This is the second part of a four-part series on Business Continuity Management (BCM).
When many people think of Business Continuity Management (BCM), they think of extreme disaster events. Often, to gain the attention of management and highlight the need for such an initiative, those developing the business case for the program may cite examples of headline-grabbing events. While the major disaster events such as hurricanes, terrorism or hacking get more attention in the news, it is far more likely that an organization will need plans to deal with less newsworthy events such as situations arising from a local power outage, a key supplier being unavailable, or even a careless employee.
Small Actions Can Produce Big Consequences
How could an employee initiate a BCM event? Even without any malicious intent, an employee could cause significant problems for an organization that, without some form of a plan, could cause irreparable damage. For example, something as simple as an employee unknowingly unplugging a printer in the middle of a major print-run to recharge their mobile device could have a disastrous effect on the relationship with a key customer.
Having a BCM plan is vital for every organization, because threats can truly be that common. Without some thought and planning, an organization may find itself dedicating far more resources, time and energy to a situation that could have been easily resolved had a simple plan of action been in place.
Small Steps to Solve Big Issues
Many believe launching a BCM program is often a large undertaking involving several resources and requiring significant time commitments. However, it doesn’t have to be complicated, only thoughtfully considered, analyzed and documented. It’s always better to have a plan and not need it, then to need one and not have it – even if it’s not “perfect.”
The major focus of a BCM program is to conduct a holistic examination of the business to identify the major risks, the resulting impacts and the best way to address them. Then to gather that information into a simple, concise document that is available to the appropriate people during an unplanned event to ensure key operations can continue.
In fact, for many situations, it is very likely the organization has already done some form of business continuity planning, maybe without even realizing it. For example, most organizations have probably considered what to do in the event of a power outage and have put together a plan to continue operations. The same can likely be said for an event in which a key supplier is unavailable for an extended period. The idea is to expand this approach with a detailed procedural analysis of the entire organization and develop an appropriate response, taking into account costs and the risk appetite of the business.
Of course, it’s impossible (and expensive!) to have a plan for every possible event; the point is to identify the most impactful and likely events, and develop an action plan or some procedures to manage them.