When I was tasked with business continuity for a company, I searched the Internet for information but came up with so much that I didn’t know where to start. I was looking for a framework for a business continuity management system that would make everything clear.
Eventually I was led to the ISO 22301 international standard. As I went through the standard, things became clear, especially the purpose of a business continuity management system. I subsequently completed training as an ISO 22301 lead implementer and lead auditor and became certified in both areas.
What I learnt is that business continuity is not all about natural disasters. It’s also not only about human errors that lead to accidents and cause disruptive incidents. It’s about cyber crime, things going wrong in the supply chain and, as we’ve seen, health pandemics.
It’s also a myth to believe that because you have a business continuity plan you are ready for any eventuality. The business continuity plan needs to be developed specifically for a business entity and its operations. The plan needs to be updated annually and tested.
Another area where there is confusion is that business continuity plans are the responsibility of IT. This is not so. Business continuity plans are the responsibility of each business entity manager. Each manager must be responsible for the continuity of their business operations following a disruptive incident. They need to have a team in place who can deal with the disruptive incident and know what to do immediately.
A further erroneous belief is that business continuity plans are the same as disaster plans and disaster recovery plans. A disaster management plan is essential for each company and its respective business units. This is a plan to help manage the disaster and minimise loss of life near or on the premises of the business. A disaster recovery plan kicks in when the disaster has been fully dealt with.
A business continuity management system is a holistic management process that identifies potential threats to a company and the impact to business operations. It provides a framework for building organisational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities.
In essence, a business continuity plan is there to ensure a rapid response to a disruptive incident, to get the company or organisation back up and running as soon as possible. This needs to be planned beforehand because, although you may have excellent employees and other systems, you won’t have time during the disaster to work out what to do and how to get the business back up and running afterwards.
The continuity of your business operations can’t be left to chance. This is why, if you look at certain standards like the King IV report, you will find that business continuity management falls under Part 5.4: Governance Functional Areas, Risk Governance. Principle 11 states that the governing body should govern risk in a way that supports the organisation in setting and achieving its strategic objectives. Under Recommended Practices, 6.e advises the establishment and implementation of business continuity arrangements that allow the organisation to operate under conditions of volatility, and to withstand and recover from acute shocks.
If you and your organisation require advice about business continuity management and business continuity plans, please contact me for a quick chat via Zoom.