It is not always clear how the key organizational functions of business continuity management and risk management relate to each other. In this article we explain the connection between these two concepts. In doing so, we consider:
Business continuity management (BCM) means preparing an organization to deal with events that might otherwise prevent it from achieving its objectives. These events could be a natural disaster, a pandemic, a major IT failure, or something else.
There are various other terms that relate to business continuity management in some way. These include:
Disruptive events need to be managed through BCM because of the risk they pose to the organization. This raises questions: Is there a need for separate risk management and business continuity management? What is the precise connection between the two?
The international standard ISO 31000 defines risk as the “effect of uncertainty on objectives”. ‘Risk management’ is therefore the management of that uncertainty. While specific risks will differ from organization to organization, they can be placed in the categories of ‘strategic’, ‘financial’, ‘operational’, and ‘compliance’ risks.
In risk management:
Risk assessment and risk management can be integrated into various stages of BCM:
With risk assessment involved at various levels of BCM, putting in place a robust risk assessment process might be the single best thing an organization could do to improve its BCM: once you have completed your risk assessment, you will have most of the data you need for your BCP, BIA and DRP.
There is no one set process for BCM that your organization must follow. However, we find it useful to take the following steps in order:
1. Strategic Risk Assessment. There are dozens of different events that could disrupt business continuity. But which ones should you focus on? For example, organizations in New Zealand or Japan will need to think about the effect of major earthquakes on their operations. Organizations with significant data holdings will need to consider the impact of IT server failure. It will depend on the organization in question and their own risk assessment process;
2. Business Impact Analysis. As mentioned above, once potentially disruptive events have been identified and assessed, the next step is the BIA. At this stage, the precise impact of disruptive events on the organization is set out. This is, in some respects, a more in-depth version of examining the consequences of a particular event in a regular risk assessment;
3. Disaster Recovery Plan. Following the BIA, organizations need to look at the resources needed to recover from the potential interruption as quickly as possible. This is set out in the DRP. It includes a ‘gap analysis’ of the distance between the business recovery goals and current capabilities. At this point a set of recovery objectives (including time objectives) should be set. In addition, the critical staff and financial resources needed for recovery must be estimated;
4. Business Continuity Plan. A formal BCP needs to be constructed with input across the organization and from all relevant stakeholders. The BCP is a broad summary document of the organization’s key BCM processes. Unlike the DRP, it does not look just at recovery, but also looks at prevention and mitigation. At a high level, it should summarize the results of the strategic risk assessment, BIA and DRP;
5. Training. There should be ongoing training and development for both the BCM team (if there is a distinct team), and the general workforce, on BCM. This training should make employees and contractors aware of possible key disruptions to the organization and what they can do in response. This training should identify who is responsible for business continuity and where relevant documentation (e.g., BCPs) and contact numbers are to be found;
6. Regular testing, review, and monitoring. This might be the most underrated step in the process, yet it is a crucial one. A “bad” BCP that works is still better than a perfect BCP that only works in theory. It is therefore good practice, for example, for an organization to go through a test run of the DRP every year to check that it is fit for purpose and that the recovery objectives can actually be met.
In short, we can summarize BCM as an overarching activity of risk assessment, business impact analysis, disaster recovery planning, training, and ongoing review/testing.
It can be helpful to explain the importance of BCM, and its relation to risk management, with a concrete example. We use our own case. For a Software as a Service (SaaS) company, one of the most catastrophic possible events is the loss of client data. But, as is human nature, it is easy to downplay potentially disastrous events if their chance of occurrence is low.
During the early years of our company, 10+ years ago, we, of course, thought ‘that will never happen to us’. In our case, the failure came from our server provider’s end. A flaw in architectural design, unbeknownst to us, led to a faulty backup system. At a certain time, we attempted to hotfix a bug, and in the process deleted current data. However, we did not have access to the backup data to quickly fix the problem. All of us were in shock that we had actually lost/deleted client data.
Thankfully, our existing BCM processes kicked in, and the small amount of data lost was recovered with an expensive data recovery specialist.
But after this experience, we learned to pay closer attention to risk assessment in our BCM processes. Unlikely events, given a long enough period of time, tend to happen, so an organization’s risk management practices need to be well-prepared for these eventualities.
In the final sections of this article we set out key tips we have learnt over the years for improving BCM, based on our experience in the field, as well as useful templates you might employ in developing your own BCM processes.
1. Assign an Owner of Business Continuity Management
All major business functions need an ‘owner’ of the process: the person responsible for that function within the organization. Who this is will depend on the size and resources of the organization: some large organizations will have dedicated BCM teams; in others, BCM will be part of risk management; and in very small organizations it will be the responsibility of the directors themselves.
Make sure that ownership is clear and that it is accountable to the board of the organization (usually through the board’s risk committee).
2. Collaborate in Business Continuity Management
When doing initial risk assessments, or when carrying out the BIA, a convergence of expertise is required. It is unlikely that just one person will have perfect knowledge of risks that could disrupt an organization, as well as its broader impacts.
Whoever owns BCM within the organization needs to facilitate broad input from across the organization and from key stakeholders (such as the board). This will help determine which potentially disruptive events, and which impacts, need to be a BCM focus.
3. Integrate Risk Management and Business Continuity Management
We have mentioned that BCM is impossible without risk management and vice versa. In light of this, organizations should take steps to ensure these functions are aligned.
For example, continuous risk management might identify increased likelihood of lockdown events in the COVID-19 pandemic environment. As a result, continuity through a lockdown event should be prioritized in BCM.
4. Introduce Technological Tools
There are a range of tools that can contribute powerfully to BCM. Examples include:
5. Keep Business Continuity Plans Simple and Actionable
The BCP, by its nature, is implemented in emergency situations. It is not just an internal document which is filed away for occasional update. This means an overly complex and detailed BCP can impede practical use. We recommend:
6. Testing, testing, testing
Run the drills set out in the BCP and test the procedures in the DRP. Make sure everything works when things get bad.
Once the organization has decided to implement or improve its BCM processes, where should they start?
Business Continuity Plans
There are a range of useful templates available online, depending on the needs of the organization. We have found the following templates useful when constructing BCPs:
Business Impact Analyses
When carrying out a BIA we recommend the following templates:
Disaster Recovery Plans
We devised our own DRP with the help of the following templates:
While business continuity management and risk management are separate processes, they are interrelated: one task within the organization cannot be carried out without the other. In this piece, as well as explaining the connection between the two, we have set out some simple steps to improve and better ‘join up’ your risk and business continuity management processes: assign ownership, collaborate, integrate, employ technology, keep it simple, and test regularly.
We hope the templates we have identified can provide you with a kick-start for your own business continuity management. Other useful tips and templates are welcome!