Business Continuity Management — An Overview

Intended Audience:

1. Complete beginners new to Business Continuity Management (BCM)
2. Someone who knows/has heard some of the concepts of BCP but would like to know how one concept links to the other
3. Someone who’d like to know the various phases of a BCM framework at a high-level, and
4. Anyone else who would like to just read and know about BCM.

I wondered what a good intro to BCM would be and noticed myself looking back to an event that nearly wiped out 2 years from our lives- the COVID-19 pandemic. While it took a while for all of us to figure things out for ourselves, we eventually found a way to sail through the days, attempting to get back to our normal lives. People stocked up resources for the household to be able to sustain till any uncertainty lifted off.

When finding domestic help was not an option, families got together to split daily chores. Each one worked hard, took tough decisions, and found various solutions to make sure that no matter what, living doesn’t stop. Things weren’t quite different in the corporate world as well, isn’t it? Most businesses that had an on-site/work-from-office model realised the option of remote working and have fully adopted a hybrid working model till date.

As living beings, one thing that is in all our DNA is the survival instinct- the ability to adapt to changing circumstances to make sure that we can continue to live our lives the way we did earlier, and that is exactly what every organisation will use to make sure that the business “continues”. While taking decisions impromptu is a good skill to have, it’s always better to be prepared and well equipped to face any untoward situation.

Let’s dive deeper into some of the technical aspects of BCM for businesses!

Business Continuity

Business Continuity, as the name suggests, deals with how an organisation can ensure the continuity of its business at the time of a crisis with minimal impact to its people, process, resources, and overall operations.

One thing we all must keep in mind is that for an organisation, all decisions made MUST align to the business objectives and aid in the progress, if not, aim to sustain the business. Keeping aside human sentiments out of the way for the time being, the most important thing for a business, is the survival and progress of the business itself. What I mean by this is that be it for daily operations or strategic planning, all decisions must be taken to aid the growth of the business. Everything else follows next. (Being a cybersecurity professional, I would like to use this chance to sneak in a point here to say that in the present age and time, ‘Business’ and ‘Security’ go hand-in-hand and one cannot (and should not) exist without the other).

Having understood Business Continuity, let me take you one step further in understanding the bigger picture.

Business Continuity Management

For an organisation to be able to continue business during a crisis, one needs to be equipped with the right information and resources and ensure that the information is periodically reviewed and updated to stay up to date.

BCM involves the following aspects:

1. Understanding the business requirements

2. Identifying potential threats that could disrupt the operations

3. Analysing and minimising the impact and downtime to the organisation in case of any disruption

4. Sustaining business and continually improving the resilience

5. Increasing awareness on the steps to be followed as part of business continuity and emergency response to minimise confusion

6. Initial response to ensure safety of life, property, environment

7. Survival of entity

8. Maintaining favorable public image

Oh before I forget, one very important aspect we need to keep in mind is that in any given situation, safeguarding human lives is of utmost importance. I know that I had earlier mentioned about aligning every decision in the favour of the organisation, but people safety should be at the top of the list.

Okay let’s explore!

The Lifecycle (framework)

The lifecycle of a BCM program, which also constitutes the framework that an organisation would use to setup its BCM program, begins with understanding the potential impact to the organisation in case of any downtime/disruption to its processes and operations, and how it increases with time. Only with understanding the potential impact, can one determine how critical a particular resource/process is, right? Let me explain this here with a small example.

Imagine you’re a student preparing for two important events on the same evening:

1. Once-in-a-Lifetime Concert: Your all-time favourite band, which you’ve been a fan of for years, is performing a rare, once-in-a-lifetime concert in your city tonight. Tickets to this concert sold out within minutes, and you managed to snag one. Missing this event would be a huge disappointment, and you may not have another chance to see them live.

2. Important Final Exam Review Session: The following day of the concert, you have a final semester exam in one of the subjects and you have worked very hard throughout the year. Your professor is hosting a review session tonight, which will cover the most critical topics that will likely be on the exam. Attending this session could significantly boost your chances of ranking first in your batch.

On a normal day when you had all the time in the world, you would attend the concert and then go back and study. But this time you’re faced with a challenging situation and you need to make a decision:

1. If you prioritise the final exam review session, you might excel on your exam, rank first in your batch and contribute to a better GPA. However, you’ll miss out on the thrilling concert experience.
2. If you choose to attend the concert, you’ll have an unforgettable night filled with music and fun, but you risk not being as well-prepared for the upcoming exam.

The right decision should be made based on the potential impact to your life if you pick one over the other and this can be identified based on the importance of your academic performance and your passion for the band. While this decision is more fun than critical in the traditional sense, it still involves weighing the importance of two activities and prioritising one over the other when time comes.

Coming back to discussing about BCM for businesses, now that we know which process is crucial, the only thing we need to do is to make sure that no matter what, we get the operations running. There may be 10 different ways/strategies that you could adopt to recover operations to ensure minimal impact to the business, but it is essential to identify these so that we’re well prepared to choose any of the 10 ways based on the situation. What is important is the timeliness of invoking the right strategy.

Think of it this way. You’re a big-time follower of F1 and today is race day. You have a ritual of going to your favorite pub and watching every race with a pint of beer, but it’s Friday evening and there’s usually 3x the regular traffic. You would be heading there straight from work and do not wish to miss a single minute of the race and have proactively identified a Plan B, Plan C, and perhaps a Plan D- watching the live broadcast in your phone, turning on the radio, calling up a friend to check on the updates, hop into the nearest pub that you identified earlier, or go to your friend’s place to watch.

But to make sure your Plan B, C, and D work, you need to have the right information and/resources, right? You may need a power bank with you in case you decide to watch the race over your phone to prevent the phone’s battery from dying down. You may identify a couple of places that you can go to in case you’re unable to make it to your favorite pub in time. You could also call up your friend (who lives in the same route) to check for their availability or let him/her know that you’d be heading over in case of any delays.

When your fear comes true and you end up getting stuck in traffic, you may choose to adopt any of the above identified strategies, isn’t it? Your preparedness to address each challenge helps you eventually watch your favourite player lift the cup.

Congratulations! You have successfully covered 4 out of the first 5 phases:

1. Assessing the potential impact of going for the concert over your exam review session (Phase 1: Business Impact Analysis). The conclusion of this would be to say that attending the review session has a higher priority than attending the concert.

2. Identifying your alternative plans in case you’re unable to make it to your favorite pub (Phase 3: identifying Recovery Strategies)

3. Identifying the plan of action/methodology for implementing each of your plans with the available resources, such as the power bank or calling your friend (Phase 4: Business Continuity Plan)

4. Finally, making sure the power bank is charged or proactively identifying the list of good alternatives/pubs in the same route (Phase 5: Implementation)

Hold on! We missed an important aspect here. Is traffic jam the only thing that could halt you? First of all, what are the odds of a traffic jam? Let’s say the roads are clear, what are the odds of your vehicle breaking down or the municipal corporation deciding to dig up the road and causing several diversions? What are the odds of a landslide or a tornado striking or potentially a mob destroying all vehicles passing by that road you choose to take? Understanding this would help you gauge the possibility/potential risk of getting stuck on your way and missing the race.

Risk Assessment

That brings us to the 5th aspect- Phase 2: Risk Assessment. A risk assessment is fundamental to business continuity management as it offers identification, prioritisation, and proactive preparation for potential interruptions. Through methodical evaluation of risks, enterprises can bolster their robustness and diminish the effects of unexpected incidents on their operational procedures and standing. In our scenario, if the road if prone to landslide, then it’s best to avoid the road in the first place while if you periodically service your vehicle, there is little chance of it breaking down.

An important point to remember is that from a Business Continuity point of view, more than the actual cause of the disruption (such as a flood, fire, or even pandemic), the efforts to ensure continuity of operations and reaching “Business As Usual” is what is critical. What I mean by that is, while Risk Assessment is important in helping us gauge the possibility of a disruption occurring and can help us take necessary steps to prevent the same, for continuity of the business, identifying the critical processes and resources and ensuring taking timely measures to restore operations for minimal business impact is crucial (Phase 1, 3, 4, and 5).

Training and Awareness

The next 3 phases are pretty simple. For the successful implementation of the Business Continuity Plan, it is essential that all personnel are trained and made aware of their roles and responsibilities and the processes they would need to adhere to (Phase 6: Training and Awareness). Organisations need to ensure that the employees and all relevant stakeholders are made aware of its BCP. As a student attending classes about 5 times a week, who hasn’t wished for the world to be free of exams?

Testing the Plan

Who hasn’t prayed that they get promoted to the next grade without writing the exam? We all secretly know that as much as we may wish otherwise, the only way to assess and confirm that we actually know what we “think” we know is through periodic assessments and tests. And that is the objective of Phase 7: Testing the Plan- to ensure the preparedness of the teams to react during a given situation/disruption and understand the gaps in the current processes to further improve the resilience.

Periodic Review

It is essential for organisations to ensure that it stays up to date in this dynamic world to ensure that it has the highest resilience to counter a crisis. Phase 8: Periodic Review requires an organisation to, as the name suggests, review the existing documents and processes in place pertaining to Business Continuity on a periodic basis. The industry best practice suggests that this be done at least annually. But what do we need to review here? These may include, but are not limited to:

1. The Business Continuity Policy (which includes the rules and requirements that an organisation SHALL follow to ensure adherence to the required BCP processes)
2. Business Continuity Plan (which includes a comprehensive bundle of the necessary actions to take during a disruption along with specific timelines to be met, and contact details of key people involved)
3. The training and awareness material
4. The BCP testing procedures
5. BIA and relevant RTOs and RPOs

Conclusion

In conclusion, Business Continuity Management (BCM) comprises several crucial phases, each essential for ensuring organisational resilience in the face of disruptions. Beginning with Business Impact Analysis and Risk Assessment, organisations identify potential vulnerabilities and prioritise critical processes.

From there, Recovery Strategies are developed to mitigate risks and establish a robust Business Continuity Plan. Implementation follows suit, integrating strategies into everyday operations, supported by thorough Training and Awareness efforts to empower staff.

Testing the Plan validates its effectiveness, allowing for adjustments as needed, while Periodic Reviews ensure ongoing relevance and alignment with evolving business needs.

Through these iterative phases, organisations can proactively prepare for and respond to disruptions, safeguarding their operations and ensuring continuity in the face of adversity.

This concludes our overview of the various stages of BCM lifecycle and hope this was helpful. I have tried capturing the major aspects of BCM at a high-level and will be exploring each of the concepts we encountered above, in more depth.

Meanwhile, do reach out to me if you have any questions or if there are specific topics that you’d like me to cover first. Will be happy to answer 😊.