Business Continuity
Business continuity planning is a recognition that the application of risk management does not remove risk entirely, and that organisations are potentially vulnerable to disruptive events. It allows an organisation to imagine the consequences of large disruptive events and to plan in advance to minimise their impact.
Any foreseeable, material event that could negatively impact operations is included in the plan, such as supply chain interruption, loss of or damage to critical infrastructure, or unavailability of the workforce.
The objectives of a business continuity plan include:
- to stabilise any disruptive events as soon as possible
- to continue or quickly resume critical operations
- to expedite a return to normal operations
A disruptive event can affect a whole organisation, be limited to a single site (for example, electrical supply interruption, flood or fire) or even just a single process (for example, the breakdown of a machine). Business continuity planning can therefore exist at a number of levels within an organisation, and achieving these objectives requires a strong understanding of the organisation's risks as well as its ability to manage adverse events. The risk register is an important input to the process.
The immediate aftermath of an emergency or crisis is often a critical and confusing time. People may not think clearly or behave in the way that is expected, and they may make poor decisions. The process of developing and testing a business continuity plan is therefore as important as the plan itself.
The relevant international standard is ISO 22301 (ISO 22301:2012, Societal security – Business continuity management systems – Requirements; the current edition is ISO 22301:2019, Security and resilience – Business continuity management systems – Requirements). Other national standards of note include the Australian Standard AS 5050 and the U.S. standard NFPA 1600.
The model followed by the ISO standard includes elements that are consistent with ISO 31000 and the 'Plan-Do-Check-Act' management model. The standard specifies the requirements for a business continuity management system (BCMS); implementation guidance is given in the companion standard ISO 22313. A BCMS is a set of interrelated elements that organisations use to establish, implement, operate, monitor, review, maintain and improve their business continuity capabilities. These elements include people, policies, plans, procedures, processes, structures and resources. As with many other ISO management system standards, organisations can be certified against ISO 22301 following an audit by an accredited certification body.
The benefits of an effective business continuity plan include the following:
- an increase in the awareness of the potential for disruptive events
- the ability to maintain a strong focus on the achievement of objectives and priorities while responding to an emergency
- the ability to demonstrate the organisation’s resilience and good governance to internal and external stakeholders
- a better understanding of the organisation’s business and the ability to identify opportunities to improve efficiency and effectively manage risk
A good business continuity plan should include the following:
- high level commitment (e.g. policy document signed by the board chair or CEO)
- defined plan objectives (e.g. 'To resume all operations within 30 days of any disruptive event and to resume all business-critical functions within 48 hours')
- the location of an event control centre and an off-site alternative
- linkages to emergency response plans
- a formal business continuity team with defined responsibilities including at least one alternate for all positions
- clearly defined authority for the responsible people (a disruptive event is usually beyond the capacity of the normal management structure, so authority needs to be delegated to the business continuity team)
- contact details for key suppliers, customers and emergency response authorities
- a business impact analysis or equivalent risk assessment that identifies critical and non-critical processes, machines, systems, activities or functions and establishes the maximum acceptable outage for each (the maximum tolerable period of disruption, in ISO 22301 terms)
- procedures to alert and recall key personnel
- event assessment forms that allow for the extent and impact of the event to be documented and understood
- a generic response flowchart or checklist applicable to all major disruptive events
- contingency plans for specific events that include the following elements and are designed to achieve recovery within the maximum acceptable outage:
  - clear responsibilities defined for each plan action
  - estimates of recovery periods
  - links to key contacts (e.g. alternate suppliers, labour contractors)
  - links to other contingency plans where applicable
- adequate resources to implement the contingency plans (for example, if the plan calls for relocation of operations to an offsite facility, does it exist, and can the process be physically relocated in the timeframe specified?)
- identification of resources needed in advance to implement the contingency plans
- communication strategies and pathways including methods and intervals for informing staff, key stakeholders and the media
- offsite access to key records and documents including engineering drawings, financial records, personnel records and the business continuity plan
- evidence of training and testing of the plan
- a post-event debriefing exercise designed to understand the effectiveness of the response and recovery phases and to feed back into the plan design.
An effective plan takes a significant commitment from management and employees. Rigorous questioning of the assumptions in business impact analyses and contingency plans results in a more robust plan and further educates the organisation about its own business and resilience. It is not unusual for the process to identify areas where the organisation simply cannot meet the plan objectives for some foreseeable events. In those circumstances either the objectives must change or additional controls need to be introduced to reduce the event's impact.
Finally, the plan must be accessible and usable. Excessive or unnecessary detail and complexity are a barrier to use. The most rigorous plan development process often results in the simplest plan, as all unnecessary information is removed.