Business continuity means contemplating all scenarios and solutions, regardless of the event’s cause and whether it was within our control.
In the current environment, in which businesses of all sizes and types are being tested in unprecedented ways by the coronavirus (COVID-19) pandemic, business continuity and resilience have become a critical discussion in boardrooms and C-suites across the world. The pandemic’s widespread impact has forced organizations to revisit business continuity planning (BCP) and how to embed BCP practices in day-to-day operations. As we consider the changing landscape brought on by the pandemic, it’s important to remember that other business risks continue to threaten business continuity. Natural and man-made disasters, as well as technology risks, abound. How can organizations stay prepared for these events? How can they develop a business continuity management (BCM) program that responds to all crisis types and scenarios? Who is the right person in the organization to own and manage the BCM program? And what are the critical elements of a business continuity policy?
In Protiviti’s Guide to Business Continuity Management: Top 15 Frequently Asked Questions (July 2020), we answer these critical questions along with many other pressing questions about BCM and related practices. Also included in this edition is a glossary of key BCM terms and definitions.
Pandemic planning or preparedness is an important part of business continuity planning. As COVID-19 has shown, pandemic preparedness presents unique challenges for businesses, given its far-reaching geographic impact and difficulty with predicting its scale and duration. It can also have a wide range of impacts on businesses (e.g., worker displacement, technology constraints, decreased production, and challenges with third-party capabilities). Below we list a few of the critical roles BCM can play in pandemic planning and response:
The health and safety of personnel, the welfare of customers, and concerns about any other human life should be the priority. Continued operation of the business, or maintaining or preserving business assets, must be secondary to preserving human life, health and safety. Once this is addressed, attention can shift to a more traditional risk management process, which focuses on the key people, processes and technology driving the business. Following are some key considerations when developing a pandemic response:
The nice thing about business continuity planning is that the discipline is ever evolving. Most organizations have already launched after-action activities — even though the COVID-19 crisis is not over yet — to understand what happened, what was learned from it and what should change about their response so they can be more effective if it ever happens again.
The core building blocks of any good BCM program are business resumption, crisis management and IT disaster recovery. Each plays an important role in a business continuity lifecycle, which extends beyond the duration of an event. It also addresses how organizations return to normalcy after the event. As an example, the crisis management team that forms during a crisis to make critical business decisions in a timely manner that will direct and guide the response is the same team that will guide activities to restore normal operations.
Simultaneously, the group of IT professionals who helped execute an IT disaster recovery program that allows, for example, an entire workforce to go remote all at the same time, and all of the bandwidth and infrastructure implications that go along with making that a possibility, are also responsible for helping those same individuals return to normalcy.
BCM is the design, development, implementation and maintenance of strategies, teams, plans and actions that provide protection over, or alternative modes of operation for, those activities or business processes which, if they were to be interrupted, might bring about seriously damaging or potentially significant loss to an enterprise. As BCM has evolved, the threat landscape has grown considerably to include both internal and external events, as well as extreme-but-plausible incidents.
BCM consists of three core disciplines:
In addition to the traditional BCM disciplines listed above, many organizations manage other closely related programs as part of their overall BCM program. These programs include:
Finally, due to the nature of business continuity, it is common for several functions to be integrated at various phases of business continuity planning. For example, facilities or physical security teams may engage in emergency management activities, and safety and environmental health teams may have input in developing recovery strategies. Integration of these enterprise-impacting functions, depending on the organization or industry, can be confusing.
The value of BCM lies in risk mitigation — minimizing the risks associated with any disruption to business as usual. In the wake of recent catastrophic natural disasters and the COVID-19 pandemic, business leaders are more mindful than ever of the need to plan for and respond to business disruptions.
The business environment is fraught with risks that can impact businesses’ ability to not only continue operations, but also protect their people and brand, earn revenue, maintain relevance and remain compliant with regulations. Companies need to stay ahead of these risks by understanding priorities, planning for disruptions, employing good business practices, and exercising forethought to increase their ability to course-correct quickly when things go wrong.
Organizations realize value when they proactively design and deploy business continuity solutions to manage a specific risk or multiple risks. For example, understanding and developing contingency plans for the loss of a key supplier can help a business mitigate potential financial, operational and reputational impacts.
Financial risk – This is the most evident and quantitative area of risk. Companies can minimize financial loss and maintain market share by focusing on several factors, including:
To protect the supply chain and ensure that supply keeps up with customer demand, a company may hold its suppliers accountable for disruptions to the supply chain that impact its operations. For example, a company can use contract provisions to hold a supplier accountable for timeliness in delivery of products or services, as well as for quality of products or services delivered.
A company can implement BCM solutions to minimize the potential for huge unexpected costs stemming from single points of failure and critical external dependencies. For example, if a company depends on a single critical supplier that suddenly is unable to provide core products or services, a well-designed BCM solution would provide contingencies to mitigate the financial loss.
Operational risk – This area of risk stems from the inability of companies to produce core products and services as expected. This can include risks associated with equipment or technology obsolescence, a failure in internal functions, and unexpected changes to a leadership team. Other operational risks directly impacting business as usual include:
A company should implement BCM solutions to minimize operational gaps and ensure that the delivery of products and services continues, even during unusual circumstances. Comprehensive implementation of a BCM program will lower risks associated with readiness, planning and response, which can decrease overall operational risk.
Regulatory risk – Regulatory bodies are increasingly holding companies accountable for maintaining validated capabilities, teams and plans, and can issue fines to those that operate without a BCM program. Depending on the regulator, a repeated and unmitigated issue at a regulated entity could result in a reportable item, which could impact the company’s creditworthiness or reputation. Generally, companies that violate regulations or compliance requirements face:
Reputational risk – Bad press can cause a decline in revenue, unwanted social media attention, lower market capitalization and, in the long term, a negative opinion of an organization in the eyes of the discerning public. In today’s 24-hour news cycle, a measured, empathetic, rapid and relevant response to any event is crucial to maintain a positive reputation. A mature BCM program drives value by protecting a company’s brand and adeptly managing the ever-changing business landscape in the face of growing competition.
One of the more confusing aspects of BCM is its terminology. The confusion is mostly due to differences in how regulators and industry groups use and define terms in the BCM lexicon. Below are a few examples grouped according to the core discipline to which they are most aligned.
(Note: The above list is not comprehensive. The practices within a specific industry or regulatory landscape may influence how BCM terminology is used.)
Crisis management is an entity’s overall effort to stabilize and prevent further damage after an unplanned event. Crisis management takes place at all organizational levels, beginning with executive management. It includes initial efforts from all departments, such as communications and public relations; regulatory affairs; environment, health and safety (EHS); human resources; legal; corporate security; and all business units.
Crisis communications is a crucial component of crisis management. It encompasses all communications before, during and after an event, including targeted communications to employees, customers, community, regulatory agencies, shareholders, the board of directors and all others who may be affected by the situation. These communications can be deployed during any type of event that may be deemed a crisis, from a product recall to a data center fire. The trend in crisis communications is to have multidisciplinary teams for internal and external communications working together on messaging. Public relations, sales and marketing, communications, human resources and investor relations collaborate to develop and deliver internally and externally directed messages.
This example illustrates how crisis management and crisis communications can work together:
After a manufacturing director is confirmed to have been infected with COVID-19, EHS notifies the crisis management team that the director’s temperature was on the rise throughout the week but there was no concern about the virus until additional symptoms surfaced. The director oversees two manufacturing plants and is consistently in the corporate office for meetings. EHS informs the crisis management team that the director was on site at all three locations throughout the week. The crisis management core team makes the following decisions:
As shown in this example, crisis communications processes are dependent on decisions made by the crisis management team, which acts as a liaison between the business and internal and external stakeholders.
Although vague, this frequently asked question is a valid one. Business continuity management (BCM) approaches and scopes vary widely; one size does not fit all. The primary driver of a BCM program should always be the recovery requirements (and constraints) of the business. However, several recommended attributes or program characteristics should be integrated with every BCM program. The process of embedding each of these into the program may vary:
A growing number of organizations are developing formal, documented business continuity policies to support their BCM programs. Typically, the content and format of the policies differ based on existing standards and the culture of the organization. Below are the critical elements of a business continuity policy:
These key elements of a business continuity policy will assist an organization’s planning team with gathering the necessary support and resources to manage the BCM program effectively.
When planning for near-term events with business continuity implications, organizations are increasingly implementing creative processes to streamline the rigorous and detailed analysis effort required to complete a formal BIA and risk assessment, which can span many months. Organizations often do not have the time to complete an exhaustive analysis of all environmental, man-made, business process, supply chain and IT continuity risks.
One option to identify risks and prioritize recovery needs is to perform an abbreviated BIA and/or risk assessment through an executive work session. A facilitator leads a high-level cross-functional team to define impacts (at an organizational level, as opposed to a business-function or technology level), which in turn will be used to assist with establishing business-process and technology priority levels, recovery objectives and an order of recovery. This process is designed to reach preliminary conclusions in hours, as opposed to many weeks, using the input of business leaders throughout the organization.
With regard to an alternative for the comprehensive continuity risk assessment, a business continuity steering committee and/or project team can define a realistic worst-case scenario to inform an abbreviated scoping and planning process. The scenario, which should impact the entire organization, can provide a framework to assist planners with developing response and recovery strategies. The value in this approach is found in the streamlined manner of identifying the numerous impacts of a disruption without dissecting each type of triggering event. Many organizations have found that using a worst-case scenario can help them plan for less-impactful events.
While substituting an abbreviated approach for the full risk assessment and BIA process will not result in a thorough understanding of all risks and impacts to the organization, the examples noted above provide a way to jumpstart the planning process, particularly when the organization faces a distinct deadline or management has not formally endorsed the BCM process. Going forward, the abbreviated processes should be refreshed with more thorough analyses that consider information and perspectives from multiple levels within the organization.
As organizations begin to develop their BCM program capabilities and plans, they are confronted with a common question and dilemma: Who should own the overall program? A successful BCM program requires various levels of accountability and responsibility within an organization. While some organizations may ultimately decide to create a separate business function or unit to own the program, many choose to utilize existing resources and/or personnel.
Organizations typically provide leadership to the BCM program through one of three roles: sponsors, owners and custodians. Sponsors provide and ensure organizational and financial support. Given that consistent visibility to the board and senior leadership is essential, sponsors should be executives. Owners have direct accountability or are responsible for ensuring support and overall program execution. BCM owners are department leads with an understanding of strategy and direct working relationships with those implementing the annual plan and managing day-to-day tasks. Finally, custodians have the primary responsibility for coordinating BCM tasks executed throughout the organization. Custodians understand the various roles needed for each aspect of a comprehensive program and are empowered to escalate a concern in a timely and coherent manner.
It is not uncommon for these oversight roles to be aligned to the respective BCM discipline. For example, the CTO, CIO or CISO may own the IT disaster recovery program and the head of marketing may own crisis management. It is common for organizations to have a BCM steering committee or other similar decision-making and governance group providing oversight.
There is no single recommended structure for a BCM program. The nuances of a company’s industry, risk profile, culture and operations can influence the decision about where the BCM should reside. Some examples include:
As a matter of practice, it is recommended that BCM program ownership be maintained at an executive level within the organization so that it remains visible to decision makers and influences enterprise adoption while supporting all aspects of a mature program.
The size and composition of an organization’s business continuity function depends on various characteristics of the enterprise, including:
While it is common for companies to have a few individuals responsible for the organization’s overall business continuity efforts, many businesses have realized that maintaining an effective BCM program truly takes a village. Nobody knows the intricacies of a particular department or underlying business processes like the respective leaders and their supporting team members who are the “boots on the ground.” As such, when it comes to ensuring that a business impact analysis or a resumption plan for a department is current and actionable, the BCM lead (or leads) must solicit input and involvement from those individuals on the ground.
Similarly, a BCM lead must act as a conduit for relaying important recovery priorities to the IT organization and for ensuring that relevant IT disaster recovery plans and supporting technologies are in alignment with the recovery needs of the business. In industries like manufacturing or energy and utilities, where operational technology is not managed in the same manner as the enterprise or corporate aspects of an IT organization, specialized knowledge may not be readily available. These organizations or industries may have critical resiliency and recovery requirements that a BCM lead can help identify and prioritize. Further, the BCM lead can influence how subsequent recovery planning documentation addresses those priorities.
BCM leads must have clearly defined roles and responsibilities, as well as the support and sponsorship of the executive management team. Further, in many organizations, it is not uncommon for some BCM responsibilities to be delegated to several levels of personnel. If this occurs, executive sponsors should be engaged to ensure that all stakeholders remain aligned and that the needs of the organization are the focus when the time comes to manage all aspects of the program.
From an operating model standpoint, BCM programs can be organized into one of three primary models: centralized, divisional and federated.
When not a compliance need, BCM is often viewed as discretionary, since the value of time and resources spent planning, training, documenting, testing and validating all aspects of a program cannot be realized until something truly goes wrong. In the absence of regulatory requirements, audit findings or specific customer demands, the most effective way to convince executive management to fully support BCM efforts is to conduct and share results from an exercise that highlights risk (e.g., the business continuity risk assessment and business impact analysis, or BIA). Results from the exercise, which typically include recovery priorities, corresponding recommendations and industry benchmarking data, should provide executive management a complete view of the organization’s business continuity needs.
Communicating the value of business continuity efforts to executive management can also be accomplished through a cost-benefit analysis. The cost analysis addresses the funding and resources necessary to add resiliency and recoverability to key areas of the existing business and technology environment, while the benefit analysis relates to avoiding the potential impacts of a disruptive event (e.g., revenue loss, downtime, property damage, and reputation degradation).
Another data point that can be shared with executive management is business interruption premium savings from the organization’s insurance provider as the result of implementing a tested BCM program. Program implementation can also help firms realize savings in the cost of procuring directors and officers (D&O) liability insurance. From a fiduciary perspective, if the directors and officers understand that they can be held personally liable for the organization’s response to a business interruption, they are more likely to support and enforce BCM.
BCM regulatory requirements and standards are increasingly being enhanced in response to a growing focus on corporate governance and risk management and the devastating impacts of technology disruptions and catastrophic events. The enhancements are designed to help organizations develop more effective continuity responses to the evolving threat landscape, including providing enhanced protections for employees and all those who depend on an organization’s services (e.g., customers, clients and patients).
Regulations and standards are used to support BCM program development, measure adherence and assess maturity. While regulations and standards often provide guidance on required or suggested areas of focus and approaches to BCM, they rarely dictate specific items, formats or levels of detail in planning documentation. The most comprehensive guidelines and standards are geared toward financial services. It is not uncommon for other industries to draw on these more rigorous guidelines, applying the relevant controls and strategies as they model best practices.
Regulators around the world are developing new rules and expectations aimed at strengthening the operational resilience of the financial services sector, an effort being spearheaded by supervisory authorities in the United Kingdom. Operational resilience defines the ability of an organization to withstand adverse changes in its operating environment and continue the delivery of business services and economic functions. Below are the various approaches through which an operational resilience program can enhance and extend traditional BCM practices and concepts.