A business’s ability to continue operations following a disaster is directly related to the degree of its business continuity planning prior to the disaster and the quality of the resulting business continuity program. Critical to the long-term success of such a program is having responsibility for business continuity properly placed in the organizational structure. This includes an executive sponsor for the program who not only has authority and visibility throughout the company but who also understands risk management as it relates to the organization, its mission, and its strategic direction. It also includes the individual who oversees and has primary responsibility for the business continuity planning process and the person who then has ongoing ownership of the program.
In a very true sense, every business unit and every employee in the organization is responsible for the ongoing welfare of the organization, even though they may not be decision makers or have direct, specific business continuity planning responsibilities. This also includes everyone who is a part of the organization’s supply chain business units.
Business continuity planning is an initiative that many organizations have undertaken independently, each for their own set of reasons. Other organizations have been encouraged or required to address business continuity by influences outside the organization. Identifying and understanding the business continuity drivers at the onset of the planning project is important in establishing the goals for the process and its outcome. Equally important is the need to periodically revisit the original drivers to determine if new or revised requirements have created a need to revise or enhance the organization’s business continuity approach and strategies.
As a basic principle, the board of directors or the highest executive level of an organization has ultimate responsibility for ensuring that the organization is prepared to manage risk and when necessary recover from a disaster.
Executives and high-level managers all manage risk. The chair or chief executive officer (CEO) manages the organization’s reputational risks. The chief financial officer (CFO) is responsible for managing the organization’s financial risks. The chief operating officer (COO) deals with operational risks, while the chief information officer (CIO) is responsible for the organization’s data center and IT infrastructure risks. Risks from internal and external attacks are largely the concern of the chief security officer (CSO).
Astute board members and executives realize that in today’s increasingly risk-averse business climate, business continuity planning is an essential element of an overall risk management approach that improves operational reliability, quality, and even efficiency, and thus the bottom line. Where there may be a disconnect is somewhere between the time executives agree that business continuity planning is needed and the time they truly commit to it by personally and fiscally supporting the program and providing the necessary resources.
Executives are continually and understandably concerned about cost justification and return on investment (ROI). Any and all expenditures—whether in the form of cash and/or time or people resources—are always a consideration. The recession that struck in the late 2000s and its challenges have only exacerbated the need for prudent fiscal controls. Showing a traditional direct ROI from a business continuity program can be challenging, as many of the returns are not tangible and do not appear on a profit and loss statement.
Demonstrating the full value of the investment in business continuity planning requires the inclusion of not just the benefits of the program’s chief purpose, which is to manage the risks and disasters that we hope will never occur. It also requires that the day-to-day benefits from the program be rolled into the cost/benefit equation. This may demonstrate that business continuity helps pay for itself well beyond the management of disasters and near disasters.
A business impact analysis (BIA) is conducted during the planning process and includes a full examination and documentation of procedures and processes. The primary purpose of the BIA is to analyze all operations with a goal of identifying and documenting the functions throughout the organization that are most critical to the organization’s mission. For each of these critical functions, the internal and external dependencies, required staffing, IT support, special equipment, and restoration time objective are identified. The results of this in-depth analysis often include identification of opportunities for day-to-day improvements, better use of shared resources, and even the possible elimination of duplicate resource costs. The identification of departmental interdependencies helps foster relationships between business units, particularly in organizations in which departments and other business units tend to function as silos. Identifying single points of failure that were previously unnoticed or unheeded may prevent future disasters. Cross-training to help ensure post-disaster critical staffing develops more knowledgeable, better qualified employees and allows distribution of tasks as needed on a day-to-day basis. For some organizations, the resulting BIA report also includes information that provides a greater depth of understanding of the organization and how it functions than was ever collectively available before.
From the IT side of the house, establishing the priority order and time frame in which to restore critical systems, applications, processes, etc., is helpful when the small non-disaster data center failures occur as well as in the event of a disaster-caused outage. Identification of potential IT service interruptions during the hazard assessment phase and mitigating these threats with monitoring and tracking tools and procedures can lead to problems being corrected before a system failure creates a disaster.
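The two paragraphs above describe what a BIA produces (critical functions, their dependencies, and a restoration time objective for each) and what the IT side does with it (a priority order and time frame for restoring systems). The following is an added example, not code from the book, showing how that data can be checked mechanically once it is recorded: it derives a dependency-respecting restoration order, flags functions whose restoration time objective (RTO) cannot be met because a dependency has a longer RTO, and flags single points of failure (a resource with no alternate on which several critical functions depend). The function names, the `alternate` attribute and the sample distribution-company data are assumptions constructed for the illustration.

```python
"""Added BIA dependency check (illustrative; not from the book).

Given critical functions with an RTO in hours and their dependencies, compute:
  1. a restoration order (dependencies first, shortest RTO first among ready items),
  2. RTO conflicts: a function depending on something that takes longer to restore,
  3. single points of failure: resources with no alternate that many critical
     functions rely on, directly or transitively.
"""
from dataclasses import dataclass, field


@dataclass
class Function:
    name: str
    rto_hours: int                                # restoration time objective
    depends_on: list = field(default_factory=list)  # internal/external dependencies
    critical: bool = True                         # mission-critical per the BIA
    alternate: bool = False                       # assumed field: a substitute exists


# Constructed sample BIA data for a small distribution business (not real data).
SAMPLE = [
    Function("Order entry", 4, ["ERP system", "Network"]),
    Function("Warehouse shipping", 8, ["ERP system", "Sole carrier contract"]),
    Function("Payroll", 72, ["ERP system", "Bank portal"]),
    Function("ERP system", 24, ["Network"]),
    Function("Network", 2),
    Function("Sole carrier contract", 48),
    Function("Bank portal", 24, alternate=True),   # a second bank channel exists
]


def restoration_order(functions):
    """Kahn's algorithm; among ready items restore the shortest RTO first.

    Raises ValueError on an undocumented dependency (a BIA gap) or a cycle.
    """
    by_name = {f.name: f for f in functions}
    for f in functions:
        for dep in f.depends_on:
            if dep not in by_name:
                raise ValueError(f"undocumented dependency: {dep!r}")
    remaining = {f.name: set(f.depends_on) for f in functions}
    order = []
    while remaining:
        ready = [n for n, deps in remaining.items() if not deps]
        if not ready:
            raise ValueError(f"circular dependency among {sorted(remaining)}")
        ready.sort(key=lambda n: (by_name[n].rto_hours, n))
        chosen = ready[0]
        order.append(chosen)
        del remaining[chosen]
        for deps in remaining.values():
            deps.discard(chosen)
    return order


def rto_conflicts(functions):
    """(function, dependency, function RTO, dependency RTO) where the RTO is unmeetable."""
    by_name = {f.name: f for f in functions}
    return [
        (f.name, dep, f.rto_hours, by_name[dep].rto_hours)
        for f in functions
        for dep in f.depends_on
        if by_name[dep].rto_hours > f.rto_hours
    ]


def single_points_of_failure(functions, min_dependents=2):
    """(resource, number of critical functions affected) for resources with no alternate."""
    by_name = {f.name: f for f in functions}
    dependents = {f.name: set() for f in functions}
    for f in functions:
        for dep in f.depends_on:
            dependents[dep].add(f.name)

    def downstream(name, seen):
        for d in dependents[name]:
            if d not in seen:
                seen.add(d)
                downstream(d, seen)
        return seen

    result = []
    for f in functions:
        if f.alternate:
            continue
        affected = {n for n in downstream(f.name, set()) if by_name[n].critical}
        if len(affected) >= min_dependents:
            result.append((f.name, len(affected)))
    return sorted(result, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    print("Restore in this order:", " -> ".join(restoration_order(SAMPLE)))
    for fn, dep, rto, dep_rto in rto_conflicts(SAMPLE):
        print(f"RTO conflict: {fn} ({rto}h) needs {dep} ({dep_rto}h)")
    for res, n in single_points_of_failure(SAMPLE):
        print(f"Single point of failure: {res} affects {n} critical functions")
```

With the sample data the check reports that order entry (4 hours) and warehouse shipping (8 hours) both depend on an ERP system whose own RTO is 24 hours, so either the ERP restoration strategy must be faster or those RTOs are not achievable, and it ranks the network and the ERP system as the single points of failure to mitigate first. Running it against real BIA output is a quick way to surface exactly the unnoticed interdependencies and single points of failure the text describes.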
Today’s supply chain executives and professionals do have responsibility for managing risk. With globalization, worldwide supply chains, and concerns about product safety, supplier risks can threaten an organization’s reputation, security, brand name, and ability to continue operations. While supply chain professionals are not typically assigned primary responsibility for an organization’s overall business continuity program, the success or failure of the company’s strategies to continue or resume operations following a disaster likely depends on the supply chain operating at an acceptable level. A failed link in the supply chain can be the disaster or can prevent the organization from restoring operations following a disaster. Whether business continuity responsibilities are well detailed in your job description or simply included in the “other duties as assigned” category, everyone who carries out supply chain business functions also has some level of responsibility for managing risk. Everyone, therefore, has a business continuity role.
Every day, all employees, including executives, juggle ongoing responsibilities, special projects, and emergencies that require their time, attention, and resources. This can result in a tendency to delay or ignore tasks and assignments that are not directly and specifically delegated, spelled out, or considered to be a priority. Having no assigned ownership and responsibility for business continuity may result in it being on the “when I have more time” list or the “it’s not my job, let someone else do it” list. This is a critical mistake.
Ensuring that business continuity is given the necessary focus begins with one executive taking ownership and assigning qualified people. Without the appropriate organizational structure and the right people assigned to business continuity—beginning with the planning process and then on a permanent, sustained basis—the program will quickly begin to deteriorate and ultimately fall apart even if the initial planning process is highly successful.
As previously stated, business continuity is still a relatively new business discipline that has not yet found a permanent home on a traditional organization chart. Disaster recovery—the restoration of the data center and related technology—was founded in the IT department and still resides there. In many organizations, when programs were expanded to include business continuity, IT retained responsibility and ownership. Even today, in a great many businesses and organizations, the expense of business continuity as well as disaster recovery is included in the IT budget. Further, particularly in small to midsize businesses, it is not unusual to see an IT executive or manager in charge of the business continuity program.
With executive leadership more accountable and personally responsible than ever before for protecting the interests of the businesses they lead, there is growing agreement that ultimate responsibility for business continuity lies with the highest levels of the organization—the C-suite and the board of directors. Members of the board have responsibility for protecting the organization’s assets and safeguarding the organization’s survival. While at a minimum the board should review the business continuity program annually, that does not always happen. In some organizations, the highest levels of management may have only a rudimentary understanding of the requirements and benefits of a comprehensive program. In some extreme cases, the board and senior executives may not even know whether such a program exists in their organization.
An increasing number of organizations now have a full-time business continuity planning manager and/or a business continuity planning group. In the 2008 Continuity Insights/KPMG Business Continuity Management Benchmarking Survey of private sector, public sector, and not-for-profit enterprises, approximately 25 percent of respondents identified the business continuity program coordinator as a director, manager, or VP of business continuity management. In the future, as business continuity planning continues to evolve and mature and is recognized as a core business function, it may not be unusual to see large organizations add a board-level executive, called the chief continuity officer (CCO), to oversee business continuity. For now, the list of job titles of those who have responsibility for it is long and all over the chart as efforts continue to build consensus about where responsibility and ownership best fit.
A very slowly building trend in recent years, particularly in larger corporations, is to combine business continuity, disaster recovery, security, risk management/insurance, safety, and other related business units to form one department. The head of this department reports to an upper-level executive, such as the organization’s CEO, COO, or CFO. While it may at first seem that there is no direct relationship among these functions, the underlying responsibility of each of these business units is the continued well-being and safety of the organization and its employees, facilities, and operations. This combined management approach helps avoid both gaps and duplication of effort.
A business continuity program will succeed only when all elements of the supply chain, beginning with supply chain executives and managers and including all the employees who keep the supply chain functioning smoothly, are included in a comprehensive approach to business continuity planning.
There are numerous reasons for initiating a business continuity planning project, and what persuades each decision maker to support and finance the initiative can be unpredictable and may even seem subjective. Here’s one view of what it takes to sell business continuity: seeing smoke billowing from the building next to your company’s headquarters. Watching flames coming from that building may result in agreement that business continuity planning is necessary. Seeing a “Closed” sign in front of the rubble of the burned-out building on a daily basis will likely foster a true understanding of the need for and an accompanying commitment to the development and implementation of a comprehensive business continuity program.
Realistically, robust business continuity planning may have multiple drivers. Some come from within the organization, based on managers realizing the need for planning to respond to higher levels of risk that have increased the organization’s operational vulnerability. The requirement for a business continuity program might also come from the executive level, perhaps in the form of an organizational policy to ensure the safety of employees and continued service to customers. Still others within the organization may see the development and implementation of a business continuity program as an ethical or moral issue, protecting the interests and well-being of the organization and its employees, owners, the local economy, and all other stakeholders.
In other organizations, the drivers might come from external businesses, organizations, or agencies—such as insurance companies and regulatory agencies—that have a vested interest in your level of business continuity capability. The primary project driver may even be a request from a customer who wants your organization to demonstrate that you have the capability of delivering your product or service should you experience a disaster.
Increasingly, business continuity has become a marketing issue. The heart of business continuity planning is development of the capability to deliver your product or service—all the time, and with no exceptions. Today, beyond price and quality considerations, potential customers want to know that you have plans in place to meet their needs and requirements and to fulfill contracts and service level agreements even when events threaten your continued operations. Such prospective customers may well ask about your company’s business continuity program. In addition, there is every likelihood that competitors are using their capability to continue operations following a disaster as a marketing advantage. That capability may become the deciding factor for a prospective customer when a final selection is made.
Even attempting to gain new business through a competitive bidding process may involve having a business continuity program in place. Some businesses and government agencies require that a company have a validated business continuity plan in place to be eligible to submit a proposal or bid. For example, under the Federal Acquisition Regulations (FAR)—the rules issued by agencies of the federal government to oversee the acquisition process by which government agencies purchase goods and services—the ability to perform during a disaster may be a bidding requirement for some solicitations for products and services.
The motivation for developing and maintaining a business continuity program may also be a financial one. What would one hour of disaster-caused downtime cost your organization? A day? A week? A month? Longer? Simply doing the math may present one of the best possible incentives for developing a business continuity program.
There may also be legal reasons to incorporate business continuity planning into the corporate culture. While I am not an attorney or qualified to give legal advice, here is a simple way to determine if there may be legal requirements for a business continuity program and whether there may be potential liability if an organization does not prepare to respond to and recover from disasters. Business liability is, in part, judged on the basis of:
What a “reasonable person” would do given the probability that a disaster could occur
Whether the risk was known or should have been known
The magnitude of resulting harm and the effort required to institute proper precautions
Based on the types, number, and scope of disasters that have occurred over the past several years, it would seem difficult for any organization to claim that it had no knowledge of the risk potential or the resulting impact on the organization’s ability to fulfill its business obligations should a disaster occur.
For some organizations, the earliest impetus for the development of a business continuity program may have been an audit requirement. Both internal and external auditors are now taking greater interest in business continuity. Both internal and external audits are important to businesses and are required for organizations that are publicly traded, are financial institutions, or are part of healthcare and related industries, as well as for government agencies. In the past, an auditor may have asked whether an organization had a business continuity plan and then checked off a box according to the response. Today, a business continuity audit check may consist of reviewing the plan and perhaps the record of updates and tests, as well as interviews with selected key employees and stakeholders. Other audits are much more complex and stringent and may involve an audit team that reviews and analyzes almost every aspect of the business continuity program. This may include a full analysis of the business continuity planning process, a review of business continuity–related contracts, an examination of business continuity training and testing, and a thorough review to determine how inclusive the plan is, whether it adheres to current best practices, when it was last updated, and when it was last tested. More in-depth audits, such as those required by regulatory agencies, may check the plan and the overall program against a lengthy list of requirements and standards.
Various standards and regulations look closely at business continuity capability. For example, there are a number of relevant requirements from the International Organization for Standardization (ISO). (The ISO is a network of the national standards institutes of approximately 160 countries that provides standards and guidelines for quality in the manufacturing and service industries.)
For many types of businesses and organizations, there are increasingly stringent regulatory requirements for business continuity and/or disaster recovery programs. Again, this primarily includes financial institutions, health organizations, and pharmaceutical companies.
In the United States, a small sampling of the federal bureaus and regulatory agencies to which a company may be required to submit regular reports includes the following:
Consumer Product Safety Commission
Environmental Protection Agency (EPA)
Federal Deposit Insurance Corporation (FDIC)
Federal Trade Commission (FTC)
Food and Drug Administration (FDA)
Joint Commission on Accreditation of Healthcare Organizations (JCAHO)
Occupational Safety and Health Administration (OSHA)
U.S. Customs and Border Protection
U.S. Fish and Wildlife Service
It is likely that based on your industry, you can identify other federal regulatory agencies, as well as state and local bureaus and agencies, to which you must respond and report or with whom you work on an ongoing basis.
As an example, regulations and permits require that a chemical company comply with the rules of several agencies if it discharges to local waterways and has stack emissions. Just some of the required filings and reports include monthly discharge monitoring reports; annual Emergency Planning and Community Right-to-Know Act emissions reports; spill prevention, control, and countermeasures reports; benzene wastewater reports; fugitive and point source emission reporting for benzene; air compliance reports; reports quantifying annual hazardous waste amounts; annual financial assurance reporting; and waste minimization reports.
Noncompliance can result in significant fines, sanctions, and harm to the company’s reputation. In extreme cases, it can lead to the loss of licenses and permits and a forced shutdown of operations. In most cases, requirements for regulatory compliance and reporting continue with little or no latitude following a disaster.
Chapter 10 includes a detailed discussion of these and other business continuity standards and regulations.
As a result of the ongoing evolution of business continuity and risk management, it is not surprising that questions are raised about the relationship between the two. Where does risk management fit in this picture? Is business continuity part of risk management or vice versa? Are they parallel functions? Do they intersect? Do they overlap? An easy response to all these questions would be that it depends on whether you ask the risk manager or the business continuity manager. However, there are no simple answers. Much depends on the business, how the organization approaches managing its risks, and the responsibilities assigned to risk management and to business continuity.
There are many definitions of risk management, with the result that the term is used differently by different people and among different organizations. Here is one simple definition: policies, procedures, and practices involved in identification, analysis, assessment, control, and avoidance, minimization, or elimination of unacceptable risks. As risk is always inherent in business, some risk managers may expand on this definition with an explanation that risk management is not the avoidance of risk. Rather, it is the management of all risks throughout the organization to lessen negative effects to an acceptable level and take advantage of any opportunities that risks may present.
The role and responsibilities of a risk manager are a reflection of a profession where job descriptions have changed over the years and may vary greatly among organizations. Responsibilities may include managing an organization’s insurance program and making recommendations regarding coverage, administering the insurance program, and selection of and negotiation with insurance carriers and brokers. Risk managers may also be responsible for safety programs; providing evaluations of potential risks and losses to financial institutions, accountants, and legal counsel; or evaluating risks associated with new projects, products, and initiatives. Today, as our definitions of risk and risk management continue to morph, it is increasingly common for the risk manager to head up the organization’s more extensive enterprise risk management (ERM) program.
There are several similarities in traditional risk management and business continuity. For example, both:
Address uncertainties
Are proactive
Are systematic and structured processes
Must be customized and tailored to the organization in order to be effective
Must be dynamic, ongoing, and responsive to change
Must be continually improved and enhanced
Create value
There are some logical comparisons in the application of risk management and business continuity processes, as shown in Figure 2-1.
Business continuity may have a solid or dotted line reporting responsibility to risk management, or the two may operate as autonomous silo functions. While both risk management and business continuity have as their core objective protection of the organization, perhaps the principal difference is their primary focus. While risk management has traditionally focused on risks related to financial markets, projects, and legal liabilities, as well as credit risks, the primary focus of business continuity is operational risks and risks to the related support systems. To more completely meet the needs of organizations with both risk management and business continuity functions, it is necessary to define the specific roles and responsibilities and reporting structure of both. This helps to avoid planning gaps, overlaps, and even turf wars and ensures the necessary coordination and integration.
| Risk Management | Business Continuity |
| --- | --- |
| Identification of risks and related opportunities; measurement and assessment of identified risks and the related exposure | Hazard assessment/risk analysis: identification of risks and their impact on operations; mitigation to lessen the impact of disasters |
| Determination of target level of exposure (risk appetite) | Business impact analysis (BIA): identification of mission-critical functions within the organization |
| Management plan that includes controls, actions, and fallbacks | Business continuity plan: documentation of strategies, procedures, and action items |
In the beginning, there were no hard-and-fast rules, no regulations, and few guidelines to assist in developing a business continuity program. Instead, there was trial and error resulting in a great deal of learning. It was a Nike approach: “Just do it.” That has changed significantly and continues to change in both the corporate and government sectors. There are increasingly stringent regulatory requirements for business continuity programs that encompass disaster recovery requirements. This is particularly true for some types of businesses, such as financial institutions, publicly traded companies, health organizations, and pharmaceutical companies. Wading through the ever-changing requirements can be a daunting task.
While not specific to business continuity or disaster recovery, the Gramm-Leach-Bliley Act of 1999, the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Sarbanes-Oxley Act of 2002, and the Six Sigma business management strategy all have business continuity or disaster recovery implications. More recently, business continuity has been directly tied to disaster recovery planning requirements in both the United States and Great Britain. In the United States, this occurred with the Voluntary Private Sector Preparedness Accreditation and Certification Program (PS-Prep), which is mandated by Title IX of the Implementing Recommendations of the 9/11 Commission Act, passed in 2007, an offshoot of the Homeland Security Act. In Britain, the British Standards Institution BS-25999 (also from 2007) outlines standards and guidelines for voluntary business continuity audit and certification. (See Chapter 10 for more information.)
Unfortunately, it is not uncommon to hear, “We need to write a business continuity plan.” Perhaps it is the requirement to have a document to show auditors or a customer, or to have a deliverable to complete an assigned project, that creates this be-all, end-all drive for THE PLAN.
In reality, a business continuity program is needed to effectively protect the organization from disasters. A plan is a document, printed copies of which are typically kept in a three-ring binder, that authenticates a program. A program is a dynamic, ongoing, comprehensive process. It is composed of several key components that encompass conducting a hazard assessment and implementing a hazard mitigation program, conducting a business impact analysis, developing business continuity strategies, conducting training and exercises, procuring needed supplies and equipment, and conducting regularly scheduled reviews and revisions—in addition to developing a printed plan that documents all elements of the program and gives specific guidance as to who will carry out the strategies when a disaster occurs.
Developing a plan is a project with an end; in contrast, a program is dynamic and has no conclusion. Writing, maintaining, and revising the plan is only one part of the program. Without an ongoing process to ensure that the business continuity program is reviewed, revised, and included in the change management process, it is highly likely that a plan document will become static. Without a comprehensive program, even the very best plan quickly diminishes in value over a relatively short time.
A program also includes specific actions to ensure that business continuity is embedded in the organization’s culture and day-to-day operations. Communicating the program throughout the organization, sharing information, and providing awareness training for all employees are critical elements of a business continuity program. Bear in mind that if employees do not know that the organization has a business continuity program and are not aware of their role, however small it may be, the business continuity program does not exist for them.
Some companies have a highly visible business continuity program that is well communicated throughout the enterprise and is an integral part of the organization’s culture. In other organizations, the program is a well-kept secret known only to those who are directly responsible for it and perhaps those to whom they report. In yet other organizations, there is a plan document that is distributed only to the individuals who are expected to carry out the actions outlined when a disaster occurs. To better understand the level of commitment given to business continuity in your company, learn more about where it is located within the organization and what drives the necessity for a program.
Find out who is the executive sponsor of your organization’s business continuity program.
Learn who is in charge of the business continuity planning process and to whom they report.
Discover who has ongoing ownership of the business continuity program and to whom they report.
Ascertain what drives the need for a business continuity program in your organization.
Determine whether your organization has a business continuity program or only a business continuity plan document.