Organizations base their strategies and decisions on the assumption that they will continue to operate. It is therefore compelling to implement strategies to manage business continuity risk.

Risk management is concerned with putting in place controls and treatments that seek to prevent or mitigate continuity risk, encompassing the establishment of appropriate strategies and plans. Business continuity management (BCM) is concerned with considering what to do when it all goes wrong, and making sure that customers and other people are not inconvenienced or put at risk when something does go wrong.

BCM should be based on an approach that considers the entire organization, all hazards and all agencies, and should be community-focused. All parts of the organization must be involved in BCM. The procedure must consider the organization as part of the community it operates in. The primary objective of BCM controls, strategies and plans is:
· To ensure uninterrupted availability and resilience of key or time-sensitive resources and dependencies so that they support the organization’s critical business processes, operations and services.

BCM also seeks to protect the interests of key stakeholders. Decisions on how organizations respond to incidents, regardless of cause, should be driven by these basic principles:
· Always put the health, security and safety of people first.
· Always seek to provide and manage factual, rapid and transparent communications.

BCM should be integrated with the organization’s existing risk management framework and processes. BCM goes well beyond implementing a simple process and writing business continuity plans and strategies. BCM should also reflect the organization’s unique culture. It comprises a comprehensive set of activities that are appropriately integrated into organizational learning and improvement.

PRINCIPLES FOR BEING EFFECTIVE WHEN IMPLEMENTING BCM

· BCM is part of the organization’s risk management
   - Therefore, it must consider a wide range of strategic and operational risks that have the potential to disrupt the achievement of organizational objectives.
· BCM is an important contributor to overall organizational resilience.
· BCM helps organizations to continue achieving their objectives.
· BCM drives organizational preparedness for
   o managing disruptive events
   o proactively treating risk, and
   o establishing the capability to manage potential impacts
· BCM builds an organization’s capability
   - To prevent adverse events from occurring, and
   - To respond to, manage and recover from these events should they happen.
· BCM seeks to
   - Understand an organization’s requirements for people, processes, information, assets and technology that will contribute to the achievement of its objectives.
· BCM is an iterative process that is
   - Continually monitoring, and
   - Reviewing external and internal contexts for change and responding to change
· BCM’s iterative process drives continual improvement so that it contributes to organizational preparedness and resilience.
· BCM is focused on the understanding of uncertainty and how organizations could respond to, and manage, that uncertainty.
· BCM provides
   - An analytical framework which assists decision makers in making informed choices on the management of continuity and risk events.

There are 6 overlapping clusters of activities that organizations have to consider doing before, during and after a disruption or an emergency. They overlap because one or more of these activities can be activated concurrently and/or sequentially:
1. Risk management (prevention and risk mitigation)
2. Response (immediate management)
3. Recovery
4. Restoration
5. Resumption (normalization back to “business as usual”)
6. Control.

DOCUMENTS THAT SHOULD BE IN PLACE

1. Risk management policy and plan
   - Framework
   - Process to communicate
2. Crisis/media management plan
   - Steps to maintain reputation
   - Steps to execute the relevant communication strategies or protocol/plan
3. Response plan
   - Steps to immediately respond to a disruption or emergency, ensuring human safety and security and maintaining communication
4. Contingency plan
   - Steps to activate or restore alternate processes, systems and physical locations or facilities where appropriate and necessary.
5. Recovery plan
   - Steps to restore specified critical key infrastructure
6. Restoration plan
   - Steps to provide basic “normal” business services
7. Resumption planning
   - Steps to bring service levels, operations and facilities back to business.

AN INTEGRATED ORGANISATION PROCESS

· Establish the programme or project
· Develop the organization’s BCM policy and framework
· Risk assessment and impact analyses
· Establish a governance structure for
   - Incident command
   - Management
   - Recovery
   - Support
· Develop cost-effective intuitive strategies and plans
· Develop and test strategies and plans
· Review, maintenance, training and auditing of strategies and plans

PERFORMANCE DRIVERS FOR SUCCESSFUL BCM

Structured co-ordination
· Ensure all planning and systems are aligned to organizational objectives
· Well understood and communicated to all stakeholders
· Roles and responsibilities are clearly documented.

Workforce capabilities
· Develop capabilities and competencies
· Skills training and adequate provision of technical equipment and committed resources.

Capability building
· Build a capability planning dimension into their services and operations.

Inter-operation of plans
· Ensure coordination and operational activities.

Regular testing
· Is essential
· Will ensure disconnections, omissions and deficiencies are fixed before they have to be used

It is important to:
· Test systems, dependencies and readiness
· Exercise and review
· Rehearse to respond and fully understand roles and responsibilities
· Update regularly and maintain strategies and plans, especially the emergency contact list

Strategies and plans need to have an acceptable Recovery Time Objective (RTO) and maximum acceptable outage (MAO) that are aligned with the organization’s objectives and risk management framework. Continuity plans are living documents; they should be continuously tested, refined and trained on so as to maintain their relevance, effectiveness and impact.

Shared from an article by Patrick Ow, Management and Business, Accountants Today, September 2006