
The Road To Effective Business Continuity Management

Author: Michael Gallagher

The concept of a measure of the status of business continuity compliance in an organisation, as indicated in the BCM Self-assessment Questionnaire which featured in the August 2003 issue of Accountancy Ireland, appealed to many. Some organisations have used it to set target figures to be achieved by certain dates. The idea of being able to measure progress in this way proved interesting, and the charting of progress against target in numerical terms is attractive to senior management.

Non-executive directors, who are anxious to get a measure of compliance in the context of their corporate governance obligations, were also interested. If the checklist and scoring system are credible it can be a very meaningful means of monitoring progress - being able to say "three months ago our score was less than 50, our target was to be at the 75 level, and we are now scoring 70". This can be much more convenient for busy executives than having to read a detailed report.

Many organisations found that they scored poorly but still agreed that their score indicated the actual position of BCM within their organisations. How does an organisation move from this situation to one where an effective BCM programme is in place? What are the phases involved and how should it be approached?

The Business Continuity Institute published its Good Practice Guidelines in 2002. Subsequently the British Standards Institute developed a Publicly Available Specification, PAS 56, based on these guidelines. This in effect is a discussion draft of a possible BCM standard. Many expect this to form the basis of a British Standard within the next two years. The further expectation is that it could evolve into a de facto world standard in the way that ISO-17799 has become accepted in relation to IT security. While it is important to have standards it is also important that the standards do not obscure the fact that BCM is essentially a straightforward management activity based on common-sense and good management practice.

PAS 56 now defines BCM as - "a holistic management process that identifies potential impacts that threaten an organisation and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities". This is a development of the earlier BCI definition which defined BCM as "the act of anticipating incidents which will affect mission-critical functions and processes for the organisation and ensuring that it responds in a planned and rehearsed manner". The new definition emphasises that it is a holistic management process. It regards BCM as an integral part of corporate governance but PAS 56 emphasises that BCM should be undertaken because it adds value rather than simply because of governance or regulatory considerations.

In effect BCM is an essential part of good management. However to make management sit up and take notice a more personalised statement of what BCM is all about is useful. One that is directed specifically at management can be very effective in gaining acceptance of the need.

The diagram opposite illustrates the main phases of BCM and the iterative nature of the process.

Getting started

As with any other significant project there are certain pre-requisites which must be present if the project is going to succeed. The most important requirement is that there is clear and unequivocal support from the top. The project must be initiated because top management recognise the importance of BCM and are doing so because of that. If they are reluctantly doing it because the auditors have suggested it, or the insurers are insisting on it, or regulatory requirements must be met, it will not be very satisfactory in the longer term. While these are all drivers of business continuity, management must want to do it. Management must designate responsibility and authority for it. It must recognise that it is not a "once-off" activity, and it must also face up to the financial or other implications that the ensuing risk analysis and business impact analysis phases will identify.

Once the project has been launched an appropriate awareness campaign must begin. This is very important. Although the preparation of plans is important, of at least equal importance is the establishment of a risk and business continuity management culture in the organisation. This will influence areas such as capital investment plans - it is generally much easier and less expensive to allow for resilience and contingency at the commencement of a project than to try and retrofit solutions subsequently.

Risk and Business Impact Analysis

The risk analysis phase will identify the main risks, the likelihood of the risks materialising, and the impact which they would have should they materialise. It will also identify the existing and required risk mitigation and contingency arrangements.

There are various techniques and methodologies which can be used in risk analysis. These vary from relatively straightforward approaches to the use of sophisticated computer systems. Regardless of the approach taken it involves management decisions which strike the right balance between the likely incident cost and the cost of prevention. This is an informed management decision based on the available data.

Business Impact Analysis (BIA) is an analysis carried out at a reasonably macro level which identifies the impacts of losing business functions and resources. There are various ways of approaching BIA. The approach adopted depends on the nature of the organisation and can involve the use of questionnaires, interviews and workshops. Both risk analysis and BIA impose a structure and a degree of objectivity which should allow the organisation to home in on the things that are important at a corporate level rather than the specific priorities, or "hobby horses", of individual managers.

Following the completion of these phases it is appropriate to develop business continuity strategies. These can range from policies for reducing the dependency on a limited number of key suppliers or customers, through HR issues like succession planning, training and retention of skilled workers, to the use of business recovery centres and geographic dispersion of facilities and offices.

It is only then that the effective development of business continuity plans can commence. It is also worth remembering that if the earlier process is carried out effectively and the right people are involved, this process in itself can be even more important than the actual written plans. Key managers who have been through the process will be aware of strategies, priorities and contingency arrangements and will only need to refer to written plans for items such as contact lists and detailed procedures.

Business Continuity Plans

The nature and format of business continuity plans vary depending on a variety of factors - nature and size of the organisation, type of business or industry, organisation culture, etc. There is no template that can be universally applied - even within the same industry - and it can be a mistake to try to use one without modification.

The following are the main elements in any plan:

- Plan invocation - when, and by whom, should it be invoked? (What comprises a serious incident?)
- Roles and responsibilities of the crisis management team
- Contact details for crisis management and recovery teams, senior management, emergency services and other organisations who will be involved in recovery, key staff, customers and suppliers
- The business processes to be recovered - priorities, how, where and timescales
- Recovery steps
- Communications with the media, staff, and business partners
- Arrangements and responsibility for exercising and updating the plan.

The work is not finished once the plan is developed - in fact the easiest part of BCM may be the production of the initial plan. The most difficult part is testing and exercising the plan and keeping it up to date.

The rate of change and the ever-increasing technological sophistication of the business environment, in both the public and private sectors, provide significant challenges in keeping plans current.

Once produced, the plan can very quickly become irrelevant. Keeping business continuity plans up to date will only be achieved if there is proper ownership of the plan by those responsible for the daily operation and management of the business unit, department or business process. Clarity in regard to ownership is essential to success.

Many line managers consider BCM to be someone else's responsibility - "isn't that why we have a Business Continuity Manager?" Business management is obviously focussed on business strategy, planning, operations and the day-to-day issues and it can be very tempting to put BCM on the back boiler. If BCP is regarded as part of a manager's job specification and becomes a KPI (Key Performance Indicator) in the annual evaluation and appraisal process it will be more successful. Progress on testing and maintenance is then largely an issue for line management.

The importance of testing / exercising the BCP must be emphasised. Unless a plan is exercised it cannot be said to be a viable, workable, plan. There may be significant faults in it and if it has not been proven the plan on the shelf will provide a false sense of security. These faults may not be discovered until the plan has to be invoked in a crisis - it is then too late.

Just as maintaining the plan is a considerable task, exercising a plan is not a trivial matter. Some plans are never exercised because of the perceived amount of work involved. There are different approaches to the task. These range from a simple call-out check through to a comprehensive large-scale exercise involving considerable personnel, financial, and other resources.

Conclusion

BCM evolved from Disaster Recovery Planning which was the responsibility of the IT department. Through various phases it has evolved to its current form where it is now a management responsibility rather than just an IT concern. The emphasis has long since switched from disaster response and recovery to prevention and resilience. It is now concerned with issues such as preserving, and enhancing, the organisation's reputation and addressing supply chain weaknesses.

A successful BCM programme is not necessarily expensive to achieve. However critical to its success is the establishment of a business continuity / risk management culture which results in such issues being an automatic consideration in all significant business decisions.

Corporate governance and regulatory requirements drive BCM. Insurance and audit considerations are also drivers, but increasingly it is being demanded by customers. A comprehensive and effective BCM programme is no longer desirable - it is now an essential element of good management.

Accompanying inserts and illustrations have been omitted from the online version of this article.

Michael Gallagher is a member of the Business Continuity Institute. His book, Business Continuity Management - How to Protect your Company from Danger is published by Financial Times / Prentice Hall in their Executive Briefing series.