by Galye Mitcham, Assistant Vice President, Marsh Consulting.

What is Business Continuity Management?
Business Continuity Management (BCM) uses a framework that helps to ensure the continuity of critical services during a disaster or incident. It provides the basis for planning to ensure the long-term recoverability and survivability following a disruptive event. Business Continuity Plans needs need to be clear, concise and tailored to meet business recovery requirements.

BCM in the public sector is referred to as Continuity of Operations Planning (COOP). COOP addresses the recovery of critical and essential operations in the event of an incident or emergency which disrupts service to the public.

The planning processes used in BCM and COOP are essentially the same, with the differences being primarily terminology. Since the BCM framework is more widely used and known, this article will focus on the BCM process.

Why it is Important to be Prepared?
Disasters disrupt thousands of businesses and lives every year. Each disaster has lasting effect both to people and property. Some businesses and services never recover when forced to face a disaster unprepared.

Being prepared can reduce fear, anxiety and losses that accompany disasters. For example, communities, businesses, colleges, universities, schools, families and individuals should know what to do in the event of a fire or where to seek shelter during a tornado. They should be ready to evacuate their offices, school or home and take refuge in a safe location. Likewise an organisation needs to be prepared so that it can protect its employees and continue or recover its critical processes and services.

An effective BCM program will go a long way towards helping address these concerns.

Understanding the Threats, Vulnerabilities and Risks

• A threat is something with the intent and/or capability to exploit a vulnerability in an asset. Threats can be natural disasters or man made disasters such as terrorism.
• A vulnerability is a weakness in an asset that can be exploited. An unsecured data centre would be vulnerability.
• A risk is the probability of harmful consequences resulting from interactions between threats and vulnerable assets.

One of the first steps in the development of an effective Business Continuity program is to understand the threats, vulnerabilities and risks your organisation is facing. Typical threats may include blackouts, natural disasters, computer viruses, chemical spills, labour strikes, shooting incidents, pandemics etc. As well there may be unique threats to your university that should also be considered.
Each threat needs to be assessed to determine the probability of its occurrence and the impact should it occur. This will help you determine what threats or risks you can live with and which ones you need to prepare for. Risk is commonly expressed using the following formula:

Risk = Impact x Probability

For the purposes of this formula, impact and probability are defined as follows:

• Impact: Impact on critical services resulting from or caused by a threat such as a natural disaster.
• Probability: The likelihood that this threat will occur. For example, those organisations in hurricane zones would have a higher likelihood this threat occurring. Those threats with a higher risk score should be addressed as part of your BCM planning.
• Plotting the threats on a graph similar to the one below may also be helpful in making the determination of which threats/risks you need to prepare and plan for.

Components of a Business Continuity Program

Overview
Business Continuity Management framework is made up of four main components. Each of them represents an important part of an effective Business Continuity Program.

Very recently another area of Business Continuity Management has come to the forefront – that is Pandemic Planning. Pandemic planning is a threat that must be identified as part of the risk assessment process. From a planning perspective Pandemic can be treated as part of both the Crisis Management and Business Continuity Planning Components. However, due to the projected severity of its impact and the high probability that is being placed on it, most organisations have chosen to look at Pandemic Planning as a separate or fifth component of the BCM framework.

Crisis Management and Crisis Communications
Effective crisis management requires proactive planning to ensure that the appropriate threats are addressed and planned for. Crisis management in the face of a crisis requires the identification of the nature of the crisis, intervening to minimise damage and moving forward with recovering critical services and processes. Crisis management also includes a strong focus on public relations to recover any damage to public image and assure stakeholders that recovery is underway.

Business Continuity and Recovery
Business Continuity and Recovery is a critical component in the BCM framework Critical services need to be identified, recovery strategies developed, and business continuity plans developed and exercised.

While this may be a large undertaking, it can be managed in phases, broken down as follows:

Business Continuity Project Phases

Disaster Recovery Plans for Infrastructure and Applications
The Information Technology Department is a key part of all Business Continuity Management Programs. Most critical services rely heavily on IT infrastructure and applications and therefore their recovery will require an IT component. IT recovery strategies need to be developed that will meet the needs of the business and then detailed step-by-step IT recovery plans should be developed.

Pandemic Planning
Health and Safety are the number one priority when developing a Pandemic Response Plan. Proactive pandemic response activities include identifying vital processes and functions that need to be sustained for as long as possible during a Pandemic, review of HR policies that may be impacted by loss and illness of employees and infection control procedures required to minimise and control the spread of the Pandemic where possible. Crisis Management and Business Continuity Plans are updated to reflect the Pandemic strategies and plans that are identified.

This article has been produced from the CURIE Risk Management Newsletter with the permission of Gayle Mitcham, Assistant Vice President, Marsh Consulting.