Business continuity management made simple
Ideally, Plan A always works, all business processes always run smoothly. Sometimes, however, Plan B becomes necessary: When an emergency occurs, there must be clear procedures in place so that you as a company can quickly regain your ability to act. Business continuity management (BCM) is designed for this case.
In this article, you will find an exemplary contingency plan as well as assistance to make it easier to implement BCM in your company.
What is Business Continuity Management?
Business continuity management describes the management process which ensures that business operations can be resumed as quickly as possible in the event of an emergency. Interruptions and their impact are reduced. Companies with a strong BCM have a high level of resilience, as they can cope well with any damage that has occurred.
As safe as you may feel, every company is exposed to risks. Possible dangers include natural disasters (e.g., fire or flood), power or personnel failures, delivery bottlenecks, machine damage and, increasingly, cyberattacks.
A BCM provides for specific measures and an emergency management plan for each of these incidents. Thanks to these, failures can be responded to quickly, emergency operations can be initiated, and a return to normal operations can be started promptly. In this way, contractual deadlines and legal requirements can continue to be met, losses can be reduced, and the company’s own reputation can be preserved. The supply and safety of customers, business partners and employees are also important. The level of damage that can be tolerated depends on the organization concerned. For example, critical infrastructure organizations need a particularly strong BCM, because the health and basic services of the population depend on their continuous operation.
For whom is Business Continuity Management relevant?
According to the Institute for Business Continuity & Resilience Management e.V. (IBCRM e.V.), almost half of all companies are regularly affected by cyberattacks. No one is completely protected from force majeure or technical disruptions, either. Operational security is relevant for everyone.
For critical infrastructure companies, the introduction and implementation of business continuity management is even required by law. Critical infrastructures are those that are of major importance to the state. These are, for example, providers from the transport and traffic, health, and food sectors. The definition already shows that critical infrastructure operators always must maintain their operations. However, just because critical infrastructure operators are the only ones legally obligated to do so, does not make a well-developed BCM any less important for other companies.
The exact design of the BCM measures is not specified. You are on the safe side if you comply with ISO standard 22301 “Security and resilience - Business continuity management system – Requirements”. It applies to all crisis and emergency situations. The ISO/IEC 27001 standard is also specific to information technology security. The requirements of ISO 27001 contain many overlaps with those for business continuity management. Anyone seeking certification must therefore take care of their BCM beforehand.
The single steps of the emergency response plan
A Business Continuity Plan (BCP) contains all emergency strategies related to facilities, customers, and personnel.
If an emergency occurs, the priority is to find a workaround. This should enable emergency operation with the most important tasks. However, depending on the nature of the incident, this is not always easy to achieve. In the case of a fire, for example, no production (on site) will be able to take place until remediation or relocation. Nevertheless, the focus is always on restoring normal operations as quickly as possible.
Here’s how an emergency response plan works:
Occurrence of a damaging event:
Operations come to a standstill. For example, because the main supplier of a production company is down for several weeks due to a strike. Without this supplier, nothing can be produced. However, the company itself is a supplier for other companies. It now runs the risk of having to pay hefty contractual penalties and losing valuable customers.
Immediate actions:
Once the emergency has been identified, the worst must be prevented by executing immediate actions. In the event of a supplier failure, a replacement supplier should be commissioned. This emergency contact should have been created beforehand while setting up the BCM. If this supplier cannot deliver to the same extent, the orders must be prioritized.
Declaring an emergency:
Once the situation is clear, employees and customers must be told what has happened. In the example, it is honestly communicated that deliveries may be delayed. Some of the staff may have to be put on short-time working because not all employees are working to capacity in the emergency operation.
Reaction time:
This is the period during which the incident is responded to, the immediate actions are carried out and the SSO (Special Structure Organization) is activated. During this period, operations are at a standstill. An SSO is a temporary organization that is responsible for managing the emergency and is divided into staff and an emergency response team.
In addition to the reaction time, a recovery time objective had to be defined. This determines the maximum length of time for which the business operation can be down without jeopardizing the continued existence of the company. The emergency operation must start within this time frame.
Restart:
The emergency operation is initiated by the staff. Production restarts slowly. In the example case, work is carried out with a substitute supplier, thus enabling at least a reduced level of production. Some employees are on short-time work.
Restoration:
If something has been damaged, it is repaired or replaced during this phase in parallel with the emergency operation so that normal operation can be resumed afterwards. In our case, the company finds out how long the main supplier's strikes are likely to last. If this is unclear, a permanent alternative must be found. If it is clear, arrangements are made for the period after the strike. At the end of the restoration period, it should be possible to return the emergency operation to normal operation.
Repatriation:
During this phase, measures are taken for the specific transition back to normal operation. In the event of a power outage, the emergency power would be shut off and the usual supply would be reactivated. In the example case, the strike ends, the old supplier is active again, and the emergency supply from the replacement supplier can be discontinued. Alternatively, a new main supplier would have been contracted in the meantime or the replacement supplier would have been won as a permanent main supplier with a higher supply quantity.
Normal operation:
Production or services are running again as before the damaging event. Employees can be brought back from short-time work. However, overtime may now have to be worked to make up for the lost time and work that has been left undone.
Rework:
The incident is discussed conclusively, the helping hands (the replacement supplier) are thanked, and any outstanding issues are dealt with. Depending on the case, this may take some time and further delay the real normal operation. For the next case of damage, the emergency plan is improved. Thus, follow-up work always includes an analysis of the BCP and its implementation.
Establishment and supporting measures
You can make it easier for yourself to build a business continuity management system.
The first step in doing so would be to act as preventively as possible: Strengthen your security measures with regular audits and continuous compliance management. Adhere to national, international, and industry standards. Train employees regularly and encrypt your data.
Not only critical infrastructure organizations, but every company should strive for ISO certification in IT security (ISO 27001) and general resilience (ISO 22301). In addition, there are other standards such as ISO 31000 for risk management or ISO 9001 for quality management. Once the requirements of these standards are met, a large part of the work is done.
Don't wait until damage has occurred to think about what needs to be done; instead, create a BCM during normal operation. To do this, first identify time-critical processes. Perform a business impact analysis based on the risks you have identified in risk management. This will determine the impact of all disruptions.
Setting up a BCM also involves defining clear responsibilities and roles. Responsible persons for emergency management must be defined so that everyone can react immediately and correctly. For this purpose, create a special structure organization (SSO) and conduct regular emergency drills.
A good BCM plan follows the PDCA cycle: Plan - Do - Check - Act. This means that all measures in your emergency plan are regularly tested, checked and improved. The current plan is then handed out to all those involved, both digitally and in analog form. Storage should also take place both locally and online to ensure constant access.
BCM as part of a GRC tool
A BCM system benefits significantly from the applications and synergies of a GRC tool (Governance, Risk & Compliance). Comprehensive GRC software accesses a central database, which saves valuable time when entering data in the various applications. It helps to identify and analyze risks, on which a BCM can optimally build, calculates probabilities and damage levels, and presents them clearly. Weaknesses become visible in reports and an already existing risk management can be easily integrated. All this enables you to implement your compliance requirements in a gap-free and documented manner.
GRC software is therefore indispensable once a company reaches a certain level of complexity. With this software, you can concentrate on the essentials and be able to act again more quickly and efficiently in an emergency.