During the development and evolution of a Business Continuity Management (BCM) program, every organization will face its own unique set of challenges. However, despite these differences, there are some general guiding principles that can help ease the process.
As with any large initiative, it is of course important to follow the correct procedures to achieve the desired results. Much of the work in putting together a business continuity plan comes from the data gathering and analysis phases that provide the foundation and key inputs into the plans, primarily the Business Impact Analysis (BIA) and Risk Assessment (RA). These are critical components that confirm or establish what matters most to the business and the key activities, as well their interdependencies, that support them. Without doing these properly, the business continuity plans are likely to be of little value during an unplanned event and, more importantly, could potentially threaten the existence of the company.
While it can be helpful and may provide insight, it is not enough to just populate a template or use the outline from another organization’s business continuity plans. Every organization, even direct competitors with the same products and services in the same geographical area, will have their own distinct set of requirements and risk appetite, which will define how its plans will look.
Regularly Test & Validate Plans
It is also crucial to view business continuity as an ongoing program, not a single, one-time project. As the business and the environment in which it operates changes, so to must the plans. At a minimum, plans should be tested and verified annually, to confirm that any changes to information systems, people, processes, organizational structure, buildings or the business environment have not affected the plans. Additionally, once the plans have been developed or updated, it is essential to test them, revising as necessary, to ensure they function as intended. The tests do not have to be overly complex and may just entail a simple walkthrough, but the business continuity team needs to validate that the plans are providing the intended outcome.
Undertaking a BCM program in the first place is an important proactive step to be better prepared for unplanned circumstances. Without it, staff may approach adverse situations with the best intentions that may in fact be detrimental to the organization. Without knowing the big picture and the interdependencies among functions and activities, mistakes and errors are bound to happen, especially under the high-pressure conditions that are present during a disaster.