Six business continuity management (BCM) lifecycle guidelines

Presenting six steps that you cannot afford to ignore while drafting an effective business continuity management lifecycle.

Not a day goes by when we aren't concerned about things such as market share, branding, competitive intelligence, revenue streams, supply chain efficiencies and human capital. But what tops all these issues is a question that underlies all our concerns at a fundamental level: How do we keep our business running in the face of things like:


  • Strict legislative mandates and/or regulatory requirements?
  • A deadly computer virus that can bring the network down?
  • Two cyclones in one year?
  • All commercial air traffic being grounded for 72 hours?
  • The actions of a disgruntled employee?
  • Absenteeism due to an epidemic?

A well-thought-out business continuity management (BCM) plan is the answer that will help keep a company moving in such unforeseen circumstances. The business continuity management lifecycle has six phases: program management, understanding the organization, determining the BCM strategy, developing and implementing a BCM response, exercising the response, as well as maintaining, reviewing and embedding BCM in the organization's culture. Here are the six steps of a business continuity management lifecycle. Awareness and training should happen at each and every stage.

Step 1: Since BCM is crucial, it should have the top management's nod. Therefore, the first step in any business continuity management lifecycle is to get the top management's commitment. A policy has to be created since the entire project will be executed by them.

Step 2: The next step in the business continuity management lifecycle is to communicate this policy to all key stakeholders including vendors and outsourced parties.

Step 3: Identify a BCM sponsor who has the authority to implement business continuity management as per the policy. He can have a team and formulate a framework which covers activities identified under the BCM software's scope. Under the scope of BCM service, key products and services have to be identified. Additionally, the BCM objective should be aligned with the organizational objective. This should include the acceptable level of risk, as well as legal, regulatory and contractual obligations in order to meet the interests of the stakeholders.

Step 4: The next step to follow in the business continuity management lifecycle is to analyze the basic impact to identify critical functions under the scope of BCM and carry out a risk assessment of those critical functions. After this, depending on the results, you have to look at alternative responses and recovery strategies. Then put in place an incident management plan with an incident response structure, followed by a business recovery plan and a disaster recovery plan. Implementing these plans is the next phase.

Step 5: After implementing all the above plans, create an exercise program to cover different plans in line with the plans' objectives, review the plans, and ascertain their limitations or gaps. Update these plans based on any gaps.

Step 6: The next step in the business continuity management lifecycle is to carry out the plan-do-check-act cycle. This includes managing the program through periodic management review, internal audits and self-assessments; embedding the BCM culture; carrying out exercises; and carrying out preventive and corrective actions to show continual improvement.

In today's competitive economy, customers are becoming increasingly intolerant of lapses in service. As more business gets outsourced to other countries, organizations which continue to deliver services at the agreed levels (continuity) and without fail (repeatability) will continue to thrive.

Following the business continuity management lifecycle is a sure-shot solution for organizations to continue delivering their key products and services during a disaster—and surviving thereafter.

About the author: R Vaidhyanathan is vice president and head of BCM practice at the Business Continuity Management Institute. He is a business continuity certified expert, BS25999 technical expert, and auditor (CBCP, ISO 27001, ITIL).

(As told to Anuradha Ramamirtham)
