Business Continuity and Crisis Management - Literature review Example

Business Continuity and Crisis Management Student’s name Course Tutor’s name Date Business Continuity and Crisis Management In the concluding years of the 20th century, organisations (both in the public and private sectors) became increasingly reliant on information systems. As the year 2000 approached however, the public feared that the dreaded ‘Y2K bug’ would crash all the information systems, especially those hosted on computer systems. Consequently, managers and security leaders throughout the world developed disaster recovery plans that mainly sought to ensure that systems would continue even if the Y2K bug was to become a reality (Reynolds 2004). According to Reynolds (2004, p.7) huge budgets were dedicated to the creation of disaster recovery plans, because “the prospect of conducting business without the availability of critical systems was too much to endure for many CEOs”. Although Y2K passed with barely any hitches, it left lessons that were viewed differently by the private sector and governments. According to Peck (2006, p. 7), players in the private sector questioned the need to spend huge amounts of resources preparing for things that would probably never happen, while governments saw business continuity (BC) planning as a “template for dealing with other potentially disruptive events”. According to Hiles (2007), BC planning was and is part of the business continuity management (BCM) discipline. The underlying concepts of BCM were started in the mid-1980s, specifically for purposes of recovering from an IT-related disaster. In the wake of the 9/11 terrorist attack in the US however, governments and organisations realised that not only were business systems prone to disasters, but that vital assets such as employees, buildings, customers and valuable data among other things could be destroyed through man-made or natural disasters (Reynolds 2004). Such realisation according to Reynolds (2004) marked the beginning of comprehensive deliberations on how to ensure that business continuity would be managed properly even when disasters occur. Prior to the 9/11 terrorist attack, business continuity had been discussed in literature as a one-off thing rather than a management process. Reynolds (2013, p.13) however observes that with BCM, a process through which business continuity plans would be executed was established. Through BCM, Reynolds (2004, p. 13) further observes that benchmarks were laid for business continuity plans requiring them to be “maintained and kept up-to-date”. Since the 9/11 terrorist attack on the American territory, BCM realigned again, and by 2003, it had included mission critical activities at its focus, thus aligning the entire concept to cover corporate governance agenda and corporate risk management (Peck 2006, p. 7). Elliot et al. (2002, cited in Pitt and Goyal (2004, p. 87) has described BCM as an evolving concept, whose genesis is in information systems. The 1970s mindset where continuity planning revolved around the need for protecting computer systems eventually gave way to the auditing mindset common in the 1980s. According to Pitt and Goyal (2004, p. 87), the latter mindset was necessitated by technological changes that made auditing important for purposes of enhancing responsibility in PC usage. In 1990s, a value mindset took precedence, and with it came the recognition that BCM was important for purposes of adding value to the organisation (Ibid.). The British Standards Institution (BSI 2006, p. 1) reflects the changing meaning of BCM and has thus defined the concept as the: “Holistic management process that identifies potential threats to an organisation and the impacts to business operations that those threats if realised, might cause, and which provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputations, brand and value-creating activities”. From the BSI (2006) definition above, it is clear that BCM is involves the management, recovery, and/or continuation of businesses where a disruption has occurred. According to BSI (2006, p. 1), the BCM programme involves training, reviews, and exercise, which are geared towards ensuring that continuity plans are updated regularly. Notably, BCM is “business-owned, business-driven” and seeks to enhance a business entity’s resilience to disruptions, provide a rehearsed way of restoring a business entity’s supply of goods and services, and provide a management approach for protecting the business entity’s brand and reputation (BSI 2006, p. 6). Without proper management, even the most well laid out plans would be ineffective. But how can BCM can help an organisation manage challenges presented by the complex, risky and uncertain business environment? Well, According to HM Government (n.d., p. 5) an effective BCM programme management includes three steps namely: “assigning responsibilities; establishing and implementing BCM in the organisation; and ongoing management”. In the first step where responsibilities are assigned, people in an organisation need to work together to make BCM effective (Botha & Solms 2004, p. 329). In other words, there must be a senior management buy-in, and the workforce must be willing to join in too. When such happens, there is internal cohesion within an organisation. Additionally, since the responsibility to advance the BCM agenda (and make sure it is updated and current) is under individuals or a group of people, these parties are dedicated towards ensuring that it becomes a success since their efficiency in the workplace is ultimately based on how well BCM programmes are. If any challenge related to abrupt disruptions in the business occurs, the organisation would be ready to handle the same and revert to normalcy with minimal consequences on their bottom-line or on their reputation. The second step, which involves the establishment and implementation of BCM, includes: informing internal stakeholders (e.g. shareholders, employees, and suppliers) about the programme; training staff; ensuring BCM-related activities are complete; and testing the BCM arrangements (HM Government n.d., p. 5). Such activities would help organisations to overcome challenges in the internal and external business environments because they inspire trust among different shareholders in a manner that would enable the organisation to handle the challenges effectively. For example, through training staff, organisations are well prepared to take up abrupt challenges hence meaning that valuable response time is saved and by so doing, the organisation’s image is projected positively to the external stakeholders. Shareholders who are well aware of the BCM would also be less likely to sell of their stake with the company based on slight problems experienced by the organisation; instead, they would probably give the organisation time to recover from disruptions in the operating environment. The third step (ongoing management) ensures that people in charge of the BCM responsibility review and update the BC plans and documents. Additionally, it ensures that the people in charge of the BCM task promote BC in the organisation on a continuous basis in addition to administering tests. Finally, those responsible for BCM need to include lessons learned (either internally or externally) to the BCM programme in addition to upholding best practice (HM Government n.d., p. 5). Through ongoing BCM management therefore, organisations are better prepared (through building internal capacities to manage business continuity) to handle challenges in the risky, complex, and uncertain business environment. Notably, the benefits of using BCM in a complex, risky and an uncertain business environment have been discussed widely by scholars, business analysts and government agencies as well. According to BSI (2008, p. 6) and Botha and Solms (2004, p. 330) for example, BCM gives firms a competitive advantage. Specifically, the ability of an organisation to provide assurance through a BCM plan to stakeholders that a business will continue even if a disaster hits it is likely to provide the organisation with a competitive edge. BSI (2008, p. 6) specifically states that “being able to demonstrate that, even in the most trying circumstances, an organisation is capable of maintaining operations, can impress clients” immensely. Moreover, BCM can strengthen relationships with existing clients while attracting new ones to the organisation. In addition to being a competitive benefit, BSI (2008, p. 7) observes that there is an emergence of a commercial approach to BCM in addition to being perceived as a disruption management mechanism. More so, the rule of the jungle where only the fittest survive is seen to make some sense to clients, who increasingly want to be associated with organisations that manage disruptions effectively. BCM is also increasingly becoming a prerequisite to attaining business through tenders. As BSI (2008, p. 7) notes for example, more companies want to see the BCM plan of bidders before awarding contracts. This could be interpreted to mean that contractors do not want to award business to organisations whose continuity in the event of a disruption cannot be guaranteed. Subsequent to this, some governments (e.g. the UK government) give advice to large businesses about business continuity planning as indicated by Roberts (2006). Another advantage of BCM is that it can preserve and enhance the reputation of an organisation. As BSI (2008, p. 7) notes, “reputational risk is considered by many organisations to be the number one risk they face”. Unfortunately, the reputation that can be destroyed in a short time often takes years to build. With good BCM plans however, organisations can limit their exposure to disruptive events in the market and also enhance their abilities to return to normalcy in the event of a disruption. By so doing, organisations are able to preserve, and in some cases, enhance their reputations. Another benefit of using BCM is that in cases where disruptions occur, the effective management of such scenarios often affect the share values of the organisation positively in the long-term. BSI (2008, p. 7) observes that while share prices may initially crash, managing a disruption effectively is often ‘rewarded’ with share value “not only return to pre-incident levels, but actually rise above them”. In contrast, organisations that fail to manage disruptions effectively often never recover their share value. Overall, BCM enables organisations to take a comprehensive look at their external and internal environments, and by so doing, derive the twin benefits of understanding risk exposures and understanding the organisation. As BSI (2008, p. 7) observes, BCM is a worthwhile investment because through a comprehensive understanding of the risk and continuity management in a business, the organisation can effectively save monies spent on insurance, protection measures and can even reduce the budgets allocated to business continuity management plans. Such budget reductions would be made without compromising the organisation’s overall protection. Closely linked to the aforementioned is that through BCM, organisations get a better understanding of their business processes. Most of the understanding created during the BCM process stems from the risk and business impact analyses performed. Specifically, the processes create understanding in matters related to the critical business functions, fundamental dependencies – which include human resource, capital, knowledge and skills, the potential cash and non-monetary losses, and the time window by which a business can recover the losses without the impact having a significant effect on the operations (Elliot, Swartz & Herbane 2010, p. 34). As illustrated in figure 1 below, understanding the organisation is a core component of the BCM lifecycle. In other words, an organisation cannot come up with a business continuity strategy, plan or programme without understanding itself comprehensively first. Through such understanding, organisations can streamline or enhance processes for purposes of facilitating stability in operations. Additionally, and as organisations seek to understand themselves, they engage in developing and documenting their findings. According to BSI (2006, p. 8), such processes of self-reflection and self-awareness enable organisations to understand their relationships with other stakeholders such as the regulators and competitors, and by so doing, they become aware of the relative positions, strengths, weaknesses and competitiveness in the industries they operate in. Wong (2009, p. 64) further observes that BCM enables an organisation to engage in long-term planning, and by so doing, contributes to future success and competitiveness. Overall, BSI (2006, p. 8) observes that through an effective BCM programme, organisations can effectively succeed in the complex, risky, and uncertain business world by identifying and protecting their main products and/or services for purposes of continuity. Further, organisations develop and enable capabilities to manage incidents through effective responses. Another important aspect that emerges in the BCM process is that organisations understand the essential nature of effective communication. Additionally, they appreciate the need to secure the supply chain, protect their reputation, understand stakeholder requirements and deliver on the same, and understand the importance of complying with regulatory and legal obligations. Figure 1: BCM lifecycle Source (BSI 2006, p. 9) The value of having BCM is perhaps better realised in the wake of an abrupt (unexpected) disruption to business. As Bird (2007, p. 567) infers, it is such disruptions to business that trigger awareness of “what business continuity is and why it is so important to corporate survival”. In other words, the presence (and effective application) of BCM can determine whether or not an organisation survives an abrupt disruption in its business. As Warren Buffet (cited by Bird 2007, p. 567) notes, “it can take 20 years to build a business and 15 minutes to destroy”. The value of effective BCM is also evident in how organisations handle not just the incident, but also the representation of the incident. Another indirect source of BCM value is related to the marketing potential that good disaster management has. As Hiles (2007, p. 531) notes, “Seamless integration with the customer is often crucial to retention of market share”. In other words, organisations cannot simply fail to supply products or services to customers just because a disaster hit them. Closely tied to the marketing value is the financial value which is a direct consequence of the time lapse that is between the unexpected incident and the resumption of normal operations by the company. Ideally, the shorter the delay in resuming operations, the better the expected financial results would be. As Hiles (2007, p. 531) notes, “many contracts contain liquidated damages or penalty clauses”, and even force majeure defences are increasingly being contested on the argument that subject organisations should have foreseen, and used safeguards to eliminate and/or limit damages they expose their customers to. On the financial value, HM Government (n.d., p. 10) also notes that insurers now recognise the value of BCM and therefore offer premiums to reflect the protection afforded to an organisation by its BCM programmes. Quality is also another source of value that BCM brings to organisations, since the quality of services should ideally remain the same (at least from the consumer’s perceptive) even during and after the disruptive event. An illustration of how quality is affected by unexpected event is offered by Peck (2006), who observes that any disruptions in the supply chain of the food and drink industry could lead to losses, and/or dissatisfied consumers. With BCM plans in place however, disruptions can be countered with effective interventions, which would ideally mean that the quality of products would not be affected, and if affected, losses incurred by retailers would be minimal. Business continuity management faces different challenges in different contexts. In some organisations, it might be cultural, economic, or simply the environment contexts where they operate in ways that pose challenges. This in turns means that even the guidelines offered by organisations like the BSI can only act as pointers, and each organisation must customise the guidelines to fit individual contexts. Even the lifecycle framework indicated in figure 1 above has to be applied to each organisational context. As indicated by Hiles (2007, p. 380), “the lack of clarity about the role of risk management in a BCM context has hindered the development of software that has any real value to a BCM professional”. In regard to proper BCM implementation, BSI (2011) observes that if organisations do not “integrate business management with risk management”, the two might counteract rather than complement each other. However, the two need to be complementary because while risk management often focuses on identifying risks and ways to effectively manage them, BCM is more concerned with what needs to be done to keep a business running should an identified or unidentified risk occur. For BCM to be implemented properly, BSI (2011, p. 10-11) recommends the use of workshops and training programmes to embed business continuity in the organisation; self assessment tools “to enable organisations to evaluate their existing BCM arrangements in line with the requirements of BS 25999-2”; gap analysis to provide an independent view of the BCM in an organisation; and an independent assessment to check compliance with existing BCM standards. As indicated in figure 2 below, an effective BCM unifies the different aspects in an organisation, including risk, emergency, facilities, supply chain, environmental, crisis, and knowledge management. Security, communications and public relations, human resources, health and safety, and IT disaster recovery are issues that an effectively implemented BCM must address. As indicated by Elliot et al. (2010, p. 65), BCM ideally concerns itself in the development of emergency plans, which would cope with different crisis scenarios. Similar sentiments are shared by Smith (2005, p. 312), who observes that BCM (and crisis management) puts emphasis “on actions to be taken by organisations” in response to potential crisis scenarios. Overall, it must be noted that BCM is a comprehensive process that considers any possible disruption in the business and strategizes on how to effectively ensure that business goes on despite such interruptions. For it to be effective, and as illustrated in the BCM lifecycle diagram in figure 1 above, an organisation must understand the business, develop business continuity strategies, develop (and implement) responses to disruptions, build and embed a BCM culture, and exercise maintenance and audit of the BCM process (Smith 2003, p. 31). Figure 2: BCM's unifying role Source: Smith (2003, p. 28) In conclusion, the contemporary business environment that organisations operate in presents different risks that if not managed properly, would lead to corporate failure and collapse. As illustrated in this paper, BCM enables organisations to prepare for eventualities that may disrupt their normal business operations, and by so doing, it not only ensures that organisations return to normalcy quickly but it also presents several advantages to organisations. Such include the fact that an organisation is able to understand itself better, stakeholders trust in its ability to recover after experiencing a disruption in the business, and the fact that BCM can strengthen existing relationships with clients and even attract others. As indicated above however, BCM is not without challenges, especially considering that it must be applied to fit the context of each organisation. This means that organisations need to dedicate time and effort towards developing an effective BCM. In the end, the effectiveness (or lack thereof) of BCM depends on how comprehensively it was modelled to cover disruptions in business. The effectiveness of the BCM strategies and plans is however ultimately gauged by whether or not business continuity is present even after a disruption in business has occurred. Overall however, and considering the risky, uncertain and often complex contemporary business environment, organisations should have comprehensive BCM, which should indicate what to do and how to do it if different disruption scenarios were to happen. After all, those who do not plan are ultimately caught unawares should the unaccepted happen. References Bird, L 2007, ‘Business continuity management: an international perspective from BCI’, In Hiles, A & B Barnes (Eds.), The definitive handbook of business continuity management, pp. 565-572 Botha, J. & Solms, R V 2004, ‘A cyclic approach to business continuity planning’, Information Management & Computer Security, vol.12, no. 4, pp. 3328-337. British Standard Institute (BSI) 2006, ‘Business continuity management- Part 1: Code of Practice’, BS 25999-1, viewed 20 February 2013, . BSI 2008, ‘Business continuity management and risk- the role of standards’, Talking Business Continuity, viewed 20 February 2013, . BSI 2011, ‘Business continuity management and risk management- the role of standards’, BSI Brochure, June, pp. 1-16, viewed 21 February 2013, Elliot, D, Swartz, E & Herbane, B 2010, Business continuity management, second edition: a Crisis management approach, Routledge, New York. Hiles, A (ed.) 2007, The Definitive handbook of business continuity management, 2nd edn, John Wiley & Sons, Chichester. HM Government n.d., ‘How prepared are you?’ Business Continuity Management Toolkit, version 1, viewed 20 February 2013, . Peck, D 2006, ‘Final report to the department for environment, food and rural affairs’, Department for Environment Food and Rural Affairs (DEFRA), viewed 20 February 2013, < http://ccwebcorp-2.dmz.cranfield.ac.uk/cds/departments/deas/pdfs/defra%20final%20report.pdf>. Pitt, M. & Goyal, S 2004, ‘Business continuity planning as a facilities management tool’, Facilities, vol. 22, no. 3/4, pp. 87-99. Reynolds, J W 2004, ‘Business continuity management: developing a process, not just a plan’, Sans Institute GIAC practical repository, version 1.4b, option 1, pp. 1-15. Roberts, J 2006, ‘Business continuity planning advice for businesses with over 250 employees’, Guide for Large Businesses, pp. 1-15, 28 February 2013, http://www.london.gov.uk/sites/default/files/guide-for-large-businesses.pdf. Smith, D 2003, ‘Business continuity and crisis management’, Management Quarterly, January 2003, pp. 27-33. Smith, D 2005, ‘Business (not) as usual: Crisis management, service recovery and the vulnerability of organisations’, Journal of Services Marketing, vol.19, no. 2, pp. 309-320. Wong, W N Z 2009, ‘The strategic skills of business continuity managers: Putting business continuity management into corporate long-term planning’, Journal of Business Continuity & Emergency Planning, vol. 4, no. 1, pp. 62-68. Read More