We define BCM as a management process that identifies risks, threats and vulnerabilities that could affect ongoing operations. Business continuity in the event of an incident provides a framework for building organizational resilience and the ability to respond effectively and efficiently. Keep things running with these seven tips.

1. Rely on a standardized procedure

Business continuity management includes strategies and measures to protect processes in such a way that damage to personnel and the company can be kept to a minimum. It is advisable to rely on a standardized procedure. Otherwise, important aspects may be forgotten. BCM best practice procedures and guideline documents are available from a number of professional associations. These include the Federal Office for Security (BSI), the Business Continuity Institute (BCI), the Disaster Recovery Institute International (DRI) and the Institute of Risk Management (IRM). We recommend the Good Practice Guidelines (GPG) 2018 of the BCI.

The Good Practice Guidelines contain the terminology of ISO 22301:2012 and represent the current global status quo of good practice. The GPG draws on the academic, technical and practical knowledge of BC professionals from across the BCI membership. The GPG is subject to rigorous quality assurance processes to ensure that the Guidelines continue to promote the highest standards of BC practice worldwide.

BCM Lifecycle

2. Find out more about risk management

Business continuity management comes under the umbrella of risk management, as it is also a holistic process that identifies potential risks and minimizes their impact – but with the aim of maintaining business operations. The bad news: nothing is completely risk-free. The good news is that risk management is clearly defined. The first step is to identify, assess and prioritize risks. This is followed by the coordinated and economical use of resources to minimize, monitor and control the probability or impact of unfortunate events. At the same time, opportunities should also be maximized. You can find out more about risk management here.

Possible scenarios for incidents:

  • Failure of hardware, software or the network
  • Building failure/power failure
  • Failure of production facilities
  • Hacker attack (e.g. ransomware, phishing)
  • Natural disasters (e.g. flood disaster)
  • Pandemic (COVID-19)
  • Staff absence (illness or dismissal)
  • Failure of partners and service providers

3. Regularly review your emergency and crisis plans

Like the overarching discipline of risk management, business continuity management only really came into focus with the COVID-19 pandemic. COVID-19 remains the largest pandemic event most organizations have ever experienced. It is changing the way society, organizations and people work in general. Few organizations were prepared for a pandemic on such a global scale and lasting for months. The typical period for which organizations planned business interruptions was between seven and 30 days.

Some organizations used plans from 2009 that were created for the H1N1 virus (swine flu). These plans called for employees to be relocated from the affected production facility to a location in the same geographic region. Problem: No one planned for a complete lockdown including travel bans in some regions. This situation rendered even well-documented contingency plans for dealing with the workforce ineffective.

4. Test your crisis plan regularly

Exercise this plan like a fire alarm – at least once a year. The only means by which organizations can evaluate the effectiveness of recovery and continuity controls is by testing or living through emergencies and crises and executing BC plans. Organizational certification provides no guarantee that the organization will effectively recover from an actual disaster. It merely confirms the maturity of a BC plan and its management. Also test how well your plans interface with other disciplines to achieve a high level of organizational resilience.

5. Plan ahead and know the services you need

For many companies, BCM was not an issue before the pandemic. Shortly after the outbreak of the pandemic, there was a flood of job advertisements – everyone wanted to hire risk managers. During the pandemic, many companies did not know which products and services were crucial for their business. The result was hectic and chaotic reactions that wasted time and money, resources that could have been saved if companies had known and prioritized their content and production resources. This also includes knowing which services are used for the IT infrastructure and are absolutely essential. An asset analysis and a business impact analysis can help here.

6. Your BCM program and team should be decentralized

Your BCM program and team should include representatives from all business units and all geographic regions. COVID-19 showed how challenging it can be just to work with healthcare organizations in different (federal) countries. There was a lot of conflicting information to process from different authorities. At the same time, you need to be prepared to communicate appropriately to external stakeholders in different countries about the availability of products and services that are expected for delivery.

7. Conduct a Business Impact Analysis (BIA) to visualize the impact on business operations

The results of a business impact analysis are key to a controlled response to a pandemic or other crisis. Before COVID-19, many organizational leaders were unaware that some business processes, employees, facilities, IT services and suppliers or third parties were critical to their organization’s missions. Example: In the early days of the pandemic, employees were indispensable, sometimes working weekends to transport the necessary equipment for remote work to colleagues’ home offices. An important component of the BIA is the status of employees:

  • Who is essential for the introduction of Remote Work and at what stage?
  • What is the minimum staffing level for the individual business units?
  • Who is normally onsite and could work remotely, but is not equipped?
  • Who is normally onsite – but is best equipped for remote?
  • Plan for multiple business disruptions that occur simultaneously.

Then create similar documentation for business processes, facilities, IT services and suppliers.

Good business continuity management requires the resources of time, personnel and expertise. Digital management systems can help to reduce their use to a minimum. Doing without BCM altogether can mean literally having to close up shop in an emergency. Operating BCM effectively and efficiently will give you a clear advantage over the competition throughout the crisis.