BCM is the development of strategies, plans and actions that provide protection or alternative modes of operation for those activities or business processes which, if they were to be interrupted, might bring about a seriously damaging or potentially fatal loss to the enterprise.
There are three:
Crisis Management is a process designed to enable an effective response to an event. Crisis management processes focus on stabilizing the situation and preparing the business for recovery operations.
Business Resumption Planning, or Business Recovery Planning, involves the recovery of critical business functions and processes that relate to or support the delivery of core products or services to a customer.
IT Disaster Recovery addresses the recovery of critical IT assets, including systems, applications, databases, storage and network assets.
Although a vague question, it is commonly asked and is actually quite valid. A company’s business continuity approach and project scope may vary widely, and are driven exclusively by business requirements (and constraints). However, a number of common project characteristics remain (although the process used to meet these project objectives varies):
Business Continuity Program Design and Deployment – including a definition of policies, standards, and tools to support business continuity efforts. In addition, an effective BCM program should include assigning accountability and responsibility for each key area (e.g., crisis management, business resumption, and IT disaster recovery).
Business Impact Analysis – establishing recovery objectives (business and technology), as well as the associated justification for each.
Threat & Risk Assessment – identifying and prioritizing threats and failure scenarios to which the organization may be vulnerable.
Strategy Design and Implementation – identifying and implementing continuity strategies that best meet the organization’s needs, based on a cost-benefit analysis.
Plan Documentation – documenting response, recovery and restoration procedures to enable effective business continuity operations.
Testing – validating and continuously improving business continuity strategies and plans.
Training and Awareness – increasing knowledge regarding business continuity operations, both in terms of response/recovery team members, as well as employees in general.
Compliance Monitoring and Audit – establishing compliance with internal and third-party business continuity standards.
Organizations design and deploy business continuity solutions to manage:
Organizations typically provide leadership to the business continuity program through three roles:
Sponsorship – providing or ensuring organizational and financial support
Ownership – direct responsibility for ensuring support, as well as overall program execution
Custodianship – responsibility for the coordination of BCM tasks that are executed throughout the organization
The sponsorship and business continuity program ownership roles continue to trend toward organizational elements with visibility of the entire business, as well as experience with risk management. Based on these trends, MHA has developed a list of sponsors and owners in an order of decreasing effectiveness:
Finance – The CFO or a direct report, to include risk management or loss prevention
Operations – The COO or a direct report, to include security and Environmental, Health and Safety (EHS)
Executive Council – A member of the senior management team, to include the general counsel, director of human resources or manager of corporate communications
Information Technology – The CIO or a direct report in data center operations (some organizations have a program/project management office, where BCM may reside)
Internal Audit – The director of internal audit enforces the company’s business continuity policies through decentralized execution or dedicated internal audit resources
In the Enterprise Risk Management (ERM) Integrated Framework, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines ERM as:
A process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
The definition reflects certain fundamental concepts. ERM is:
A process, ongoing and flowing through an entity
Effected by people at every level of an organization
Applied in strategy setting
Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
Designed to identify potential events that, if they occur, will affect the entity, and to manage risk within its risk appetite
Able to provide reasonable assurance to an entity’s management and board of directors
Geared toward achievement of objectives in one or more separate but overlapping categories
BCM is one component of an effective enterprise program designed to manage risk and is, therefore, emerging as one of many pillars within ERM.
Since 2001, nearly every BCM regulatory requirement or standard has been enhanced or expanded to address increases in the threat environment, as well as a greater focus on corporate governance. Some of the most commonly used industry standards are:
International Organization for Standardization (ISO) 22301
Federal Financial Institution Examination Council (FFIEC)
National Fire Protection Association (NFPA) 1600
Business Continuity Institute (BCI) Good Practices
In our view, there are two kinds of situations where it might make sense for a company to do BCM on its own:
When the company is relatively small (say under a hundred employees) and/or has relatively few business units (say 10 or fewer).
When the company (whatever its size and complexity) has a mature BCM program that was set up with the guidance of a professional, to the point where all they are doing now is ongoing maintenance and continuous improvement.
For all other companies and situations, the company will really be better off, in our opinion, if it invests in outside help.
This is especially true in the case of medium and large organizations that are just getting started with their BCM programs.