The global threat environment has intensified resulting in business continuity, disaster recovery, crisis management, and emergency response becoming an area of focus for board of directors, executive leaders, clients, customers, and regulators.  This increased focus has resulted in greater maturity and heightened expectations around response, recovery, and communication capabilities.

Business continuity management identifies these potential threats and impacts to your business, creates the organizational resilience and recovery capabilities for an appropriate level of response, and safeguards the interests of your customers, employees, reputation, and value.   Potential threats include items such as natural disasters, technological failures, data breaches, human error, fire, terrorism, lawsuits, misconduct, acts of violence, labor action, or drop in share price.

There are multiple components encompassing a robust business continuity program, in addition to several ancillary items such as event/incident management, disaster recovery, crisis management, and emergency response. The terminology used within industries, by regulations, and across vendors is inconsistent at best, so we recommend focusing on the components rather than debating the nomenclature.  Below are the components.

  • Business Continuity Management Framework
    • The framework defining the organizational vision to ensure continued business function, in case of a disruptive event, through resilience, recovery, and contingency measures.  This includes management of policies, roadmaps, risk tolerance, awareness, legal considerations and regulatory requirements.
  • Compliance and Oversight
    • The structure and oversight that continually confirms compliance through monitoring, exception tracking, risk reporting, threat assessment, and response. This is typically managed through a governance committee with key business and information technology stakeholders.
  • Business Continuity Plan (BCP)
    • The plan that guides the response, resumption, recovery and contingency to restore operations, to a predefined service level, following a disruptive event.  The plan includes items such as the scope, reference artifacts, responsibilities, contacts, triggers, activities, and communication channels.
  • Business Impact Analysis (BIA)
    • The identification of how operational activities are impacted by a potential uncontrolled and non-specific disruptive event.  This includes defining service levels for Maximum Acceptable Outage (MAO), Recovery Time Objective (RTO), Recovery Point Objective (RPO), and Maximum Data Loss (MDL).
  • Risk Assessment (RA)
    • The process to identify the inherent risks that may cause a disruptive event. The assessment includes evaluating the likelihood and impact of the inherent risks as well as the controls and effectiveness to mitigate and address any residual risk.
  • Incident Management
    • The management and process for handling alerts and events that can lead to the loss of operations, services, or functions.  Incidents can escalate into a crisis or emergency, although incident management is typically broader in scope than only business continuity related activities.
  • Business Recovery
    • The planning and execution of proactive and reactive measures to maintain or resume business functions in the case of a disruptive event.  This is primarily focused around personnel, equipment, suppliers, facilities and supporting operations and will incorporate disaster recovery strategies.
  • Disaster Recovery
    • The planning and execution of proactive and reactive measures to maintain or recover information technology infrastructure, applications, and data following a disruptive event.  These practices coincide with a defined level of service identified during the business impact analysis and risk assessment.
  • Crisis Management
    • The management of an event with the goal of avoiding or minimizing damage to the organization’s profitability, reputation, or capability to operate.  This covers the actual event but also plans to anticipate a crisis before it happens as well as managing the fallout once the dust has settled.
  • Emergency Response
    • The procedures for an unexpected event requiring immediate action due to the potential threat to human life or health, environments, or property.  This includes preparing to handle an emergency, responding safely to an emergency, and preventing residual effects.
  • Vendor Management
    • The management of your vendors to ensure they meet business recovery requirements by conducting due diligence reviews and performing strategic and tactical partnering during exercises.  In a nutshell, an organization cannot outsource their business continuity risk.
  • Monitoring and Reporting
    • A set of established controls, a checks and balances, to ensure risks are being identified and addressed according to the risk tolerance thresholds.  A proper set of controls will help ensure the program is working as planned, accountability has been established, and provides overall confidence.
  • Test and Exercise
    • When a crisis occurs, organizations need confidence the planning and preparation activities work, and they can effectively manage the situation. This is achieved through proper exercising to help validate everyone understands their role and drives value to fully optimize the investment.
  • Training and Awareness
    • Awareness and training are used to maximize your business continuity management value and to minimize cost. Best-in-class programs create awareness and training for executive response, role-specific training, and general employee awareness and education.