3.1 Introduction

This chapter elaborates on a review of BCM. As the background, it describes the historical development of BCM and its relationships with other concepts. It will be followed by reviews on BCM as a management system, BCM’s main principles, and Business Continuity Planning overview. The next section will describe the implementation of BCM, related with regulations or standards that support the concept and the development of BCM level of preparedness. Several reviews on BC plans from various sectors are elaborated in the final part of the chapter, followed by reviewing the need for BCM in organizations based on its benefits and challenges.

3.2 Background

3.2.1 BCM Definition and Development

The Business Continuity Institute (Business Continuity Institute 2007b) defines Business Continuity Management (BCM) as an act of anticipating incidents that will affect mission-critical functions and processes for the organization, and ensuring that it responds to any incident in a planned and rehearsed manner. Moreover, the Singapore Standard for BCM (SPRING 2008) looked at this concept as a holistic management process that identifies potential impacts which threaten an organization and provides a framework for building resilience and the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. Foster and Dye (2005) similarly viewed BCM as the process of developing advance arrangements and procedures that enable an organization to respond to an event in such a manner that critical business functions continue with planned levels of interruption or essential change. In this context, top management must take the lead in driving organizational BCM with a view to garnering the collective efforts of all individuals within the organization for this purpose (Low et al. 2008a). The main objectives of developing and implementing a BCM in an organization are (O’Hehir 1999; Health 1999):
Moreover, Smith (2003) stated that an effective BCM strategy should be to ensure the safety of staff, maximize the defense of the organization’s reputation and brand image, minimize the impact of business continuity events (including crises) on customers or clients, prevent impact beyond the organization, demonstrate effective and efficient governance to the media, markets and stakeholders, protect the organization’s assets, and meet insurance, legal and regulatory requirements.

Historically, BCM was developed many years ago as an evolution of the disaster recovery approach in a firm. Its roots lie in Information Systems (IS) protection, although it is argued that it has come a long way since then. Elliott et al. (2002) developed these theories in more detail, explaining that the evolution of BCM has progressed from a focused technical aspect to a broader strategic organizational requirement. They also described the evolution as being linked to three mindsets within organizations, which are the technology, auditing and value-based mindsets. The key features of these mindsets are:
According to Foster and Dye (2005), after the September 11 2001 attacks, an event that hit the World Trade Centers in New York City, many companies had realized that the world is now full of many unknown threats, requiring that business continuity plans be much broader than in the past. Significant threats are now not only confined in the categories of fire, natural disasters and some infrastructure breakdown. Threats such as terrorism, cybercrime, reliance on third-party vendors and suppliers have also become significant. Therefore, business continuity planning should require more robust prioritization efforts for business recovery, proactive development of new and innovative recovery strategies, and a greater dependence on the testing of plans. Furthermore, considerations that need strategic thinking are not only on the location decisions of a company’s own facilities, but also the location decisions of a business partner (such as supplier). All of these environmental changes take BCM into a higher level, which is more focused on building resilience. Smith (2003) also argued that BCM is not only about disaster recovery or responding to a crisis. It should be a business-owned and driven process that unifies a broad spectrum of management disciplines. In addition, crisis and risk management are part of the fundamentals used for developing a BCM concept. Figure 3.1 shows the difference between the old and new BCM approach. Herbane et al. (1997) described the continuum of standard and better practice of BCM and identified a number of dimensions against which practice might be assessed. The first two dimensions refer to the types of staff employed in continuity projects and to the scope of their work. Standard practice is concerned with IT systems and employs only IT staff while better practice organizations employ staff from various backgrounds on a project which is business wide in scope. 
In standard practice, there was little need for new structures because IT could deal with continuity. In better practice cases, new structures of coordinators were identified with responsibility for the continuity process being delegated to each business unit and the dedicated continuity team providing a supporting role. The final group of dimensions relates to the strategy. Better practice saw continuity as a strategic issue both in terms of protecting its place in the supply chain and in marketing activities.

Fig. 3.1 Old and new BCM approach. Source: Adapted from Herbane et al. (1997)

These reviews show that BCM has developed and evolved into a more holistic approach. It has progressed into a broader strategic organizational mindset which focuses on its business values. In the context of definition, it appears that SPRING’s (2008) definition of BCM has incorporated all of these aspects and represents the latest BCM mindset. Other BCM definitions from BCI (2007b), Foster and Dye (2005), and Smith (2003) provide similar meanings of the BCM concept, which focuses on the keywords of: processes/procedures for the organization; response to incidents/threats/events; critical functions; and a planned and rehearsed manner. However, SPRING (2008) defined BCM’s critical functions in more detailed aspects which include key stakeholders, reputation, brand and value-creating activities. Moreover, it specified the management process as holistic and the responses to threats/incidents are developed as a framework for building resilience.

3.2.2 BCM and Other Related Concepts

BCM has been considered as part of other concepts for overcoming crisis. There are relationships between BCM and these concepts, such as risk management, crisis management, and disaster recovery.

3.2.2.1 BCM and Risk Management

There are differences between risk management and BCM.
Risk management focuses on a thorough organization-wide identification and assessment of risks and evaluating risks in relation to their likelihood and impact before identifying an appropriate risk response. BCM is concerned only with events that cause a significant business disruption, where it is not mainly concerned with probability but with the impact of an event and the time required for an organization to return to normal business operations (Collier 2009). Moreover, Goh (2010) mentioned that the relationship between risk management and BCM can be partially explained by referring to the Australian Standard for risk management. BCM efforts focus on addressing those risks which are deemed not acceptable to the organization. Subsequent BCM activities are aimed at establishing the appropriate measures to address these risks. It relegates BCM as part of risk treatment.

Business Continuity has been defined “to safeguard the interests of an organization and its key stakeholders by protecting its critical business functions against predetermined disruptions” (BCI 2010, p. 3). The numbers and types of critical business functions in an organization would depend on the nature of the business and its mission as reflected in its Minimum Business Continuity Objective (MBCO). Risk management in BCM should be restricted to those instances where it affects the MBCO of the organization. It is also important to note that BCM is focused on identifying vulnerabilities within organizations, especially those linked to the underlying value they support and understanding the impact of their non-availability over time on the organization (BCI 2010; Hiles 2007). Table 3.1 summarizes the comparison between risk management and BCM.

Table 3.1 Comparison between Risk Management and BCM [adapted from BCI (2005, p. 6)]

3.2.2.2 BCM and Crisis Management

BCM has strong links with crisis management through the incident management component.
In the BCM context, incidents come in different shapes and sizes and will typically invoke the BCM plan. Crisis management is often seen as the domain of communication and public relations (PR) practitioners with the BCM practitioner in a support role, if involved at all. Crisis management is also seen as responding to non-physical as well as physical events such as financial performance and reputation tarnishing incidents (BCI 2010). Moreover, BCM considers any disruption holistically and determines how an organization will respond to the disruption, continue its activities and recover. BCM practitioners consider the media response to an incident or crisis to be an integral part of a full business continuity (BC) programme. Regarding emergency planning that is usually included in incident management, BCM views that this planning is not only seen as the domain of services from police, fire, ambulance and local authorities, but also for the organization in general. The company that adopts BCM would have a specific emergency response team that will coordinate with other external emergency response agencies (BCI 2010). Other relationships between BCM and crisis management were also mentioned by Elliott et al. (2002), where BCM provides principles that use a crisis management approach. A crisis management approach may be defined as one that:
Some studies had made a distinction between BCM and crisis management. BCM refers to the planning and implementation of systems and procedures to enable an organization to sustain normal operations in the event of a disaster or other potential interruption. It is the process of developing advance arrangements and procedures that enable an organization to respond to an event in such a manner that critical business functions continue with planned levels of interruption or essential change. Crisis management is viewed to be a process by which an organization deals with major unexpected events that have already happened. Crisis management focuses on the immediate activities which need to be considered when the incident occurs. At most, the crisis management planning phase deals with the first couple of hours of the incident occurring, detailing who the key decision makers are, who will talk to the customers/clients/regulators and when this will be conducted (Smith 2003; Devlin 2007; Foster and Dye 2005). In addition, BCI (2007a) defined crisis management as the role that senior management have during an incident. It includes the high level command and control aspects of identifying a crisis situation, deciding how and when to respond, communicating both internally and externally, and leading and directing the recovery process.

3.2.2.3 BCM and Disaster Recovery

According to Elliott et al. (1999), the difference between disaster recovery and BCM is primarily based on its scope. Disaster recovery is a focus on technology-based problems triggered by external factors. BCM focuses more on adding value, creating an attitudinal change throughout the organization and considering its associated stakeholder groups. It is more concerned with the continuance of the whole business in the face of any unusual or unforeseen event. Moreover, disaster recovery is the implementation of a response capability to a specific type of event that impacts the continuity of the business.
BCM is responsible for the overall identification of potential events, the likelihood of the occurrence of the event, and the predicted impact on the organization. BCM puts in place plans to deal with such occurrences. Disaster recovery is essentially a plan, with supporting infrastructure, which is enacted in the event of a disaster. In this way, disaster recovery is a subset of BCM, as is contingency planning, high availability planning, and the like (McCrackan 2005).

3.2.2.4 BCM and Business Resilience

BCM is a relative newcomer to the business disciplines; however, aspects of BCM may have always been present in organizations, under different names. The vulnerabilities in the business and operating model of an organization can be considered in seven areas, which are reputation, supply chain, information and communication, sites and facilities, people, finance and customers. The nature of the BCM approach is to provide the framework to understand how value is created and maintained within an organization and to establish a direct relationship to dependencies or vulnerabilities inherent in the delivery of that value. This approach is conducted in a holistic and cross-functional manner. A successful BCM implementation would increase an organization’s resilience, where it is defined as the ability to absorb, respond and recover from disruptions. This will eventually contribute to higher corporate performance (BCI 2010).

3.3 BCM as a Management System

BCM is a system that develops a framework of protocols and sets of procedures and instructions which give structure, order and stability to the particular function being managed. It is in line with the definition of a management system, stated by Griffith (1999), that sets out and describes, for a particular management function, the organization’s policies, strategies, structures, resources and procedures used within the firm to manage the processes that deliver its products or services (Griffith 2011).
Based on its theory development and main principles, it can be seen that BCM adopts several mainstream management theories. In its implementation, BCM adopts the Plan-Do-Check-Act (PDCA) methodology for achieving continual improvement. The BCM policy, objectives, processes and procedures are planned, implemented, assessed, and reviewed regularly (SPRING 2008). PDCA is a key attribute within standards-based management systems that is widely used nowadays. It was established by Deming, who propounded the view of quality management within a cycle of plan-do-check-act. The theories underpinning quality management have influenced systems development and continue to form component parts of systems applications. Historically, quality management was developed from a range of traditional organizational theories such as scientific, human and classical schools of thought. These theories are also pertinent to the evolution, development and implementation of management systems (Griffith 2011).

BCM also adopts the view of complexity theory, where an organization consists of a number of components (agents) that interact with each other according to sets of rules that require them to examine and respond to each other’s behavior in order to improve their behavior (Stacey 1996). According to Griffith (2011), due to the extent and complexity of the arrangement of business activities, processes and resourcing, a management system in an organization should establish an effective framework of responsibilities at various organizational levels. Part of the BCM principles is determining the various responsibilities of the BCM members.

Based on its definition, BCM is developed and implemented in a holistic approach. The holistic perspective has much in common with systems theory. This theory views the management system as a central part that directly supports the core business of the organization.
Moreover, it is considered that a management system focuses not only on itself but also on the greater contribution that it can make to the organization (SPRING 2008; Griffith 2011; Checkland 1981).

According to Lawrence and Lorsch (1967), contingency theory suggests that organizational variables are in a complex interrelationship with one another, where environmental contingencies act as constraints and opportunities which influence the organization’s internal structures and processes. Moreover, decisions are made through consideration of all aspects and a situational approach (Olum 2004; Carlisle 1976). In BCM, this approach is adopted by implementing risk analysis and business impact analysis. The consideration of risk is viewed as a key element of the system (BCI 2010).

The BCM methodology has strong links with crisis management. Crisis management is often viewed as responding to non-physical as well as physical events such as financial performance and reputation tarnishing incidents. Furthermore, the domains of communication and public relations are important in crisis management. BCM considers any disruption holistically and determines how an organization will respond to the disruption, continue its activities and recover. BCM practitioners also view communication and response to the public as part of a full business continuity programme (BCI 2010).

Change management is also part of crisis management. Lawrence et al. (1976) stated that a visible crisis faced by an organization can be an important force for triggering behavioral change, although such change may have costs derived from it. Essentially, such a crisis has an unfreezing impact on the members of the organization, causing them to review and analyze their current attitudes and behavior patterns.
Managing change in an organization should be conducted in orderly phases which are diagnosing the problem, planning the change, launching the change, and following up on the change in the organization. In this matter, it appears that these phases are similar to the PDCA approach which is adopted by BCM (SPRING 2008; Lawrence et al. 1976). In accordance with Griffith (2011), a general approach to planning, delivering and implementing any management system consists of the following key considerations, which BCM also provides:
Furthermore, the highly influential factors to be considered in implementing a management system are as follows (Griffith 2011):
These factors should be embedded in an organization for its BCM implementation effectiveness.

3.4 Main Principles of BCM

To implement BCM, each organization must identify the threats and assess their resulting impacts. BCM needs to address issues and concerns in six broad areas in the following order (SPRING 2008):
There are four main components that must be considered in implementing BCM in an organization, which are (SPRING 2008):
Generally, BCM has four main processes which are developed in an organization. The processes are the initiation process (initiating the BCM concept in the firm), planning for business continuity [which produces a business continuity plan (BC Plan)], implementation (implementing the BC Plan through testing and exercising), and lastly the operational management process (maintaining and updating the BC Plan). These four processes can be divided more comprehensively into six phases which are (Pitt and Goyal 2004; Elliott et al. 2002; BCI 2010):
In responding to the changing environment of a business from time to time, the maintenance and updating process should be done on a regular and continuous basis. Based on this review, it is considered that BCM has evolved from a simple reactive disaster recovery planning, to crisis management principally driven by information technology, and finally to a more proactive comprehensive approach.

3.5 Business Continuity Planning (BCP)

The main process of BCM is Business Continuity Planning (BCP). BCP refers to the identification and protection of critical business processes and resources required to maintain an acceptable level of business, protection of such resources, and preparation of procedures to ensure the survival of the organization in times of business disruptions. Fundamentally, it seeks to mitigate the impact of a disaster by ensuring alternative mission-critical capability is available when disaster strikes. The process seeks to preserve the organization’s assets in the event of a disaster, which are its capability to achieve its mission, its operational capability, its reputation and image, its customer base and market share, and its profitability (Low et al. 2008; Hiles 2007). This is regarded as the main process due to its vital output for the firm in handling disruptions and overcoming crises. This planning process will be followed by regular monitoring and updates. Before formulating the BCP framework, the following issues have to be considered thoroughly (Low et al. 2008a; O’Hehir 1999; Eternity Business Continuity Consultants 2007; Civil Contingencies Secretariat 2007):
According to Vancoppenolle (1999) and Elliott et al. (2002), the respective elements are included in the operational flow of a company’s operations, which are: (1) Business processes (how the products and services are delivered to the client); (2) Participants (who the participants are, in the execution of the business process); and (3) Infrastructure and resources (what is used in the execution of the business process). These elements are necessary to be reviewed when analyzing a crisis during BCP. Furthermore, upon the occurrence of a crisis, many parties could be affected (Elliott, Swartz and Herbane 2002). It could be the company management or interest groups like investors, suppliers, etc., who have direct or indirect investments in the company. The occurrence of a crisis, if not appropriately mitigated, could lead to adverse consequences such as withdrawal of funds, which is an external factor. Even though investors are not directly involved in the company’s operations, they have an indirect influence on the growth of the company. Therefore, the requirements of the various stakeholders in the organization should also be considered, which include the following (Singapore Business Federation 2003):
Hiles (2007) stated that the company’s BCP should not be driven by eliminating risks according only to their probability, but rather be based on the effects and impacts on the business if an unexpected event were to occur. Such classification according to effects could be:
These effects from an unexpected event may cascade into larger impact levels. Some examples of these effects are damages to infrastructure elements and resources supporting the business operations. The damage can result in impacts such as unavailability of infrastructure elements or resources or loss of information. Loss of information due to a disaster is not limited to data in computers. All of the information stored in binders, folders (with, for instance, customer information), contracts, property deeds, the archives, the legally required vital records, the paper client files, the business knowledge spread over the place, and others can be lost too. Other than impacts on business operations, the long-term impacts of such crises or events may also arise, even after the business has been resumed and operations have returned to normal. The examples of long-term impacts are: loss of market share; lower share price; lower credit rating; loss of brand value; loss of company image, public confidence and credibility; and loss of key staff. Furthermore, the rippling effects of a business interruption should never be underestimated, particularly for companies that are an integral component of a wider supply chain. When a company participating in a supply chain is hit by a disaster, this could ripple down throughout the supply chain (Hiles 2007).

3.6 BCM Implementation

Nowadays, BCM is widely used in various types of firms. Firms in banking, telecommunication, oil and gas, and retail industries had developed a BCM concept in their management systems. BCM is developed based on their respective business strategies and activities. Due to the different business environments, the firms developed different procedures for overcoming different types of crises. Some of them had also focused not only on their business continuity, but the service continuity to their customers. This shows that they had developed the program based on the value mindset (Elliott et al. 2002).
Herbane et al. (2004) also found that BCM has evolved to encompass wider participants, threats, techniques and responses. It has been applied in the financial service industry, vehicle breakdown services, gas suppliers, water utilities, supermarkets, and local authorities. All of these organizations recognize that in the face of internal and external threats to the continuity of operations, a socio-technical approach (beyond IT disaster recovery) is essential to improve business recovery from crises. They also have linked BCM to strategically important dimensions of their operations.

When implementing BCM for the first time in an organization, project management practices should be adopted. The practices of project management that may usefully be employed include the identification of deliverables, timescales and deadlines, and budget and work effort control. Other knowledge in project management such as communications, risks, procurement and human resources management are also needed for establishing effective BCM components (Business Continuity Institute 2007a).

3.6.1 Legislation and Standards Relating to BCM

Elliott et al. (2010) elaborated that the earliest legal provisions to influence disaster recovery and business continuity (BC) ideas can be found in the 1977 Foreign Corrupt Practices Act, which is the US financial services sector’s provision. It is often cited as an important development in firm’s reorientation of the perceived threats and impacts. Since then, the US financial services industry has developed various regulations and legal requirements to impose greater requirements on BC provisions. Although the acts do not refer specifically to BC, they specify the importance of countering the increasing risk of external threats to digital resilience, which is one of the dependencies on BCM. Moreover, the introduction of BCM-specific regulations in the financial services sector is not only applied in the US.
The Australian Prudential Regulation Authority (APRA) Standard on BCM APS 222 (for deposit taking institutions) and GPS 222 (for general insurers) published in April 2005 (APRA 2005a, 2005b) requires Australian financial institutions to implement a whole of business approach to BCM. Elsewhere, the Reserve Bank of India (RBI) set out a requirement for Indian banks to fully implement BCP, presents a planning methodology, and further specifies a template for plan content. Banks are required to submit recovery time objectives for critical systems to RBI’s Department of Banking Supervision at the end of each financial year and to report major failures and response activities or prevention measures on a quarterly basis (Parthasarathi 2005; Elliott et al. 2010). In several countries such as United Kingdom (UK), United States of America (US), Switzerland, Australia, New Zealand and Singapore, BCM had been developed into a national standard, where every firm from various sectors is encouraged to have this system in its organization (Elliott et al. 2010). In Singapore, the SS540:2008 standard has been formally used as the standard for implementing BCM in a firm. This Singapore Standard is applicable to all organizations regardless of their size. This standard emphasizes resilience and protection of critical assets, in the human, environmental, intangible and physical domains. It focuses on continuity management and recovery of critical business functions (SPRING 2008). Up to now, Singapore is the only country in Asia that has established a BCM standard, whereas other BCM standards came from Europe, North America, and Australia (Elliott et al. 2010). In the UK, the Business Continuity Institute (BCI) has developed a certification standard for business continuity practitioners. 
Besides that, a BCM standard (BS25999:1-2006) as a Code of Practice for Business Continuity Management was also published by the British Standards Institution and can be viewed as an implementation guide and a definitive text for those intending to understand BCM principles and practices in a more comprehensive manner (Business Continuity Institute 2007a). Moreover, the American Chapter of the Business Continuity Institute (BCI) and BSI America have joined forces to help businesses better prepare for disasters by encouraging the adoption of BS 25999 (Business Continuity Institute 2009). This standard is also in line with US’s national standard for business continuity, which is NFPA 1600:2007 (National Fire Protection Association 2007). Furthermore, ISO has officially launched ISO 22301, “Societal security—Business continuity management systems—Requirements”, the new international standard for Business Continuity Management System (BCMS). ISO 22301 has been developed in 2012 to help organizations minimize the risk of business disruptions (St-Germain et al. 2012). This standard is similar to the previous BCM standards, but it has some improvements for BCM implementation such as (St-Germain et al. 2012; SPRING 2012):
According to Goh (2010) and St-Germain et al. (2012), the standards from various countries have similar contents. The differences are on how the standards develop the detailed components in the BCM planning process. In general, each standard has the same BCM planning methodology, which are: Risk analysis and review; Business impact analysis (BIA); Recovery strategy; BC plan development; Testing and exercising; and Programme management (some standards incorporate project management in this phase). All of the above standards have the common objectives, which are to guide the users to recover from any disasters that have occurred in their business environment and still continuously focus on the continuity of their business processes. Furthermore, the standards also help the users in identifying the potential impacts of various disruptions to the firm and be able to prioritize the efforts in aiming to achieve resilience. Table 3.2 illustrates the main aspects of the BCM concept being grouped into six categories. These aspects are summarized from various standards.

Table 3.2 The main aspects of BCM principles

3.6.2 BCM Level of Preparedness

Regarding implementing BCM in an organization, several agencies from various countries had developed assessment levels of BCM preparedness. These levels are useful to assess whether an organization has adopted a complete BCM concept or not. From understanding the position of the company within these levels, the organization gains feedback from its current BCM preparedness level and may increase its effort for a better BCM maturity level. Levels of preparedness assessments have been proven to be an effective evaluation method (Scott 2007). In general, this type of assessment can help the organization to verify what they have achieved relative to the topic assessed. The organization’s current achievement can also be determined by describing their current activities.
In addition, it can assist the organization in prioritizing the necessary improvement based on their assessment results (Peng et al. 2011; Stevanovic 2011). The Ministry of Finance in British Columbia, Canada (MOF-BC 2007), had developed the BCM maturity assessment for every financial agency in the province. There are three levels of criteria involved, which are:
The Australian National Audit Office (2009) had also developed characteristics of better BCM preparedness for public sector entities. There are two levels, which are (1) Basic level, that is generally found in small, non-complex or less time-critical entities and (2) Mature level which is found in large, complex, geographically dispersed or critical entities. The characteristics that are described and assessed in each level are:
Also in Australia, Lansley and McAtee (2009) established a six-level BCM preparedness model for companies. The levels are:
Smit (2005) studied and defined another BCM maturity model that can be applied to organizations. According to the study, there are six levels of BCM maturity, described as follows:
Furthermore, another BCM preparedness level model was developed by a risk consulting firm in Canada (Marsh Risk Consulting 2010). The level of preparedness with its label, an overview of the preparedness level description, and the organization's ability to respond can be seen in Table 3.3.

Table 3.3 Marsh BCM preparedness level

Last but not least, the Singapore Business Federation (2011) provided a BCM preparedness assessment based on the company's level of understanding of business continuity. Red level shows that the organization has a minimal understanding of BC, Yellow level shows that the organization has a basic understanding of BC, and Green level shows that the organization has an advanced understanding of BC. The assessment is conducted by rating the firm's understanding of and preparedness for risk analysis and review, BIA, strategy development, BC plan development, tests and exercises, and programme management. According to a study from New York University (2006), most businesses, particularly small and medium-sized ones, lack formal BCM programs. Only one-quarter of the companies surveyed have formal, written continuity plans. Moreover, only four of those companies provided BCM training to their employees. These four companies had prepared the concept within their organization due to regulatory forces, which are risks to employees and business operations, legal liability, and insurance requirements. Based on this study, it is recommended that an organization should analyze its own case for BCM preparedness and invest accordingly.

3.7 Reviews of BC Plan

Various sectors have developed their BC plans based on the functions of their business and the impacts that may occur from certain crises. There are general principles that can be gained from these plans that may provide insights on developing a BC plan.
3.7.1 BC Plan from Financial Services Sector

As mentioned before, the financial services sector is the pioneer of developing and implementing BCM. In general, the main principles that are established in their BCM policy are as follows (Monetary Authority of Singapore (MAS) 2003; Bank Van De Nederlandse Antillen (Central Bank) 2010):
3.7.2 BC Plan from Education Institutions: A Case Study

On April 16, 2007, Virginia Polytechnic Institute and State University (Virginia Tech) experienced one of the most horrific events in American university history. A double homicide had occurred, followed by a mass shooting that left 32 students and faculty killed, with many others injured, and many more scarred psychologically. Families of the slain and injured as well as the university community have suffered terribly from this event. One of the main recommendations from the tragedy is to update and improve the university's emergency response plan. It is recommended that the plan should be more systematic, including conducting risk analysis (threat assessment) in advance and choosing a level of security appropriate for the campus. Along with that, the university should update and enhance the plan, and students, faculty and staff should be trained annually on responding to various emergencies (Tridata Division 2009; Flynn and Heitzmann 2008). In 2010, the school developed a comprehensive emergency response and continuity plan. The brief description of the plan is as follows (Virginia Polytechnic Institute and State University 2010):
In addition to these groups, there are also essential roles who will direct these groups, supported by essential personnel.
3.7.3 BC Plan for Influenza Pandemic: A Review

A pandemic is an epidemic or outbreak of infectious disease that spreads through populations across a large region; for instance a continent, or even worldwide. A flu pandemic could occur when a new flu virus emerges and starts spreading as easily as normal seasonal flu. As the virus is new, the human immune system will have no pre-existing immunity. This makes it easier for people to contract the new flu and experience more serious symptoms than those caused by normal seasonal flu. Current viruses that had spread across a large region (particularly in Asia) are the influenza A (H1N1), the SARS incident in 2003, and the avian flu (H5N1) (SPRING 2009). According to some studies, no one can predict when a flu pandemic will occur. When it does occur, the impacts may be felt in various ways. Regarding its possible general impact, public gatherings may be discouraged, people with flu-like symptoms may not be allowed in public places, public transport may be disrupted, and regular updates and clarifications may be necessary. As for the business impact, supplies may be disrupted, the number of customers may drop, the use of electronic communications is likely to increase, which may lead to overloaded communication systems, and some staff in any organization may be absent from work (SPRING 2009). Based on these likely impacts, companies are encouraged to ensure their business remains viable in the event of an outbreak. BCP should be developed with further consideration of how to operate the business with minimal face-to-face contact between staff, between staff and customers, and with suppliers; how to operate the business effectively with key members of staff being absent from work; and how to operate if supply chains are disrupted. Moreover, the key risks to the company that need to be addressed in BCP are (SPRING 2009):
The Singapore government proactively took an approach to overcome this crisis through initiatives such as the Flu Pandemic Guide for small and medium-sized enterprises (SMEs) in 2006. The BC guideline developed by a Singapore standards agency provides these contents, particularly for handling a flu pandemic (Low et al. 2010a; Singapore Business Federation 2006; SPRING 2009):

3.7.3.1 Annex section

This section describes:
3.7.3.2 BC Plan for Flu Pandemic Contents
3.8 The Need for BCM

According to a survey on trends in business continuity, BCM has become mandatory to maintain customer confidence and a competitive edge. The threat of interruption and the need to respond promptly have manifested themselves in a vast increase in regulatory requirements and a mandate from customers for BC plan development. Organizations are expected to manage the BC process more collaboratively, be driven to complete their BC plans and include them in Requests for Proposals (RFP) and Requests for Information (RFI) (BUCORIM 2008). There are several sources of external influence that are encouraging an increased focus on business continuity. According to respondents questioned for a report conducted by the Economist Intelligence Unit (EIU 2007), customers are the stakeholder that is viewed as most important in driving decisions about business continuity, with 59% citing them as a significant influence. Moreover, as supply chain relationships become more complex and more dependent, customers will most likely ask about the detailed scope of the BC plan and whether the supplier has it in place, and will request evidence of compliance with particular policies. In addition to customers, pressure from regulators is also becoming more distinct. Regulators are viewed as the second most important external influence over decisions about BC, with 58% seeing them as significant in this regard. This figure rises to 72% among respondents who are in the financial services sector (EIU 2007).

3.8.1 Benefits of BCM

A previous section of this chapter described the relationships between BCM and other concepts. Table 3.4 summarizes the distinction between these concepts based on their main focus and key methods.
Table 3.4 BCM distinction with other related concepts

Whilst BCM is able to help firms to have a response for major disruptions that may threaten their business activities, the Business Continuity Institute (2007a) found that there are other benefits that can be gained by embracing BCM as a management discipline in an organization. Firstly, BCM will help address some key risks in the firm and help it achieve compliance. Secondly, BCM can be used as a competitive advantage to gain new customers and to improve margins by using it as a demonstration of "customer care". Thirdly, a thorough review of the business through Business Impact Analysis (BIA) can highlight business inefficiencies and focus on priorities that would not otherwise have come to light. And last but not least, firms providing services or goods recognize that keeping customers through a more reliable service is cheaper than tempting back the deserters after an interruption. Other studies have also found various benefits of implementing BCM in an organization. Table 3.5 shows the BCM benefits from various studies. In addition, the table shows that BCM's main focus and key method of conducting Business Impact Analysis play an important role and provide positive implications for an organization that implements BCM.

Table 3.5 BCM benefits

3.8.2 Challenges in BCM

Although BCM is considered necessary for organizations to implement, there are several challenges regarding its implementation. Robinson (2009) viewed the recent economic recession as a challenge in implementing BCM. Recession has delayed or reduced BCM uptake, with top management viewing it as discretionary spending. Moreover, only a minority will recognize that recession increases the need for BCM, with cutbacks reducing operational resilience and scarce liquidity eroding financial tolerance.
Nonetheless, when a senior management team still has a strong commitment to sustaining its business resilience and perceives the recession-BCM link as strong enough, these can be strong contributory factors in maintaining its BCM. Moreover, Molinier (2009) opined that these economic conditions should be viewed as an opportunity to demonstrate how companies can provide resilience whilst streamlining processes and adopting a cost-benefit approach that demonstrably supports business objectives. According to Continuity Central's survey of BC professionals (Continuity Central 2011), the biggest challenge in implementing BCM was lack of resources for the implementation. The second biggest challenge was the difficulty of obtaining senior management support and input. Thirdly, getting the wider organization to buy in to BC and to provide support to the process was another challenge that needs to be considered. Following these top three challenges, other reasons are: organizational cutbacks and changes; technology issues; testing and exercising issues; compliance, regulations and auditing; and culture change. These findings provide important feedback to those who have implemented BCM and those who are in the phase of initiating it.

3.9 Summary

This chapter provided a review of BCM, starting from its historical development, its relationships with other concepts, and its main principles and methodology, to its implementation in various sectors, which shows the need for the concept in an organization. As an act of anticipating incidents that will affect mission-critical functions and processes for the organization, and ensuring that it responds to any incident in a planned and rehearsed manner, BCM has evolved from a technology-based disaster recovery approach to a value-based drive for business resilience. It is also viewed as a unifying process that includes various concepts for overcoming crises.
BCM is considered a management system that, similar to other management systems, needs influential factors such as organizational culture, involvement, resources, flexibility and shared commitments for its effectiveness. Moreover, these approaches are embedded in its main principles and methodology. Currently, BCM is widely adopted in various firms from various sectors. Regulations and international standards have been developed for this concept, and methods for assessing the level of BCM preparedness have also been established. The need for BCM is currently supported by various drivers and, although there are some challenges in implementing the concept, the benefits of BCM are worth mentioning.

What are the 7 steps of continuity management?

7 Steps to Create a Business Continuity Plan + Webinar Replay.
Step 1: Regulatory Review and Landscape. ...
Step 2: Risk Assessment. ...
Step 3: Perform a Business Impact Analysis. ...
Step 4: Strategy and Plan Development. ...
Step 5: Create an Incident Response Plan. ...
Step 6: Plan Testing, Training and Maintenance. ...
Step 7: Communication.

What is the main reason for testing a disaster recovery plan?

Goals of disaster recovery testing
One of the main goals of a disaster recovery test is to determine if a DR plan can work and meet an organization's predetermined RPO/RTO requirements. It also provides feedback to enterprises so they can amend their DR plan should any unexpected issues arise.
What is Recovery plan in business continuity plan?

Recovery strategies are alternate means to restore business operations to a minimum acceptable level following a business disruption and are prioritized by the recovery time objectives (RTO) developed during the business impact analysis.
Which of the following is the purpose of business continuity planning Mcq?

Business continuity plans (BCPs) are created to help speed up the recovery of an organization following a threat or disaster. The plan puts in place mechanisms and functions to allow personnel and assets to minimize company downtime. BCPs cover all organizational risks should a disaster happen, such as flood or fire.