The role of Business Continuity Management is to plan and prepare in advance so that an organization can identify, mitigate and reduce risk impact while ensuring continuity of its critical business processes.
Regardless of a company’s current BCM maturity, planning and preparing for the next incident is an ongoing process driven by continuous improvement. The cornerstone of that is the business continuity management (BCM) plan.
A BCM plan is the base for most BCM processes and consists of three distinct sections: an emergency response plan, a crisis management plan and an operational recovery plan. Each part of a three-pronged business continuity plan must be strong to have a high-functioning BCM program.
Emergency Management and Response
An emergency response plan provides a detailed set of protocols and guidelines that seek to minimize the impact on the safety and health of personnel and reduce the overall effect of an emergency. Proper planning and training of an organization and its staff enable a quick and effective response to the threat. Every emergency response plan should:
- Set specific emergency response goals
- Design evacuation routes and staging areas
- Evaluate and enhance emergency response communications
Regular reviews and testing are needed to ensure that the plan functions as intended and delivers when disaster strikes.
Crisis Management and Communication
A crisis management plan may sound similar to an emergency response plan, but in a BCM context, they address two different needs. Organizations should view the crisis management plan as the bridge between their emergency response and their operational recovery. To execute a crisis management plan effectively, organizations need a well-trained crisis management team. Every crisis management plan should:
- Verify that the appropriate resources are available in support of the decisions and activities of the crisis management team
- Provide instructions for identifying, managing and recovering from the crisis
- Develop status boards designed to track all team activities and assist in the coordination of incident remediation
- Identify key constituencies and outline necessary communication protocols
Disasters will test even the most experienced people's capabilities, which is why it is necessary to conduct training and exercises that challenge the crisis management team to maintain the plan’s effectiveness.
Business Restoration and Operational Recovery
An operational recovery plan helps ensure that personnel and assets are protected, and operations are efficiently restored following business interruptions, emergencies, crises or disasters. This plan helps organizations recognize threats to their operations and develop functional response capabilities to recover. Every operational recovery plan should:
- Qualify and quantify threats and vulnerabilities
- Develop mitigation and control strategies for the significant threats to business continuity
- Determine the impact that major risks have on the supply chain and logistics
Threats and vulnerabilities often escalate after a business interruption. Qualitative and quantitative analysis across an organization is needed to identify the natural, technical and human-made gaps in any Business Continuity Management strategy.
Testing and Updating are Crucial to BCM Plan Success
Successfully recovering after an interruption depends on not only the business continuity plan's comprehensiveness, but also the organization's ability to execute the plan effectively. Untested plans and teams have a greater likelihood of failure, loss of revenue and increased reputation damage. Organizations can keep their plans updated and their employees sharp through rigorous exercising. The options can vary depending on the organization, but here are the most common and useful exercises and tests:
Structured Walkthrough: An informal review with team members to assess comprehensiveness and effectiveness and to identify enhancements and deficiencies.
Desktop Exercise: A simulation, typically conducted in a conference room, that is designed to execute documented plan activities in a stress-free environment.
Multi-Location Simulation: A series of simulated events across several locations where multiple teams execute the plan.
Functional Test: An exam that tests whether plan procedures are effective, assumptions are accurate, and resources are available during a simulated event.