Business Continuity Management (BCM) provides a framework for an organisation to build resilience into its business operations. There are several international standards. While it is generally not a legal obligation for private organisations to be certificated, certification benefits insurance arrangements and marketing (it is increasingly becoming a contract requirement), and of course provides comfort to stakeholders – be these shareholders, customers, employees, or suppliers.
Sometimes organisations have the policies and procedures in place - they 'just' need testing! Resolve Risk has developed and run many full scenario and crisis response tests for Local Government, major construction sites, manufacturing and office-based commercial organisations, among other highly specialised operations. These are always bespoke to the organisation, and while they place the 'players' under pressure for a short period, they are always well received and enjoyed, and always bring improvements to current policy in one way or another.
Resolve Risk has experience with international organisations in many industry sectors including manufacturing, food processing, services, property management, construction, aviation, healthcare, tourism and leisure, as well as Local Government.
Where there is a pre-existing management system in place, Resolve Risk consultants can assist with an external audit and help run scenarios – to practise and test that the assumptions made in the planning will actually work in the event of a major incident. Resolve Risk works to the principles set out in the current Best Practice Guidelines published from time to time by the Business Continuity Institute.
It is vital to remember it is often a small event that starts a chain reaction leading to a major incident, rather than a major, natural, or man-made catastrophe to which an organisation will have to react.
Anthony Taylor is the author of 'Business Continuity Management, Planning for Business Resilience', published by RICS (2012).
Planning will include the development of a defined scope that is appropriate for your organisation and the subsequent development of strategy, policy, procedures, roles and responsibilities – effectively defining the appropriate structure for the management of business continuity within the organisation.
It also assesses what the acceptable timescales would be before an event could cause an unacceptable failure in operations (known as the Maximum Tolerable Period of Disruption [MTPD]) and how quickly the process must be returned to full operational capacity, which may include a phased return to service, known as the Recovery Time Objective [RTO].
The BIA will include investigation/discovery of the resources (i.e. staff skills and equipment) necessary to facilitate the return to operations, and will also investigate IT dependencies and the resilience of data storage and delivery. The exercise also illustrates areas where often simple changes can be effected to immediately reduce risk of failure and will assist in identifying seemingly minor issues that may lead to ‘death by a thousand cuts’.
Having established how the organisation actually operates in practice, its customers' expectations (and what they may find acceptable in the event of emergency), and what each organisation expects of its suppliers and employees, the next stage is to develop both an Incident Management Plan and the Business Continuity Plan.
The Incident Management Plan – This sets out who is tasked with what while the event plays out, and will be invoked to deal with the immediate emergency response (i.e. safety, internal and external communications, salvage and security). There may be specific plans developed to deal with specific events such as flooding, but they will always plan for adequate communications.
The Business Continuity Plan (BCP) is effectively the plan that each business unit, and therefore the organisation as a whole, will follow to return the whole organisation back to full operation over time, and according to pre-agreed parameters. Building on the information gained through the BIA, each business unit is coached to develop procedures and access sufficient resources that will enable it to function adequately to keep the organisation in business until such time as it is returned to full operational functionality.
Training is necessarily part of any successful strategy, and any standard will require the processes to be ‘embedded’ throughout the organisation. This can be by way of blended learning such as seminars, BIA workshops, scenario tests (see below) and, where appropriate, e-learning. If required, Anthony is able to provide coaching in how best to respond to media interrogation (yes, it often feels like that, and the success or failure of the response to the media can significantly affect the outcome and consequences of the event for the organisation).
As with any worthwhile management system it needs to be checked to ensure it is still ‘fit for purpose’ and is actually being adhered to. This may include investigation of IT response capabilities and data security.
This can be effected by one or more of the following:
Audit
Scenario testing
Emergency/Incident Preparedness testing
Business Continuity Plan testing
All of the above ‘checks’ will be concluded with a full report highlighting what went well and with recommendations in regard to potential improvements.
Resolve Risk has run many and various scenarios, ranging from facilitating ‘desktop’ exercises to setting full scenarios involving suppliers, customers and the emergency services.
These will always test communications; we can arrange for reporters to undertake telephone interviews and may introduce video cameras to mimic media ‘doorstepping’ techniques.
We can also provide advice as to how best to manage the war of words and images that arrive very quickly on social media sites, to enable the organisation to gain the maximum benefit and minimise any potentially damaging publication.
One outcome of business continuity planning is to reduce the risk, costs and liabilities that the organisation may accrue in regard to business interruption insurance. Resolve Risk, with insurance industry specialists, is able to provide consultancy services concerning business interruption, including, potentially, negotiating with insurers to either reduce insurance premiums or, perhaps, inviting your insurers to support your BCM provision.
Identification of control measures, development of auditing protocols to ensure ongoing control effectiveness
Quantification of risk exposure - leading to controlled ownership and reduction of risk exposure values