11 March 2013
Business continuity (BC) shares common goals and objectives with other management activities. When implemented correctly and with maturity, BC can provide significant benefits through the sharing of key information and the prioritisation of activities.

The Business Continuity Institute (BCI), a recognised world leader in setting and communicating best practices for BC, noted that an organisation's vulnerabilities in its business and operating model can be split into seven categories: reputation, supply chain, information and communication, sites and facilities, people, finance, and customers.
It could also be argued that the categories of technology and processes should be included in this list.

Anything that can affect one or more of these categories can potentially disrupt the organisation and, therefore, should be reviewed and/or considered by the organisation's BC function. The existence of this possibility does not mean that the BC function should manage areas that could introduce vulnerabilities in these categories, but it does mean that BC should perform a quality assurance and governance role to ensure that activities that could introduce vulnerabilities are being performed correctly, diligently, and with the necessary controls.

This will ensure that BC remains a pro-active measure within the organisation as well as a reactive one.

Looking at these vulnerabilities in greater detail allows us to build an understanding of their relationship with BC and, therefore, some of the considerations necessary when conducting a BC risk assessment or while performing ongoing business continuity management.

Reputation and customers

Any customer-facing facilities or roles, such as product or service quality and reliability, help desk, websites, branches, sales people, and reception desks, could affect the customer's perception of the organisation and, therefore, the organisation's reputation. This could possibly result in negative publicity, which would require attention from management and could lead to a more wide-scale impact and greater disruption.

Supply chain
The selection and management of suppliers are important criteria for quality assurance. Get it wrong, and you could place your organisation in jeopardy.

Therefore, conducting due diligence on suppliers and having confidence in their ability to deliver reliable, quality services with their own risk-management and BC processes in place (for the continuance of services to you in case of an incident) is critical.

Being able to monitor and measure supplier performance (for quality and reliability) and ensure that controls are in place will help identify issues early and will enable proactive management before an incident becomes a crisis.

This may require specific contractual clauses in supplier agreements. For business continuity, spreading key supplies across suppliers and identifying alternative suppliers will also help organisations to manage risks.

Information and communication
Ensuring that key information is identified (e.g., during the BIA) and is protected by the necessary controls for safe and secure storage and retrieval will help ensure the information is available if something goes wrong.

Communication is vital in today's world of technology. Maintaining contact details for key suppliers and staff and maintaining contact with them, even following a disruption, is critical.

Problems often occur with communication links (e.g., email, SMS, GSM, fixed line, data links, and satellite links/phones), so controls should be in place to protect these links, and alternative links or methods of communication, which can be relied upon in the event of an incident, should be available.

Sites and facilities
Building and site facilities are essential for the smooth operation of organisations, and numerous resilience options are available, from installing UPS systems and backup generators to spreading work over multiple sites. However, the right controls should also be in place to manage and maintain the sites: risk assessments should be conducted before maintenance work is carried out, stakeholders should be notified, and only authorised or appropriate people should be permitted to work on-site or gain access to facilities. It should not be forgotten that BC recovery facilities require the same level of maintenance and control as primary sites.

People
People are sometimes referred to as the life blood of organisations; therefore, it is important to develop resilience and protection for them. This should include implementing Health and Safety (HSSE) standards to protect their wellbeing, providing suitable training to remove single points of failure (due to lack of knowledge), improving staff morale and job satisfaction to reduce staff turnover rates, ensuring business continuity requirements are included in job responsibilities, and implementing performance measurement.
Assessing these factors is all part of the BC risk assessment process since they could contribute to creating significant risks for the organisation.

Finance
The financial due diligence of suppliers acts as a control that helps to protect the organisation. However, BC also requires a budget. Without the right budget facility, BC itself can become a risk to the organisation since information and facilities may not be available or maintained as required and, therefore, will not be available when needed, following a disruption.

Also, the information from the BIA should help organisations to prioritise expenditure on risk reduction and resilience for critical activities and facilities to help protect them from disruptions.

Technology
Ensuring that controls and resilience for technology and infrastructure are in place is paramount in protecting an organisation. Such controls should include regular backups of systems, maintenance of IT DR systems in line with primary systems, the use of BC and DR assessments in projects and changes, adoption of security and access controls to provide protection, control and management of the desktop environment at normal and business-recovery locations, and a focus on the critical systems identified during the BIA and CRA.

Processes
A breakdown in a process often results in a disruption to the organisation. Therefore, processes should be designed with controls in place and, wherever possible, alternative methods for conducting an activity. All these processes should be documented with procedures to ensure consistency and to enforce controls, and they should be properly maintained.

All of the above should be regularly monitored through the BC function to ensure that the necessary controls are in place, are being managed, and are being maintained as they should be.

The BC function should have confidence that this is happening according to plan and should have the ability to escalate any problems.

BC cannot be implemented and managed in isolation. It holds critical information (from the BIA, RA, and CRA) about the organisation, its critical activities, systems, and suppliers. This should be shared with other management activities, such as Enterprise Risk Management (ERM), IT, procurement, and quality assurance.

It should help to focus controls; ensure prioritisation on expenditure, projects, and so on; and enhance risk reporting. This practice helps organisations to manage risk more effectively and to ensure that informed risk-based decisions are made, reducing the likelihood of disruption and the level of impact if disruption does occur.

This is the proactive nature of BC and where it will truly add value to any organisation.

The author, who has more than 25 years of experience in business continuity, information security, and risk management, is the general manager of Al Mamlakah Services United LLC. The author has been introducing the concept of business continuity in the build-up to the annual global Business Continuity Awareness Week, which runs between March 18 and 22, 2013.

© Times of Oman 2013