Tips for Enterprise Business Continuity Management Professionals
Business continuity management (BCM) professionals face complex issues with today's operational disruptions and external threats. The BCM professional must focus on risk mitigation from natural disasters to cyberattacks.
This article reviews the critical focus areas that BCM professionals manage for success. This means moving beyond the typical IT issues. You'll get tips on non-technical operational recovery areas too.
Business Continuity Management
Every enterprise has determined the structure of how they want business continuity managed. The funding tends to follow this structure. Regardless of who owns business continuity, the process starts with a business impact analysis (BIA).
The purpose of the BIA is to map the critical functions of an enterprise. It analyzes potential disruptions, their effects on systems, and the associated costs. The first step is identifying what is worth protecting.
Value Worth Protecting
Every enterprise has inherent value that is worth protecting. These values are often overlooked. They seldom get proper coverage in the business continuity plan.
To play it safe, make a list of the fundamental corporate values, including:
- Key products
- The secret sauce
- And more
Anything you determine is a valued asset needs some form of protection. In some companies, specific roles are critical to a company's future success. You may list a mission-critical application or system necessary to your company's continuity.
Identify Potential Threats
A list of threats seems to get larger each year with new pandemics and internet hackers. The key is to make a list that focuses on how each threat impacts different values. This step needs care in balancing speculation with research.
Some of the more common potential threats include:
- Natural disaster
- Chemical spill
- Technology loss
- Supply chain failure
- Employee absenteeism
- Disgruntled employee
- Building loss
If you don't know how a valued asset or function gets impacted, you won't determine how to protect it.
Prioritize Protection Coverage
The assets or functions must be prioritized for action. The higher the priority, the greater the budget.
To establish a basis:
- Consider the asset or function's value
- Consider the company's need for recovery should a risk event happen
- Document this step for easy access when mapping out your business continuity plan
You can also rank valued assets and functions by short-term and long-term perspectives. Your priorities must set specific actions in place for both sets of circumstances. A catastrophic company event can occur in a few minutes or over months.
Business Continuity Plan
It is a tragedy when business continuity plans turn into a shelved report. Instead, consider the plan as a living document. This type of plan is often gets updated with the latest information.
The value of assets can change. Executives might move the company in a new direction. Functions may vary due to business streamlining or consolidation.
Response protocols might need change with the rotation of vendors. A new implementation of a system for handling conflict resolution might be added. With the participation of many departments, the document must remain fluid and current.
To reduce risk and increase recovery, key employees must hold specific responsibilities. The participants in each department must know what to do, when to do it, and how. Planned reviews or practice dates are critical for your business continuity response team.
The plan must list the duties of each participating employee based on any given risk event. Speed to take action is critical for losses or damages on operations, finances, and reputation. Employees must enact change upon an incident before it becomes a real problem.
Support from senior staff is critical to keep employees accountable for their roles. The employees will need business continuity and recovery training. Trainees should receive a grade for situational performance criteria on their employee review.
The best way to mitigate risk is to regularly monitor all critical areas of the continuity plan. This might include cross-training employees on essential departmental functions. Also, conduct periodic risk assessments of the company's operations and environment.
Another form of risk management includes preventative measures. For instance, you might want to have a secondary location available for certain activities. Having several vendors or operational redundancies can also reduce risk factors.
The goal is to find ways of reducing or removing risk. You can also learn at what level executives are willing to accept a loss. This knowledge will empower you to make quick decisions during a catastrophic event.
There is not a large enough budget to plan for every eventuality. But you can prepare for the top three or four that your industry might face. Some common ones include the loss of:
- Employee availability due to health issues, storms, or strikes
- Building access due to damages, chemicals, or outages
- Supply chain due to strikes, errors, or vendor issues
- Technology due to cyberattacks, outages, or vendors
You'll have to determine what phases of your business recovery strategy you put in place.
Test Continuity Plan
Plans are worthless unless they're tested and proven viable. The business continuity plan testing process also helps you spot gaps and performance issues in your program.
You should test all aspects of the plan. This includes the activities of your business continuity response team.
Testing will reveal how vital each recovery factor is to the company. It will also clarify what level of incident requires specific actions, compared to employees using common sense. Not all problems are about business continuity.
The key is making sure you have clear and well-understood event management protocols. Take time to determine how the internal and external communications will get initiated.
You can base the timing and amount of communication on the level of impact assessed. The impact can also determine who receives communications. This might include shareholders, stakeholders, managers, customers, and others.
Crisis communication management should include an escalation and dissemination structure. Internal communications work best when handled in groups or teams. External communication should go through a predetermined network familiar with the company.
Improving Business Continuity
Business continuity is a process that takes consistent effort to protect company assets and functions. A business impact analysis is critical to ensure all activities mitigate risk. But a recovery plan can fall short unless the participating employees test it.
Your employees will show remarkable resilience in mitigating a crisis by following continuity management guidelines.