In recent years, the adoption by organisations of sound corporate governance processes to meet requirements laid down by the Combined Code, Sarbanes-Oxley and Basel II has dictated the need to implement business continuity management. Even for organisations that do not need to comply with such directives and legislation, there is a moral and ethical imperative to ensure that staff welfare is safeguarded and the future of the business is secured should the unthinkable happen in today’s uncertain world.
Definition of Business Continuity Management
According to the Business Continuity Institute (BCI UK):
Business Continuity Management is “an holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities”.
Business Continuity Objective
The overall business continuity aim of an organisation is to maintain production and operations in a safe and environmentally responsible manner, where feasible.
The general objectives of the Plan are to ensure that in the event of an incident or crisis situation:
- There will be a logical recovery of the business
- Impacts will be kept within acceptable levels as defined by the business department representatives
- Business will continue as usual, as far as possible
The Plan will address the following planning priorities:
- Staff health & safety
- Safeguarding of assets
- Continuity of key business activities
- Protecting the environment
- Maintaining cash flow
- Fulfilling obligations
It is the policy of an organisation to:
- Maintain a strategy for reacting to, and recovering from, adverse situations which is in line with senior management’s level of acceptable risk
- Maintain a programme of activity which ensures the company has the ability to react appropriately to, and recover from, adverse situations in line with the business continuity objective
- Maintain appropriate response plans underpinned by a clear escalation process
- Exercise response and recovery plans at least annually
- Maintain a level of resilience to operational failure in line with the risk faced, the level of negative impact which could result from failure and senior management’s level of acceptable risk
- Maintain employee awareness of the company’s expectations of them during an emergency or business continuity threatening situation
- Take account of changing business needs and ensure that the response plans and business continuity strategy are revised where necessary
- Remain aligned with best practice in business continuity management
Business Impact Analysis
Critical business processes have been identified and required resources determined to keep these processes running effectively. This analysis will be maintained over time to take account of the changing business.
An assessment of the threats which could prevent key offices being utilised has been conducted, and appropriate, cost-justified controls have been put in place both to manage those threats should they occur and to reduce the likelihood of them happening in the first place.
Business Continuity Strategy & Plans
Operations can continue to be supported in the event of a complete loss of a single office, its contents and infrastructure by utilising a combination of unaffected offices and data centres, together with business recovery site seating secured under a contract agreement.
Formal emergency response and business continuity plans exist to allow incidents to be managed effectively and to return to business-as-usual status in the optimum time. These include a technical plan for recovering IT systems, telephones and data communications. Plans are tested at least annually and reviewed at least quarterly to provide confidence that they would work in practice should they need to be used in earnest.
Emergency Response and Crisis Management Teams are in place, comprising a mix of key individuals and managers from across the business, to oversee the appropriate response to any adverse situation, supported by a clear and fast escalation process to ensure that incidents are assessed quickly and dealt with correctly.