The Auditor General’s Report into Local Government published on May 27th highlights how important business continuity activity will be to local Councils for the remainder of 2021. The Report concluded that Council’s plans need to be updated to reflect lessons learnt from the disasters of recent years. The Audit Office will be conducting a performance audit of business continuity planning in the coming months.
Amongst all the doom and uncertainty associated with Covid-19, there was one tangible benefit that emerged for most organisations. That was that they were compelled to review the currency and efficacy of their Business Continuity Management (BCM) framework and implement (in real-time) their Business Continuity Plan (BCP).
While the vast majority may not have included such a significant pandemic event in their BCP, the better-managed organisations were able to quickly address this anomaly, confront the prevailing challenges and are now recovering in a ‘new normal’ operating environment.
While we all certainly hope we don’t face an event like Covid-19 again any time soon, it has shown us the importance of having the appropriate preparations and frameworks in place in case of business disruption. Ensuring you’re aware of the components of a robust and dynamic BCM framework – and that these components are actively reviewed and fit for purpose – has maybe never been more important.
A BCP gives your organisation a structured approach to respond to unexpected business disruptions, such as fires, floods or severe weather events, IT outages, cyber incidents, outbreaks of pandemics or supply chain outages.
When it comes to ensuring your organisation can survive these kinds of incidents, maintain its operations and protect its reputation, brand and shareholder value, there is certainly truth in the 16th Century saying, “forewarned, is forearmed”. Industry research by the USA Federal Emergency Management Agency (FEMA) shows that “40% of businesses that have no plan do not reopen following a disaster and an additional 25% will fail within one year.”
In some industries, Business Continuity Management is mandatory or even regulated (such as financial services). In others, such as the media industry, it’s not even on the radar. Regardless of whether you are mandated to implement BCM or not, there are many benefits for doing so, including:
Of course, some say that the time and cost to implement and maintain business continuity management is not worthwhile. They’d prefer to simply deal with an incident or disaster if and when it arises or hope that all business risks will just ‘go away’. But with the frequency, severity and impact of all types of incidents and disasters on the rise (including cyber incidents, climate-change related natural disasters and the current pandemic), there is an increasing demand for organisations to increase their business resilience and continuity capabilities.
There are numerous local and international standards for business continuity management, as well as those from the likes of the Disaster Recovery Institute .
Regardless of which methodology you adopt, there is consensus that BC projects should be broken into several project stages or phases, as demonstrated in this diagram and detailed below.
While a BCP format varies widely depending on the audience and intended use, a mature Plan will include quick reference ‘aid-memoires’, handbooks, business unit or location-specific plans, and executive focused Command Team’ plans. Increasingly, BCPs are made available online via specialist business continuity software packages, intranet sites and smartphone applications.
When deciding on BC Plan structure, format and content, no one size fits all. Whether you opt for 100+ page documents, BC Summary Handbooks or 1-page Quick Reference Guides, the considerations include:
Ultimately, a combination of various continuity plans may be needed to meet all of your organisations’ stakeholder requirements.
Perhaps the most important aspect of Business Continuity Management is that it is viewed as a “process, not a project”. Point-in-time risk assessments, business impact analysis, business continuity strategies and plans can quickly become out of date, given today’s dynamic nature of business. Changes in business location, structure, staffing, processes, IT infrastructure and applications are all aspects of organisational change that impact continuity strategies and plans. And with out-of-date business continuity plans providing a false sense of security, relying on them can be fatal to business survival.
Therefore, a clear plan of governance and maintenance activities is critical to the ongoing success of business continuity management. This should map out the timing and responsibilities for all activities: risk business impact assessment reviews, business continuity plan updates, revision of education and training for staff and continuity team members and testing and exercising activities.
Industry good practice recommends annual governance and maintenance. The timing of these actions is dependent on many factors (such as company size, industry, regulatory requirements, budget availability and risk appetite). However, in our experience, relying on an annual review is fraught with danger and ideally continuous, or at a minimum quarterly, activities maintenance program should be put in place.
Centium has partnered with a specialist Business Continuity service provider who can carry out all aspects of business continuity planning for your organisation. With over 20 years in business, over 140 clients, and over 450 consultancy projects, our accredited BCM partner can quickly and efficiently develop solutions tailored to your specific needs. Further, they offer an outsourced ‘managed service’ to ensure your plan is actively maintained, is current and always fit-for-purpose.
Combined with Centium’s in-house expertise in resilience, cyber and risk management services, we can provide our State and Local Government clients with a comprehensive and robust business continuity management service. This service is further enhanced by a tailored knowledge sharing and training program, which in turn enhances the effectiveness and timeliness of any identified corrective actions.
Contact our Director Cyber Security & Resilience for a no-obligation discussion on firstname.lastname@example.org or 0402111226.