Emergency planning and Business Continuity Management - Research Proposal Example

Page Essay Emergency planning and Business Continuity Management and how they may be integrated with Security Risk Management Mark Cowan Date of completion: 11 March, 2011 Word count: 4,950 Abstract Business environment has become complex. Various internal and external factors contribute in this complexity. Organisations have no choice but to determine and manage the risks. Business continuity management system is a wide fit-for purpose standard. This standard entails the fundamental components essential to guiding an organisation on different organisational matters. On the road to progress, emergencies and disasters cannot be avoided or wished away. For them emergency planning can be done to deter or prevent the effects of any emergency. 9/11 changed the world and brought the fear of security, locally, regionally and globally. Organisations have no choice but to manage the risk and ensure the stability of all stakeholders with the use and application of corporate governance and other standards. The integration among business continuity management, emergency planning and security risk management proves to be the only reliable way to attain and retain the corporate objectives. Emergency planning and Business Continuity Management and how they may be integrated with Security Risk Management. Introduction The global business environment doesn’t remain the same! Much has changed and much has become complex too. In this environmental complexity, a huge role is being played by globalisation. The developed world undoubtedly observes the saturation of markets. Consequently, the corporations need to search out new investment and business avenues to ensure their corporate existence in the corporate world. The markets of America; and most of European countries have less chances of facilitating the needs of large and big organisations in terms of goods and services; organisations have no other choice left except for taking on more risky investment destinations; such as Asia, Latin America and Africa. As a result, various security risks and challenges would be faced while doing business in these risky investment destinations. Additionally, as the security risk becomes wider and deeper practically and psychologically as well, different measures are pursued, and introduced; among these measures; corporate social responsibility and corporate governance are more heard and are more demanded by security and regulatory authorities. As the issue of security is becoming a more and more challenging in each passing day, organisations need different and applicable ways to handle and minimise the risks that directly or indirectly threaten the existence of their businesses. Some standards, such as Business Continuity Management System (BCMS) are mostly used by the organisations. With the adoption and implementation of the BCMS, an organisation becomes in a position to handle and even withstand business damaging events that may endanger the attainment of its strategic objectives and so on. This standard enables the top management of an organisation to manage the unfavourable business events as well. This capability is highly required and needed under the current complex business environment situation. The BCSM standard possesses capability to direct and guide an organisation to constantly and continuously pursue and apply the concept of improvement within the organisation. As the wave of change cannot be withered away and nor can it be avoided, this standard would be of a great help to adjust the organisational objectives in the most appropriate way. Due to its comprehensiveness, BCMS standard safeguards the interests of internal stakeholders and the interests of external stakeholders. The applicability and use of this standard cannot be limited to a particular industry or to a particular organisation; instead, this standard can be understood and adopted by any type of organisations. This standard incorporates such features in its structure that are not particular to any specific type of organisation; rather, regardless of structure, scope, size of organisations, this standard is well equipped enough to adjust and accommodate a variety of organisations. The geographic, social, cultural, jurisdictional and operational environments are equally adjusted and accommodated by this standard. Various factors determine the ultimate benefits from the application of the BCMS. For instance, to determine the success of a BCMS, the strategic management needs to be active in its role. By actively engaging in the organisational activities, the top management would be in a position to ensure the attainment of proper and required level of benefits from the standard of BCMS: Any compromise or any lack of commitment from the side of strategic management would only bring compromises on the attainment of corporate objectives. The security risk has huge and diverse implications; consequently, the concept of emergency planning can also be a way to address and manage the implications in the most appropriate way. Emergency does not come alone; it brings the occurrence of unpleasant events that may be in a form of significant injuries to customers, employees or to the public (Fema, 1993). Under this situation, it would be nearly impossible to predict the level of loss that comes along with the occurrence of emergency. Emergency can put a business on hold; hitting severely at the heart of a business or disrupting business operations, causing environment or physical loss, or endangering the financial position or current level of public perception. According to Fema (1993), emergency could occur in any one of the following events: Flood, hurricane, tornado, fire, earthquake, winter storm; and failure of communications, civil disturbance; and loss of key supplier or loss of customer. The occurrence of any of the above mentioned factors may require a different set of response and different type of handling and management. A one operational strategy cannot be selected for all of above mentioned emergencies: Each requires a different operational strategy for the purpose of management. For instance, if an organisation totally depends on the skills of employees, and a considerable amount of success depends on the services of the employees; in this type of situation, the top management must have a back-up plan in case of losing a key employee. As the loss of key employee can have a substantial amount of effect on the life and earnings of the organisation, the tool of emergency planning can be of a great value and significance to minimise or withstand the possible and probable business losses or business risks in the most required and appropriate way. The possibility and occurrence of unpleasant business events cannot be ruled out. Security risks have become a part of today’s business environment. Threats, like organised civil and corporate crimes, the menace of terrorism and information security have become so real that their existence cannot be underestimated or overlooked or neglected. Undoubtedly, today’s complex business environment pushes organisations to do business by managing security risks and other security related factors. For the smooth and continued existence of business, an equal and appropriate risk management policy needs a sufficient amount of management. This piece of essay writing is going to analyse the integration of BCMS, emergency planning and security risk management. Is this integration necessary? What is the way to ensure the attainment and retention of corporate objectives with the help of security risk management? These are the basic questions, which are answered below. Business Continuity Management System (BCMS) A Business Continuity Management System (BCMS) is an organisation-wide process that determines a strategic, fit-for-purpose and operational framework (Briggs, 2006). BCMS consists of some fundamental components that determine the aggregate structure of BCMS. Basically, there are four fundamental components: 1- A policy providing a fundamental framework for management’s business continuity objectives and expectations; 2- A set of definitions of roles, resources and responsibilities; 3- A descriptive management process relating to: a- Policy; b- Strategic planning; c- Business continuity planning and procedural adoption, implementation and operation; d- Assessment of performance; e- Review of management; and f- Continual improvement. (Briggs, 2006). 4- A documentary set providing auditable set of evidence defining and explaining a method of implementation and repeatability. This standard provides a sufficient amount of guidance. The BCMS enables and equips an organisation to identify, understand, devise and adopt internal and external policies. Internally, this standard gives a comprehensive set to determine different roles and their responsibilities, and this standard helps to use resources in an appropriate way. The provision of these basic terms and their conceptual clarity provides a sufficient amount of help for organisations in their quest for the attaining and retaining strategic and operational goals and objectives. Additionally, for any organisation, a definition and a role of policy possess a paramount importance. Since organisations need practical and understandable policy mechanism to run and manage the affairs of the business, the role and use of policy cannot be underestimated. Understanding of the organisational policies ensures that all pillars of an organisation are working and performing their part according to their organisational expectations. It is the role and function of organisational policy to determine an appropriate use of a specific resource. Since organisations have multiple resources like, time, employees, physical infrastructure and so on, any ambiguity or absence of policy on a use of a particular resource would only bring compromises on organisational objectives. Due to complex business environment, organisations are not in a position to further sustain and afford the costs of compromises. More importantly, strategic planning receives a profound importance from the strategic management of organisations. Strategic planning is defined as the art and science of formulating, adopting and evaluating the cross functional decisions that enables an organisation to attain and sustain its objectives (David, 2005). More clearly, the concept of strategic planning explains integrating management, marketing, finance, production, operations, research and development and computer information systems to attain and retain the corporate objectives of an organisation. Strategic planning seems putting and showing its presence in almost each and every action that is performed and taken inside the boundary of an organisation, or that action directly or indirectly belongs to the organisation. It is a rope of strategic planning that does not allow disintegration of the organisational objectives under any condition. Rather, this rope of strategic planning ensures the close integration and coordination among the different constituents of the organisation. Uses of BCMS Multiple uses are offered by the standard of BCMS. First, risk minimisation can be obtained. Risk minimisation is achieved when an organisation adopts an appropriate policy and strategy. This depends on the identification of the risks. On the basis of identified risks, the organisation develops and implements a risk minimisation policy. Also, risk mitigation policy is also developed and used in the same way. Besides, a room for improvement is always open. Organisations learn from their experiences. Sometimes, this experience remains positive and sometimes negative. But, organisations learn from both types of experiences. The positive experience is used for the purpose of organisational improvement; and the negative experience is used to learn a lesson from it. Limitations of BCMS standard No standard can be a model of perfection. Consequently, there are some limitations attached with this standard. The implementation of this standard does not ensure the sufficiency of preparedness, continuity and outcomes of response. Furthermore, a cost benefit analysis must be carried out before implementing the standard of BCMs. Sometimes, the implementation of the components of BCMS may not be providing more benefits than the costs. Also, this standard does not provide absolute requirements for continuity, response, preparedness or recovery performance. This means that an organisation must not consider this standard as an example of absolute recipe for the fulfilment of organisational needs and requirements. Although, some basic rules and criteria are mentioned and given in this standard, but these standards do not pass the test of self-sufficiency. But, this standard only helps organisations in complying with a set of relevant and applicable legal and regulatory requirements, which organisations are bound to comply with. Emergency Planning Emergencies can happen anytime. There is no particular tool to exactly predict the nature and type of emergency and the scale of devastation. Even if one is able to predict a possibility of emergency in the shape of natural disaster like tornado or hurricane, that one would not be in a position to exactly prescribe and suggest the magnitude of devastation and death toll associated with that natural disaster. Here, this description identifies human’s limitations to deter the occurrence of any sort of natural disaster or emergency. But, that does not mean that humans have no options! The concept of emergency planning brings a ray of hope. Emergency planning has many steps. The subsequent implementation of these steps ensures the attainment of expected objectives. In this dynamic process training, testing equipment, conducting drills and coordinating activities are carried out. More importantly, some important steps can be identified and they are: 1) establishing a planning team; 2) analysing and evaluating capabilities and hazards; 3) devising and developing the plan; and 4) implementing the plan. Availability of resources determines the role of a planning team. The resources are the fundamental factors. Many organisations do not have sufficient resources. And they are given limited resources to run and manage the affairs. For small and medium enterprises, a shortage of required resources is one of the biggest hurdles. As a result, for small and medium enterprises, developing and maintaining a planning team pose a great challenge. Even some large organisations avoid developing and maintaining a planning team due to the cost factor. The size of planning team depends on the resources, requirements and facility operations. Since manpower, physical equipment, training material, appropriate and required level of knowledge and application of knowledge are the fundamental parts of a planning team, an organisation must plan and develop a planning team under a supervision of safety officer. Analysing capabilities tends to be a difficult task. Gathering information about the current level of capabilities of planning team is not an easy process; and evaluating the chances of possible emergencies is also a difficult process. It is necessary for organisations to gather information about the capabilities of planning team and to evaluate chances of possible emergences. This gathering of information would help an organisation to properly understand its existing level of capabilities. On the basis of this information, the organisation would become in a position to determine its current and future planning on the planning team. Devising a plan to respond an emergency requires the use of some basic information about some of the relevant hazards or threats. For instance, if an organisation is involved manufacturing some hazardous material like nuclear fuel. The risk of emergency for employees working in a nuclear laboratory becomes a possible threat. In this type of situation, the organisation must have sufficient information about the relevant and related hazards of nuclear material; and it must have a plan to manage any possible emergency. Implementing an emergency plan depends on the subsequent execution of the previous steps. If an organisation has established a planning team equipped with information and knowledge and training, and that planning team is also fully equipped with the necessary elements of emergency backup, in that case, that organisation would become in a position to implement the emergency plan. Security Risk Management Interestingly, there is no one single globally accepted definition of the term ‘risk’. According to the Oxford English Dictionary,’ the possibility that something unpleasant will happen’ can be called as risk. Additionally, the term risk is defined and understood in different contexts with different meanings. For instance, Hay-Gibson (2009) defines risk as … a chance of an event’s happening in terms of its possibility and likelihood, mostly with a negative and unpleasant connotation. Risk and security are normally heard collectively. The word ‘security’ is linked with a certain level of insufficiency and incompleteness and vulnerability (Howie, 2009). Additionally, security professionals and scholars on security study have no disagreement that security can rarely be totally impenetrable and 100 per cent reliable (Wood and Dupont, 2006; Zedner, 2003). In a similar vein, Friedland and Merari (1985) explained that terrorists sought to invent a perception of terrorism unequal and disproportionate to any actual and real threat or danger posed. The events of 9/11 revitalised the concept of security globally. Even after three years, a survey highlighted some startling facts. In the year of 2004, MORI poll was conducted about the existing level of security and its implications. In this poll, 97 per cent were still felt that security was a major concern for them. 82 per cent revealed that they spend more on the maintenance of security now than they did five years ago. Additionally, 57 per cent expected to be spending more in the coming five years (Business Security Survey, 2004). The same poll suggested that 87 per cent of investors understand and feel that if a company fails to handle and manage a security issue quickly and effectively it would push them to change their perception about the company; more seriously, 61 per cent of investors felt that in case of a security breach, a negative image would be attached with the company’s corporate brand and its reputation; half of them were of the opinion that the share price would be affected, and while 45 per cent were of the view that the company would lose customer loyalty. Corporate Governance Security and risk are no more considered to be a minor issue. They have become one of the major issues faced by the companies locally, regionally and globally as well. In the business world, to manage risk and security issues, organisations have established the corporate security departments. They are made responsible to enforce appropriate security measures and ensure the measures are functioning accordingly. And the most important areas of security and risk are corporate governance, information assurance, business continuity, crisis management, and reputation management as well. These all are fundamental and highly significant aspects of security. Among them, the most important one is term corporate governance, which is more clearly defined as “the system by which business corporations are controlled and directed” (Sir Adrian Cadbury as quoted in Organisation for Economic Co-operation and Development, 2004). More importantly, corporate governance is considered to be a relationship between three parties. In which, three are responsible to understand and perform their role in accordance to their given standards. Three parties are: the board of directors, shareholders and management. And shareholders are mostly concerned with the profit maximization (Freeman, 2011). Since the shareholders are those people whose financial interests are involved, and they are managed by the board of directors and the management, this situation requires the determination and establishment of certain security measures that ensure the financial interests of the shareholders are safe and secure. The shareholders must be given a sort of feeling that ensure that their financial interests are safe under the strong regulations and other measures. The debacle of Enron, WorldCom and Tyco considerably decreased the level of trust on organisations. These high profile corporate failures raised many questions on the prevalent and provided corporate regulations, guidelines, protocols and other voluntary and compulsory codes of best practice. The emergence of such colossal financial debacles highly created a trust deficit between all the relevant stakeholders and shareholders. Ciancutti and steding (2001) said that any organisation in which people earn one another’s trust and confidence, and that commands trust from the public, has a competitive advantage. It can draw the best people, inspire consumer loyalty, reach out successfully to new markets, and provide more innovative products and services. At the beginning of the previous decade, some 43 states of the world directly subscribed and published the codes of corporate governance. Additionally, OECD, International Monetary fund and the World Bank were not back in this attempt of security risk management: They discussed, developed and issued their policy papers describing and highlighting the important guidelines on the issues of security risk and security risk management. Most importantly, the Turnbull Report in the United Kingdom came out with the requirement for the publicly listed and publicly traded companies to issue a report on the risks and related strategies of risk management in their annual accounts (Institute of Chartered Accountants, 1999). The year of 2002 was very much importance from corporate security point of view. The Sarbanes-Oxley Act (SOX) came in response to the collapse of Enron and other giant organisations in the United States of America. After a huge and considerable examination and investigation behind the debacle of Enron, this Act came into force. This Act truly highlighted the grave issues that could really cost the lives of big and large corporations like Enron. This Act entailed issues such as the development and establishment of a public company accounting oversight board, corporate responsibility, and independence of auditor and enhanced financial disclosures (The Sarbanes-Oxley Act, 2002). In the same direction, the role of banks has become more responsible and critical too. Basel II was developed to highlight the role of banks in the context of risk. After consuming a sufficient amount of time and energy, Basel Committee on the issue of Banking Supervision provided some recommendations. Basel Committee had established Basel II, which is a set of recommendations on the issue of Banking Supervision in which the issue of governance of loss is discussed and provided (Basel Committee on Banking Supervision, 2005). This Basel Committee separated loss events into seven general categories, some of them fall within the range and ambit of corporate security: External fraud, employee practices, safety of workplace, internal fraud, clients, products and business practice. Management of security has become a part of corporate governance. The operating practices and security risks have become interdependent; this fact has necessitated the need of convergence of corporate governance and security risk management. As a result, many organisations do not operate without taking into account the security implications. Organisations have a very strong sense of realization that their operating practices cannot be executed in the required way and they may not be able to ensure the achievement of their corporate objectives without the help and support of the establishment of required level of security. Many causes require the convergence of corporate security and operating practices. Among these causes, the most important are risks like fraud, negligence, information security and information assurance, money laundering, employee conduct, business continuity planning, and corruption. Integration of Security Risk Management and Business Continuity Management Security risk management is integrated to the Business continuity management system. Their integration ensures the attainment and retention of corporate objectives and corporate goals. With their integration, organisations are required to include some additional features and components in their list of corporate objectives. These new components tend to be related with the aspects of risk and its management. There is no way to avoid incorporating aspects of risks in the corporate objectives. It is highly needed for organisations; their entire corporate existence and corporate business continuity management greatly depends on it. It is like developing a fence around the corporate objectives of an organisation in the shape of security risk management. This fence helps to ensure the attainment and retention of corporate objectives as the organisation expects the achievement of these corporate objectives. In this situation, it is highly vital to understand the real factors that have made the convergence and integration of security risk management and business continuity management. On the whole, there are five fundamental factors that have played a significant role behind the convergence of these two factors: 1) rapid increase of the enterprises;2) migration of value from the physical aspect to knowledge-based and intangible assets;3) emergence of new technologies; 4) new regulatory and compliance based requirements; 5) constant push for cost reduction (Briggs,2006). Rapid increase of the enterprises Globalization and expansion of organisations has added to complexity. This complexity, now, seems to be a part of a global economy. And in this global economy, businesses are observing mergers and acquisitions. Additionally, outsourcing is also increasing with an unstoppable speed and pace. There could be other various reasons that push organisations to increase and expand in other parts of world. Mostly, the big and large organisations exist in the developed world like Europe and America, Where organisations have been considerably successful to attain and retain their objectives in a way they want to. Now, since expansion and expansionary steps are the integral parts of large and big organisations, organisations have to move out beyond their traditional commercial grounds. Attaining and retaining these strategic corporate objectives would not be an easy adventure for most of the organisations. Asia, Africa, Middle East have a considerable amount of potential. The potential in the sense that it can cater the corporate objectives of those organisations wishing and planning to expand; and this potential cannot be availed without the help of comprehensive security plan and risk management. The recent history suggests that these parts of world have no such type and no such level of security that is normally observed and experienced in the regions of Europe or America. Migration of value from the physical aspect to knowledge-based and intangible assets Intangible assets constantly outshine the significance of tangible assets. And this situation pushes shifting the concept of value from the components of tangible assets to the parts of intangible assets. Previously, we were considerably and sufficiently depending on the use and application of physical assets. The physical assets could be any type of asset that can be physically touched, and it must have an economic value. Most of these assets are used to facilitate the attainment and retention of corporate objectives by the different organisations. By using the physical assets, organisations become in a position to continue doing their businesses. It is the support and use of physical assets that have constantly worked in a way to support the operational and corporate objectives. Since the physical assets are mostly facilitating the process of achieving the corporate and business objectives, organisations find it reasonable and appropriate to value them and incorporate them as their significant parts supporting the business operations. But, world is changing now and values are shifting from physical assets to non-physical assets. Emergence of new technologies The colossal impact of technology on organisations is indelible. Each and every component of business world is being modified in a way to accommodate its virtual value and virtual existence. Technology has been successful to define many business activities in a technological shape and in a technological way. This situation requires organisations, which are operating physically in the non-virtual world, to modify their traditional business style and virtualise themselves on the land of technology. Willing or unwillingly, organisations have no choice: Their continued business existence is now attached with the adoption of means of technology. By not following or by not understanding the importance of technology and technological needs, organisations would not be able to ensure continue doing business as they are currently doing in the commercial world. But switching from physical world to the virtual world is not risk-free. This means, the use of technology cannot assure the safety and security of business existence in the upcoming virtual technological world. Here, new types of risks are waiting for organisations. In the initial phase of technology, organisations would not be fully aware of possible threats or hazards that have their existence in the technological world. But, they have to identify potential risks and develop their risk management strategies on the land of virtual world. New regulatory and compliance based requirements Regulations require compliance of certain standards. Various reasons require the compliance of regulatory standards. In order to avoid and deter new and possible threats in business interactions, it is mandatory to follow certain rules of compliance. It is the force of regulations that ensure the integration of security risk management and business continuity management. Recent history has provided such examples in the shape of Enron debacle and so on. These huge corporate scandals took away a huge amount of money of shareholders. Nowadays, investors are more worried about their investments. They are fearful about the possibility of terrorist attacks. Shareholders do not trust on the board of directors and management as much as they used to trust before the events of the debacles of Enron, WorldCom. Furthermore, it would not be incorrect to say that the events of 9/11 have also increased the security fear of shareholders and investors and other interested people. The issue of security is attached with every business concept nowadays. The threat and perception of security is real and perceivable. Now, in order to increase the confidence and build up the trust of shareholders and investors, the regulations are made and enforced. This regulatory enforcement would ensure that organisations should devise and implement such corporate policies in which the incorporation or inclusion of security risk management and with business continuity management is ensured. For the attainment of that colossal objective, the relevant security agencies and relevant regulatory authorities are ensuring the compliance of relevant security related standards are properly made and carried out by the organisations. Conclusion Business environment has become complex. This complexity is mostly contributed by many new emerging players and factors on the map of the corporate world. Among them, security risk and emergency planning are the prominent one. Business continuity management is a comprehensive term: It is wide and deeper in its sense, meaning and in its application as well. This business continuity management entails the components like policy, a set of definitions of roles, resources and responsibilities; strategic planning, operational procedures, performance assessment, management review and continual improvement. Emergency planning has become a part of today’s businesses. For internal emergencies and other aspects of small emergencies, the tool of emergency planning is used by organisations. On the other hand, there are other threats and hazards that could threat the entire existence of an organisation externally. In order to handle and manage such threats and risks, organisations, nowadays prefer to integrate the business continuity management with the security risk management. By managing their risks and security issues, organisations could easily be able to obtain its strategic objectives and goals. Undoubtedly, the integration of business continuity management, emergency planning and security risk management ensures the attainment of corporate objectives. References 1. Freeman, LN2003, ‘Poor corporate governance makes business headlines’, Ophthalmology Times, Advanstar Communications, High Beam Research,[Accessed on: 8 March, 2011] [Available at: http://www.highbeam.com] 2. Fema, 1993, ‘Emergency Management Guide for Business and Industry’, Available at: http://www.fema.gov/pdf/library/bizindst.pdf] [Accessed on: 7 March, 2011]. 3. Briggs, R 2006, ‘The business of resilience: corporate security for the 21st century’, London England: Demos.   4. David, FR 2005, ‘Strategic Management: Concepts and Cases’, Delhi, Pearson. 5. Business Security Survey 2004 6. Organisation for Economic Co-operation and Development 2004, ‘definition of corporate governance’, [Available at: http://www.oecd.org/dataoecd/18/47/34080477.pdf ] [ Accessed on: 9 March, 2011] 7. Ciancutti, AR, Steding, TL 2001, ‘Built on Trust: Gaining competitive advantage in any organisation, Burr Ridge, IL: McGraw-Hill Education. 8. Institute of Charted accountants ,1999, Internal Control: Guidance for directors on the Combined Code (the Turnbull Report), London: The Institute Of Chartered Accountants in England & Wales 9. The Sarbanes-Oxley Act of 2002, (Pub.L.No.107-204, 116 Stat.745), commonly known as the Public Company Accounting Reform and Investor Protection Act of 2002. 10. Basel Committee on Banking Supervision 2005, Basel II: International Convergence of Capital Measurement and Capital Standards: a revised framework 11. Howie, L 2009, ‘A role for business in the War on Terror’, Disaster Prevention and Management, 18(2), 100-107.   12. Wood, J, Dupont, B2006, (Eds),’Democracy, Society and the Governance of Security’, Cambridge University Press, Cambridge, 13. Zedner, L2003, ‘The concept of security: an agenda for comparative analysis’, Legal Studies, Vol. 23 No.1, pp.153-76. 14. Hay-Gibson, NV 2009, ‘A river of risk: a diagram of the history and historiography of risk management’, The Northumbria Working Paper Series: Interdisciplinary Studies in the Built and Virtual Environment (2), Northumbria University, Newcastle upon Tyne, working paper, pp.148-58. 15. Friedland, N, Merari, A 1985, ‘The psychological impact of terrorism: a double-edged sword’, Political Psychology, Vol. 6 No.4, pp.591-604. Read More