
Protecting Your Business From Interruption:
The Value of Business Continuity Management

by Robert Giffin, CBCP


The Need For Business Continuity Management

All businesses face the threat of an unplanned business interruption. While the causes vary from natural disasters to IT service interruptions, many organizations lack the capability to respond in an effective way. As a result, thousands of businesses large and small are crippled every year by unplanned business interruptions. However, there are cost-effective protections that every business can establish to avoid this risk. Many of these protections are focused on isolated risks; for example, if a company has a critical product that has to be shipped no matter what, it may choose to store that product in two locations, thereby protecting it. However, such an approach ignores the broader purpose of risk management: examining these risks through a structured approach results in a comprehensive understanding of the organization's risks, thereby optimizing its investment to limit those risks.

The structured approach needed for business interruption risks is business continuity management – a process that analyzes an organization's risk of business interruption and takes actions to reduce it. While this is often achieved through a continuity plan, simply writing a plan will not substantially affect your business's exposure to interruption risks. A business continuity management process is the key to identifying which activities will reduce risk and eliminating the activities that are less beneficial. By taking a structured approach to managing business interruption risk, an organization maximizes its risk reduction while minimizing costs and focusing its efforts on critical areas that are worth protecting.

If it's not a plan, what's the outcome? Organizations that embark on developing and implementing business continuity management processes often create well-rehearsed, documented business continuity plans. But they also create something more valuable: a well-aligned risk management culture that learns to proactively recognize business risk and take action, and when an issue persists, apply reactive frameworks to control the resulting impact.

The remainder of this article describes the business continuity management process and how each part of the process drives the effort towards value-added activities. Also offered is a simple, straightforward process to initiate business continuity management, and a number of key success factors.

The Process

Business continuity management is often daunting because of the number of ways it can be completed. With so many options, it's easy to get lost and tempting to just start doing things without an understanding of what you are trying to achieve. To better understand the basic building blocks of business continuity management and how each generates business value, here are the five key tasks that make up a solid business continuity management program and the strategic benefits they provide:

1. Identify critical activities and associated dependencies
This provides the analysis needed to focus the business continuity management process on the areas that will provide the most benefit. During the analysis, every area of the company should be evaluated to identify critical activities and dependencies that may not be immediately obvious. This typically includes an estimated cost of downtime and prioritization of when each activity would be recovered after a widespread disaster, thereby focusing business continuity management efforts on the shortest timeframes. The longer timeframes are not neglected, but they are activities that could likely be prepared for during an interruption due to the long lead time allowed.

2. Identify likely causes of failure and protections against failure
Some causes of failure are pervasive across every critical activity, such as natural disasters or power outages. Those causes can be protected with facility-wide plans to respond to the event and communicate the response to stakeholders. In addition to pervasive causes, each critical activity may have some unique causes of failure, such as equipment failure, loss of a specific technology or loss of key personnel. These unique causes may be controllable through redundancy or other protections like cross training. When the potential protections compare favorably to the estimated cost of downtime identified in task, a business case can be built for implementing the protection.

3. Develop alternate modes of operation for critical activities based on likely causes of failure
Critical activities that cannot be adequately protected from failure will need to have alternate modes of operation defined. For office personnel, this typically involves alternate work space or manual workarounds in the event of technology downtime. For more complex environments, this typically involves a process to redistribute work to other locations. It is likely that departments across the organization have theorized about how they would continue to work in the event of an interruption. These theories should be gathered, analyzed, documented and agreed to for critical activities. While some alternate modes of operation may have little increased cost (such as using unused office space for recovery), others will have significant cost (dedicated alternate office space for 200 employees). Each of the decisions made for alternate modes of operation should also be compared to the cost of downtime (identified in task 1) to determine the most cost-effective option that matches management's tolerance for risk.

4. Document plans to implement the alternate modes of operation and manage the overall process of responding to a disaster and performing a recovery
Individual recovery plans will need to be developed to define the details of how each critical activity will deploy its set of alternate operating modes. In addition, executive level plans will need to be developed. These documents will identify the people responsible for making decisions, the resources needed and the methods of communication that will be used.

5. Exercise the plans
Even though it is the last step, exercising plans provides some of the greatest benefit to the organization. Exercising ensures that the personnel critical to the recovery effort are capable of implementing the company's plans. Exercising will also provide the most detailed and focused review of your strategies and plans.

The Result

Using the process above to analyze and evaluate the risk management options for an organization produces reliable and repeatable results. In addition, the process will result in the following key outcomes:

  • An executive level crisis management plan that guides the process of responding to a disaster and allows executives to focus on their area of responsibility
  • Formalized alternate modes of operation that can ensure organizational goals will continue to be met
  • Trained personnel that are knowledgeable of their responsibilities in the event of an interruption

Business continuity will never be a silver bullet that protects the organization from every interruption, but it can allow an organization to make smart investments in protecting against the most likely and most severe threats.

Getting Started

Starting any new process in an organization is challenging, but the key is always the same: have the right people involved and moving to achieve a central set of objectives. This often takes both time and diplomatic effort, so patience will be needed. Here are three key steps to getting a business continuity management process off the ground:

1. Understand Expectations
The best way to begin the conversation about business continuity is to have a conversation with your executive team about expectations regarding the organization's ability to respond to a disaster. Their response will probably be something like: "I think we're fine, our people are used to responding to a crisis and figuring out how to get product out the door" or "I haven't spent much time thinking about it, but I'm not sure we would know what to do or how to react." The criteria identified in the table below can be a guide to how other organizations like yours are approaching business continuity and provide some basis for why business continuity is important or how you should approach it. Many times, that's all that is needed to get executives interested in business continuity. With these expectations as a guide, the program will be supported by the executive team and provide the answers they are looking for.

2. Establish Accountability
Clear accountability for business continuity activities should be established to ensure their progression in the correct direction. This frequently resides under the CFO with a Director, such as Director of Risk Management or Insurance. Occasionally IT is given responsibility for business continuity; however, they often struggle with effectively connecting with the business.

3. Conduct A Pilot
When starting out with business continuity, most organizations conduct a pilot of one facility to understand the constraints and demonstrate the benefits of the program. Frequently, the pilot is the corporate headquarters so that senior executives can be involved and incorporated into the executive crisis management plan. Once the pilot is successfully deployed, the scope can be expanded to all facilities which house critical activities.

Conclusion

The use of business continuity management in organizations continues to expand and evolve in parallel with the broader discipline of risk management. Like risk management, business continuity management is a flexible process that is meant to be used in the way that best fits the organization. While using this process, each step will contain its own individual business case for continuing. As a result, the cost and benefit of business continuity management will vary from organization to organization. However, nearly all organizations should deploy some form of it to meet their obligations to stakeholders.


About the Author
Robert Giffin is a Director and co-founder of Avalution Consulting. Rob specializes in the development of business continuity programs in the manufacturing, healthcare and consumer products industries, as well as in government. Rob can be reached via email at robert.giffin@avalution.com or at 800.941.0381.
