Ask yourself: Can you effectively continue your business after a fire, flood, earthquake or loss of your most important customers or suppliers?
In light of the current world-wide spread of the coronavirus, it is likely that many business continuity plans will have to be activated. As we know from media reports, many factories and other organizations close to the source of the outbreak were ordered to close for a significant period of time. We can only hope that those affected had risk management and business continuity in place, had identified and evaluated pandemic risks, and had tested plans ready to be activated. We believe the risk of a pandemic will now find its way into the risk registers of many organizations.
Accidents never rest: unforeseen things can happen in business to anyone, at any time, including you. Organizations that have not developed a business continuity plan are at high risk, and the ability to respond quickly and effectively is the key to survival.
By some statistics, as many as 90% of the businesses that experience some of these incidents cease operations in the next 2 years due to their inability to recover. This is why having some type of a business continuity plan in place is important for every organization, regardless of revenue, size or industry. Such a plan should include a basic organizational structure for your team, as well as the necessary guidance and checklist for your business units.
What is business continuity?
Business continuity is the advance planning and preparation undertaken to ensure that an organization will have the capability to operate its critical business functions during emergency events that would significantly interrupt your business. These events can include natural disasters, malicious code (remember Lekarna Ljubljana?), pandemic, workplace violence, riots, large scale power cuts (caused by sleet) or any event that results in a disruption of your business operation. It is important to remember that you should plan and prepare not only for events that will stop functions completely but for those that also have the potential to adversely impact services or functions.
Why is business continuity important?
Establishing a business continuity system enables you to continue business operations while also providing a sense of security for your clients and customers who depend on the business. Namely, business interruptions due to system failure, natural disasters, etc. can have a significant impact on an organization’s operations, market share as well as undesirable financial and reputational consequences for the organization. Critical business systems account for more than 50% of systems and applications within organizations, making it very important to have a realistic and strong business continuity management system in place.
What does Business Continuity Include?
Business continuity covers the planning and also preparation needed to ensure your organization will be able to perform its critical business functions during emergency events. In times of crisis, your business needs to be able to provide answers to the following questions:
– How will you provide your customers with services or access to the product despite the complications?
– How will you take care of and support your employees?
– What is the required technology to support the business functions and what is the workaround process to use if the technology is not available?
– Where and how to relocate people and processes if this is required?
– Which people, teams or even organizations are needed to carry out the plans and manage emergency events?
– In what scope and in what order will you recover your business processes?
– How are you going to recover the data?
– Business process dependencies (what, or who does each business process rely upon in order to do their work).
– Regular exercises to validate that plans and actions meet requirements and will be functional in an actual event.
– Ensure staffing levels will be adequate during an event for both external and internal needs
– Documentation of the steps and actions to take during an event to accomplish the items above.
Benefit from International Standard for Business Continuity: ISO 22301:2019
A great tool to help you understand and prioritize the threats to your business is the ISO 22301:2019 international standard. It covers generic requirements to implement, maintain and improve a management system to protect against, reduce the likelihood of the occurrence of, respond to and recover from disruptions when they arise.
The requirements of the standard are general and applicable to all organizations of all sizes and types or their parts. Therefore, the tool offers you the possibility of developing an individual approach and methodology, depending on the business and complexity of your organization. For these reasons, the ISO 22301 may be used within an organization to measure itself against good practice, and by auditors wishing to report to management.
Important steps in establishing and maintaining an efficient business continuity management system are:
- Business continuity policy that documents the organization's intent to systematically ensure continuity of its operations, providing resources, assigning roles and expressing management support
- Risk identification and assessment that identifies and evaluates risks that could interrupt business, providing directions for further planning
- Risk treatment that explores options for mitigating those risks
- Business impact analysis (BIA) that determines order and timeframes for business processes recovery, defines critical data and recovery point objectives
- Business continuity strategy that defines strategic approaches to resuming operations in event of disruption at an acceptable level and within acceptable timeframes, based on findings in risk identification/treatment and BIA
- Business continuity plans that define accurate steps, roles, and resources for carrying out activities to resume operations in an event of a disruption (process recovery plans, crisis management plans, communication plans, disaster recovery plan, plans for returning to normal operations…)
- Training and testing to ensure plans are up-to-date, feasible, reflect strategy requirements, are familiar to personnel with business continuity roles, etc
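The business impact analysis step above produces an order and timeframes for process recovery, and the earlier list of questions asks for business process dependencies (what each process relies upon). The following is an added example, not code from the article or from the SBR platform it describes: a small Python helper that takes a constructed sample BIA (process names, recovery time objectives and dependencies are all made up for illustration), derives a recovery order in which every dependency is restored before the processes that need it, and flags RTO conflicts, that is, a process whose RTO is shorter than the RTO of something it depends on and therefore cannot actually be met.

```python
# Added example, not from the article or the SBR product. Process names,
# dependencies and RTO values below are constructed sample data.
from collections import defaultdict

# Constructed sample BIA: process -> recovery time objective (hours) and the
# processes it depends on.
SAMPLE_BIA = {
    "order_intake":     {"rto_hours": 4,  "depends_on": ["crm", "network"]},
    "crm":              {"rto_hours": 8,  "depends_on": ["database", "network"]},
    "database":         {"rto_hours": 2,  "depends_on": ["datacenter_power"]},
    "network":          {"rto_hours": 2,  "depends_on": ["datacenter_power"]},
    "datacenter_power": {"rto_hours": 1,  "depends_on": []},
    "payroll":          {"rto_hours": 72, "depends_on": ["database"]},
}


def recovery_order(bia):
    """Return the processes in an order where every dependency is recovered
    before the processes that rely on it (Kahn's topological sort). Ties are
    broken by shortest RTO so the most time-critical work comes first.
    Raises ValueError on unknown or circular dependencies."""
    indegree = {proc: 0 for proc in bia}
    dependents = defaultdict(list)
    for proc, info in bia.items():
        for dep in info["depends_on"]:
            if dep not in bia:
                raise ValueError(f"{proc} depends on unknown process {dep!r}")
            indegree[proc] += 1
            dependents[dep].append(proc)

    ready = [proc for proc, deg in indegree.items() if deg == 0]
    ready.sort(key=lambda proc: bia[proc]["rto_hours"])
    order = []
    while ready:
        proc = ready.pop(0)
        order.append(proc)
        for child in dependents[proc]:
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
        ready.sort(key=lambda proc: bia[proc]["rto_hours"])

    if len(order) != len(bia):
        raise ValueError("circular dependency in BIA")
    return order


def rto_conflicts(bia):
    """Return (process, dependency, process_rto, dependency_rto) tuples for
    every process whose RTO is shorter than that of a dependency: the plan
    allows the dependency to come back later than the process needs it."""
    conflicts = []
    for proc, info in bia.items():
        for dep in info["depends_on"]:
            if bia[dep]["rto_hours"] > info["rto_hours"]:
                conflicts.append((proc, dep, info["rto_hours"], bia[dep]["rto_hours"]))
    return conflicts


if __name__ == "__main__":
    print("Recovery order:", " -> ".join(recovery_order(SAMPLE_BIA)))
    for proc, dep, proc_rto, dep_rto in rto_conflicts(SAMPLE_BIA):
        print(f"RTO conflict: {proc} ({proc_rto}h) depends on {dep} ({dep_rto}h)")
```

In the constructed data, order intake has a 4-hour RTO but depends on the CRM, which is allowed 8 hours, so either the CRM's RTO has to be tightened or the order intake plan needs a workaround that does not rely on the CRM, which is exactly the kind of finding a BIA is meant to surface before an actual disruption.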
The purpose of risk management in the context of business continuity is to:
- Identify and evaluate possible risks that could disrupt business
- Treat risks, where treatment is justified economically or by other criteria, to minimize their probability or impact
Risk identification, assessment, and treatment are an integral part of a systematic risk management process and go hand in hand with business continuity efforts. During regular risk management activities, the risk that could interrupt business should be controlled appropriately.
In some cases, the likelihood of a risk materializing and interrupting business can be reduced significantly. A good example is malware risk. There are well-known cases in which ransomware caused an unacceptably long interruption. This risk can often be contained well with appropriate measures that prevent malware from entering critical systems, eliminating the interruption altogether.
And then there are risks that cannot be avoided. A typical example is an earthquake. It is practically impossible to implement measures that could prevent an earthquake. In this case, the only real prevention is a systematic response to the event: business continuity plans that are prepared, tested and rehearsed so they can be activated and operations continued within the defined time objectives.
In both cases, effective risk management, supported with appropriate tools such as SBR, is of critical importance.
SBR supports workflows and methodologies that help you identify, evaluate, assess and rank risks in various risk areas and categories, including business continuity. Evaluation and assessment can be done in many ways, either financially or using other custom criteria defined by you. Measures, which may include business continuity planning, can also be evaluated for efficiency and cost-effectiveness. Risks can be monitored through custom-defined key risk indicators and acted upon if required.
P.S.: To refresh your knowledge about systematic risk management, check a few previous articles:
Contact our team if you need help with risk assessment.
Božo is an experienced consultant with a proven history of working in the fields of information technology, communication and service industry. His expertise lies in information security management, and software architecture design and development, and is successfully converted into Silver Bullet Platform.