Business continuity management needs to do more than simply meet regulatory requirements.
When one looks at countries that have experienced major disasters, the issue is not only the loss of technology and infrastructure, but also the loss of people.
When major disasters strike and impact entire cities or even countries, devastation is often vast, and people often need to turn to government for assistance. Governments, on the other hand, generate the bulk of their revenue from the taxes they collect from local businesses during times of operation, and if businesses can't resume their operations swiftly, government won't be able to collect taxes and this may result in an economic downturn or even the devastation of a country's economy.
If one considers the consequences of an economic collapse after a disaster, hundreds of thousands of people could be rendered unemployed, not to mention those who will need medical assistance. To implement recovery processes effectively, businesses must operate, food must be grown, factories must produce and taxes are needed to rebuild the economy. If none of this happens, the roll-on effect would see the country's trade partners also negatively impacted, because they can no longer buy from or sell to the country.
A business continuity plan therefore needs to look further than the immediate emergency, taking into account what will be required to get the business up and running as soon as possible, and keep it and its dependants working and contributing to the economy for the long-term. The failure of business continuity management (BCM) affects the company concerned, a number of people who will experience personal disasters when operations cease, as well as government.
From some responses to the previous Industry Insight in the series, it is clear that many correctly believe BCM is not only a risk management process, but also a basic human right that must be supported through:
* Employment continuity - making sure employees have a job/workplace to return to after a disruption/disaster;
* Confidence continuity - ensuring staff and stakeholder confidence in the business's ability to recover; and
* Operational continuity - ensuring government will not be negatively impacted financially through the non-collection of taxes, which may be required during a disruption/disaster to assist people in their time of need.
Business managers, process owners, strategic planners, project and procurement teams, key suppliers and directors are all involved in risk management.
It goes without saying that in every business some risk-taking is inevitable; however, these risks need to be identified and managed. Once these risks have been identified, it's important to understand their nature, probability and the potential impact they may have should they occur - only risks that have been identified can be managed.
An organisation's risk management strategy needs to be consistent across its entire area of operation. BCM provides a framework that sets the context in which risks are managed in terms of how they will be identified, analysed, mitigated, monitored and reviewed. This framework needs to be consistent and comprehensive, with processes that are embedded in the everyday management of the company.
Whichever way you look at it, the board remains responsible for the process of risk management, and businesses that take enterprise risk management seriously understand the fundamental role that BCM plays in sound corporate governance practices.
BCM is, after all, about being prepared for any form of business disruption and keeping stakeholders satisfied that existing and potential risks are contained.
However, while the board remains ultimately responsible for risk management as a whole, senior management has the responsibility for implementing the operational risk management framework approved by the directors.
This framework should be implemented throughout the whole organisation, and all levels of staff should understand their roles and responsibilities with respect to operational risk management.
In addition, senior management should ensure that BCM is conducted by qualified staff with the necessary experience and technical capabilities, and that staff responsible for BCM have authority independent from the business units they oversee. Management is responsible for ensuring the operational risk management policy has been clearly communicated to staff at all levels in the various business units within the organisation.
BCM is not a matter of preparing for a flood, a terrorist attack or any specific threat; it is a complex process of preparing the business and its employees for anything. When a disaster happens, companies with a well-designed business continuity plan will have critical areas up and running in short order, with the rest of the organisation being brought into operation in an orderly, precise manner.
Implementing a formal, standards-based business continuity plan based on international best practices has the following benefits:
* Minimises the effect of a disruption on an organisation;
* Reduces the risk of financial loss;
* Retains company brand and image and gives staff, clients and suppliers confidence in the organisation's services;
* Enables the recovery of critical systems within an agreed timeframe;
* Meets legal and statutory obligations; and
* Measures the level of compliance with international business continuity standards from the Business Continuity Institute.
Still not convinced? In the third Industry Insight in this series, I will look at a real-life example of what happened to a listed company that didn't think of business continuity management.
Derek Taylor has been involved in business continuity management at ContinuitySA since July 2008. He also completed his BCM training in that year, and is an associate of the Compliance Institute of South Africa (CISA). Taylor is a business development manager (BDM) at ContinuitySA as well as the strategic alliance manager to the Corporate Governance Framework (CGF) Research Institute. He is responsible for generating new business leads and managing client relationships throughout the various service sectors that ContinuitySA works within. Taylor is responsible for all aspects of corporate governance and compliance for ContinuitySA, and has a keen interest and extensive experience in the ever-changing governance, risk and compliance landscape. He is a keen public speaker and has presented at a number of conferences; his presentations include topics on business continuity management, corporate governance, risk management, compliance, IT governance, the new Companies Act and King III. He most recently spoke at the International Banking Conference on risk management, and chaired the Syncom Business Continuity Management and Disaster Recovery Conference, at the Gallagher Convention Centre.