The Key Aspects of Business Continuity and Crisis Management - Essay Example

Business continuity and crisis management Name Subject Instructor Institution Date Abstract The key principle for Business Continuity Management (BCM) is the responsibility of company management to ensure continuation of the business operation. Business Continuity Management is a holistic management process which aims at identifying potential threat to a company and, the impacts to the operation of a business. Realization of company threats might cause a framework for building company resilience with ability to effectively respond to interest that, safeguard its key stakeholders, value creating activities, brand and reputation. Moreover, BCM is established as a preparation process for possible threats posed to a company, whether from the company internal system failure or company external emergencies such as; terrorism, extreme weather, or infectious disease. This paper gives an overview of Business Continuity Management drivers and the compelling reason for an organization to implement it. Table of Contents Table of Contents 3 1 Introduction 4 1.1Insurance 4 1.2Auditors 5 1.3 Legal/Regulatory Requirements 6 1.4Government Policy 6 1.5 Time 7 1.6Corporate governance 8 1.6.1Civil Contingency Act 8 2. A Structured Approach to Business Risk Assessment 10 3 Risk Management Standards 11 3.1External drivers 11 4 Compelling reasons for an organization to implement BCM 12 5 Conclusions 16 1 Introduction Business continuity and crisis management forms one of the vital aspects in disaster recovery, crises and risk management and controls as well as in technological recovery (Wilsh, 2006). Moreover, this sphere explores available approaches in Business continuity during disasters by ensuring the outputs have been maximized while minimizing the use of available resources. This argument suffices that, Business continuity is an imperative facet in the realm of medium and large business enterprises globally. Apparently, global trends indicate that, most mega businesses or even small enterprises have persistently been presented with relentless disasters that triggered massive losses rendering them causalities of the situation. There are many drivers that force organization to implement business continuity management. These include factors such as: 1.1Insurance Insurance is a risk transfer or sharing element which reduce organization exposure to financial risk as a result of losses, accident, or other liability arising in relation factors like; Cost arising from staff injuries or death, visitors, and contractors while undertaking organization duties, when in business premises, or during travel tour conducted on behalf of the business or in a business car. Cost of replacement or temporary staff if the existing staff prove incapacitated. The cost of replacing damaged or obsolete assets. Risks in business sectors have increased due various factors such as; globalization of supply chain, centralized distribution and focused factories, reduction in supplier base, trend to outsourcing lack of control procedures and visibility, and volatility of demand as noted by Cerullo and Michael (2004, p.76). The influence of insurance companies on business continuity management is paramount. In the event of business interruption, insurance is a major way of covering business revenue lost following a disruption. Recently, insurance linked the interruption in business to building insurance. They have been seeking to sever this link due to dramatic increase in business interruption losses. Underwriters are trying to find evidence an effective business continuity programme important in reducing risk exposure to different business disruptions. Insurer insists that a company must demonstrate that they posses reasonable measure to reduce risk and a comprehensive working programme. Insurance reduce the scale and duration of business losses. Insurance in BCM is a factor because it affects the company estimated loss. Companies with BCM are a representation of better quality risk. 1.2Auditors Consequently, the auditor looks for evidence that an effective BCM is in place to meet legislation and regulations. Auditor approach is to check for evidence that business continuity plan has been rehearsed and that business continuity management has been promoted in the organization. Motivated by this driver, the company finds the need to properly mange principal risk indentified in the organization. In case of disaster or business disruption, effective handling of business crisis as a way of ensuring that critical business function has been resumed is fundamental in any organization. Understanding that disruptions have negative impact on business has captured the attention of auditors and aim to use BCM to inform the organization the procedure that can be adhered for a successful implementation of business continuity plan. 1.3 Legal/Regulatory Requirements Industry legal requirement and regulations are becoming increasing impact drivers for an organization to start a business continuity management programme. Regulators are aware that business should have effective business continuity management programme in place for customer protection as asserted by Jacques and Rossouw (2004, p.328). Since the New York incidence on 11 September 2001 where the World Trade Centre was attacked finance regulators throughout the world have set conditions for Business continuity management expected to regulate the activities of businesses. Apparently, there are a number Acts, which directly or indirectly require Business continuity management to be put in place or, to make it a requirement for each business by implication. Data Protection Act (DPA) of 1998 clearly mandates the need for BCM as data protection principle. This states that, appropriate organization and technical measure shall be taken on any unlawful or unauthorized processing of personal data and also against destruction or accidental loss of personal data (Everest and Roy, 2008). Data Protection Act notification process further expand this being a means through which organization declare to the public the reason why and the way they process personal information. Statement related to compliance with 7th principle asks the company to clarify if they have a BCM plan. 1.4Government Policy The Central Government and concerned public bodies have adopted security and policies requirements such as, company Manual for Protective Security. Many of this security and policies requirement are based on, requirements of BS 7799: British Standard for Information on company Security Management or requirement of ISO 27001 - the International organization standard (Hiles, 2007). Cabinet Office has mandated all Government Departments to comply with BS 7799 for success of key business processes. BS 7799/ISO 27001 has eleven clauses covering the breadth and the nature of information security management. Company 10th clause, which is numbered as No. 14 in the Standard basically covers BCM and provides clear mandate and, guidance requirements to cover Business Continuity Process Gibb and Buchanan (2006, pp. 128-132). In these requirements, a statement clearly stipulates that, business management planning have to be based on a company Risk Assessment. While public bodies may fail to be directly accountable to company shareholder, it should be understood that, they are accountable to the public. Failure for public bodies to provide services to the public as promised ultimately lead to loss of public confidence, which may even lead to the change of government. 1.5 Time Time is a key driver to business continuity management. Business Speed has changed and most of times, there is very little time to allow gradual business recovery. Lack of customer loyalty and Emergence of e-commerce have changed requirement for business recovery to that one of availability. According to Hiles (2007), different organizations experiencing this must ensure that services they are offering to their customers are available seven days a week without failure. Time dimension is the factor that has created the change to business continuity management. Time is the main differentiator between continuity management and business risk management. Many people argue that business continuity management should be taken as a subordinate to business risk management. Risk management function sits within business management while separate risk management activity may sit outside this function. This deals with day-to-day business threat and risk when conducting its activity. This varies from one business to another and from one organization to another. 1.6Corporate governance Corporate governance is another significant driver for business continuity management. Throughout the world, there has been a tremendous increase in legislation and regulations in these areas. In the United Kingdom revision of the country stock exchange listing rules emphasize on different internal controls in managing and controlling principal risks that are daily faced by business as noted by and Hägerfors (2010, p.249) . The guidance set out concern framework for best practices in learning a business, based on control and assessment of significant risk. In the activities of many companies BCM programme try to address key business risk and assist them in arriving at compliance. 1.6.1Civil Contingency Act Civil contingency act is another driver for BCM. It is considered separately for it a clear mandate for public authorities. The Act was introduced resulting from high profile event like fuel crisis, foot and mouth outbreak and fuel crisis in 2000 and 2002. The government found the need of reviewing country emergence planning arrangement (Hiles, 2007). Civil contingencies Act of 2004 was designed to deliver a business continuity management framework, which is divided into two parts. Part 1 considers local arrangement to establish statutory framework of responsibilities and roles and civil protection. Part 2 considers the established framework for legislative power necessity and the emergence of powers. Part 1 place a clear statutory business continuity management requirement on different public bodies, broadly split it in two responders groups based on the level of involvement in the government civil protection work. The first category of responder depends on their level of civil protection work involvement. For the first category responders, that is, those who are at the core of response such as local authorities and emergency services are required to Assess various risks that might occur and use this as a base to inform contingency planning. Provide advice and assistance to voluntary organization and businesses about business continuity management. Make sure that emergency plans are in place Make sure that business continuity management is in place. Share helpful information with other businesses and organizations. Make sure that arrangement to avail information to the public is in place. The second category of responders includes public transportation bodies, utilities providers and government agencies. Government agencies have less duty and responsibility to share and cooperate in exchange of organization information. The first category of responders are the primary onus in risk assessment methods and the information sharing capabilities that provide coherent, uniform response to an emergency. 2. A Structured Approach to Business Risk Assessment In the heart of business continuity management plan, there is need for risk assessment. Risk management and assessment is subject in the security community. Undertakings in risk analysis have been presented in key documents for example in the British Standard Institute (BS 7799) and the Guide in Risk Assessment- PD 3002 incorporated in BS 7799, which is part 3 of ISO 27005 Trsozt (2010, pp. 404-407). Different risk assessment methods are available for use in risk management and analysis. In risk management three stage approaches are comprehensive Business Impact Assessment, which seek an understanding on the impact of breaching security in the business integrity, confidentiality or availability of information on business processes. In spite of the fact that Business Continuity planning is likely to focus on available information and service impact, organization with clear comprehension on fast services will be restored. Threat and Vulnerability Assessment, which is essential in understanding what threats are, how often they occur, their relevance to the organization and how they can result to business impact. Review of Business Impact Assessment through Threat and Vulnerability Assessment- results are obtained together to define risk level and amount of exposure. Level of risk exposure may either be expressed in plain language or as numeric variables. No matter the expression used to show the level of business risk exposure, proper highlight of areas of counter measures should be focused clearly to meet areas that portray the highest risk. Risk Management Assessment, which uses risk exposure level to identify areas where security measures should be implemented in an ideal manner. Some methods recommend counter measures which are specific to the level of risk and the type of the threat. Step by step assessment undertaken is to implement a standardized business continuity management plan that meets the standard required. 3 Risk Management Standards There are different standards available for risk management. This includes: i. BS7799/ISO 27001 ii. UK Government Manual for Protective Security closely aligned to the BS 7799 iii. BSI –Baseline Protection Manual for German Federal IT In all these standards BS 7799 is probable the best choice due to the fact that it has recognition both in the United Kingdom government and has been adopted internationally via ISO version (BSI: 2011). Moreover, this standard can be assessed independently and has been certified against other standards to demonstrate that, robust information on security management system is in place. 3.1External drivers Fig1. Percentage of risk management by finances (Blyth, 2009) Today, there are more clear drivers for public bodies to implement a comprehensive business management plan based on business risk assessment with confidence that it will consider and comprise all areas of risk as noted by Ashton (2005, pp.7-12). Business continuity management cost money and it would only make sense if the business focuses their expenditure on the areas of highest risk, there is no reason in investing money to protect the company against earthquake when in the real sense earthquake case has never been experienced before in the area the business is located. If a company wishes to implement countermeasure to meet Business Continuity Management requirement, it should do so to map them to meet the requirement of recognized standards. Motivated by this drivers and the desire of managing business principal risks, different businesses have identified that their main dependence are supplier who ensure their continuity. This being the case, business continuity management pressure has been mounting pressure down business supply chain from customers. According to Lindström, Sören and Hägerfors (2010, p.249), future drivers in business continuity may include; banks and investors who have the desire of seeing continued learning and existence of business and that this is built on comprehensive business plan. Banks and investor also wish to see continuity of emergence service and pubic authorities. 4 Compelling reasons for an organization to implement BCM Business Continuity Management is an important tool for both private and public sectors for an organization to be able to function effectively and efficiently even in times of a disaster. Business Continuity Management identifies the possible impacts that potentially and continuously threaten a business (Wilsh, 2006). BCM provides a framework through which resilience and effective response can be built to safeguard organization interest, brand, reputation and value. It identifies and assesses threats which are critical to the functioning of the business. Businesses require BCM to measure and eliminate threat by developing plan to manage and mitigate them. Business require BCM as the continued existence of a business is a critical process, with supporting applications and required resources being key for the continued viability of the business. Taking an example of an emergency service business, though the principles are applicable to all other businesses equally, it is critical for a business to be able to respond to incident threatening the employee and business safety (Thiel, 2007). The adopted strategies must respond effectively, efficiently and with speed to threatening situations. To do this, manager with responsibility of providing theses service should use the company highly motivated and skilled staff to support operation processes. These staff should be given access to all the critical areas as denial of asses can significantly degrade use of critical resources cause severe impact to effectiveness of operations. Many organizations are adopting BCM because its effectiveness is not only concerned in minimizing the likelihood of an event occurring, but has capability of recovering the business in case of a disaster. Lack of an effective business continuity management plan can have serious implication to the business including: Liability for loss of life or injuries Loss of Public and Customer Confidence Liability and predominantly in litigious society leads to heavy financial penalties, which may have impact of reducing the business funding available for developing and managing the business operations and staff. As a manager with role of making sure that systems are available to operational staff when required, not having BCM plans in place is seen as negligent and could have severe and detrimental effect company future prospects (Wilsh, 2006). Depending on the area of operation, managers are directly accountable for business efficacy and, if ignored, can have detrimental effect to the business affairs. Due to superior customer service, operation efficiency and brand reputation being arguably most critical drivers for business profitability, ability to avoid business risk and disruption through uncontrollable and unforeseen events becoming imperative for any organization. By adopting BCM the structural problems in an organization may be rectified and understood. These may include; badly organized workflows and processes shifting from the original purpose in the business organizational model. By using BCM, a clear understanding of different processes in a business can be obtained by carrying out a business impact analysis in a Business Continuity Management programme. Enhanced understanding can ensure process optimization through programme that result in expenditure reduction as noted by Jacques and Rossouw (2004, p.326). Reductions in expenditure are helpful in justifying BCM program. After-effect of business interruption to the normal learning of the business result in severe business backlogs built up whilst the business management attention engages in tacking abnormal situations. The unexpected Backlog Trap is tackled by business continuity management programme. In an organization, the possibility of recovery from risk is related directly to simplicity of business processes. Business continuity management is significant in simplifying business processes ensuring that they are easy to recover in the moments of crisis. In many businesses, rational structure might be overlooked if growth of the business becomes most significant driver. Business continuity management is helpful in rectifying this problem by proper mapping the business structure. This is helpful in highlighting where inefficient and bureaucratic structures have been developed. Inherently, all business hierarchy levels may be affected. Successful business continuity management plan is essential in creating effective and fast communication system which can be used in daily incident management. In addition, using business continuity management programme that is compliant with PAS 56 ‘levels for continuity of business through minimum service levels used in mission critical activities determined throughout the business is very important. This allow business service level be monitored throughout the organization and in case the service falls below minimum, the company recovery intervention can be undertaken (Wilsh, 2006). Understanding recovery time objective for critical activities and recovery point objectives are important in business application. This understanding is essential to cost effectively focus the business budget for maximum resilience. If such business continuity methods fail, business expenditure could be directed in the wrong direction and potentially misleading business capital. In addition, understanding vital records and forms supporting critical business activities, provides a way of identifying storage needs. Storage cost is a major drain on business budget and the good business continuity management plan is essential in setting business priorities. 5 Conclusions In conclusion, discipline is important in protecting business physical security, risk management, logical security, and insurance. It is significant if conducted in conjunction with a programme for business continuity management emphasizing business critical activities. On the other hand, Business continuity management ensures response preparation. Proper response to business crisis requires teams to support response and recovery operations. Business continuity management provides reassurance to business external and internal stakeholders that the business operations have the capacity of meeting the needs of the customers and that the business is prepared for any disaster that may arise. A robust business continuity management programme requires collaboration and upgrading of key business suppliers, which will significantly improve the entire supplier chain. Ability to fight diversity gives the business an edge against competitors. BCM is thus, more than insurance to a company with capability of recognizing sustainable and reliable business partner, enhanced business reputation, improved consumer confidence, assets protection, business infrastructure security, maintaining business operations and minimizing financial impact during business crisis. By increasing business resilience, Business continuity management further boosts a country economic status as a trustworthy business hub. This significantly attracts external and internal investors creating more opportunity for business growth. Business preparedness for crisis and disaster collectively enhance its resilience to problems. References Ashton, B., 2005. "The Audit of business continuity management." Edpacs, 32(8), pp.7-12. Blyth, M., 2009. Business continuity management: Building an effective incident management Plan. Hoboken, NJ: J. Wiley & Sons. Cerullo, V. and Michael, C., 2004. "Business continuity planning: A comprehensive approach." information systems management 21(3), pp.70-78. Everest, D. and Roy, G., 2008. Business continuity Management. Altamonte Springs, FL: Institute of Internal Auditors. Gibb, F., and Buchanan, S., 2006. "A Framework for business continuity management." international journal of information management 26(2), pp.128-141. Hiles, A., 2007. The definitive handbook of business continuity management. Chichester, England: John Wiley & Sons. Jacques, B. and Rossouw, V., 2004. "A cyclic approach to business continuity planning". Information Management & Computer Security, 12 (4), pp.328-337. Lindström, J., Sören S. and Hägerfors, A., 2010. "Business continuity planning methodology." disaster prevention and management 19(2), pp. 243-255. Trsozt, C., 2010."Business Continuity Management Für KMU." Datenschutz Und Datensicherheit – DuD, 34(6), pp. 404-407. Thiel, D., 2007. Business Continuity Management: Part 2 : Specification. London: British Standards Institution. "What Is Business Continuity Management? - BSI Business Continuity Management." Business Continuity Management and BS 25 999 Resources - BSI Business Continuity Management. Web. 30 Oct. 2011. . Wilsh, H., 2006. Business continuity management. London: British Standards. Read More