
RISK insight

Business Continuity Management May 2009

Risk insight Business Continuity Management (BCM) | 2

Managing your Business Continuity Management (BCM) risk


The strategies and decisions made by organisations are based on assumptions that they will continue to operate. If these assumptions are affected by a significant disruption, it may impact on the organisation's ability to fulfil its objectives. A study by Marsh shows¹:

- 43% of businesses experiencing major disasters never re-open, and 29% close within three years
- less than 50% of organisations have business recovery plans, and at least 90% never test their plans
- 75% of businesses would be unable to function without IT/telephony after 14 days
- recovery time is invariably underestimated
- costs of recovery are not always recovered by insurance.

Introduction
BCM is concerned with considering what to do when it all goes wrong, and making sure that people and clients are not inconvenienced or put at risk when something does go wrong. It should be undertaken by an organisation to manage its business and service continuity risks and to respond to community emergencies. It should be based on a whole-of-organisation approach, whereby all parts of the organisation must be involved in BCM.

The primary objective of BCM controls, strategies and plans is to ensure the uninterrupted availability and resilience of key or time-sensitive resources, so that they support the organisation's critical business processes, operations and services. In essence, BCM is a holistic but integrated management process that provides a robust framework for building resilience with the capability for effective responses to potential events, regardless of cause, which affect the organisation. BCM also seeks to protect the interests of key stakeholders, organisational reputation, brand and value-creating activities.

The case for implementing strategies to manage BCM is compelling. Risk management is concerned with putting in place controls and treatments that seek to prevent or mitigate continuity risk, encompassing the establishment of appropriate strategies and plans. For the last two years, VMIA's Risk Framework Quality Review (RFQR) results have shown that BCM is an issue for a large number of our clients, particularly in relation to their dependence on IT systems and lack of contingency planning.

The following documents may provide further guidance on BCM:

- AS/NZS 5050 Australian and New Zealand Standards for Business Continuity Management, Standards Australia (Draft).
- HB 221:2004 Business Continuity Management, Standards Australia.
- HB 292:2006 A Practitioners Guide to Business Continuity Management, Standards Australia.
- ISO/PAS 22399:2007 Societal security: Guidelines for incident preparedness and operational continuity management.
- Emergency Management Manual Victoria (February 2005).

1 Marsh, Business Continuity Management: Keeping your business in business, Phil Hobson, September 2006.


To be effective, we need to pay attention to the following principles²:

- BCM is part of the organisation's risk management that considers a wide range of strategic and operational risks that have the potential to disrupt the achievement of organisational objectives.
- BCM is an important contributor to the overall organisational resilience.
- BCM assists organisations to continue achieving their objectives.
- BCM drives organisational preparedness for managing disruptive events, proactively treating risk and establishing capability to manage potential impacts.
- BCM builds organisational capability to mitigate the likelihood of events occurring, and to respond to, manage and recover from these events.
- BCM seeks to understand organisational requirements for people, processes, information, assets and technology that will contribute to the achievement of its objectives through the conduct of BCM.
- BCM is an iterative process that is continually monitoring and reviewing external and internal contexts for change and responding to that change.
- BCM's iterative process drives continual improvement so that it contributes to organisational preparedness and resilience.
- BCM is focused on the understanding of uncertainty and how organisations could respond to and manage that uncertainty.
- BCM provides an analytical framework which assists decision makers in making informed choices on the management of continuity risk and events.

Figure 1: BCM process


Tools and templates can be downloaded from VMIA's website, www.vmia.vic.gov.au.

BCM is a cyclical risk management process as described in the ISO 31000 risk management standard (draft). It is an iterative process whereby the outcomes of each stage are used to challenge and review the assumptions and outcomes of previous stages, through the monitoring and review process. The process for BCM is represented in Figure 1 above³. BCM goes well beyond implementing a simple process and writing business continuity plans. The plans need to be flexible and decision makers need to appreciate the uncertainty and complexity. BCM should reflect the organisation's culture and comprise a comprehensive set of activities that are appropriately integrated into organisational learning and improvement.

Integrated BCM process


BCM should be integrated with the organisation's overarching organisation-wide risk management framework and processes. Risk management guidelines,

2 Draft AS/NZS5050 BCM standard.
3 Draft AS/NZS5050 BCM standard.


Overlapping clusters of activities


There are overlapping, non-linear, clusters of activities that organisations have to consider doing before, during and after a disruption or an emergency. These depend on the circumstances, impact, organisational context and maturity. They overlap because one or more activities can be activated concurrently and/or sequentially, in no particular linear order or sequence. The six overlapping clusters of activities are represented in Figure 2 below:

- risk management - prevention and risk mitigation
- response - immediate management (in response to an event)
- recovery - recover interim/partial services and operations
- restoration - restore to full service and operations
- resumption - normalisation, back to business as usual services and operations
- control and/or command - governance structures that manage these overlapping clusters of activities.

A BCM program involves an integrated organisational-wide process of:

- establishment of the program/project
- development of the BCM policy and framework
- risk assessment and impact analysis
- establishing structures for incident command, recovery and support
- development of cost-effective BCM strategies aligned to objectives
- development and testing of plans
- reviewing, maintenance, training and auditing.

Due to inter-dependencies with other government agencies, an integrated, multi-agency organisational response at local, regional and national level may also be required if a community emergency does occur.

Criticalities
A committed Board or delegated management should be satisfied that sufficient infrastructure, budgetary and other resources are allocated and maintained in order for your organisation to be able to fulfil the objectives of a BCM program, and to continuously develop, maintain and implement relevant continuity plans throughout the life of your organisation. The BCM program is a continuous journey, rather than an end in itself. For BCM to be successful, it is necessary to focus on the following performance drivers:

- structured co-ordination - highly structured co-ordination arrangements ensure that all planning and systems, from the first response to recovery (restoration and resumption), are aligned and well understood and communicated, with roles and responsibilities clearly defined and documented
- workforce capability - develop workforce capability and competencies through plans, skills training and adequate provision of technical equipment and committed resources
- capacity building - build capacity planning dimensions into services and operations, including escalation processes and systems to manage possible surges in demand for services

Figure 2: Cluster of activities



- always put the health, security and safety of all people first
- always seek to provide factual, rapid and transparent communications.

BCM strategic options include, but are not limited to:

- process transfer or relocation - involves transfer of critical and/or time-sensitive activities either internally (e.g. to another part or location of the organisation) or externally (e.g. to a third party location), independently or through a reciprocal/mutual-aid agreement
- agreement to share resources through mutual aid arrangements (e.g. shared data centre)
- temporary/manual workarounds - as an alternative to transferring or relocating a process, it might be feasible to adopt a different way of working that provides an acceptable result in the short to medium term (e.g. using the stairs rather than lifts)
- change, suspend or terminate services, functions or processes that conflict with the organisation's key objectives, statutory compliance or stakeholder expectation
- insurance - for financial compensation for losses, used in combination with other strategies.

The exercising of continuity plans is essential. It ensures that disconnections, omissions and dependencies within plans are fixed before they are used in reality. As such, it is important to:

- test the system
- exercise strategies and plans
- ensure people are rehearsed in how to respond.

BCM Strategies
A critical concept in BCM is the recovery time objective (RTO). This is an agreed time between the point of a service disruption (occurrence of the event) and the point at which time-critical organisational processes, systems and infrastructure should be operational and updated to normal status. The applicable BCM strategy needs to have acceptable recovery time objectives that are aligned with the organisation's objectives, risk management framework and risk appetite, and in compliance with applicable regulatory and contractual service obligations.

inter-operability of plans - ensure inter-operability of both planning and operational activities, with diverse arrangements and inter-connectedness with other component parts of the system.

All decisions on how organisations respond to incidents, regardless of cause, should be driven by the following basic principles:


BCM Plans
Continuity plans, as represented in Figure 3, collectively bring together the following topics and planning into either one single document (for smaller organisations) or several documents (for larger organisations).

- risk management planning - overarching steps to establish the context, identify, analyse, evaluate, treat, monitor, and review risk, and communicate and consult
- crisis management planning - steps taken to maintain reputation and to execute the relevant communication strategy or protocols
- response planning - steps taken to immediately respond to disruption or community emergency, ensuring human safety and security
- contingency planning - steps taken to activate or restore alternate processes, systems and physical locations, where appropriate and necessary
- recovery planning - steps taken to restore specified critical or key infrastructure requirements such as utilities, communications and technology
- restoration planning - steps to provide limited to normal business services and operations
- resumption planning - steps to bring service levels, operations and/or facilities back to business as usual, or providing back-to-normal services to clients from minimum service levels.

Figure 3: BCM plans

Conclusion


Continuity plans are living documents that should be continuously tested, refined and trained with to maintain their relevance, effectiveness and positive impact. Sustainability of the BCM program after the initial continuity plans have been developed is vital for a successful response and recovery after an incident. Once started, the continuous commitment of the Board and senior management is vital to ensure that the organisation can recover from an incident with up-to-date business continuity strategies and plans. The higher investment costs in BCM upfront may off-set any potential recovery costs if a disruption does occur. By spending time and effort to create a comprehensive set of continuity strategies and plans upfront, there is a higher chance that the organisation is more prepared to face and respond to a disruption, and to recover from it in the shortest possible time, at a lower cost and at the least inconvenience to clients and stakeholders. Otherwise, more money may be spent during and after the crisis to recover the organisation, if it is not too late altogether.

