Simplifying Business Continuity
Business Continuity is often mistaken for some form of Emergency Management, with the responsibility for its implementation left to the Emergency Management team within an organisation. Whilst there are clear synergies between the two, they have two clearly different aims.
The primary aim of Emergency Management is the safety of people after an incident, followed by the securing of assets. This is usually documented in an Emergency Management plan with the requirements governed by legislation.
The focus of Business Continuity, on the other hand, is on the continued operations of the business. With clear linkages between this process and Emergency Management (especially for service orientated organisations) there needs to be an agreed delineation of responsibilities and accountabilities to ensure both disciplines achieve their required objectives, both during and after an incident or disruption.
Business Continuity is defined as the capability of an organisation to continue delivery of products or services at acceptable predefined levels following a disruptive incident, with Business Continuity Plans (BCPs) containing documented procedures that guide organisations to respond, recover, resume, and restore to a pre-defined level of operation following disruption.
A BCP should thus be a succinct, easily readable document that is able to guide the management team through the phases of the business disruption to a return to service. All too often BCPs are overly complex and lengthy, and contain a lot of background information that is not central to actually managing a business disruption in the midst of a crisis.
In most cases, the senior management team that coordinates activities during a business disruption is not made up of business continuity specialists; it comprises managers who are conversant with their areas of responsibility. Most BCPs use terminology and acronyms that are not part of day-to-day business and are thus not familiar to the people who have to implement the BCP in the midst of a crisis.
While an organisation may have a cycle of annual training, and managers may be competent, in reality the only time most senior managers will refer to a BCP is during, or potentially immediately prior to, a disruption event.
This fact increases the importance of setting out, in a concise and understandable manner, the requirements to continue business operations.
The language of business continuity has evolved to include terminology such as:
- Maximum Tolerable Period of Disruption (MTPD)
- Maximum Acceptable Outage (MAO)
- Recovery Time Objective (RTO)
- Recovery Point Objective (RPO), etc.
These terms (while part of the industry jargon and used within ISO 22301 Societal security — Business continuity management systems — Requirements) are not used in day-to-day business.
Instead of developing documents for the purposes of compliance, it makes more sense to develop them for practical understanding. Instead of using overly complex terminology and jargon, stating actual requirements simply will facilitate a better understanding and therefore an easier uptake. To this end, the following vocabulary is suggested as a more practical alternative:
- What can’t we do? (The critical function)
- What do we need to do? (The workaround)
- When does it need to be done by? (The Maximum Acceptable Outage)
Should you require assistance or information in developing a Business Continuity program, reviewing an existing one or testing its efficacy, please contact QRMC for more information.