Amit Prakash is a Business Continuity Management professional with 14+ years of industry experience in planning, implementing and managing Business Continuity Management Systems and Disaster, Emergency and Crisis Management programmes across Banking, Finance, Aviation, Media and Entertainment, Insurance, Information Technology, Airport Operations and Government Services in India and abroad.
A disruptive event, however insignificant it looks at first, can wipe out a business if it is not handled efficiently and systematically. Given the uncertainties of the 21st century, where a minor dislocation somewhere can have a cascading effect on a business and thus on the national, regional or global economy, there is a clear need for business continuity management. BCM has moved to the forefront of corporate planning in recent years because businesses' existence is continuously challenged by the complex and dynamic environment they operate in. Hence the need to implement a Business Continuity Management System (BCMS): a systematic response mechanism customised to operational requirements.
Little did anyone know back in March 2000 that a lightning-induced fire lasting about 10 minutes at a supplier's semiconductor plant could drive one of the world's largest mobile phone manufacturers, Ericsson, out of the handset business. A classic case of supply chain disruption, and eventually a business continuity failure, caused Ericsson to lose market share to Nokia, which was coincidentally supplied by the same plant but managed the disruption far better. The incident-turned-disaster cost the Swedish company around $400 million in lost sales and forced it to quit the mobile phone business, leaving Nokia to cement its position as the European market leader. The story is no different for countless other establishments that suffered irreversible damage and/or permanent shutdown after the World Trade Center attack of 2001, the Thailand floods of 2011, the Great East Japan (Tohoku) earthquake, tsunami and nuclear accident of 2011, and many more such catastrophic events. The period from 2005 to 2015 saw about 700,000 human fatalities and economic losses in the range of $1.3 trillion (UNISDR, 2015).
The Sendai Framework for Disaster Risk Reduction states, “Reduce direct disaster economic loss in relation to the global gross domestic product (GDP) by 2030” as one of the seven global targets agreed upon by its signatories. It reinforces reducing economic costs from loss of business as one of the expected outcomes of this 15-year commitment. This calls for the development of greater resilience among businesses to reduce impacts to their operations during disruptive events and thus, limit losses. Business Continuity Management (BCM) is one such management practice that aims to enable businesses to continue their operations during disruptive events. This article highlights the importance of BCM and its ability to contribute towards the fulfilment of this goal at the local, regional, national, and global levels.
History of Business Continuity Management
While the world witnessed the revolution in information technology in the late 1950s, the same period marked the beginning of risk management. However, the application of risk management was limited to insurance policies against potential calamities such as fire, theft and natural disasters. Risk managers could not ignore the fastest-growing threat to their business operations: the failure of IT systems making crucial data storage and processing functions unavailable, or possibly losing data permanently. In the early era of information technology, full-service vendors were contracted to build and maintain hardware and to troubleshoot hardware failures and data backup errors. Terms regarding system restoration began to be included in contracts. This was the beginning of disaster recovery.
Disaster recovery programmes focused on hardware failures, database corruption or accidental deletions, addressed by appropriate redundancy and backups. However, businesses realised that it was not enough to safeguard only the continuity of technology operations. What if the office building or the data centre is hit by an earthquake? Disaster recovery programmes could not address the non-IT aspects of the business, and so BCM was born as a formal discipline. Business continuity, in its nascent stage, was not fully embraced by many organisations until the attack on the World Trade Center in 2001. Many enterprises in the U.S. shut down permanently, and many struggled to survive. It was then that the U.S. Government created and strengthened regulations and guidelines requiring business continuity planning for companies that play a critical role in supporting its economy, such as those involved in the securities and financial trading markets.
Thereafter, there has been a constant evolution in BCMS with the establishment of many standards, guidelines, and regulations specific to a country, region, or industry’s condition. I will refer to one such global standard, ISO 22301:2019, throughout this article.
BCM Framework
Business Continuity can be described as an organisation’s ability to continue its critical business functions with as little disruption as possible. In other words, it is about making plans to help organisations avoid crises and disasters and to be able to quickly return to ‘business as usual’ should disruptions occur. As a part of business continuity, various proactive and reactive strategies are implemented to mitigate the disruption of business functions. A good BCM system identifies and implements measures to prevent or recover from operational disruptions. Such strategies enable the organisation to resume an acceptable level of business operations within a predetermined timescale following a disruption.
In general, a BCM system is organised around the following elements:
• Planning: Know what parts of the business need to be covered
• Business Impact Analysis: Prioritise those business functions in order of criticality
• Risk Assessment: Identify risks associated with business functions and establish risk reduction methods
• Recovery Strategy: Determine the best strategy to resume those critical businesses
• BCP: Develop plans based on the strategies
• Training & Testing: Make employees aware of the plan, and validate the plans
• Monitoring: Monitor effectiveness and continuously improve the plans
Planning
While an organisation determines what part of its business must be covered by the business continuity programme, it is imperative to identify the key stakeholders, their needs, the legal and regulatory requirements on the organisation and the internal/external environments that influence the objectives of BCMS. This analysis is key to determining the boundaries and the applicability of BCMS, and it further establishes the part of the organisation and the products and services to be included or excluded from the programme.
For such programmes that have a strong influence on an organisation’s strategic objectives, the planning phase requires a leadership commitment and an intent to implement the BCMS. This may be through:
• establishing an organisational policy on BCM
• developing standards and procedures to support the policy
• defining the roles and responsibilities of personnel undertaking BCM
• ensuring the competency of personnel
• spreading awareness to all employees on the various aspects of the BCM programme
Business Impact Analysis
A business is a complex environment with multiple processes and activities supporting its business functions. Though all of them matter to the business, not all of them are time-sensitive. Hence, because resources are limited, it is critical for a business to identify the time-sensitive functions that cannot remain disrupted for long. This requires organisations to perform a systematic analysis of the impact on the business should those functions become unavailable. We call this exercise business impact analysis (BIA).
A BIA is a process that allows us to identify critical business functions and assess the consequences a disruption of those functions could have.
It also allows us to gather information needed to develop recovery strategies and limit the potential loss. The key result of a BIA is the identification of the following timelines:
• Maximum Acceptable Downtime (MAD; ISO 22301 calls this the maximum tolerable period of disruption): the point in time by which recovery must be effective before irreversible damage is done to the organisation.
• Recovery Time Objective (RTO): the period within which critical processes must be recovered to an acceptable level. Because recovery must be complete before irreversible damage occurs, the RTO of a function must be shorter than its MAD.
• Recovery Point Objective (RPO): the acceptable amount of data loss, measured in time (for example, "no more than the last 15 minutes of transactions"), that an organisation is prepared to accept while recovering from a disruptive event.
A BIA also assists in determining the minimum operating requirements the business function needs to resume its processes following a disruptive event. These requirements are primarily identified against the following process enablers:
• People
• Facility
• Technology/systems/ applications
• Third-party/vendors
• Vital records/critical data
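The three BIA timelines are only useful if the recovery capability the technology team actually has is checked against them. The following Python script is an added example (not from the article) that ranks a constructed BIA inventory by criticality and reports where objectives are internally inconsistent (RTO longer than MAD) or unmet (last tested recovery slower than the RTO, or backup interval longer than the RPO, since worst-case data loss equals the time since the last copy). The function names, data classes and sample inventory are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import timedelta

# Added example; the classes, field names and sample data below are
# constructed for illustration and are not part of the original article.


@dataclass(frozen=True)
class BiaRecord:
    """Timelines the BIA produces for one business function."""
    function: str
    mad: timedelta  # Maximum Acceptable Downtime: recovery must be effective before this
    rto: timedelta  # Recovery Time Objective: target time to recover to an acceptable level
    rpo: timedelta  # Recovery Point Objective: tolerable data loss, measured in time


@dataclass(frozen=True)
class Capability:
    """What the technology team can actually deliver today for that function."""
    function: str
    backup_interval: timedelta  # worst-case data loss equals the gap between copies
    tested_recovery: timedelta  # recovery time measured in the most recent exercise


def prioritise(bia):
    """Order functions by criticality: shortest MAD first, then shortest RTO."""
    return [r.function for r in sorted(bia, key=lambda r: (r.mad, r.rto))]


def gap_analysis(bia, capabilities):
    """Return (function, finding) pairs where objectives are inconsistent or unmet."""
    caps = {c.function: c for c in capabilities}
    findings = []
    for rec in bia:
        # Internal consistency of the BIA itself: recovery must finish before MAD.
        if rec.rto > rec.mad:
            findings.append((rec.function, "RTO exceeds MAD: objectives are inconsistent"))
        cap = caps.get(rec.function)
        if cap is None:
            findings.append((rec.function, "no recovery capability recorded"))
            continue
        # Capability against objectives: measured recovery time and data loss.
        if cap.tested_recovery > rec.rto:
            findings.append((rec.function, "tested recovery time exceeds RTO"))
        if cap.backup_interval > rec.rpo:
            findings.append((rec.function, "backup interval exceeds RPO (worst-case data loss too high)"))
    return findings


H = timedelta(hours=1)
M = timedelta(minutes=1)

# Constructed sample BIA output for four functions.
SAMPLE_BIA = [
    BiaRecord("payments", mad=4 * H, rto=2 * H, rpo=15 * M),
    BiaRecord("payroll", mad=72 * H, rto=48 * H, rpo=24 * H),
    BiaRecord("public website", mad=24 * H, rto=36 * H, rpo=24 * H),
    BiaRecord("customer support", mad=8 * H, rto=4 * H, rpo=1 * H),
]

# Constructed capability figures; "customer support" deliberately has none.
SAMPLE_CAPABILITIES = [
    Capability("payments", backup_interval=5 * M, tested_recovery=3 * H),
    Capability("payroll", backup_interval=24 * H, tested_recovery=8 * H),
    Capability("public website", backup_interval=24 * H, tested_recovery=1 * H),
]

if __name__ == "__main__":
    print("priority order:", prioritise(SAMPLE_BIA))
    for function, finding in gap_analysis(SAMPLE_BIA, SAMPLE_CAPABILITIES):
        print(f"{function}: {finding}")
```

Run against the sample data, the script flags payments (a 3-hour tested recovery against a 2-hour RTO), the public website (a 36-hour RTO that is longer than its 24-hour MAD, so the BIA itself needs correcting) and customer support (no recovery capability recorded at all); payroll passes. Each finding is the kind of gap the recovery strategy and testing steps later in the article exist to close.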
Risk Assessment
Once an organisation identifies its time-critical functions through a BIA, it is of utmost importance to assess the risks that may prevent recovery of those functions by disrupting its process enablers. BCM uses the process of risk assessment (RA), which enables an organisation to identify, analyse, and evaluate those risks. These risks may be due to a wide spectrum of threats, such as natural calamity, cyber-attack, or an act of terrorism.
• Risk identification: In this step, organisations identify the sources of risk, the areas and extent of impact, and the type and likelihood of threats. The aim is to produce a comprehensive list of risks, based on those threats, that might prevent the recovery of time-critical business functions.
• Risk analysis: Risk analysis involves developing an understanding of each risk. Its result is a set of risk levels or categories, determined qualitatively or quantitatively from the likelihood and impact of the risk.
• Risk evaluation: Determining risk levels is key to identifying the most appropriate action for management to take in treating the risk. The onus is on management to weigh the cost-benefit analysis and other business considerations to identify the optimal risk treatment.
Recovery Strategy
BIA and RA give a foundation to business continuity planning that requires the business to determine recovery strategies. Before implementing a BCM strategy, the business should consider:
• whether functions are enabled to recover to an acceptable level within agreed timelines
• whether functions are well protected from internal and external risks
• whether the likelihood of disruptive events is reduced and the period of disruption shortened
• whether resources are optimally deployed during a disruption
• whether key businesses are safeguarded against severe impacts
Though BCM strategies are greatly influenced by the needs and expectations of stakeholders, the size and complexity of the business environment and the resources at its disposal, some industry best-practice solutions can be implemented to recover the BCM enablers. These solutions are for reference only and vary from one organisation to another owing to each organisation's unique BCM objectives. The scenarios they address are:
1. Unavailability of Office
2. Unavailability of People
3. Unavailability of IT Systems or Applications
4. Unavailability of Third Party/ Vendors
5. Unavailability of Vital Records/ Critical Data
Business Continuity Plan
A business continuity plan is a documented procedure specific to a business, business function, process or activity, detailing the recovery requirements, procedures, resources and communication structure. A business continuity plan typically contains (but is not limited to, and not necessarily in this order) the following:
• Business functions under the scope of the plan
• Details of the response structures, including the roles and responsibilities of BCM team members
• Communication protocols and mechanisms before, during, and after a disruption
• Escalation thresholds
• Plan activation procedures
• Immediate response procedures
• Recovery solutions for each process or activity, along with resource requirements and key contacts. This is informed by the BIA, RA, and BCM recovery strategies
• Internal and external dependencies
• Procedures to get back to business as usual
While the business continuity plan focuses on the recovery of people, facilities, third parties, and vital records, an IT disaster recovery plan focuses on the recovery of technology, system, and application dependencies, and it is typically administered by the technology team of an organisation.
A business continuity plan differs from other contingency plans, such as a crisis management plan, incident management plan, emergency response plan, or an information technology disaster recovery plan. The following graph shows the relationship between the various plans.
Training and Testing
A plan is only as good as its weakest link. Hence, it is of utmost importance that all stakeholders are aware of the contents of their plan along with their responsibilities. This may be done through structured training and awareness programmes at an organisation, business or function level.
At the same time, validation of a plan is critical to its success, to avoid being caught unprepared in an actual emergency. There are various methods of testing and exercising a plan, the most rudimentary being the walkthrough or seminar. The complexity of exercises may be increased in line with the maturity of the organisation's BCMS, progressing from a table-top exercise to partial or full-scale simulations involving one or more partners. An exercise helps validate the procedures laid out in the plan. It also presents an opportunity to improve the plan where gaps or high-risk issues are identified. Any risk so identified must be addressed through a suitable corrective action plan.
Monitoring and Continuous Improvement
BCMS is critical to effectively continuing the operations of the organisation through or after a disruption. To ensure that the programme is efficiently managed, regular performance evaluations, audits, and management reviews are a must. Such monitoring allows the programme to constantly evolve and keep up with the dynamically changing business environment. Also, owing to the ever-changing global, regional, or country-level legal and regulatory requirements, coupled with real-time incidents with major impacts on operations, it becomes imperative for senior management to reassess and realign the BCMS to the organisation’s strategic objectives.
Current Scenarios
COVID-19 has sent shockwaves through the global economy. Due to travel restrictions and frequent legal and regulatory changes, organisations across the globe have struggled to ensure they have adequate resources to perform effectively. As businesses scrambled to react, business continuity planning, previously an often-overlooked subject, suddenly became a top priority. The pandemic has also reminded us that economic survival can hinge on a single concept: preparation. Having a business continuity plan in place certainly benefitted many organisations, because it had at least forced the business to consider the measures to take in the event of more foreseeable disruptions. COVID-19 has reinforced the need for businesses operating in today's complex, interconnected environment to expand their scenario planning beyond the common cases.
COVID-19 is a good example of a complex scenario. It may have started as a health and safety event, but it quickly went well beyond that, with cataclysmic impacts. In today's digitised and globally connected organisations, businesses do not exist by themselves; they exist within complex economic and societal systems and within integrated business ecosystems. The pandemic is a grim reminder to businesses to go beyond traditionally reactive measures to proactive ones. While business continuity planning adds to the resilience of an organisation, it also has significant potential to reduce economic losses for businesses, one of the primary targets of the Sendai Framework for Disaster Risk Reduction.