Business Continuity Management

More and more organisations are now taking an interest in the field of Business Continuity Management (BCM), in particular with regard to business continuity and disaster recovery. Any form of BCM is an important aspect of any organisation and one that is linked in part to Risk Management or Enterprise Risk Management.

What is Business Continuity Management or Planning?

British Standards BS 31100:2011 defines BCP as:

A holistic management process that identifies potential threats to an organisation and the impacts to business operations that those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability for an effective response to safeguard the interests of its key stakeholders, reputation, brand and value-creating activities.

So, we can see from the above definition that the purpose of business continuity is just that: to identify what is going to affect an organisation and how it is going to be affected and, above and beyond that, to build resilience. Business continuity planning is the actual planning process or document designed to ensure that an organisation can continue to operate in the event of an incident, and it forms part of business continuity management.

It is difficult to understand why it is only in recent years that many businesses have understood the value of BCM and why it is so important in terms of business and strategic goals. Larger organisations have ensured that they have the necessary skills, experience and knowledge in terms of business continuity planning and will either recruit BCM specialists internally or outsource to one of the experienced consultancies. Smaller organisations must follow suit and ensure that they have the relevant planning and responses in place, and this is where experienced BCM consultants can assist.

What is crisis management and disaster recovery?

If we look at the process of business continuity management then we can outline what the correct responses are, and how each stage interacts with the next.

For a successful organisation that has taken the time to acknowledge and prepare for a range of threats to its business, any major event will prompt it to start its crisis management plan. This plan will detail the relevant responses to such an event, including ‘decision-making’ and communication to internal and external stakeholders.

Once the crisis management plan has been actioned, the organisation can attempt to recover from the event as best as possible, and this includes actioning the disaster recovery plan. Remember that the organisation must first ensure that the crisis management plan has taken effect, that the crisis is understood, and that measures are in place in terms of decisions and communication across the organisation. It may be that the disaster recovery plan is initiated in parallel with the crisis management plan and the two are able to run alongside each other, although disaster recovery should always be considered as ‘post’ crisis plan activity where possible.

Once the crisis has been contained, the crisis management plan is successful, and the organisation has commenced the disaster recovery stage, the organisation will be able to start to concentrate on business continuity.

Knowledge of this subject, in terms of both qualifications and familiarity with the relevant standards, could well differentiate one person from another and would be highly regarded by many organisations. Business continuity planning is vital to ensure that business operations continue without fail and that stakeholders are aware of what is occurring at every stage. Further information on Business Continuity management can be found here.

It is also worth noting and exploring the relevant business continuity standards available:

– BS 25999 Part 1 (2006) Code of Practice for Business Continuity Management
– BS 25999 Part 2 (2007) Code of Practice for Business Continuity Management

These have now been replaced by an internationally accepted standard:

– ISO 22301 (2012) ‘Societal Security – Business Continuity Management Systems’