The Key Drivers for Business Continuity Management - Essay Example

 The aim of the paper is to discuss business continuity management and its key drivers from the viewpoint of their importance; moreover, with the increasing role of preventing risk factors in any business performance, notions of continuity management become more popular and applicable. The key words are: business continuity, management, risk, development, standards BCM definition Business Continuity management (BCM) has been defined by various authors and companies in similar, but yet somewhat different ways; it should be noted that there is no single notion of BCM; moreover, each company introducing its principles and implementing them into practice, makes the notion slightly amended according to the nature of company's business performance. 'Business continuity Management, or BCM, as it is more commonly known, is a business organization-driven activity that is concerned with developing the organization's ability to continue providing critical services (or business processes) in the event of an interruption'. (Doswell, 2000) It is essential to understand, that BCM incorporates all aspects of the so-called 'incident cycle' – what it meant here is that BCM scopes the notions of risk assessment, prevention and mitigation activities' implementation, managing incidents when they have already occurred, etc… All these activities are included into the whole cycle of BCM provided by a specific organization. Another author states, that' 'business continuity lacks recognition which it primarily deserves from the boardroom. [..] a cursory glance at how BCM is treated today reveals just how much has to be achieved before it is genuinely considered to be a business issue'. (Elliott, 2005) The Civil Contingency Act (CCA) defines BCM as 'a management process that helps manage the risks to the smooth running of an organization or delivery of a service, ensuring that the business can continue in the event of disruption'. Thus, it is seen that the definitions are similar, but they have slight differences at the same time; moreover, it should also be understood that not a single company will keep to the strict and single definition of BCM, because the area of each company's activity is different, and thus BCM implementation and application will also differ. 'Business Continuity can be seen as a bridge between Risk management and Emergency Planning; it utilizes the risk identification and management processes of formal risk management and the crisis management capabilities of emergency planning'. (Myers, 2006) This note is given by Myers (2006), and though it cannot be called one of the BCM definitions, but it gives better understanding of the terms and the area of its application. Thus Business Continuity management is aimed to work in both daily and emergency situations; according to the abovementioned citation, it becomes evident, that BCM should both work for the prevention of the critical situations (its primary aim) and for the minimization of the negative consequences for the events which have already taken place. This two-fold role is revealed no matter in which company BCM is implemented. It is difficult to implement BCM notions into the company's performance, but it is even more difficult to make BCM a part of the company's corporate culture. Many UK organizations at present fail to implement effective plan of prevention critical incidents, which interrupt and may threaten their business activity. Disaster planning and risk management, as well as managing company's benefits is the area which is rarely addressed by the modern businesses. The principal question, which the companies ask, is 'why implement BCM notions? How it will positively influence company's performance? Are the minimized risks comparable to the costs involved? In order to understand how important BCM is for the modern companies, it is interesting to look into the 2006 BCM survey which gives the principal lacks (problems) faced by the companies and thus give the reader basic understanding of reasons for implementing BCM principles. 1. BCM implementation protects and enhances company's reputation. Even despite this understanding, the survey has discovered that with 77% of the British enterprises understanding the importance of BCM, less than half (49%) can state that they have anything similar to a contingency plan or that they use the BCM principles in their company. (Chapman, 2006) Enhancing reputation will mean that effective BCM strategy will show the better capabilities of the company to act in the emergency situations and to prevent them, thus displaying higher level of credibility and better business performance. 2. The present economy can be characterized as being digital networked economy, which actually has no clear boundaries and thus is more vulnerable to various undesirable invasions (either computer and Internet viruses, or financial frauds). Such events can interrupt business performance, and this is why with the development of the company and with the implementation of the new technologies, BCM becomes an integral part of these information technologies' effective work. 3. 'In today's economy, it just makes good business sense to interrogate suppliers and potential outsourcers beyond the Service Level Agreement, to get them to quantify in real terms how robust their businesses actually are. Increasingly, this means that companies that ignore BCM best practice are finding themselves unable to gain entry into markets that they have been operating in for years, and this trend is only likely to continue'. (Clair, 1998) Thus, through this opinion, with which the reader should certainly agree, it is still unclear, why only 45 percent of the British enterprises see the so-called 'big picture' of the present-day economic situation. (Chapman, 2006) After London bombings 2005 about one third of the enterprises in London have experienced serious losses, and thus only 42 percent realize the seriousness of terrorist and environmental threats. (Thejendra, 2007) In order to understand the nature of BCM in the UK and why modern firms implement (or don't implement) BCM policies, the key BCM drivers should be considered 1. Legal (regulatory) requirements The CCA requires Category 1 responders (Public entities) have legal duty to ensure that they are able to provide service without any interruption in the case of emergency. These initiatives should also be promoted by these entities to its local bodies on the obligatory basis. CCA is worth considering as a separate driver, because this is the document which provides clear responsibility for the Public Entities in case they don't implement BCM principles and strategies. This Act was introduced after a fuel crisis of 2000 and 2001, as well as other serious events which undermined the business performance of many public entities; among these events was also flooding at Foot and Mouth outbreak. Thus, the Government had to review the emergency planning arrangements of the public entities. The Act divides the respondents into the two main categories: the category 1 responders are those which are at core of response (meaning emergency services and local authorities). These entities are required to assess the risk of the emergencies and to provide contingency planning on the basis of this assessment; to implement emergency plans and to implement BCM arrangements. (Elliott, 2005) Among other requirements are to share information with other organizations, to make the necessary arrangements for making information available to the public; local authorities are also required to provide the necessary assistance and advice for organizations who want to implement BCM. The second category of responders is primarily responsible for sharing the necessary information with emergency bodies. Among this second category, utility providers, some government agencies are noted. However, it is important to note, that there is no legal requirement for the implementation of the BCM in the private entities, but there are also other drivers, which provide compliance to the basic regulatory standards: BS7799 British Standard for Information Security. The implementation of this Standards for many companies appears to be the best means of proving that their performance is robust; especially it relates to the companies working in the sphere of comp0uter and information technologies; though this standard is also relevant for the banks. This Standard is the effective driver for implementing BCM standards, and compliance with this standard serves as the proof for the high level of security in the company. ‘BS 7799/ ISO 27001 encompasses a total of eleven clauses that cover the breadth of information security management. The 10th clause covers Business Continuity Management and provides clear guidance and mandated requirements covering Business Continuity Process’. (Myers, 2006) The driver makes it clear that risk assessment is the basis for the BCM. Comprehensive performance assessment. This driver is also applicable to the public entities and is not obligatory for the private companies; it states that starting with the year 2005 the Audit Commission will check the Local Authorities for the subject of BCM implementation. (Mellish, 2000) Among the other drivers of Business Continuity implementation the following can be listed: a. customer expectations. Customers appear to be increasingly concerned when it comes to the moment when they have to be assured that the company they invest money in (or buy products, which is the same) are able to support their performance without any serious interruption and to store the customer private information without any threat of it being revealed to the side participants. (Freeman, 1994) b. IT Security. This is partially related to the previous driver, and is also connected with some regulatory drivers, among which the BS 7799 has been described. This driver comes into action because companies need informational integrity and security, and these characteristics can be provided only through BCM implementation. c. Business Insurance. ‘Effective BCM can demonstrate to underwriters and insurers that they are pro-actively managing their business risks. It is often a requirement of the policy and can lead to reduced premiums’. (Herban, Elliott & Swartz, 1997) d. Stakeholders pressure. Stakeholders appear to be the driving force making the company work reliably for bringing reliable and sustainable profits and development; this is why stakeholders’ pressure often appears to be one of the most important drivers for the private companies in making them implement the BCM principles. (Freeman, 1994) e. Corporate governance. Corporate governance is what BCM directly supports. It is required for the public entities to produce the annual statement of the internal control; this report is the instrument in identifying and assisting in assessment of the risks and providing clear roles and responsibilities within the company to safeguard the assets of the company. (Doswell, 2000) f. More efficient performance. This driver is not an obligatory instrument, and as it has been seen through the survey (implying that companies prefer using other means for increasing the efficiency of their performance) but BCM is seen as one of the best means to identify the key roles and responsibilities of everyone in the company, which ultimately leads to the better performance. (British Standards Institution, 2003) Thus, through the analysis of these drivers it appears that firms (private firms) implement BMC practice not due to the regulation, as there are no regulatory acts which should make private firms use BCM principles as legal requirements, but the firms mostly implement these practices due to some other considerations; some suppose these principles will increase the efficiency of their performance; others see it as the tool for attracting additional customers and thus increasing the credibility of the enterprise. One of the brightest examples has been given by Elliott (2000) through his analysis and comparison of Coca-Cola and Pepsi continuity management activity – though the number of product contamination crises in the companies has been sufficient, but the level of reacting and managing the issues properly was low. First, organizations need to communicate in an open and consistent manner. A disjointed approach to communication can create serious problems for a company as witnessed by Perrier. Communications should be unambiguous and free from attempts at the projection of blame elsewhere. Scapegoating is often viewed with considerable suspicion by the media and other observers. Second, contingency plans must be tested. Developing such plans without testing them or providing training for staff will severely inhibit their effectiveness.’ (Elliott, 2000) Thus, implementations as it is not enough to make BCM effective; it should be implemented properly and exercise the necessary techniques to work successfully; and it is also essential that there should be certain drivers for the correct implementation of the BCM strategies but they have not been discussed in any literary resource researched. The firms which undertake BCM truly believe it is advantageous despite the additional costs it requires for the implementation of the practice. BCM has not yet become a good business practice and there is still much to achieve for this practice to become widely-accepted and well known. Firms which apply this practice in their performance weight the costs and the benefits which BCM gives to them, and see many advantages. They are not relying on the legal requirements, and probably due to the fact that Governmental policy dos not require private entities to use BCM principles on the obligatory basis the number of the firms which implement BCM is drastically small. The drivers which make firms undertake BCM are various, and among the most effective one may name regulation, stakeholder pressure and probably customer expectation with the IT security. These are the drivers which are seen as the most vulnerable and which may affect the company’s performance the most. It is even worse that the implementation of BCM usually becomes the consequence of some critical situation which could be handled in case the firm had the necessary knowledge and practice for reacting to such situation through BCM. One of the brightest cases is London Bus and Tube bombings – one third of the London firms has been negatively impacted by the incident. (Chapman, 2006) but it is still evident that: 1. less than half of the UK organizations have a business continuity plan in place; 2. inanimate objects are still the key focus for protection, even though a business can’t run without people; 3. employees, suppliers and stakeholders don’t know what to do in the event of disaster. (Myers, 2006) Thus, the drivers which at present exist for the BCM implementation among the private sector of economy are insufficient and ineffective to make the entities implement them and use them for the benefit of their performance. In the light of everything above said, it would be of use and should be recommended for the governmental policies and the entities which consult and develop BCM policies at the state and local levels, to consider the possibility of developing a set of requirements and legal regulations, the implementation of which would be obligatory for every enterprise. The set of these requirements should be balanced and to be as minimal and cost effective as efficient; it should be implied that implementation of this minimum will allow the enterprise to have effective BCM policy, with the rest of requirements being optional and only expanding the scope of BCM principles for each specific enterprise. The minimal set of requirements should be thoroughly chosen on the basis of the most probable emergency situations, and may be either unique, or differ based on the type of the entity, that is based on the risk assessment of each specific entity. This is another proof for the fact that risk assessment and BCM are the two integral parts of one whole notion and are interrelated. Conclusion The work has been designed not only to consider the principal drivers for BCM principles implementation, but its aim has also been to analyze the effectiveness of these drivers and to conclude, whether these drivers are able to make private firms implement the BCM principles into their practice. It is clear that implementation of BCM requires additional costs, and this becomes the principal obstacle for many private entities on their way to implement the BCM principles. Moreover, with the absence of the necessary regulation requirements for the private entities in the sphere of implementation the BCM standards, it becomes evident that the necessary steps should be undertaken at the state level. The governmental policies should address the existing issue and make the implementation of the BCM standards for private firms obligatory; the main conclusion of the work is that the existing drivers are not effective for the firms to implement BCM principles, and this is why the necessary minimum of the approaches should be made obligatory for each company which will increase its kevel of corporate governance and credibility. References British Standards Institution 2003, Guide to Business Continuity Management: PAS 56, BSI Standards Chapman, A 2006 Continuity and contingency management. Available at http://www.businessballs.com/continuity_management_planning.htm (accessed 20 March 2007) Clair, J.A. 1998 'Reframing crisis management', Academy of Management Review 23(1): 59- 76. Doswell, B 2000, Guide to Business Continuity Management, Leicester: Perpetuity Press Elliott, D 2005, Business Continuity Management: A Crisis Management Approach. London: Routledge. Elliott, D., Smith, D. and Sipika C 2001 Message in a bottle: learning the lessons from crisis, from Perrier to Coca-Cola, University of Sheffield mimeo Freeman, R.E. (1994) 'The politics of stakeholder theory: some future directions', Business Ethics Quarterly 4: 409-21. Herbane, B., Elliott, D. and Swartz, E. (1997) 'Contingency and continua: achieving excellence through business continuity planning', Business Horizons 40(6): 19-25 Mellish, S. (2000) 'When a BCP really comes into its own', Continuity 4(4): 4-6. Myers, KN 2006 Business Continuity Strategies: Protecting Against Unplanned Disasters, J Wiley & Sons Thejendra, BS 2007, Disaster Recovery and Business Continuity IT Governance Publishing. Read More