Meet business continuity

Climate change, terrorism, pandemics and other crises all mean that business continuity management is now a mainstream activity across all sectors. Andy Tomkinson explains the ins and outs of the concept.

The origin of business continuity management (BCM) is often attributed to IT disaster recovery (DR). Even the terms ‘business continuity’ and ‘disaster recovery’ get confused – some people use them to mean the same thing and to some people they are completely different.

With terms such as contingency planning, reserves, alternatives, deputies, resilience and redundancy appearing in a wide variety of fields, we can see there is nothing new or unique about the concept. Every sports team has a bench of substitutes to come on as replacements; Waterloo was won by Wellington having reserves. In fact, maintaining a reserve is still a military principle taught at Dartmouth, Sandhurst, Cranwell and West Point.

Other terms such as risk evaluation, business impact analysis, crisis management, incident management, security, protection and governance have been added to the mix. Every manager in the world would rightly say they deal with crisis every single day.

However, the topic is still considered vague and, in the main, people don’t understand what goes into BCM. The answers to the following FAQs should give a good insight.

 

The top ten questions you've been afraid to ask

1. Is BCM only about computers?

No. Historically, IT DR was born in the 1970s, when organizations became dependent on computers. DR is part of BCM, but BCM is about the business (functions and activities) of any organization, whether commercial, public sector or not for profit.

2. Is BCM the new risk management?

Certainly not. BCM should do what it says on the tin – it creates the capability to continue what is critical regardless of the circumstances. However, if you can avoid risks, this is good for BCM; prevention is better than cure.

3. Is BCM law?

There are compelling standards, regulatory guidance, best practice, contractual obligation and of course common sense that drive the need for BCM, but no other legislation.

4. Is BCM expensive?

It doesn’t have to be. Organizations need to see BCM in context and invest more cleverly in awareness, training and rehearsals which provide a real capability, instead of knee-jerk panic purchases which have not been thought through.

5. Is BCM complex?

BCM is only as complex as your organization. The structure for preparing for a disruption, dealing with the crisis as it strikes, continuing time-critical activities and recovering everything else in sequence must be on the same level as your business; if plans are not simple and familiar they won’t work.

6. Where do we begin?

Like any journey, you need to identify your destination before you start out. Start with a rehearsal to prove why we need leadership, structure, plans and procedures. Once your organization understands why it is going on the journey and what the final destination looks like, it will be much easier to complete the tricky stages en route, like business impact analysis, plan writing and governance.

7. How do we know it will work?

If you don’t rehearse you will not know. Not only can you start with a rehearsal, but you can finish with one and indeed use rehearsals for training, maintenance and for proving to auditors, customers and regulators that you do have a real capability.

Rehearsals are essential; they can be done in hours, not weeks, and can cost little more than the business time of getting staff together. Beware of humiliation and reprisals; this is not a test, you cannot fail, you can only find out weaknesses. Exercises give you the luxury to identify and revise weaknesses before a real event. Rehearsals facilitated properly inspire confidence.

8. Why has it been difficult to achieve executive support?

There have been too many grey areas and too much strange terminology to cut through. Rarely will anyone buy something they don’t understand. If it sounds complicated, the benefits are unclear; if there are no SMART objectives and no parameters of scale, cost and appropriateness, it will be pushed back.

9. What is BS 25999?

In 2007 a British Standard was created for business continuity management. The interest in it has been significant in the UK and globally. There are two parts, the first explaining ‘what it is’ and part two detailing ‘what you have to have’. The missing piece is ‘how to do it’.

The good news is the standard has inspired and conspired to converge lots of concepts, terminology and methodology. The bad news is BS 25999 is perceived as contradictory, expensive and administratively intrusive.

10. How long, how much?

I have seen millions of pounds and years of activity invested in BCM and found the results to be at best inconclusive and at worst more harm than good. On the other hand, I know it is possible to implement a high quality and comprehensive BCM system in a week for £5,000.

 


About the author


Andy Tomkinson is a partner at Adtapt delivering business continuity, incident management and disaster recovery across all sectors. He was elected board director of the Business Continuity Institute until 2006 and has chaired the Survive Personnel SIG. www.adtapt.com

 
