

business continuity management

Published by Lyn Thanaporn, 2022-08-30 12:34:14


Key terms

Business continuity is used to describe the capability of an organization to continue or recover current operations following a disruptive incident.

Organizational resilience is a concept that has become the focus of banking regulation and academic discourse. The term is used to describe an integrated approach to delivering business continuity alongside aspects of what many organizations would consider operational risk management.

Resilience is used to describe the outcome provided by good business continuity, along with a broad range of other risk management activities that when combined help organizations prepare for, respond to and recover from disruptive events.

Organizations would typically be able to operate in a value-creation mode – driving towards the delivery of their business plan and strategy. Following a disruption, however, the organization will enter into a value-protection mode, which seeks to focus efforts on either recovering or maintaining the delivery of the most critical parts of the organization before a full recovery can be achieved.

[Figure: value-creation mode under normal circumstances; disruption; value-protection mode]

Business continuity capability consists of:

• Identifying the processes and activities that are critical to an organization’s ability to deliver its products and services and meet its objective and therefore should be prioritized for recovery following a disruption
• Understanding the resources that will be needed to deliver these critical processes and activities and then implementing recovery strategies and solutions
• Developing and then maintaining a comprehensive set of business continuity, incident management and crisis management plans to help the organization respond to a full range of impacts arising from a disruption or a larger crisis
• Providing training to staff involved in delivering and then maintaining business continuity capabilities so that they are competent to do so
• Running regular exercises to rehearse teams and plans and to validate the organization’s response and recovery plans
• Operating a process of continuous improvement to ensure business continuity capabilities remain up to date and relevant for the organization

[Figure: Business continuity management lifecycle – Analyse, Design, Implement, Embed, Improve]

Analyse: Business impact analysis is undertaken to identify the organization’s critical processes and activities and determine the priorities for recovery. Mistakes at this crucial stage, either in the form of processes or activities being missed or where their criticality is incorrectly assessed, are likely to result in recovery plans that are ineffective.

Design: This stage involves the development of recovery strategies and their associated solutions for the resources needed by the critical processes and activities for their delivery.

Implement: It is only at this stage that a business continuity plan begins to take shape. The outputs from the first two steps of the lifecycle provide much of the detail that will be needed to develop the plan. While there will be a temptation to skip to this step, without undertaking the earlier analysis and design steps the plans developed will likely be ineffective.

Improve: Continuous improvement mechanisms will include management reviews, audits, post-incident debriefs and of course exercises designed to validate the effectiveness of the business continuity plans. Each time an improvement is identified through any of these means, the processes implemented at this stage ensure the organization’s arrangements are updated to reflect the latest learning and good practice.

Embed: This step focuses on the provision of training to staff to ensure they are able to effectively deliver their business continuity duties, but also includes raising awareness among the broader population of staff. While not all staff will need a detailed knowledge of business continuity, they will need to understand their role both in supporting the development of plans and what is expected from them when a disruption occurs.

Guidance on the steps that will need to be followed to implement an effective recovery capability, together with some tools and tips that will aid in that process:

Part One: sets out some of the concepts that underpin business continuity and resilience and includes an analysis of the lessons emerging from how organizations responded to the COVID-19 pandemic in 2020/21.

Part Two: sets out common approaches to implementing business continuity and resilience; built around the business continuity lifecycle and the ‘plan, do, check, act’ model as described in the International Standard for Business Continuity ISO 22301 (requirements) and ISO 22313 (guidelines).

Part Three: provides some templates and tools for use by practitioners when implementing business continuity and resilience arrangements.

ISO 22316 uses a broad definition of resilience as the ‘ability of an organization to absorb and adapt in a changing environment’ and sets out seven of what it calls principles that contribute towards an organization’s resilience. These include:

1. Alignment of staff behaviours with a shared vision and organizational purpose, to drive decisions that contribute to an organization’s purpose rather than running counter to it.
2. An accurate and up-to-date understanding of the organization’s context, providing the intelligence needed to inform investments in resilience and adaptation requirements.
3. The ability to absorb, adapt and respond to change, as a measure of an organization’s capacity to evolve itself to maintain relevance in a changing world.
4. Good governance and management, as a means to ensure effective and disciplined decision-making at all levels of an organization.
5. Diversity in skills, leadership, knowledge and experience, as a way to capture a wide variety of approaches to tackling problems and seeking innovation.
6. Coordination between management disciplines (with contributions from technical and scientific areas of expertise), to provide a joined-up approach to the management of risk.
7. All underpinned by the effective management of risk, throughout the organization.

The relationship between organizational characteristics and resilience

Characteristic A: Highly innovative organisation, regularly exploring ways of doing things. Influence on resilience: failure may be expected, even encouraged in order to innovate.
Characteristic B: Traditional delivery approach, limited organisational change. Influence on resilience: failure may be less tolerated; control is key.

Characteristic A: Low levels of external scrutiny. Influence on resilience: increased freedom to adapt resilience arrangements.
Characteristic B: Significant regulatory scrutiny. Influence on resilience: compliance focus, with limited deviation from what the regulator expects to see.

Characteristic A: Generally low-level risk activities. Influence on resilience: greater focus on ‘what-if’ recovery planning.
Characteristic B: Operating in high-risk environments. Influence on resilience: low risk appetite, high degree of focus on prevention.

Characteristic A: Highly collaborative internal culture. Influence on resilience: easier to implement an enterprise-wide approach to resilience involving input from multiple disciplines.
Characteristic B: Closed culture, limited internal interaction. Influence on resilience: more time needed to build the consensus needed to effect change; implementation may be a significant challenge.

Characteristic A: Public-facing services where a disruption would have immediate impacts. Influence on resilience: reputation will be key, and a sure-footed, speedy response to a disruption will be important with end customers.
Characteristic B: Several steps away from end customers, time available to respond. Influence on resilience: revenue drivers may be stronger than reputation concerns.

Characteristic A: Low levels of reliability expected/focus on consumables. Influence on resilience: higher tolerance to disruption, increased willingness to try new things.
Characteristic B: Products and services are purchased for their reliability and safety. Influence on resilience: quality management, prevention and disciplined innovation will be the focus; low tolerance to disruption.

Pharmaceutical company: highly regulated with innovation delivered in a highly controlled and rigorous way. The focus of resilience may be skewed towards maintaining safety and quality and preventing crises from occurring. The focus of resilience will extend throughout the organization’s supply chain to ensure the raw materials needed for drug manufacturing are always available and supplied to the right standards.

Manufacturing: a focus on safety, quality and efficiency will often be key here. The need for efficiency and margin pressures will have a significant influence on the amount of resilience the organization is willing to maintain on its balance sheet. Supply chain resilience is also important here, along with a focus on the locations and assets used for production.

Fast-moving consumer goods: efficiency and margin pressures are probably most acute in this sector owing to fierce competition.

Financial services: highly regulated with a strong focus on preventing individual firms from harming consumers or undermining the stability of the wider market. These organizations also typically have a high degree of dependence upon technology, meaning resilience activities can be skewed towards IT resilience considerations and take a compliance-based approach to delivery as a reflection of the significant interest from regulators.

Professional services firms: reputation matters to these organizations – without it the business will be unlikely to survive. Second to reputation are the people whose knowledge the organization is selling to its clients. In these organizations the resilience of physical assets and buildings is less of a focus. Instead, technology resilience to allow mobile working, looking after sensitive data and its people will be the main considerations.

Technology start-ups: innovation is king here; without it these organizations will not succeed. With innovation comes the risk of failure and disruption and for some start-ups this will be expected, even encouraged to push the boundaries of what it means to innovate. In these organizations ideas matter, so people and the knowledge they hold will be the focus. Given

Knowing what is driving an organization’s particular focus and interest in resilience matters. This allows a practitioner to follow a path of least resistance by implementing a programme that is the best fit for the organization’s culture and context. Other approaches are of course possible, but they will likely come with more pain and effort. It is a bit like stroking a cat from its tail to head – it might sit there happily the first time it is done, but eventually it is going to stick its claws in and draw blood.

• Defining how much resilience is enough relies upon a solid understanding of what resilience means for the organization, as set out above. This provides the means needed to identify what resilience outcomes are required by the organization. Recovery planning for an important fixed asset critical for a production process will look quite different from increased inventory held at a distribution centre or deeper capital reserves and insurance coverage needed to pay for a resilience risk that materializes. The trick here is to define a resilience requirement that is realistic, achievable and easily understood by decision-makers and then to use existing performance measures where these are available.

Management System Standard

Plan: Establishing the business continuity policy, objectives, controls and processes needed to improve the organization’s business continuity arrangements. This first step focuses on setting the governance structures and processes needed to implement and improve an organization’s business continuity arrangements.

Do: Implementing and then operating the business continuity policy, controls and processes. The second step is where the bulk of the planning and implementation activities take place.

Check: Monitor and review performance against the policy and objectives and identify areas that need further improvement. The check stage is a vital component of the process by providing the structures needed to monitor performance and spot possible issues that need to be addressed.

Act: Maintain and improve the business continuity management system, taking corrective action where results of reviews and other sources of data suggest that improvements are needed. The final step takes the outputs from the check stage to implement actions that deliver a sustainable improvement to an organization’s business continuity arrangements.

Management system standards also include a standard set of components:

• a policy that sets out the organization’s intent and commits the organization to delivery
• people with defined responsibilities covering implementation and management of the management system
• any specific management system processes relevant to the organization
• management processes relating to the development, maintenance and continual improvement of: policy; planning; implementation and operation; performance assessment; management review; improvement
• a set of documents and records that provide evidence of the organization’s management system, including its approach to continuous improvement

A sustainable process requires: senior management commitment; policy direction to the business; a set of common processes to drive consistency; information to identify areas for continual improvement.

Guidance on delivering an effective business continuity capability

How do the board’s needs differ from the executive?

The board: will be looking for assurance that recovery and resilience arrangements are in place, are effective and meet their requirements in managing the risks to delivery and the achievement of the organization’s strategic objectives.

The executive: will be more focused on the ‘how’. They will expect to be making decisions on how to implement a resilience capability that meets the board’s needs. This means signing off on programme design, policy documentation and other key business continuity outputs.

Key executive-level stakeholders

Chief finance officer (CFO): The CFO is the ‘numbers person’. Often the perception is the CFO will say no to any requests for investment in the interests of saving money. A good CFO will be much more objective in balancing investment decisions against the value that will be realized from their implementation.

Chief operations officer (COO): The ‘organizer’, the COO has an image of being the no-nonsense delivery person as they are often focused on outcomes and results.

Chief technology officer (CTO): The ‘techy’, the chief technology officer is a relatively new addition to many executive teams, sometimes referred to as the IT director.

General counsel (GC) and company secretary: The ‘enforcer’ – sometimes not full members of an executive team, these individuals bring the legal and governance expertise to the table. They ensure that the executive has access to relevant and timely legal advice and are operating in compliance with governance standards.

Chief risk officer (CRO): The ‘threats and opportunities person’, the chief risk officer is not a common role on most executive teams outside of the financial services industry. But where they do exist they play an important role in acting as the conscience of the team by giving the executive insights into the organization’s key risk exposures and the health of the controls.

Supply chain: The ‘head of the Q branch of business’ – like the CTO, the supply chain director can play a highly important role in a business, particularly those managing significant supply chains like those found in manufacturing organizations.

Maintaining a board or an executive team’s support and interest relies upon five enablers:

• a credible, professional and competent business continuity and resilience manager;
• good-quality, relevant and timely management information;
• benchmarking against peers and competitors;
• proof (through objective and measurable evidence) of benefits being realized;
• a senior management sponsor.

Good management information would include: the current level of disruption risk that the business is exposed to – if possible, expressed in tangible terms such as revenue at risk; measures of how effective a response or recovery was following a real incident – for example, whether recovery time objectives were met.

Benchmarking

The types of organization that will be appropriate to benchmark against may be chosen for a variety of reasons:

• based on industry, as in the financial institutions example used above;
• as a result of fierce competition, where one organization is keen not to fall behind another rival;
• as a result of a senior manager’s personal interests and relationships – they might have a preferred list of organizations they like to be benchmarked against.

The circumstances in which benchmarking can be a useful tool include: when an investment is needed, as a means to check if other organizations have delivered anything similar; during a crisis response, to quickly establish how other organizations are planning to respond or are responding; to help build an argument to change a regulation or regulatory rule.
