Business Continuity Management (1): Policy and Governance

Business Continuity Management (BCM) has evolved out of the disaster recovery arrangements that organisations put in place as they became ever more dependent on their system infrastructure.
There is no universally agreed definition but the one we shall use for these articles is:

Business Continuity Management (BCM) is the process of ensuring that an organisation is capable of surviving through a period of major disruption to its normal mode of working.

BCM is an umbrella term that encompasses the preventative measures that can be taken, the management of the crisis as it happens and the recovery process.

Embedding BCM in the Organisation's Culture (click to see enlarged view).

The various aspects of the BCM lifecycle that will be looked at in turn are:

1. Policy and Governance
2. Business Impact Analysis
3. Threat and Risk Assessment
4. Business Continuity Strategy and Plans
5. Testing and Exercising the Plans
6. Preparation against specific threats/risks
7. Crisis Management plans and training

1. Policy and Governance

The policy statement for an organisation should be a clear statement of the level of business continuity that it sets out to achieve.  It should include:

• The organisation’s commitments.
• Its operational framework and principles for BCM.
• Its priorities (e.g. staff welfare and key customer services).
• The responsibilities of senior management.
• Minimum standards for planning documentation, recovery times, service disruption etc..
• Details on how the organisations state of readiness for a Business Continuity incident will be measured. (e.g. KPI’s and KRI’s)

It is useful to include a summary of the policy points, a half a page of A4 that can be distributed to everyone.  It should give a clear statement of the company’s priorities following a Business Continuity Incident and enough indication of recovery expectations to direct all of the subsequent strategizing and planning.

Unless the organisation is very small and has a very simple business or has decided that following a major incident it will simply cease operating, the business continuity strategy is going to be non-trivial. Thus the policy statement should not attempt to specify the strategy or recovery details; these will be covered in the plans. Policy statements that start to become too detailed have a habit of evolving over time into the massive old fashioned monolithic plans that ended up gathering dust in someone’s cupboard.

Some organisations have turned their policy statement into a competitive differentiator.  If your business relies heavily on your client’s perception of continuous high quality service then setting targets of worst-case service interruption of a few minutes is well worth shouting to the world.  Of course you will need to deliver on your promises and be able to prove it.

However challenging your company’s culture is, it is always worth remembering that the policy statement needs to be achievable. Zero downtime statements usually render the whole document meaningless.  Business Continuity Incidents are very rare, but by definition, potentially catastrophic for an organisation. If you get a serious problem, what is your realistic recovery period? Which activities need to be prioritized? What are the short term workarounds?  If everything is predicated with ‘we don’t tolerate business interruptions’, these issues are never addressed and real-life interruptions are likely to be much disruptive than they need be.

The concept of governance for the whole business continuity management cycle is a relatively new concept. What started as an IT function, moved into Operations, then Change Management and then latterly into Information Security, has rarely been enthusiastically owned by the senior echelons of power.

It is critical that Business Continuity as a capability is owned by the revenue earning parts of an organisation and the departments that directly support them.  It must be their judgment on what level of interruption is acceptable to their revenue generating activities.

However business managers are not always sensitive to the low probability, high impact risks and even if they are, almost certainly they will want a strategy and solution geared to their interests rather than the organisation as a whole.  This is where the policy comes in and why there needs to be a central point of accountability to the owners of the business to reassure them that there is a consistent approach to protecting the value of the business following a business continuity incident.

There are many different views (driven by recent legislation such as MiFID or Sarbanes-Oxley) on whom that central point should be, such as the CEO, the CFO, the director in charge of risk and others.  In practice it depends very much on how the organisation is structured. However, someone at board level must take responsibility for ensuring that the organisation is as well protected in their view against a business continuity incident as it would be by using insurance against other types of risk.

If the organisation has a non-executive presence on the board, business continuity is something in which they too should take an interest in order to meet their obligations to protect shareholder value.  The implementation and day-to-day management of business continuity is likely to be carried out below board level in all but the smallest organisations.  The board should be reviewing the business continuity KPI’s and KRI’s supplied and leaving the details to their managers. 

The answer to the question of whether there should there be a dedicated Business Continuity Manager depends on the size of the organisation.  These days smaller organisations tend to group business continuity in with Information Security and this hybrid role has become commonplace in the job market.  Business Continuity though is a discipline in its own right as is Information Security and such hybrid roles tend to be filled by Information Security specialists and report back to into IT.  This is not ideal.  Preferably, Business Continuity should be run by managers experienced in their organisation’s business, with accreditation/training/professional qualifications by professional bodies such as the Business Continuity Institute (BCI).  These managers will be aware of the various standards such as PAS56 or BS25999 and have the experience to know just how much to implement them in their particular organisation.

Business Continuity is a risk management discipline and therefore works best when it fits in with but is not dependent on the other risk management activities of the organisation such as Compliance.