimize costs. Business disruption comes in many forms, but using a consistent framework helps organizations prepare for the unexpected and understand their total cost of risk.
A well-executed business continuity plan follows defined standards, codes and best practices (e.g., ISO 22301 – Societal Security, Business Continuity Management Systems) and best practices (DRII – Disaster Recovery Institute International) to yield benefits.
There are three critical phases when developing a compliant business continuity management program:
- Discovery – risk assessment and business impact analysis
- Planning – emergency response and management, crisis management and communications, business unit continuity planning
- Governance – plan auditing, updating, training and exercising
Adhering to standards, codes and best practices during the planning phases, ensures these planning components generate both tangible and intangible benefits.
|
Governance
|
|
Planning
|
|
Discovery
|
|
|
|
Phase 1: Discovery Process
The Discovery Process phase provides the opportunity to identify potential risks and measure the amount of disruption an organization can withstand or those which must be addressed, either by reduction/remediation or through tactical and strategic planning. There are two planning components that are the baseline for a business continuity plan. These tools also help organizations measure ROI on the business continuity program:
- Risk Assessment and Remediation (RA) should yield measurable results by quantifying and qualifying those risks and threats that disrupt the organization’s ability to continue time-sensitive business functions and processes. Determining the organization’s optimal risk appetite and acceptance levels and implementing a consistent assessment process provide the means for measuring and replicating the process throughout all locations. Dozens of RA methodologies exist and range from very simplistic heat maps to highly complex formula-based methodologies. Whichever process is selected, implementation across the organization needs to be consistent to ensure proper and accurate risk-measurement and remediation.
- Business Impact Analysis (BIA) identifies and qualifies the time-sensitive business functions and processes. This measurement enables the organization to understand the point in time when an impact starts to drive negative consequences. The measured impact is not just a financial calculation but also measures when the impact begins to affect customer service, legal/regulatory and contractual issues, operational performance, organizational image and reputation, and leadership / management. The BIA can be designed to accommodate additional impacts by quantifying and evaluating the output. Once these impacts are understood, the organization can develop the framework to accept, remediate or develop planning strategies to support organizational recovery.
Planning Process
The Planning Process phase collates three separate but integrated plans to coordinate activities, authorities and responsibilities. These plans draw from the information captured and analyzed during the Discovery Process phase to ensure the organization not only survives catastrophic events, but can more effectively manage the situation, drive operational resiliency, and reduce reputational risk.
- The Emergency Management & Response component outlines the initial strategies for responding to – and stabilizing – an event. First responders are responsible for life safety, stabilizing the incident, qualifying and remediation of damage, and communicating to authorities and the crisis management team.
- The Crisis Management & Communications plan bridges the responsibility and coordination between the emergency management / response team and business restoration and operational recovery, providing the leadership, decision-making and communications structure with internal and external stakeholders to support recovery-time objectives, while restoring or maintaining critical functions.
- The development of Business Restoration and Operational Recovery plans includes the strategy development, documentation and deployment of activities required to restore and recover functional operations to meet or exceed the recovery time objective.
Governance
The Governance phase provides the organization with the ability to keep the business continuity plans fresh and accurate. This phase includes three distinct processes:
- Plan Auditing provides a formalized method for measuring how business continuity processes are managed and determining the effectiveness of the organizations objectives an understanding of capabilities or maturity of the plans.
- Plan Updating ensures that accurate and up to date strategies, resources and agreements have been documented in compliance with the business continuity policy.
- Plan Training prepares the different stakeholders to face a disruptive situation by providing them with key information about their roles and response procedures
- Plan Exercising is conducted on a preset schedule allowing the teams to practice plan implementation, strengthen responsibilities and capabilities while identifying improvements to strategies and resources.
Unknown risks and unpredictable crises are inevitable, but looking forward, we can take what we’ve learned from the COVID-19 crisis and apply it to a sound business continuity strategy. Using specific tools, risk managers now have a real opportunity to lead their organizations toward greater resilience and a stronger future.