This article is in collaboration with Trinity’s global partner, B. Riley.
Business Continuity Management, or BCM, is a framework for identifying an organization's risk of exposure to internal and external threats. The goal of BCM is to provide the ability to effectively respond to a variety of threats, such as natural disasters or data breaches, and plan for the prioritization and recovery of essential functions. BCM focuses on the operational aspect of an organization, in contrast to Disaster Recovery, which focuses on the restoration of key systems, networks, and access to data.
Among the clearest lessons since the emergence of COVID-19 is that disruptive events must be planned for as a core part of every organization’s long-term strategy. Until recently, continuity and resilience planning were viewed as the purview of compliance or internal audit functions, rarely reaching into strategic plans or Board of Directors agendas. However, the impact of COVID-19 has demonstrated that long-duration events with a global reach can arise from a variety of sources. These include wildfires, climate shifts, and cyber-attacks, as well as the ongoing threat from virus mutations.
Every organization needs to have a strong BCM and make it a strategic priority. BCM is about creating and regularly updating a plan to support operations during a disruptive event. To be effective, it needs to include involvement of senior leadership, board level updates, and regular planning sessions with key staff. Such planning allows an organization to understand its capabilities to fulfill its mission in the event of an unforeseen crisis.
An effective BCM program must include the following considerations:
- Assessing potential threats: The assessment should involve all levels of the organization and be clearly understood by senior leadership. Careful consideration should be made of the potential impact and duration of each event, including worst-case scenario planning.
- Identifying and prioritizing critical functions: Every organization should have a clear understanding of its recovery priorities and the impact of the loss of a function on the organization’s mission. This includes identifying the recovery time objective for each core function and the resources needed to support the restoration of critical activities. Such prioritization allows for the effective direction of limited resources during an operational recovery.
- Determining options for alternative workflows in the event of disruption: With a clear understanding of its recovery capabilities, an organization can set realistic expectations for customers and stakeholders on service delivery. Consideration of options for alternative workflows must include participation from various levels of personnel.
- Documenting and communicating the plan of action: Make sure the plan of action and the supporting team roles are clearly communicated. Each team member needs to understand their role in the recovery plan, particularly those involved in key restoration activities. The goal is to minimize the need for improvisation during a crisis event; and
- Critically testing the plan and evaluating its actionability: The critical role of testing and exercising the plan is often overlooked in the creation of an effective resilience program. A thorough test must challenge the plan and the participants to critically evaluate the assumptions on which the plan is based. Communication plans and alternative workflows should be tested using real-world scenarios. The results of the exercise should be thoroughly documented with clear steps for plan improvement.
The landscape for BCM planning has changed considerably since the appearance of COVID-19. The expected duration of an operational disruption has increased significantly from those prepared for in most plans. The increased risk of cyber events means that plans must contemplate loss of key systems for weeks and not mere days. The potential for extended supply chain disruption creates a need to affirm key vendors’ resilience capabilities or seek quickly accessible alternatives.
A key part of ensuring a BCM program remains effective is challenging the plan’s assumptions and continually improving the planning process. Experts external to the organization can assess the quality of the planning efforts against best practices. In addition, experts can lead a testing process that is objective and ensure that plan assumptions are in line with the risks faced by the organization. Finally, external expertise can readily share lessons learned by other organizations during recent crisis events.
A BCM program is a critical part of an organization’s risk planning process. It can no longer be considered a back-office obligation but must be a core part of every strategic plan and be thoroughly communicated within the organization. The above considerations will provide for a dynamic planning process that is attuned to the priorities and requirements of key stakeholders and customers. During an operational disruption, the effectiveness of the recovery plan may determine the survival of the organization.
This is where one of Trinity’s global partners – B. Riley – can help your organization. A diverse financial services provider, B. Riley “helps clients in every industry sector to develop organizational and risk systems to prepare for, respond effectively to, and recover from operational disruptions and to develop the compliance systems necessary to support this capability. Their Compliance, Risk & Resilience team includes professionals experienced in enterprise risk management, cybersecurity compliance, business continuity, disaster recovery, crisis management, and operational resilience”. B. Riley believes that organizations should address these risks by “making operational resilience both a strategic imperative and a competitive advantage, and compliance an intended outcome”.