How Can You Improve and Align Your Risk Management and Business Continuity Management?
It is not always clear how the key organizational functions of business continuity management and risk management relate to each other. In this article we explain the connection between these two concepts. In doing so, we consider:
- What business continuity management is;
- The difference between business continuity management and risk management;
- The key steps in business continuity management (including business impact analysis);
- A personal case study of RISKID and business continuity management;
- Six key tips for business continuity management;
- Several useful templates for business continuity management.
What is Business Continuity Management?
Business continuity management (BCM) means preparing an organization to deal with events that might otherwise prevent it from achieving its objectives. These events could be a natural disaster, a pandemic, a major IT failure, or something else.
There are various other terms that relate to business continuity management in some way. These include:
- Business Continuity Planning. In order to ensure robust BCM, organizations need to have a business continuity plan (BCP) in place ahead of time. We discuss the process of forming such a plan in detail in this article;
- Business Impact Analysis. This process, also part of BCM, means examining each potential event for the impact it would have on key functions and processes in the organization. As part of the Business Impact Analysis (BIA), the organization needs to determine what resources would be needed to support those key functions;
- Disaster Recovery Planning. A Disaster Recovery Plan (DRP) is related to, but distinct from, a BCP. Rather than focusing on the ongoing survival of the business, the DRP deals with the specific steps that must be taken to immediately get a business up and running again, particularly after a loss of data or a catastrophic IT infrastructure failure.
What Is the Difference Between Risk Management and Business Continuity Management?
Disruptive events need to be managed through BCM because of the risk they pose to the organization. This raises questions: Is there a need for separate risk management and business continuity management? What is the precise connection between the two?
The international standard ISO 31000 defines risk as the “effect of uncertainty on objectives”. ‘Risk management’ is therefore the management of that uncertainty. While specific risks will differ from organization to organization, they can be placed in the categories of ‘strategic’, ‘financial’, ‘operational’, and ‘compliance’ risks.
In risk management:
- Risks are identified according to their causes and consequences;
- Risks are then assessed or ‘scored’ based on their significance to the organization (likelihood and impact);
- Mitigations and processes are put in place to deal with identified critical risks;
- Mitigating actions are executed, monitored and reported on;
- Risks and mitigations are re-evaluated on an ongoing basis, either continuously or at periodic intervals.
Risk assessment and risk management can be integrated into various stages of BCM:
- Risk assessment is crucial in working out which potentially disruptive events BCM should focus on: there is probably no point in considering the disruptive effect of a snowstorm, if an organization is based in Florida;
- BCM is itself a risk mitigation. Risk management means putting in place measures to deal with identified risks. BCM is the key mitigation tool for risks of business disruption;
- When carrying out a BIA, risk assessment is a natural part of the process. A disruptive or disastrous event will have many different possible impacts. For example, a major cybersecurity breach could bring down an online customer service portal. But how significant that impact is (and the focus it should receive in the BIA) depends on how easily that organization can switch to non-online customer service;
- Continuous risk assessment within the organization could surface new risks of disruption that require you to update your BCP.
With risk assessment involved at various levels of BCM, putting in place a robust risk assessment process might be the single best thing an organization could do to improve its BCM: once you have completed your risk assessment, you will have most of the data you need for your BCP, BIA and DRP.
What Are the Key Steps in Business Continuity Management?
There is no one set process for BCM that your organization must follow. However, we find it useful to take the following steps in order:
1. Strategic Risk Assessment. There are dozens of different events that could disrupt business continuity. But which ones should you focus on? For example, organizations in New Zealand or Japan will need to think about the effect of major earthquakes on their operations. Organizations with significant data holdings will need to consider the impact of IT server failure. It will depend on the organization in question and their own risk assessment process;
2. Business Impact Analysis. As mentioned above, once potentially disruptive events have been identified and assessed, the next step is the BIA. At this stage, the precise impact of disruptive events on the organization is set out. This is, in some respects, a more in-depth version of examining the consequences of a particular event in a regular risk assessment;
3. Disaster Recovery Plan. Following the BIA, organizations need to look at the resources needed for the organization to recover from the potential interruption as quickly as possible. This is set out in the DRP. It includes a ‘gap analysis’ of the distance between the business recovery goals and current capabilities. At this point a set of recovery objectives (including time objectives) should be set. In addition, the critical staff and financial resources needed for recovery have to be estimated;
4. Business Continuity Plan. A formal BCP needs to be constructed with input across the organization and from all relevant stakeholders. The BCP is a broad summary document of the organization’s key BCM processes. Unlike the DRP, it does not look just at recovery, but also looks at prevention and mitigation. At a high level, it should summarize the results of the strategic risk assessment, BIA and DRP;
5. Training. There should be ongoing training and development for both the BCM team (if there is a distinct team), and the general workforce, on BCM. This training should make employees and contractors aware of possible key disruptions to the organization and what they can do in response. This training should identify who is responsible for business continuity and where relevant documentation (e.g., BCPs) and contact numbers are to be found;
6. Regular testing, review, and monitoring. This might be the most underrated step in the process, yet it is a crucial one. A “bad” BCP that works is still better than a perfect BCP that only works in theory. It is therefore good practice, for example, for an organization to go through a test run of the DRP every year to check that it is fit for purpose and that recovery objectives can actually be met.
In short, we can summarize BCM as an overarching activity of risk assessment, business impact analysis, disaster recovery planning, training, and ongoing review/testing.
A Personal Case Study on RISKID and Business Continuity Management
It can be helpful to explain the importance of BCM, and its relation to risk management, with a concrete example. We use our own case. For a Software as a Service (SaaS) company, one of the most catastrophic possible events is the loss of client data. But as is human nature, it is easy to downplay potentially disastrous events, if their chance of occurrence is low.
During the early years of our company, 10+ years ago, we, of course, thought ‘that will never happen to us’. In our case, the failure came from our server provider’s end. A flaw in architectural design, unbeknownst to us, led to a faulty backup system. At a certain time, we attempted to hotfix a bug, and in the process deleted current data. However, we did not have access to the backup data to quickly fix the problem. All of us were in shock that we had actually lost/deleted client data.
Thankfully, our existing BCM processes kicked in, and the small amount of data lost was recovered with an expensive data recovery specialist.
But after this experience, we learned to pay closer attention to risk assessment in our BCM processes. Unlikely events, given a long enough period of time, tend to happen, so an organization’s risk management practices need to be well-prepared for these eventualities.
In the final sections of this article we set out key tips we have learnt over the years for improving BCM, based on our experience in the field, as well as useful templates you might employ in developing your own BCM processes.
Six Tips for Business Continuity Management
1. Assign an Owner of Business Continuity Management
All major business functions need an ‘owner’ of the process: the person responsible for that function within the organization. Who this is will depend on the size and resources of the organization. Some large organizations will have dedicated BCM teams; in others BCM will be part of risk management; in very small organizations it will be the responsibility of the directors themselves.
Make sure that ownership is clear and that it is accountable to the board of the organization (usually through the board’s risk committee).
2. Collaborate in Business Continuity Management
When doing initial risk assessments, or when carrying out the BIA, a convergence of expertise is required. It is unlikely that just one person will have perfect knowledge of the risks that could disrupt an organization, as well as of their broader impacts.
Whoever owns BCM within the organization needs to facilitate broad input from across the organization and from key stakeholders (such as the board). This will help determine which potentially disruptive events, and which impacts, need to be a BCM focus.
3. Integrate Risk Management and Business Continuity Management
We have mentioned that BCM is impossible without risk management and vice versa. In light of this, organizations should take steps to ensure these functions are aligned.
For example, continuous risk management might identify increased likelihood of lockdown events in the COVID-19 pandemic environment. As a result, continuity through a lockdown event should be prioritized in BCM.
4. Introduce Technological Tools
There are a range of tools that can contribute powerfully to BCM. Examples include:
- Risk assessment tools that keep track of ongoing risks and identify which ones need to be prioritized, and which ones are due for review;
- Integrated data flows. Continuous and real-time data on any major IT issues or other business disruptions can be used to improve ongoing BCM.
5. Keep Business Continuity Plans Simple and Actionable
The BCP, by its nature, is implemented in emergency situations. It is not just an internal document which is filed away for occasional update. This means an overly complex and detailed BCP can impede practical use. We recommend:
- Keep the plan itself relatively short. Detailed DRPs, risk assessments and BIAs can be kept in separate documents;
- Focus on directions and concrete actions for staff, as well as key regulator/vendor details to contact in an emergency;
- Ensure that the owner of BCM, and thus who is responsible, is clearly identified in the plan.
6. Testing, testing, testing
Run the drills set out in the BCP and test the procedures in the DRP. Make sure everything works when things get bad.
Is There a Useful Template to Follow?
Once an organization has decided to implement or improve its BCM processes, where should it start?
Business Continuity Plans
There are a range of useful templates available online, depending on the needs of the organization. We have found the following templates useful when constructing BCPs:
- The Federal Emergency Management Agency (FEMA) (United States) provides a relatively short template, but one that requires significant additional documentation. This would be useful for larger organizations with significant resources to contribute to BCM;
- Manchester City Council (United Kingdom) has created a lengthy template with an emphasis on actionable steps;
- The Wellington Region Emergency Management Office (New Zealand) has a simple and highly actionable template. This template (developed with regional earthquake risks in mind) is useful for immediate implementation in an emergency.
Business Impact Analyses
When carrying out a BIA we recommend the following templates:
- FEMA’s template provides a simple layout for a BIA;
- The European Union Agency for Cybersecurity offers a more extensive template focused on cybersecurity, though it would be straightforward to apply this to other operational areas.
Disaster Recovery Plans
We devised our own DRP with the help of the following templates:
- This template is highly recommended; it is also the main template we used for our DRP;
- Info-Tech Research Group’s detailed template for ICT DRPs;
- Another ICT DRP from Search Disaster Recovery.
Conclusion
While business continuity management and risk management are separate processes, they are interrelated: within an organization, one cannot be carried out without the other. In this piece, as well as explaining the connection between the two, we have set out some simple steps to improve and better ‘join up’ your risk and business continuity management processes: assign ownership, collaborate, integrate, employ technology, keep it simple, and test regularly.
We hope the templates we have identified can give you a kick-start for your own business continuity management. Other useful tips and templates are welcome!