Business Continuity: Surprised, Powerless or Prepared
I am SURPRISED that these past years, unfortunate situations and events are giving us alarms and reminders how unpredictable and devastating both man-made and natural disasters can be. Who would have known that there is a place called Fukushima or Yolanda (Typhoon Haiyan) is not a name of a girl next door. Manila can be mostly flooded for a few hours, but not as long as Thailand flood could. If I happen to smell smoke, I would try to find the source because there should be fire, however, that smoke came from Indonesia to Singapore.
For most of us, we are just observers to the realities that life is fragile and businesses are vulnerable, no matter how perfect our systems are. For most of us, we ask, “What we could have done to have prevented these from happening?” However, in the end, we realise that we cannot do anything, and just expect that the worst might happen—simply POWERLESS. Experience in disasters will, yes, make survivor organisations resilient, but most would pass on the offer to be met with any kind of disaster. You may indulge in making your fortunes better by visiting your local ‘Fen Shui’ expert, in which case, is there still a figment of a doubt?
Enter ISO 22301:2012 Societal Security: Business Continuity Management System or simply BCMS brings about a certification standard which signifies that the organisation will prevail and continue doing business even during actual disasters. Most organisations who adapted or got certified in this standard can proudly guarantee their customers with a ‘peace of mind’ to continually receive the vital products and services at the minimum acceptable levels even during disasters.
The BCMS certification standard allows for organisations to be PREPARED to prevent unacceptable consequences from happening which may affect the organization’s reputation, financial stability, and customer confidence among other things. How will ISO 22301:2012 achieve such?
Looking at Figure 1 below, it will show how the PDCA model can be applied in implementing the BCMS Processes:
- Establish business continuity policy, objectives, targets, controls, processes and procedures relevant to improving business continuity in order to deliver results that align with the organisation’s overall policies and objectives. By understanding business continuity commitments, the organisation will come to realise the business continuity plans and resources to implement and effectively respond to pre-determined disruptions. The objective of which is to maintain acceptable levels of products and services for the customer. Having an effective response also translates to faster recovery towards business normalcy. With effective planning, critical decisions during disaster will become pro-active and easy rather than being surprised and resulting to finger-pointing.
- Implement and operate the business continuity policy, controls, processes and procedures. Expect robust plans, activities and arrangements to take on a disaster or disruptions will actually work and be responsive to the needs of the business to continue. By conducting realistic risk assessment, business impact analysis, developing business continuity strategy and recovery plans, the business continuity team will know exactly how to react and respond. The planned arrangements will also ensure that reaction and responses are fully supported by the necessary resource requirements. As an added benefit, the organisation will also avoid over allocation of manpower, materials, infrastructure and related needs for business continuity which could be otherwise put to better use.
- Monitor and review performance against business continuity policy and objectives, report the results to management for review, and determine and authorize actions for remediation and improvement. Does the business plan work? This cannot be known until actual disruptions occur, right? However, for ISO 22301:2012, it is not required to wait for an actual disruption, but, the plans will have be tested by practical means to ensure effective reaction and response to a disruption. And for the BCMS, regular audits would be part of the organisation’s activity to ensure conformance to the requirement of ISO 22301:2012 to ensure effective BCMS.
- Maintain and improve the BCMS by taking corrective action, based on the results of management review and reappraising the scope of the BCMS and business continuity policy and objectives. Regular improvements are part of the BCMS. By acting upon findings from regular business continuity plan test and drills, findings from internal audits and keeping up to date to the needs of the times effect on the organisation’s business continuity need, the organisation becomes continually more resilient.
The above components will facilitate a systematic approach for Business Continuity and its Continual Improvement. In order to be PREPARED, Neville Clarke has the complete solutions.