Business continuity management is a big animal and it’s unlikely you’ll be able to digest even one tenth of it at a single sitting. This isn’t too surprising in a discipline that aims to facilitate rebuilding the core of an organisation in just a few short days.
But don’t be dismayed or put off by this; enormity has hidden benefits. It means you can view the subject from many angles, touring it, taking in new perspectives with every turn.
As you become familiar with its shape, form and anatomy you’ll realise that business continuity can be both enlightening and challenging.
This article sets out to offer an introduction to the subject, taking you close but not so close that you lose sight of your objective or get trampled underfoot. It provides a view of the conceptual side, touching upon motivation and methodology as well as the more practical components of analysis and planning.
The art of digesting business continuity comfortably lies in understanding why it exists. It starts with people known as stakeholders. These are individuals, groups or bodies that stand to lose in some way if the organisation fails to deliver on its promises. The makeup of the stakeholder population varies between organisations and can include employees, directors, shareholders, beneficiaries, pensioners, customers (in the widest sense of the word), partners, suppliers, the public and the media. Stakeholders’ interests are similarly diverse, ranging from balance sheet preservation to the avoidance of hurt feelings, from maximising sales performance through to strong workforce morale and the ability to report news.
Most legislatures identify individuals responsible for ‘corporate governance’; that is to say those whose duty it is to ensure that (at least) the formal stakeholders’ interests are upheld. These are usually board directors, trustees or partners who in turn may employ managers to implement their instructions. One part of this broad swathe of responsibility, the protection of stakeholder interests from the uninsurable effects of major disruptive events, falls squarely on the shoulders of business continuity and to a large extent defines its purpose.
The words ‘uninsurable effects’ and ‘major disruptive events’ reduce the scope of what would otherwise be an immense task. Traditionally, they rule out most forms of financial crisis, commercial misjudgement and minor operational events that fall under the ‘business as usual’ banner, whilst allowing stakeholders some financial recompense when they claim against insurance policies. Notably, this scope definition may be set to expand.
You would be excused for believing you must now transform the organisation into an impenetrable Fort Knox, duplicating every piece of data and equipment, insuring to the maximum and training teams of staff to respond perfectly to every incident. The fact remains that, as well as benefiting from resilience and the preservation of its integrity, many of the organisation’s stakeholders will also have to fund the protection of their wealth. This is something they will be acutely aware of and reluctant to do unless they are convinced that they will receive a good rate of return on their investment. Most will also have a much firmer grasp of commonsense business finances than they will ever have of business continuity. Consequently, the business continuity manager or business continuity consultant is left to juggle three contrary parameters:
- The level of residual risk that stakeholders are prepared to tolerate (i.e. the risk that remains after planned reduction measures have been applied).
- The actual reduction in risk offered by the available continuity measures.
- The budget they are prepared to allocate for prevention and disaster recovery.
These variables substantially define BCM’s role and the hunt for ‘latitude’ amongst them is continuous. Opportunities for improvement arise in many forms, for example:
- New products and services are continually introduced, offering greater protection against current threats, often at lower cost.
- Many services are contracted and improved cover or terms can frequently be negotiated with the supplier by tendering and selection.
- Budgets are set according to stakeholder perception of the risks the organisation faces. Continual awareness-raising through education and participation can help align budget with expectation.
On the strength of these alone the business continuity manager must adopt the mantle of researcher, corporate guardian, board-level communicator and canny negotiator.
Typically, tens, hundreds or even thousands of opportunities for risk reduction arise during analysis and, as business continuity manager, you must decide which of these should be implemented and in what sequence. A simple two-step mindset can be adopted:
- Identify and plug the big holes first
- For each hole, identify and apply the best value solutions
Finding the ‘big holes’ in the organisation’s defences is easier said than done. For example it’s easy to see that the mainframe might be a critical asset and that if destroyed, its loss would cripple the business. Less apparent might be that users rely on a front-end device to access the mainframe whose configuration is obsolete and which now represents a single point of failure. Add to this that the likelihood of the mainframe failing is remote since it is heavily protected, while the front-end device sits in an unlocked closet, dusty and poorly maintained. Which (if any) of the two should we spend our last dollars on? Using this limited information it is of course impossible to tell, although you may have already made an assumption. We can only improve on this guesswork by systematically analysing the ways in which the organisation feels and accumulates ‘pain’ following an incident, usually using a technique called Business Impact Analysis (BIA).
One adventurous way of collecting the data we need would be simply turning off the mainframe and then the front-end device in turn and monitoring the accumulation of stakeholder losses (and lawsuits) arising from each! Joking aside, it is extremely rare that we can measure actual loss and equally difficult to obtain an accurate likelihood figure for the loss of either device. Instead, we are obliged to build a portfolio of convincing guesstimates: a table listing the assets we wish to protect and, against each entry, our estimates of impact, likelihood and resulting exposure (impact multiplied by likelihood). For each candidate measure we can then compare its cost with the reduction in exposure it buys, giving a risk reduction per dollar spent, an assessment of relative value to the business and a basis for comparison. BIA is also used to prioritise recovery from disaster and is a vital component of every business continuity plan. It uses the rate of anticipated loss arising from the non-functioning of an asset or department to determine restoration timeframes, recovery priority and the degree of preparation required. From the business continuity manager’s perspective and despite its vagaries, BIA is a vital tool and a powerful justification for every decision made under the business continuity and risk management banner.
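The table of guesstimates described above can be made concrete. The following is an added illustration written for this article, not the author’s own tool or method: it models the mainframe and the dusty front-end device as entries in a small risk register, computes exposure as impact multiplied by annual likelihood, and ranks candidate measures by the reduction in exposure they buy per dollar of annual cost. Every figure in it (losses per day, likelihoods, outage durations, costs) is a constructed assumption chosen to make the point, not a measured value, and the asset and measure names are hypothetical.

```python
"""Added illustration, not from the article: a minimal quantitative BIA and
risk register for the mainframe / front-end device question.

Every figure below is a constructed 'guesstimate' for illustration; nothing
here is a measured loss or a real likelihood.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Asset:
    name: str
    loss_per_day: float         # estimated stakeholder loss per day the asset is unusable
    likelihood_per_year: float  # estimated probability of a disabling failure in a year
    outage_days: float          # expected duration of an unplanned outage

    @property
    def impact(self) -> float:
        """Loss from a single incident (single-loss expectancy)."""
        return self.loss_per_day * self.outage_days

    @property
    def exposure(self) -> float:
        """Annualised exposure: impact x likelihood (annualised loss expectancy)."""
        return self.impact * self.likelihood_per_year


@dataclass(frozen=True)
class Measure:
    name: str
    asset: Asset
    cost_per_year: float
    new_likelihood_per_year: Optional[float] = None  # None: likelihood unchanged
    new_outage_days: Optional[float] = None          # None: outage duration unchanged

    def residual_exposure(self) -> float:
        """Exposure that remains once this measure is in place."""
        likelihood = (self.asset.likelihood_per_year if self.new_likelihood_per_year is None
                      else self.new_likelihood_per_year)
        days = self.asset.outage_days if self.new_outage_days is None else self.new_outage_days
        return self.asset.loss_per_day * days * likelihood

    def risk_reduction(self) -> float:
        return self.asset.exposure - self.residual_exposure()

    def value_per_dollar(self) -> float:
        """Reduction in annualised exposure bought per dollar of annual cost."""
        return self.risk_reduction() / self.cost_per_year


def rank_measures(measures: List[Measure]) -> List[Measure]:
    """Best-value measures first: 'for each hole, apply the best value solutions'."""
    return sorted(measures, key=lambda m: m.value_per_dollar(), reverse=True)


def plan_within_budget(measures: List[Measure], budget: float) -> List[Measure]:
    """Greedy selection by value per dollar, at most one measure per asset.

    Two measures on the same asset do not reduce exposure additively, so this
    simple rule takes only the best-value one for each asset.
    """
    chosen, covered, remaining = [], set(), budget
    for m in rank_measures(measures):
        if m.asset.name in covered or m.cost_per_year > remaining:
            continue
        chosen.append(m)
        covered.add(m.asset.name)
        remaining -= m.cost_per_year
    return chosen


# Constructed figures. Both assets carry the same loss per day because users
# cannot reach the mainframe without the front-end device.
MAINFRAME = Asset("mainframe", loss_per_day=500_000, likelihood_per_year=0.01, outage_days=10)
FRONT_END = Asset("front-end device", loss_per_day=500_000, likelihood_per_year=0.5, outage_days=2)

MEASURES = [
    Measure("Hot standby mainframe", MAINFRAME, cost_per_year=400_000, new_outage_days=0.5),
    Measure("Spare front-end device in a locked cabinet", FRONT_END, cost_per_year=5_000,
            new_outage_days=0.1),
    Measure("Maintenance contract for front-end device", FRONT_END, cost_per_year=20_000,
            new_likelihood_per_year=0.1),
]

if __name__ == "__main__":
    for a in (MAINFRAME, FRONT_END):
        print(f"{a.name:18s} impact={a.impact:>12,.0f}  exposure/yr={a.exposure:>10,.0f}")
    for m in rank_measures(MEASURES):
        print(f"{m.name:44s} reduction/yr={m.risk_reduction():>10,.0f}  per $={m.value_per_dollar():.2f}")
    print("within 30k/yr:", [m.name for m in plan_within_budget(MEASURES, 30_000)])
```

With these constructed numbers the mainframe has the larger single-incident impact (5,000,000 against 1,000,000) but the front-end device carries ten times the annual exposure (500,000 against 50,000), so it is the ‘big hole’, and a cheap spare in a locked cabinet buys far more risk reduction per dollar than a hot standby mainframe. Change the guesstimates and the ranking can flip, which is exactly why the estimates, not the arithmetic, deserve the scrutiny.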
Plat du Jour
The true currency of continuity, the nitty-gritty, the commodity that we strive to manage, is disruption itself. Many excellent books have been written on and around this subject, delving into the nature of chaos, entropy and disorder, providing fascinating background reading. However, the points that shape the continuity manager’s role can be extracted on the strength of a simpler analysis.
Disasters begin with one or more causal events; an accident, an intentional act, a naturally occurring phenomenon or a compound of these. Each has a characteristic ‘footprint’ and if it strikes us severely or in a vulnerable place then it may puncture our defences in a very specific way. For example, a denial of service attack that penetrates the firewall may disable a server by deluging it with incoming mail. This footprint, combined with the likelihood of the event occurring defines it as a threat to our business and something we must take into account. Once on the ‘inside’ the threat begins to disrupt operations in a particular way, affecting the parts of the operation it touches and potentially causing it to fail in a certain predictable way called a failure mode. All business assets (tangible and intangible) have one or more failure modes. For example, the server could also fail because of a disk crash, an operating system error or a power supply burn-out. Failure modes represent weaknesses and an awareness of these can help highlight opportunities for improvement by the continuity practitioner.
Business assets are there for a reason – either they generate direct benefit or they add value by supporting other assets or processes. So when our server fails, there is an inevitable knock-on, a cascading effect where this single malicious act now affects hundreds or thousands of desktops, depriving staff of email services, affecting departments and ultimately reducing service to customers. This escalation through the organisation is a function of ‘causality’, a unique characteristic with many time constants and dependencies. The causal net can be modified to halt propagation by building-in firebreaks and duplication of critical assets; it is another important consideration for the business continuity manager.
If the net effect of threat propagation is that the operation is damaged so severely that stakeholders rapidly suffer intolerable loss, then a disaster can be said to have occurred. The cumulative end-effects of the threat’s propagation again tend to present in a characteristic way that is unique to the organisation, allowing them to be classified as ‘scenarios’ e.g. ‘medium-term denial of access to building A’. In each case recovery must be effected and the business continuity manager must be prepared and know how to respond. From this much-simplified explanation, we can see that an organisation’s exposure to risk can be reduced at three stages in the cycle:
- Before incidents occur, by managing down the likelihood or severity of certain threats arising e.g. training staff not to make operational errors, using CCTV as a deterrent to vandals
- During incident propagation, by building- or buying-in resilience in individual critical business components, systematically reducing vulnerability e.g. installing uninterruptible power supplies to computer suites, deploying firewalls for internet traffic
- After a disaster has been declared by being prepared and by responding appropriately to facilitate timely recovery e.g. training staff to respond, planning how they should act, providing alternative infrastructure and resources
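The ‘causal net’ and the effect of firebreaks and duplication on it can be traced mechanically. The block below is an added illustration written for this article, not the author’s own method or any product: it represents each asset’s dependencies as a list of requirements, where each requirement is a set of alternative providers any one of which will do, then propagates a failure to a fixed point, lists the single points of failure for a critical service, and shows that a duplicated mail server plus a telephone fallback stops the mail-server failure from reaching customer service. The asset names and the dependency structure are constructed for the example.

```python
"""Added illustration, not from the article: a small 'causal net' of asset
dependencies used to trace how one failure propagates, to list single points
of failure, and to show that duplication and a firebreak halt propagation.

The asset names and dependencies are constructed for the example.
"""
from typing import Dict, FrozenSet, Iterable, List, Set, Union


class DependencyNet:
    """Each asset has a list of requirements. A requirement is a set of
    alternative providers; the asset stays up while any one of them is up."""

    def __init__(self) -> None:
        self.requires: Dict[str, List[FrozenSet[str]]] = {}
        self.assets: Set[str] = set()

    def add(self, asset: str, *requirements: Union[str, Iterable[str]]) -> None:
        """Declare that `asset` needs every listed requirement to function."""
        self.assets.add(asset)
        reqs = self.requires.setdefault(asset, [])
        for req in requirements:
            alts = frozenset([req]) if isinstance(req, str) else frozenset(req)
            self.assets.update(alts)
            reqs.append(alts)

    def propagate(self, failed: Iterable[str]) -> Set[str]:
        """All assets down once the directly failed ones are lost (fixed point)."""
        down = set(failed)
        changed = True
        while changed:
            changed = False
            for asset in self.assets:
                if asset in down:
                    continue
                for alts in self.requires.get(asset, []):
                    if alts <= down:  # every alternative provider is down
                        down.add(asset)
                        changed = True
                        break
        return down

    def single_points_of_failure(self, critical: str) -> List[str]:
        """Assets whose sole failure takes `critical` down."""
        return sorted(a for a in self.assets
                      if a != critical and critical in self.propagate({a}))


def baseline_net() -> DependencyNet:
    """Everything in series: one mail server, one route to customers."""
    net = DependencyNet()
    net.add("front-end device", "mainframe")
    net.add("desktop access", "front-end device")
    net.add("order processing", "desktop access")
    net.add("email", "mail server")
    net.add("customer service", "order processing", "email")
    return net


def hardened_net() -> DependencyNet:
    """Same net with the mail server duplicated and a firebreak: customer
    service can fall back to the telephone when email is lost."""
    net = DependencyNet()
    net.add("front-end device", "mainframe")
    net.add("desktop access", "front-end device")
    net.add("order processing", "desktop access")
    net.add("email", ["mail server", "standby mail server"])
    net.add("customer service", "order processing", ["email", "telephone"])
    return net


if __name__ == "__main__":
    for label, net in (("baseline", baseline_net()), ("hardened", hardened_net())):
        print(f"{label}: mail server failure takes down",
              sorted(net.propagate({"mail server"})))
        print(f"{label}: single points of failure for customer service:",
              net.single_points_of_failure("customer service"))
```

In the baseline net the loss of the mail server reaches customer service and every asset on the page is a single point of failure for it; in the hardened net the same failure stops at the mail server itself. Note what the model also shows: the front-end device remains a single point of failure in both nets, because duplicating the mail server does nothing for the mainframe access path, which is the case the BIA above flagged.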
These points attach two more vital strings to the business continuity consultant or manager’s bow. The first is operational risk management (sometimes called risk analysis or risk assessment) which involves the systematic reduction of risk using tools such as Failure Mode Effects Analysis (FMEA), risk registers and the application of checklists and standards. The second is business continuity planning which has its own panoply of associated techniques, too many to cover here.
From this lightning foray into the world of business continuity it should be evident that the subject is truly multi-faceted; that in addition to being a collection of expert disciplines, it is a living process and a highly interactive management activity touching most aspects of the organisation; that it has a Jekyll-and-Hyde persona, able to switch in an instant from a thoughtful, low-profile peacetime identity to a highly visible source of order, provision and knowledge, a saviour when disaster strikes.
You should know that the business continuity manager must maintain an up-to-the-minute, in-depth understanding of the organisation she protects. She must anticipate and keep pace with markets, people, places, technologies, suppliers and information as it moves and changes over time. She is also the sweeper, the ultimate backstop, the safety barrier that one day may save the organisation from calamity. You should also have begun to appreciate the enormity of the task.
To compensate, business continuity managers are entrusted with a unique insight into how the business really works, from power cabling right through to process interactions sometimes on an intercontinental scale. They do this by constantly accumulating knowledge, digesting it comfortably a piece at a time until they achieve control. A little like eating an elephant.