Business Continuity Management
Differences between Business Continuity Planning and Risk Management Planning
Business continuity planning (BCP) is an important process that deals with recovery from and prevention of all threats facing a company (Zwikael, 2007). Risk management planning (RMP), on the other hand, is a process in which a project manager foresees various uncertainties, specifies responses to different issues and estimates their impacts. BCP is about continuing operations when a firm is faced with a particular disaster. It covers several aspects, including the process of recovery or relocation. This often happens when there is flooding, theft or a natural disaster. In such cases, businesses relocate to other regions where they can recover from their misfortunes. An RMP helps the businesses in question to develop early estimates and define the responses required during uncertainties.
Zwikael (2011) confirms that risks are events that need to be curtailed before they impact a business's operations negatively. It is vital to note that some risks are positive, and able to streamline or change the operations of a business enterprise. Risks can occur in any business, hence the need for business managers to make plans to address them when they occur. Risk management planning is thus an important tool that allows businesses to analyse the likelihood of the risks involved in the business. The planning involves analysing low- and high-impact risks together with the strategies that can mitigate them to ensure continuity of the project at hand. All risk management plans should be reviewed periodically by the project managers to make sure the analysis is not outdated. A stale analysis can no longer reflect current potential threats.
BCP ensures that all events that impact business operations negatively are listed in the various plans covering loss or the supply chain. Risk management is often included as part of BCP to minimize breakages or problems when running different operations in an organization. Most corporations in the US refer to BCP as continuity of operations planning. In 2006, the British Standards Institution introduced a standard for BCP, referred to as BS 25999-1. Before this introduction, most users of BCP relied fully on BS 7799, which was an information security standard. Its mandate was to improve security measures within an organization, not to address risk in general. Later, in 2007, a new publication, BS 25999-2, was introduced, and it dealt mainly with the overall continuity of business (Nemzow, 1997).
Risk Management Planning is used by the US Defense Department as a plan to mitigate risk in its projects. It is, however, vital to note that the general aim of RMP is to identify the relevant risks that need tracking and to document them. The process is also integrated with the other processes relevant to the project in question. The processes involved in RMP often shift over time to suit the different situations that affect businesses.
BCP, on the other hand, is used in the UK under BS 25999-1 and BS 25999-2. BS 25999-2 is used by organizations across all sectors and industries in the UK (Lindström et al., 2010). The standard is deemed important because it provides the frameworks needed to keep businesses operating as a going concern even when faced with external and internal threats. The document used for this process provides practical information that is important in the event of eventualities. These uncertainties might range from the sickness of employees to terrorism and the failure of an organization's IT system. The BS 25999 standards later became outdated in the UK and were replaced by BS ISO 22301.
The emergence of BCP was necessitated in 2004 after various crises in the UK. The government decided to amend the Contingencies Act, which ensured civil protection. The first part of the Act focused on national arrangements for protection, where a framework was set for all local workers. The second part focuses on emerging issues and provides a framework for serious emergencies. The Act is vital as it informs users that continuity measures are needed to ensure survival.
A Risk Management Plan helps emergency personnel, police and the local fire brigade to respond to emergencies when they occur. The plan should also be made public to minimize accidents among employees and improve working conditions. It is a plan set to the standards and codes of different industries to ensure safety while operating in different sectors. A Business Continuity Plan, on the other hand, is essential to a business as it minimizes disruptions that may lead to losses. When businesses suffer losses, they usually earn less profit, and this often impacts negatively on their overall returns (Cerullo, 2004). There is a need to have a BCP in place for purposes of relocation or other measures necessary to ensure business continuity. Both BCP and RMP are essential for business growth and advancement. They work better together and can yield high profits in the long run.
Concepts of Risk Management, Risk Identification, and Risk Assessment
Risk management involves identifying, assessing and prioritizing the risks within a business. After these processes are completed, resources must also be coordinated and provided to minimize the occurrence of those risks. The main goal of risk management is to ensure that risk does not jeopardize the smooth running of a business or project.
Risks are known to emerge from different sources, such as market uncertainty, accidents, legal liabilities, credit and natural causes. When dealing with risks there are usually two kinds of event, positive and negative: positive events can be termed opportunities, while negative ones are risks (Olson, 2010).
Ward (2003) confirms that different risk management standards are currently in play to minimize the occurrence of risks within organizations. These include the standards of the Project Management Institute, ISO, the National Institute of Standards and Technology and the actuarial societies. All these standards are set by different nations to minimize risk and ensure the continual operation of functions within firms. Their operations and goals differ in accordance with the risk management methods used in the various industries and sectors.
The sources of risk lie not only in technological and tangible assets but also in decision-making and other human factors. The coexistence of tangible and human factors in risk makes human factors the best-known driver of risk management. It is important to understand how people operate in the environment and how they take risks. The problem with risks is that they are usually analysed wrongly, which can lead to inadequate solutions to their uncertainties. This facet makes the human part of risk management weightier than the technological and tangible concepts. Different strategies can be used to mitigate risks, including reducing their effect, avoiding them or transferring the threat to other parties.
Risk identification is a way of knowing which risks can prevent an organization or program from achieving its set goals and objectives. This information is usually communicated and documented by the concerned parties. Risk identification is vital as it ensures early identification of events with negative consequences that take place in an organization or project. Such outcomes are detrimental because they deny the program or enterprise the ability to continue its operations as required (Tchankova, 2002).
Risk assessment has many facets, which may include program assessment, assessment for decisions, analysis of alternatives and cost uncertainty. All these assessments need a matching risk identification process to ensure an informed decision. For example, when analysing a program, it is vital to know the requirements for success before any plans are made. This provides the scope within which risks are assessed and identified. Because risk has many sources, program coordinators need a deep understanding of the program's costs, challenges, expectations, performance and parameters. Other crucial information that program coordinators should handle includes cost deviations, expectations, vulnerabilities, integration and support mechanisms.
Risk identification is an iterative process because, as programs continue to operate, more information is gathered over time. This makes it easier to revise the risk statements to align them with the current situation. Any new risk that emerges during the process can be noted and documented within a short time. Managers and coordinators have the mandate of understanding the various capabilities they support to ensure the smooth running of their operations (Carr, 1993).
Understanding the capabilities is essential as it helps in understanding the magnitude of the risks and their impacts on the users. This can be regarded as the most important facet of risk analysis because it makes plain the impacts that can occur while various operations are under way. It is vital to note that most users accept some level of risk when they are able to accomplish their mission without problems. The users need to understand the different risks in play and also assess the various options available to mitigate them.
Assessment of risk involves the qualitative and quantitative measurement of the risks associated with a particular project and a known threat. This is usually done through calculations made by the coordinators and project managers to assess the overall risk (R), the potential loss (L) and the probability (p) that the risk will occur. Acceptable risks are those that are understood by managers and leaders and tolerated because they are difficult to eliminate. Usually, the cost of their countermeasures is high compared to their expected loss (Fairbrother, 2007).
When using complex systems, managers usually apply reliability and safety engineering to safeguard life and minimize accidents. Industries with a history of using risk assessment include the oil, aerospace, nuclear and military industries. Other sectors known to use risk assessment on a continual basis include the food industry and hospitals. The methods of assessing risk often differ from one industry to another, depending on the operations undertaken in those industries (Abt, 2007).
A major task of risk assessment is evaluating risk, where the different uncertainties and assumptions are presented and considered before their final documentation. The chief difficulty in risk management is the part where quantities are required for risk assessment procedures. The potential loss or the probability of occurrence is often hard to measure. There is always a high chance of error when measuring the different quantities associated with risk management.
Risks known to have a high potential loss and low occurrence need to be calculated differently from those with a low potential loss and a high occurrence rate. Both risks can be said to be of equal priority, but they cannot easily be interpreted as required because of the increased time required to conduct the risk assessment processes. Mathematically they are expressed as:
Fig 1: Financial point of view risk assessment
Most decisions in the insurance sector are expressed in the form of dollar amounts lost. When there are losses in the health sector, managers need to quantify them in some measure that is valid and understood by the users of the information. The health sector can only express losses verbally, in terms of outcomes such as the prevalence of malnutrition or the incidence of cancer in a particular region. Such risks can be expressed as
When a risk is stated in terms of the total number of people affected or exposed, it is called a population risk and is usually expressed in units over a period of time. When the risk does not include the number of individuals affected, it is called an individual risk and is expressed as a unit over a period of time. Population risks are useful because they allow the costs and benefits of the risks to be measured and a judgement made on whether they are acceptable to the project or firm (Whitman, 2012).
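An added worked example, not from the original essay, of the quantitative assessment described above: it ranks a constructed risk register by expected loss, applies the rule that a risk is accepted when its countermeasure costs more than its expected loss, shows the equal-priority case of a high-loss/low-probability risk against a low-loss/high-probability one, and converts between population and individual risk units. It assumes the product form R = p × L for the overall risk (the formula figure did not survive extraction) and a one-year assessment period.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    name: str
    probability: float          # p: probability of occurrence in the assessment period (0..1)
    loss: float                 # L: potential loss per occurrence, in `unit`
    unit: str                   # e.g. "USD" for insurance-style losses, "cases" for health outcomes
    countermeasure_cost: float  # cost, in `unit` per period, of the control that would remove the risk

    def expected_loss(self) -> float:
        """Overall risk R = p * L (assumed product form; the essay's formula figure is missing)."""
        return self.probability * self.loss

    def treatment(self) -> str:
        """Accept a risk whose countermeasure costs more than its expected loss, else mitigate."""
        return "accept" if self.countermeasure_cost > self.expected_loss() else "mitigate"


def prioritise(register: List[Risk]) -> List[Tuple[str, float, str]]:
    """Rank by expected loss, highest first; ties keep register order (Python's sort is stable)."""
    ranked = sorted(register, key=lambda r: r.expected_loss(), reverse=True)
    return [(r.name, r.expected_loss(), r.treatment()) for r in ranked]


def same_priority(a: Risk, b: Risk, tol: float = 1e-9) -> bool:
    """True when two risks in the same unit yield the same expected loss, i.e. equal priority
    under R = p * L even though their p and L profiles differ."""
    return a.unit == b.unit and abs(a.expected_loss() - b.expected_loss()) < tol


def individual_risk(population_risk_per_period: float, population: int) -> float:
    """Population risk (cases per period across the exposed group) to individual risk
    (probability per person per period)."""
    if population <= 0:
        raise ValueError("population must be positive")
    return population_risk_per_period / population


def population_risk(individual_risk_per_period: float, population: int) -> float:
    """Inverse conversion: expected cases per period across the exposed group."""
    return individual_risk_per_period * population


# Constructed register (hypothetical values), annual assessment period.
REGISTER = [
    Risk("Data centre flood", probability=0.02, loss=1_000_000.0, unit="USD", countermeasure_cost=50_000.0),
    Risk("Laptop theft", probability=0.80, loss=25_000.0, unit="USD", countermeasure_cost=5_000.0),
    Risk("Ransomware outbreak", probability=0.10, loss=400_000.0, unit="USD", countermeasure_cost=30_000.0),
]

if __name__ == "__main__":
    for name, r, action in prioritise(REGISTER):
        print(f"{name:22s} R={r:12,.2f} USD/year  {action}")
    # Flood (high loss, low p) and theft (low loss, high p) both come out at R = 20,000/year.
    print("flood and theft have equal priority:", same_priority(REGISTER[0], REGISTER[1]))
    # Health-sector style example: 5 new cases per year in a constructed region of 250,000 people.
    print("individual risk per person-year:", individual_risk(5, 250_000))
```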
Contingency planning process through perception of Business Impact Analysis
Contingency planning is essential as it helps organizations respond positively to emergencies. Such planning ensures early preparation in terms of finances, communication and coordination procedures, which are usually vital to reduce the occurrence of risks in organizations. Understanding the effects of an occurrence is important if contingency plans are to work as required. The effects can only be understood through a business impact analysis (BIA), which evaluates and determines the effect of an accident or the interruption of a particular project on the organization's operations. It is known to be an important tool in the continual business operations of an organization (Gruber, 2007).
When businesses operate with a focus on BIA, they usually have tools that indicate the various vulnerabilities and the components geared towards reducing the occurrence of risk. After the evaluations, the business needs to produce a report that indicates the potential risks and recommends how they can be mitigated. The contingency planning process relies heavily on BIA, as most operations in a business depend on one another for continuity. However, some components are crucial, and management needs to allocate more funds to them to ensure continuity (Tenhiälä, 2011).
Incident Response and Disaster Recovery
An incident response plan is essential for any organization or project, and it should be added to the existing disaster recovery plan. Most incidents can easily turn into disasters, and this happens when minimal planning is done at the start of the project in question. Abnormal conditions ought to be recognized early, before they interfere with the normal functioning of the organization or project. Out-of-normal conditions should be assessed as soon as they are noticed so that responses that can save the situation can be initiated (Paton, 2003).
According to Paton and Smith (2011), situations can be either disasters or incidents, and careful consideration is needed to differentiate the two while operating a project or business. The best way to distinguish them is to consider their likelihood of ending early. An incident is an event that can disrupt business operations and may lead to both losses and a crisis. Incidents can take the form of leaking pipes, which escalate into a disaster when they eventually burst. Another example is the introduction of a virus into a network system: this is treated as an incident, but it becomes a disaster when the software used fails to eradicate the virus. Incidents turn into disasters because of the severity of the situation, which often leads to the disruption of operations in a business setting (Chen, 2008).
Managers and all those responsible for projects need planning modalities geared towards ensuring the continuity of the business in the long run (Hammond, 2001). Planning involves collecting data and other information about the response team and their associates. Having information about the team and their competitors is essential, as it can help individuals choose among the best service providers. When collecting data on the response team members, the manager should include their full names, phone numbers and addresses. They should also have information about alternate contacts who hold the security details of the systems in case the owners are not around. This information will help the manager obtain quick responses when needed during periods of disaster (Cox, 2011).
An authority from the local region ought to be included in the planning phase for decision-making purposes. The person should be well versed in the business under operation and in the system's unavailability. Information about the system will be of great help to the organization, as it can be used when the need arises without wasting time. References to such information, or its location, should be clearly enumerated using network diagrams or data flow diagrams. They will also need to record information about the system inventory and the logging data for easy access when the manager is not present (Schmidt, 2010).
The planning process will also indicate how procedures are handled and whom to contact for various matters (Ritchie, 2010). Lastly, the planning phase will need precautionary measures that help users of the information avoid tampering with any evidence that will lead to the understanding and ultimate recovery of an incident or disaster. Planning is essential as it helps administrators make timely decisions and avoid delays while executing different responses.
Information security is essential as it enables the immediate communication needed to address the different weaknesses associated with running the business in question. Information about systems can be communicated easily to allow quick responses and actions that help organizations come out of disasters more easily (Lindell, 2011).
Detection involves the first assessment of an incident and prioritizing incidents by their severity. This can be done using Information Security and Policy, a framework used to detect problems in systems and define their probable solutions. Managers need to ensure that the problem is clearly stated and that measures are put in place to curb any future incidents.
Decision-making by administrators allows for quick resolutions geared towards ensuring the continuity of an organization's operations. Timely decisions need to be made about who is to work on the processes and the exact portions to be handled. The manager will also need to define the scope of the problem and the adjustments needed, to give the contractors a vivid picture of what is expected of them while dealing with the crisis in question. Projects that embark on recovery and maintenance without a decision-making process often end up with more problems in the future, owing to loopholes left unnoticed through minimal expertise.
Response strategies allow for detailed analysis of the problem in question and the relevant solutions that will lead to normal operations. The administrators will have to decide on the specific strategies to be used to ensure increased profitability and minimal losses in the long run. Prioritizing the response activities needed to solve a problem will let the business achieve its objectives and work on the real problems first. This phase involves the presentation of evidence and the activities contained in the processes as a whole. The information will be helpful to the contractors who work on the disaster, as they will be aware of the business needs, and this will affect how they present their solutions to the problems.
After these processes are completed, the contractors will need to ensure recovery of the system using the modalities suited to the problem in question. The recovery process entails mitigating the overall impact of the disaster by removing unwanted activities and then recovering from the situation. This phase often allows a return to the detection and analysis stages that are essential to the whole response planning process.
Maintenance is the last phase of the process, and it restores the system to functioning as well as it did at the beginning. The contractors will need to document the total cost of the incident and its cause, together with the steps used to mitigate it. The document should also indicate the steps that can be taken in the future to ensure minimal or zero incidents.
It is important to inform all employees and contractors of the steps to be followed when an incident occurs and how incidents are usually handled. Staff should be told to report any abnormal operations in their departments so that those concerned with preserving the firm's interests can respond quickly.
Disaster recovery: preparation, implementation, operation, and maintenance
Disaster recovery is vital and involves the various policies set by the organization to ensure recovery and the eventual continuation of business. This happens after an incident or disaster, which can be human-induced or natural. All incidents and disasters are treated in a similar manner to ensure that systems operate without problems. Disaster recovery is often aligned with information technology and the other systems known to be the backbone of business operations. This differs from incident response, which usually focuses on the continuity of business operations. Disaster recovery falls under incident response when dealing with the continuity of business operations (Berke, 1993).
Disaster recovery involves the preparation, implementation, operation and maintenance of systems to make them work better in the organization in question. It deals with security planning, which usually helps organizations work through negative events. Negative events in an organization include all those that put its operations at risk. Events that can pose security threats and risks to organizations include natural disasters such as earthquakes and hurricanes, failing equipment and cyber attacks.
Through the disaster recovery plan, managers have policies that govern their operations while executing different procedures in their organizations. The disaster recovery plan comprises procedures and other policies that are essential in limiting the overall disruption of an organization's activities. Negative effects can easily be deterred by using a disaster recovery plan in a business environment. The business can resume operations and enjoy its usual working parameters without problems.
In the preparation stage, the administrators can indicate the probable problem in their system and contact the relevant personnel with full information on how the systems functioned before they broke down (Alhazmi, 2013). After preparation, they can then implement the processes laid down for the functioning of the system, together with input from the experts. At this stage the administrators give full support to the professionals so that they can complete the procedures in accordance with the various requirements. The system is then left to operate so that tests can be run, after which maintenance follows. Maintenance can include the use of antivirus systems to deal with malware that disrupts the normal functioning of the systems in use in the organization.
Under information technology, the steps of disaster recovery may be the overall restoration of mainframes and servers through the use of backups. The contractors can also reintroduce private branch exchanges or set up local area networks to ensure excellent business operations in the long run.
Business continuity differs from disaster recovery, as the latter entails the procedures that organizations put in place to ensure normal functioning after a disaster has occurred. Recovery places more emphasis on the operations of the business than on the information technology infrastructure. The two are related and have in the past been merged as disaster recovery and business continuity. Disaster recovery can be implemented with ease by administrators when they work closely with their contractors and staff members.
Issues affecting Business Continuity Planning
Unplanned events in a business setting can adversely affect business operations. Crises such as sickness, fire, damaged property or failure of the business system can have adverse effects and may stop continued operations in the long run. Such events can be minimized if the company puts proper measures in place to ensure safety and continuity after they occur. Unplanned events can reduce the number of customers because of the little faith they will have in the provisions made by the corporation as a whole. Better planning is essential for the survival of any organization, as it makes it possible for the business to counter incidents or disasters before they incapacitate its operations. Planning can also help the business identify risks and put in place measures that can stop them before they happen (Snedaker, 2014).
Failure to understand the organization or industry is a recipe for failure and a problem for BCP. Many business continuity experts put together different tools and applications in a hurried manner without considering the needs and requirements of their organization and industry as a whole. This can be a major problem for the organization in the event of incidents and disasters, because understanding the organization is key to making the changes and other transformations crucial to the business as a going concern.
The idea of business continuity is to mitigate the risks that occur in the organization. All the risks must be categorized by management before they are minimized. The risks and their sources need to be identified for easier elimination. It is vital to note, however, that it is never easy to eliminate all risks, hence the need to prioritize those that affect the organization adversely. To ensure proper mitigation of risks, professionals must understand the organization and industry before laying down policies for making changes. The information should be collected from higher-level management, because they are usually in charge of operations and have in-depth knowledge of them.
Unrealistic recovery objectives can also affect BCP, because most business operations require every unit to be independent in defining its objectives. Combining objectives that depend on the whole organization can be less effective when doing the analysis. The lack of a business continuity culture is also a major factor that can lead to failure while implementing the required tools and systems.
Concept of Crisis Management
Crisis management is the process that helps organizations deal with events that are harmful to their operations, workers, the public and their stakeholders. It requires the implementation of strategies geared towards helping a firm deal with sudden negative events. Crises often occur as a result of an event that the organization could not easily predict, or as an unforeseen consequence of a particular potential risk. Such problems often require the managers in the organization to intervene and make timely decisions to avoid damage. When there is a crisis in any organization, the first step to recovery is always to find a suitable candidate for the post of crisis manager (Pearson, 2012).
Before a crisis is encountered, administrators need to think about how it may impact their operations and those of their workers. They also need to consider the general public, their suppliers, their customers and their overall value in the external environment. Such information will make the company realize the need to make changes that will affect its production in future operations. The steps that constitute crisis management include, but are not limited to, planning, employing a crisis manager, being honest, keeping all workers informed of the situation at hand, keeping all customers and suppliers informed, and ensuring that quick responses are made to the issues to be addressed.
Crisis management requires clear roles and processes set with the aim of achieving better results. The company in crisis needs to have responses for crisis assessment, crisis termination and crisis prevention. These facets are essential for business operations as they ensure continuity in the long run and increased profits.
References
Abt, E., Rodricks, J. V., Levy, J. I., Zeise, L., & Burke, T. A. (2010). Science and decisions: Advancing risk assessment. Risk Analysis, 30(7), 1029-1036.
Alhazmi, O. H., & Malaiya, Y. K. (2013). Evaluating disaster recovery plans using the cloud. 2013 Proceedings Annual Reliability and Maintainability Symposium (RAMS), 1-6. IEEE.
Berke, P. R., Kartez, J., & Wenger, D. (1993). Recovery after disaster: achieving sustainable development, mitigation and equity. Disasters, 17(2), 93-109.
Carr, M., Konda, S., Monarch, I., Ulrich, F., & Walker, C. (1993). Taxonomy-based risk identification. Software Engineering Institute, (June), 1-24.
Cerullo, V., & Cerullo, M. J. (2004). Business Continuity Planning: A Comprehensive Approach. Information Systems Management, 21(3), 70-78.
Chen, P. (2008). Building assessment during disaster response and recovery. Proceedings of the ICE – Urban Design and Planning, 161(4), 183-195.
Cox, R. S., & Perry, K. M. E. (2011). Like a Fish Out of Water: Reconsidering Disaster Recovery and the Role of Place and Social Capital in Community Disaster Resilience. American Journal of Community Psychology, 48(3-4), 395-411.
Fairbrother, A., Wenstel, R., Sappington, K., & Wood, W. (2007). Framework for metals risk assessment. Ecotoxicology and environmental safety, 68(2), 145-227.
Gruber, M. (2007). Uncovering the value of planning in new venture creation: A process and contingency perspective. Journal of Business Venturing, 22(6), 782-807.
Hammond, J., & Brooks, J. (2001). The World Trade Center attack. Helping the helpers: the role of critical incident stress management. Critical care (London, England), 5(6), 315-317.
Lindell, M. K. (2011). Recovery and reconstruction after disaster. Encyclopedia of Natural Hazards, 812-825.
Lindström, J., Samuelsson, S., & Hägerfors, A. (2010). Business continuity planning methodology. Disaster Prevention and Management, 19, 243-255.
Nemzow, M. (1997). Business continuity planning. International Journal of Network Management, 7(3), 127-136.
Olson, D. L., & Wu, D. (2010). Enterprise Risk Management. Risk Management, 12, 1-13.
Paton, D. (2003). Stress in disaster response: a risk management approach. Disaster Prevention and Management, 12(3), 203-209.
Paton, D., Smith, L., & Violanti, J. (2000). Disaster response: risk, vulnerability and resilience. Disaster Prevention and Management, 9(3), 173-180.
Pearson, C. M., & Clair, J. A. (2012). Crisis Management Reframing. Management, 23, 59-76.
Ritchie, L. A., & MacDonald, W. (2010). Enhancing disaster and emergency preparedness, response, and recovery through evaluation. New Directions for Evaluation, 2010, 3-7.
Schmidt, G. (2010). Web 2.0 for Disaster Response and Recovery. Journal of Web Librarianship, 4(4), 413-426.
Snedaker, S., & Rima, C. (2014). Business Continuity and Disaster Recovery Planning for IT Professionals (pp. 369-411).
Tchankova, L. (2002). Risk identification – basic stage in risk management. Environmental Management and Health, 13(3), 290-297.
Tenhiälä, A. (2011). Contingency theory of capacity planning: The link between process types and planning methods. Journal of Operations Management, 29(1-2), 65-77.
Ward, S., & Chapman, C. (2003). Transforming project risk management into project uncertainty management. International Journal of Project Management, 21(2), 97-105.
Whitman, M. E., & Mattord, H. J. (2012). Principles of Information Security (pp. 1-617). Course Technology.
Zwikael, O., & Ahn, M. (2011). The Effectiveness of Risk Management: An Analysis of Project Risk Planning Across Industries and Countries. Risk Analysis, 31(1), 25-37.
Zwikael, O., & Sadeh, A. (2007). Planning effort as an effective risk management tool. Journal of Operations Management, 25(4), 755-767.