This module will take you through Business Continuity Management.
- BCM Objectives
- Back-Up Facilities
- Testing and Verification
- Main Points
The information in this document is part of the Deltar ‘Level 4 Management Award in Advanced Risk and Crisis Management’.
Given the fact that crises are usually large scale, unexpected and to a large degree outside of the control of the security manager, it is likely that any crisis that does occur will have a major impact on the operations of a company, including widespread disruption or even total collapse.
Business Continuity Planning (BCP) and Business Continuity Management (BCM) are two aspects of the recovery stage of the post-crisis response that will almost certainly involve the security management team. This section will look at some of the basic requirements of any BCP and BCM programme, but for more detailed information you can refer to International Standard ISO 22301:2012, which gives a full insight into the requirements of corporate BCM.
The purpose of Business Continuity Planning is to ensure that there is a framework that can be used to maintain the operations of the company under the widest possible range of risks. However well they may be planned and written, anything which is more than a routine situation will involve a significant level of disruption and confusion, and will need the written BC plans to be adapted to the reality of the situation that the managers are facing. This is more evident the larger the organisation is, especially when the deployment of the BCP goes beyond a matter of personal discussions and requires high levels of multi-division coordination. The need to utilise BC plans at the same time as maintaining the core functions of a business’s operations is always going to be a process that tests a security manager’s skills to the limits.
As in any security management programme, the first stage in developing a business continuity plan is to carry out a risk assessment, so as to identify what sorts of risks might need to be planned for. Each of these identified risks would affect the operation in a different way, but they all share the common quality that they would cause significant disruption to the ability of the company to manage its business on a normal basis. In a typical city office that might include IT failure, flooding, terrorist threat, transport failure (so that employees can’t get in), rioting, power failure, etc. For a company that runs overseas operations, identified threats might include natural disasters, political upheaval, social unrest, terrorism, organised crime, K&R (Kidnapping and Ransom), or any of the other risks that might be identified depending on the specific geographical, political and social environment within which it is operating.
BCM Objectives
The development of a BCP will always be something that involves a high level of collaboration with a wide range of other divisions, and it is the ability to coordinate different divisions that might not normally have a close working relationship that will set the foundation for effective shared decision making and delivery of solutions in the event that a major business disruption was to occur.
Back-Up Facilities
One of the first questions that any BCP will pose is ‘What would we do if our present facilities became inoperable?’. That might be because of something directly connected to the building – a gas leak, for example – or it may be something that you get caught up in that actually has nothing to do with you. There may be a terrorist attack in the next street, but your building is inside the inner cordon that has been set up, and you may not be able to have access to that site for days or even weeks, or you may share your building with a major petrochemical company that becomes the target of sit-in protestors or a hostage situation.
In the event that you did need to move your operations to another site, it is critical to the success of that move that everything that you need is already in place. One weakness of many BCPs is that they presume that they will be able to do something that actually is not the case. They may presume, for example, that people will be able to access the building in order to retrieve computer files or other documents. However, as a security manager, it is important that you look at your BCP with honest eyes, and don’t make presumptions that would certainly make your life easier, but actually are not likely to happen if a genuine situation was to arise.
As in any ‘non-normal’ situation, communication is the absolute key to getting things done. However effective the BCP might be, there will always be the need for a large amount of communication between all the various stakeholders, who will be assessing the situation and adapting the BCP according to the specific and immediate needs. As well as the need to communicate with the other people involved in the BCP – and that is likely to be all employees, in one way or another – there is also the need to communicate with clients and suppliers, to reassure them as to the current situation and as to how long it will take to resume normal operations (or at least, as near to normal as possible).
As in any crisis management situation, events on the ground may require fast and decisive decision making, and one of the main causes of failures in BCP is the fact that it is not clear who has the authority to make decisions, and to what level. Many of the actions that will be taken will need to be paid for – getting specialist cleaners in to clean up your office after a flood, hiring coaches to take your staff to the new offices, paying for hotel rooms and meals, hiring a third party supplier (TPS) to supply emergency communications networks, etc. If each of these questions leads to significant delays in making the decisions and putting the actions into place, then it is clear that there will be a cumulative delay that will mean that the BCP itself will become increasingly ineffective and the situations that you are facing will become increasingly serious and difficult to respond to.
It is likely that the impacts of the events that lead to the triggering of the BCP will have a ‘long tail’, in that they will continue to affect your operations for a long time after the initial problem. However, even if you may not be able to restore the whole operation to the status that it was in before the crisis started, one of your objectives is to reach a stage where normal activities can carry on, as best as possible, whilst the rest of the recovery programme runs in parallel to that.
Testing and Verification
Given the potential level of impact of the failure of any BCM programme, a critical part of any organisation’s BCP is the testing and verification of any BCM programme that has been developed. Although it is clearly impossible to fully recreate the conditions that would be present in a full-blown crisis, it is still possible to test the programmes and the ability of critical staff to implement them through a series of progressively more complex and challenging scenario-based training.
As an example of a simple verification exercise, one of the problems in any BCM plan is that the information held in it changes. People move jobs or leave the organisation altogether, functions are moved to different offices, there are corporate reorganisations so that reporting chains may change, entry codes to various locations may be changed. This is all critical information that is fundamental to the effective management of any BCP.
Given the level of organisational stress that is involved in any BCM operation, together with confusion and personal pressure, the impact of such out-of-date information is almost impossible to calculate. To phone someone up who is listed as the Business Continuity Director of a particular division, only to find out that the number no longer exists because that person left the company two years ago, is not helpful, to say the least. A significant issue in the testing and verification of BCM plans is therefore making sure that the information that they hold is reviewed, updated and checked.
On a practical basis, the way that BCM plans can be tested (and then improved, based on the lessons learned), is to hold regular table-top exercises that allow people from different divisions to work together in making decisions, putting plans in action and creating a general corporate-wide business continuity capability. These exercises do not need to be overly complicated, and they certainly do not need to be high-tech, but they should bring as many people together as possible to find out how they can best work together, as they identify potential problems, and create enhanced capability at every level of the operation.
It is in the nature of crises that they tend to be unexpected, and there is never a good time to have one! However, the better the planning and preparation for dealing with them, the more likely it is that the organisation will be able to survive the initial shock. It will then be able to utilise its BCP to deliver a response that will ensure the safety and well-being of staff at the same time that it maintains the operational functionality of the organisation to the greatest degree possible. It can then use BCM to stabilise and reassess, making the necessary decisions that will enable it to return to normal operating status as smoothly and effectively as possible.
Main Points
- The underlying standard for BCM is ISO 22301:2012
- Effective BCP is something that is on-going, rather than a single event
- All plans should be reviewed, checked and updated on a regular basis
- BCPs are only paper – it is people that make them work.
- The more you test and revalidate your plans, through table-top exercises and other similar training events, the more effective your response will be in the event that it is required