When the world welcomed Corona Virus Disease 2019 (COVID-19) to its precincts, some Organizations unleashed a strange concept named Business Continuity Plan (BCP). It may have appeared strange since many had not heard of it, and it had previously never been discussed with such intensity. It soon became the buzz word around. So what exactly is a BCP?
Formally ISO 22301 defines BCP as the documented procedure that guides an Organization to respond, recover, resume, and restore to a pre-defined operation level following the disruption. A BCP falls under a wider discipline of Business Continuity Management System (BCMS), which is part of the overall management system that establishes, implements, operates, monitors, reviews, maintains, and improves business continuity. BCMS was originally mooted by the British Publicly Available Specification (PAS) 56 in 2003. PAS 56 was succeeded by British Standard (BS) 25999 in 2007. BS 25999 was later withdrawn in 2012 following the publication of International Standard (ISO) 22301 on ‘Societal Security – Business Continuity Management Systems – Requirements and ISO 22313 – Societal Security — Business continuity management systems — Guidance. The standard (BS25999) provided a best practice framework to minimize disruption and maximize recovery time during unexpected events that could bring a business to a standstill. Further, the standard prescribed a practical plan to deal with most eventualities – from extreme weather conditions to terrorism, IT system failure, and staff sickness.
As has been evident, the subject of business continuity has been active for a while now. However, not so many Organizations were early adopters of the same for one reason or the other.
Breaking down a BCP
Business continuity planning is important for any organization to continue delivering its products or services at predetermined acceptable levels following a disruption. As guided by the ISO 22301, the key components of business continuity planning include the following; Business Impact Analysis (BIA), Risk Assessment (RA), Business Continuity Strategy (BCS), Business Continuity Procedures, and Business Continuity exercising and testing.
Business Impact Analysis (BIA)
In brief, the BIA outlines all critical business processes identified for an organization relevant to supporting its service delivery and production. For each identified process, the BIA further identifies the key success factors necessary for their performance, such as assets, equipment, human resources, policies, and procedures, among others.
Risk Assessment (RA)
The RA further identifies the possible interruption risks to each of the critical processes and the organization as a whole. Such risks are systematically evaluated for their likelihood of occurrence and severity.
Business Continuity Strategy (BCS)
The business continuity strategy outlines the chosen mitigation plans for the identified risks. A key element of the strategy is the information technology recovery plan, popularly known as the disaster recovery plan (DRP).
Disaster Recovery Plan (DRP)
The DRP outlines the recovery steps for information technology, which is usually critical to most organizations’ successful running. To achieve strong DRP, organizations normally set up IT disaster recovery centers (DRC), which are secondary data centers for the IT equipment. Overall, the continuity strategy should be a detailed document outlining how an organization plans to protect its resources during an interruption and reduce both the likelihood and period of interruption.
Business Continuity Procedures (BCPs)
The business continuity procedures provide a stepwise recovery process to be adopted during a disruption. The procedures also provide early warning mechanisms to be monitored, incidence response, which qualifies as a disruptive event, and the modes of communication. BCPs are part of these procedures and can be broken down per functional area for larger organizations.
A critical part of the BCP is the call trees. Call trees are pyramid-like diagrams that allow staff to take a roll call for each other up and down the organization. This ensures all the staff’s status and safety in case of a major incident such as a terror attack. The number one priority of business continuity management is safeguarding human life.
Periodic health checks
BCPs require regular exercise and testing to ensure that they work during interruptions. Tests can take one of three forms.
Tabletop tests, where theoretical simulation is done verbally in a boardroom, going through all the motions of expected outcomes.
Partial tests are designed to test one functional area, such as Human resources or IT. Other areas are impacted only to the extent of their relation to the chosen areas. Routine fire drills fall in this category.
Full tests will involve the entire organization simulating a real-life disruption. The organization and its primary site, including primary IT equipment, are shut down, forcing the DRC activation in all regards.
Micro Small and Medium Enterprises (MSMEs)
What about Micro Small and Medium Enterprises (MSMEs)? The intensity of continuity planning for MSMEs may vary. Whether they require to undertake or not, this is no longer a question; they do. MSMEs need to develop tailor-made BCPs for their operations, thinking through all possible areas of interruption. This may end up saving money for them and prevent them from closing shop during a disruption.
So, do you need a consultant to help you develop a BCP? Likely yes, however, using the ISO 22301 and 31000 guidelines, an organization can develop its BCP internally, particularly if resources are constrained.
COVID-19 has brought about different thinking in many aspects of business continuity planning. The fact that in most organizations, staff can now work from home has shifted the thinking on DRC. The future DRC may be kept more for server redundancy and less for people recovery. Cloud-based services have also gained traction lately and will likely question the need to keep a DRC at all. BCPs remain relevant and critical, especially during the prevailing times. An organization’s strategic planning from now on needs to be informed by business continuity management since this is a critical area for achieving the strategy and sustainability of the business. Let us put it this way, BCM is evolving.
Author: Joseph Njuguna Maina
Get real time update about this post categories directly on your device, subscribe now.