In recent years, there has been growing interest in resilience, initially driven by governments and local authorities. This focus emerged in the 1990s and 2000s, as it became clear that society and communities needed to be better prepared for civil emergencies and natural disasters like earthquakes and extreme weather. Although resilience was first seen as a way to handle large-scale events, it has since expanded to cover a broader range of concerns. This shift is reflected in the development of standards. For example, British Standard BS 25999:2006, which focused on business continuity, was replaced by ISO 22301:2012, emphasizing societal security and business continuity management. Other international standards are also being created, including the Organizational Resilience Standard (ASIS SPC.1-2009) from the American National Standards Institute. This standard promotes an enterprise-wide view of risk management, helping organizations prepare for, respond to, and recover from disruptions. It integrates with ISO 31000 and aligns with other ISO standards like ISO 9001 and ISO 27001. The key idea is that a resilient organization must “prevent, protect, and prepare” while also being ready to “respond, recover, and review” when crises occur.
Resilience is defined in ISO 22300 as an organization’s ability to adapt in a complex, changing environment. However, resilience also involves how an organization handles crises. A broader definition could be the capacity to maintain or return to a desired state after changes or disruptions. This view includes crisis management and the ability to handle less severe but disruptive events. The rise of resilience provides an opportunity for risk management and business continuity professionals to work together more effectively. To achieve resilience, organizations should focus on three key behaviors: staying aware of changes in their environment, protecting and preparing their resources (such as assets and relationships), and being able to respond quickly and adapt after disruptions. Another trend is the adoption of the “plan–do–check–act” (PDCA) approach in risk management and resilience standards. This method aligns well with the “plan, implement, measure, learn” (PIML) approach in ISO 31000, which emphasizes a more comprehensive and analytical process. As resilience becomes increasingly important, organizations are receiving more guidance on how to strengthen it, such as advice provided by the UK government’s Cabinet Office.
Integrating organizational resilience into governance helps ensure that risks to critical infrastructure—such as those from natural disasters, major accidents, or intentional harm—are properly addressed by the board. This approach ensures that resilience is factored into key decisions, including investments, procurement, risk management, and discussions with supply chain partners. It allows infrastructure owners and operators to better understand how resilient their systems are, regularly assess the effectiveness of their strategies, and make adjustments as needed to maintain operations or align with changing goals.
Business continuity management
British Standard BS 31100 defines BCP as “[An] holistic management process that identifies potential threats to an organization and the impacts to business operations that those threats, if realised, might cause, and which provides a framework for building organizational resilience with the capability for an effective response to safeguard the interests of its key stakeholders, reputation, brand and value-creating activities.” Business Continuity Management (BCM) plays a critical role in Enterprise Risk Management (ERM) by ensuring that organizations can withstand and recover from unexpected disruptions. ERM focuses on identifying, assessing, and managing risks across an organization to achieve strategic objectives. Within this framework, BCM is a vital component that addresses operational risks related to business interruptions. BCM provides structured plans and processes to maintain critical business functions during and after a disruption. These disruptions could stem from natural disasters, cyberattacks, equipment failures, or supply chain interruptions. BCM complements ERM by not only mitigating the impact of these risks but also aligning continuity strategies with the organization’s overall risk appetite and objectives. In practice, BCM involves identifying essential business processes, assessing potential threats, and developing strategies to maintain or quickly restore operations. It includes creating and testing Business Continuity Plans (BCPs) and Disaster Recovery Plans (DRPs). These plans ensure that essential services continue with minimal downtime, safeguarding the organization’s reputation, customer trust, and financial stability.
Integration of BCM within ERM enhances organizational resilience. By embedding continuity planning into governance structures and risk assessments, organizations can proactively address vulnerabilities and improve decision-making. This integrated approach helps prioritize resources, optimize response strategies, and ensure alignment with long-term goals, making BCM an indispensable part of a comprehensive ERM framework. Recently, there’s been growing interest in business continuity planning (BCP) and disaster recovery planning (DRP). Many global standards emphasize the role of BCP in risk management. This concern is fueled by the potential for major disruptions from extreme weather, terrorism, civil emergencies, or pandemics. Essentially, BCP prepares organizations for incidents that could threaten their operations. These incidents range from local issues like fires to larger events such as earthquakes, security threats, or global crises. For severe incidents, like losing access to premises or a key part of the business, having a clear and tested disaster recovery plan is crucial. DRP often focuses on restoring IT systems, finding alternative facilities, and ensuring clear communication with employees, customers, and the media. BCP complements this by planning for a return to normal operations, reducing the impact of incidents, and controlling recovery costs. Disaster recovery is a subset of BCP, focusing on infrastructure restoration, such as recovering lost data or fixing system failures. Crisis management, on the other hand, deals with the broader response, including external communications and managing public perception. For example, a printing firm might prepare for IT failure by contracting a mobile emergency computer service to ensure business continuity. Different organizations debate whether BCP and DRP are primarily corrective or directive controls. 
Regardless, they are essential for managing the aftermath of incidents rather than predicting their likelihood. Just as seat belts protect passengers during accidents without assessing accident risk, BCP and DRP prepare organizations for when disruptions occur. Many organizations now view BCP in three stages. First, a crisis management plan is activated to address the immediate crisis and communicate with stakeholders. Next, the disaster recovery plan is implemented to restore critical systems and operations. Finally, the focus shifts to long-term business continuity, ensuring full recovery and a return to normal operations. An example of this approach is a major road accident. Initially, emergency services handle the crisis by addressing injuries and securing the scene. Once the immediate danger is under control, the disaster recovery phase involves clearing wreckage and repairing the road. Only after these steps is normal traffic flow restored, addressing the continuity aspect. For companies involved in such incidents, like transport firms, crisis management extends to demonstrating social responsibility and supporting affected stakeholders, such as injured drivers’ families. Throughout the disruption, clear communication and effective crisis management are vital to minimize reputational damage and support recovery efforts.
Business continuity standards
Business continuity standards provide a framework for organizations to develop, implement, and maintain effective business continuity management systems (BCMS). These standards are designed to help organizations prepare for, respond to, and recover from disruptions, ensuring the continuity of critical operations. Below are some key business continuity standards widely recognized across industries:
- ISO 22301: Business Continuity Management Systems (BCMS): ISO 22301 is the international standard for business continuity management. It provides a comprehensive framework for establishing, implementing, maintaining, and improving a BCMS. Key features of ISO 22301 include:
  - Identification of critical business functions and associated risks.
  - Development of business continuity and recovery strategies.
  - Clear communication and documentation of plans.
  - Regular testing, maintenance, and review of the BCMS.
- ISO 22313: Guidance for Business Continuity: ISO 22313 provides guidance to support the implementation of ISO 22301. It offers detailed explanations of best practices and practical advice to help organizations establish effective business continuity processes.
- NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity: Developed by the National Fire Protection Association (NFPA), NFPA 1600 outlines criteria for disaster and emergency management, including business continuity. It emphasizes risk assessment, resource management, and crisis communication.
- BS 25999 (Replaced by ISO 22301): The British Standard BS 25999 was one of the first comprehensive standards for business continuity management. It has since been replaced by ISO 22301 but laid the groundwork for modern business continuity practices.
- ASIS SPC.1-2009: Organizational Resilience: Published by the American National Standards Institute (ANSI) and ASIS International, this standard takes a broader view of organizational resilience, integrating business continuity with risk and crisis management.
- ITIL (Information Technology Infrastructure Library): While primarily focused on IT service management, ITIL includes guidance on disaster recovery and business continuity within IT systems, ensuring the continuity of digital operations.
- COBIT (Control Objectives for Information and Related Technologies): COBIT provides a framework for IT governance and management, including risk mitigation and business continuity for IT functions.
- FIPS 199 and FIPS 200 (US Federal Standards): The Federal Information Processing Standards (FIPS), developed by the National Institute of Standards and Technology (NIST), focus on the security and continuity of federal information systems. These include guidelines for contingency planning and disaster recovery.
- DRII Professional Practices for Business Continuity Practitioners: Published by the Disaster Recovery Institute International (DRII), these practices provide a practical approach to developing and implementing business continuity and disaster recovery programs.
- ISO 31000: Risk Management: Though not solely focused on business continuity, ISO 31000 provides a general framework for risk management, complementing BCM efforts by integrating risk-based approaches.
- Local and Industry-Specific Standards: Many industries and countries have their own standards and regulations for business continuity, tailored to specific risks or compliance requirements (e.g., healthcare, finance, or energy sectors).
ISO 22301 follows a structure that is becoming standard for management systems. It uses a plan–do–check–act (PDCA) approach, similar to the plan–implement–measure–learn (PIML) method. The standard outlines a business continuity management system (BCMS) lifecycle with five key steps: identifying critical risks already affecting the organization, understanding its needs and obligations, establishing and maintaining the BCMS, evaluating the organization’s ability to handle disruptions, and ensuring compliance with the business continuity policy. Most large organizations see business continuity planning as essential. Governments also encourage businesses, particularly small ones, to develop and implement effective continuity plans. One major change in ISO 22301 compared to its predecessor, BS 25999, is its adoption of a high-level structure common to all new management standards. This makes it easier to integrate multiple systems. It also shifts from “preventive action” to “actions to address risks and opportunities” and emphasizes setting goals, monitoring performance, and using metrics to align business continuity with strategic management. For a business continuity plan (BCP) to succeed, it should be comprehensive, cost-effective, practical, effective, well-maintained, and regularly practiced. The plan must cover all the organization’s operations and locations to ensure a full return to normal business. It should also be proportionate to the risks the organization faces to ensure its cost-effectiveness.
A business continuity plan (BCP) should be straightforward and easy for staff and others involved to follow. It needs to clearly outline which business functions are urgent and assign responsibilities for getting things back to normal quickly. For the plan to work well, it must be regularly tested, updated, and practiced. Staff should understand how the plan works, and training should be provided. Any lessons learned during tests or practice sessions should be used to improve the plan’s effectiveness. Testing is crucial to make sure the plan will work when needed, but it can be time-consuming and sometimes disruptive or costly. For example, even a simple fire drill can interrupt daily operations, showing that testing plans will often affect regular activities.
Key activities in business continuity planning
- Assess company activities to identify critical staff, materials, procedures and equipment required to keep the business operating.
- Identify suppliers, shippers, resources and other businesses that are contacted on a daily basis.
- Plan what to do if any important buildings, plant or store were to become inaccessible.
- Identify necessary actions to ensure continuity of critical business functions, especially payroll.
- Decide who should participate in compiling and subsequently testing the emergency plans.
- Define crisis management procedures and individual responsibilities for disaster recovery activities.
- Co-ordinate with others, including neighbours, utility suppliers, suppliers, shippers and key customers.
- Review the emergency plans annually and when the business changes and/or new members of staff are recruited.
A business continuity plan (BCP) should be simple and easy for employees and anyone else involved to follow. It must be effective by prioritizing critical business functions and assigning clear responsibilities to quickly get operations back to normal. To ensure the plan works, it must be regularly tested, updated, and practiced. Employees should be trained on how the plan works, and any lessons learned from these tests should be used to improve the plan. Testing the BCP is essential to make sure it is suitable and effective. However, testing can take time and may disrupt regular work, sometimes leading to additional costs. For example, even a basic fire drill can interrupt daily activities, showing how testing impacts normal routines.
COVID-19 pandemic
The COVID-19 pandemic highlighted the critical importance of Business Continuity Planning (BCP) for organizations worldwide. Here’s how BCP played a vital role during the crisis:
- Ensuring Operational Continuity: During the pandemic, lockdowns and social distancing measures disrupted normal business operations. Organizations with robust BCPs quickly shifted to remote working setups, ensuring continuity of essential functions. Companies without a BCP struggled to maintain operations, leading to significant financial losses and, in some cases, permanent closure.
- Managing Supply Chain Disruptions: Many industries faced supply chain issues due to global manufacturing shutdowns. Organizations with BCPs had contingency plans, such as alternate suppliers or stockpiling critical resources. This reduced downtime and ensured that businesses could continue to deliver products or services to customers.
- Safeguarding Employee Well-being: Companies with BCPs had pre-established health and safety protocols, including remote work policies and health monitoring, minimizing the risk to employees. Protecting employees ensured sustained workforce availability and maintained productivity during the crisis.
- Maintaining Customer Trust: Organizations that effectively communicated their continuity strategies and maintained service levels retained customer confidence. For instance, e-commerce platforms managed increased demand by leveraging their continuity plans. Consistent service during uncertain times builds long-term customer loyalty.
- Financial Resilience: BCPs often include financial contingency plans like maintaining cash reserves or securing lines of credit. During COVID-19, these measures helped businesses weather sudden revenue drops. Financial preparedness ensured survival during periods of reduced income or increased expenses.
- Adaptation to Changing Business Models: Restaurants pivoted to delivery and takeout services, while fitness centers offered online classes. Organizations with flexible BCPs adapted quickly to changing market demands. Adaptability allowed businesses to find new revenue streams during the pandemic.
- Post-Pandemic Recovery: Companies with effective BCPs recovered more quickly by implementing phased return-to-work plans and revising operations to align with the “new normal.” Faster recovery minimized long-term impact and positioned businesses for growth as markets stabilized.
Timeline of a major incident and recovery (points referenced in the example below):
- A: Major incident, such as a fire or long-term power cut
- B: Limited emergency operations commenced at a back-up site, as planned by the disaster recovery plan
- C: Start-up of operations at an alternative emergency site, but the back-up site operations are disrupted
- D: Full recovery from this point
This example shows how Disaster Recovery Planning (DRP) and Business Continuity Planning (BCP) work in practice. It focuses on a broadcasting company that faces a major disruption at its main facility (point A on the timeline). The disaster recovery plan allows broadcasting to resume quickly, but only as an emergency service (point B). This example doesn’t include the cost of fixing the damaged facility. After a short time of emergency operation, the company can switch to full operation from a backup location (Facility B). However, using this alternative means losing some capabilities. At point C, service improves but doesn’t fully return to the previous level because the original facility (A) is still out of service. The incident brings higher operating costs. These include the cost of implementing the disaster recovery plan, running emergency broadcasts, and moving to Facility B. While using Facility B, extra costs arise, such as temporary housing for staff and additional technical resources. Eventually, at point D, the damaged Facility A is repaired, and normal operations resume. This scenario illustrates the challenges organizations face after a major incident. Service levels may remain below normal for a while, and operational costs will be higher. Insurance might cover some of these extra costs, but only within the time limit set in the policy. However, insurance likely won’t cover losses due to reduced service unless specific types of losses were previously insured.
Business impact analysis (BIA)
Business Impact Analysis (BIA) is the process of determining the criticality of business functions, assessing the potential impact of interruptions, and identifying the resources required for recovery. It helps prioritize recovery efforts by highlighting the most important processes and their dependencies. As a key process in business continuity planning, the BIA identifies and evaluates the potential effects of disruptions, such as natural disasters, cyberattacks, or supply chain failures, on critical business operations, processes, and systems, and on the organization’s ability to operate effectively. Conducting a BIA is therefore a key step in creating effective business continuity plans (BCPs) and disaster recovery plans (DRPs): by evaluating the consequences of any disruption, it determines how critical each business function is, and that information is essential for developing suitable strategies to maintain continuity for those functions. A BIA is similar to a risk assessment, but with a different focus. While a risk assessment looks at potential events that could cause disruptions, a BIA focuses on the importance and urgency of each business function. Despite this difference, both processes are connected and can be done together. For instance, a risk assessment identifies threats to business continuity goals, while a BIA ensures critical activities meet those goals, such as a TV company aiming for 99.9% broadcasting continuity. The BIA serves three main purposes:
- Identify critical functions and recovery timeframes: Determine which activities are essential and how quickly they need to be restored after a disruption.
- Assess recovery needs and potential impacts: Understand the resources required to recover critical functions within the set timeframe.
- Align impacts with the organization’s risk appetite: Ensure that the expected disruptions and recovery plans fit the organization’s tolerance for risk.
A BIA often examines disruptions related to the 4Ps: People, Processes, Premises, and Products. Once potential sources of disruption are identified, the BIA process becomes more straightforward. The main focus is usually on business processes since maintaining these processes is crucial for protecting stakeholders, reputation, and the organization’s value.
Key Components of BIA
- Critical Activities: Identifying essential business functions that must continue during a disruption.
- Impact Assessment: Analyzing the financial, operational, reputational, and legal consequences of a disruption.
- Recovery Time Objectives (RTO): Determining how quickly critical functions must be restored.
- Recovery Point Objectives (RPO): Defining acceptable data loss in terms of time.
- Dependencies: Identifying key systems, suppliers, and staff necessary for critical operations.
Importance of BIA
- Prioritizes Resources: Ensures focus on the most crucial functions.
- Informs Strategy: Guides the development of effective business continuity and disaster recovery plans.
- Minimizes Downtime: Helps organizations quickly resume critical operations.
- Supports Risk Management: Identifies potential risks and their impact, allowing proactive measures.
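As an added example (not part of the original text), the BIA elements described above turned into a small consistency checker: a constructed register of business functions with RTOs, RPOs and dependencies, plus a maximum tolerable downtime per function that stands in for the organization’s risk appetite. From it the code derives a recovery order, flags dependency gaps (a function whose supporting system has a looser objective than its own) and lists functions whose realistic restoration time breaches the tolerance. The field names and the fictional broadcaster’s data are this example’s own assumptions.

```python
"""BIA consistency checks: recovery ordering, dependency gaps, risk appetite.

Constructed sample data for a fictional broadcaster; the field names
(rto_h, rpo_h, mtd_h) are this example's own, not from any standard.
"""
from dataclasses import dataclass
import heapq


@dataclass(frozen=True)
class BusinessFunction:
    name: str
    rto_h: float            # Recovery Time Objective: hours until it must be restored
    rpo_h: float            # Recovery Point Objective: max acceptable data loss, in hours
    mtd_h: float            # max tolerable downtime; proxy for risk appetite here
    depends_on: tuple = ()  # names of functions this one cannot run without


# Constructed sample BIA register (not a real organization).
SAMPLE = [
    BusinessFunction("network",       rto_h=2,  rpo_h=0,    mtd_h=4),
    BusinessFunction("media_storage", rto_h=4,  rpo_h=24,   mtd_h=8),
    BusinessFunction("hr_database",   rto_h=48, rpo_h=24,   mtd_h=72),
    BusinessFunction("playout",       rto_h=1,  rpo_h=0.25, mtd_h=2,
                     depends_on=("network", "media_storage")),
    BusinessFunction("website",       rto_h=8,  rpo_h=4,    mtd_h=24,
                     depends_on=("network",)),
    BusinessFunction("payroll",       rto_h=72, rpo_h=24,   mtd_h=120,
                     depends_on=("hr_database",)),
]


def _index(functions):
    """Map names to functions and reject references to undefined dependencies."""
    by_name = {f.name: f for f in functions}
    for f in functions:
        for dep in f.depends_on:
            if dep not in by_name:
                raise ValueError(f"{f.name} depends on unknown function {dep}")
    return by_name


def recovery_order(functions):
    """Restoration sequence: every dependency before its dependents, and among
    the functions that are ready, the most urgent (lowest RTO) first."""
    by_name = _index(functions)
    remaining = {f.name: set(f.depends_on) for f in functions}
    dependents = {f.name: [] for f in functions}
    for f in functions:
        for dep in f.depends_on:
            dependents[dep].append(f.name)
    ready = [(f.rto_h, f.name) for f in functions if not f.depends_on]
    heapq.heapify(ready)
    order = []
    while ready:
        _, name = heapq.heappop(ready)
        order.append(name)
        for child in dependents[name]:
            remaining[child].discard(name)
            if not remaining[child]:
                heapq.heappush(ready, (by_name[child].rto_h, child))
    if len(order) != len(functions):
        raise ValueError("circular dependency in BIA register")
    return order


def dependency_gaps(functions):
    """Objectives that cannot be met because a dependency's objective is looser.
    Returns (function, dependency, 'rto' | 'rpo') triples."""
    by_name = _index(functions)
    gaps = []
    for f in functions:
        for dep in f.depends_on:
            d = by_name[dep]
            if d.rto_h > f.rto_h:  # dependency comes back later than f needs it
                gaps.append((f.name, dep, "rto"))
            if d.rpo_h > f.rpo_h:  # dependency restarts on staler data than f tolerates
                gaps.append((f.name, dep, "rpo"))
    return gaps


def effective_rto(functions, name, _memo=None):
    """Realistic restoration time: own RTO or the slowest dependency chain."""
    by_name = _index(functions)
    memo = {} if _memo is None else _memo
    if name not in memo:
        f = by_name[name]
        memo[name] = max([f.rto_h] + [effective_rto(functions, d, memo) for d in f.depends_on])
    return memo[name]


def risk_appetite_breaches(functions):
    """Functions whose effective RTO exceeds the downtime the organization tolerates."""
    return [f.name for f in functions if effective_rto(functions, f.name) > f.mtd_h]


if __name__ == "__main__":
    print("recovery order:", recovery_order(SAMPLE))
    for fn, dep, kind in dependency_gaps(SAMPLE):
        print(f"{kind.upper()} gap: {fn} needs {dep}")
    print("breach risk appetite:", risk_appetite_breaches(SAMPLE))
```

In the sample, playout has a one-hour RTO but depends on storage that takes four hours to restore, so its effective RTO is four hours and it breaches its two-hour tolerance, which is exactly the kind of finding the BIA is meant to surface before a disruption.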
Business continuity and ERM
Business Continuity Planning (BCP) plays a vital role within the broader framework of Enterprise Risk Management (ERM). While ERM aims to identify, assess, and mitigate risks that could impact an organization’s objectives, BCP focuses on ensuring that critical business functions can continue during and after a disruption. In this way, BCP complements ERM by providing practical strategies for maintaining operations when unforeseen events occur. ERM provides a comprehensive approach to managing risks across the organization, from strategic risks like market changes to operational risks such as IT system failures. BCP fits within ERM by addressing specific risks that could disrupt operations and detailing how to respond effectively. For instance, ERM might identify the risk of a cyberattack as a high-priority threat. BCP would then ensure that the organization has a disaster recovery plan in place to restore IT systems quickly, minimizing downtime and protecting critical data. Moreover, BCP and ERM share a common goal: safeguarding the organization’s core processes and stakeholder interests. While ERM emphasizes risk identification and mitigation to prevent disruptions, BCP ensures operational resilience by outlining the steps to take when disruptions occur. This dual focus on prevention and recovery strengthens the organization’s ability to withstand a wide range of risks. By working together, ERM and BCP create a robust framework for organizational resilience. ERM identifies potential threats and their impact, while BCP ensures that practical, actionable plans are in place to maintain operations during crises. This integrated approach not only protects the organization from financial and reputational damage but also helps it quickly recover and return to normal operations after an incident.
There is a clear connection between Business Continuity Planning (BCP) and Enterprise Risk Management (ERM). ERM focuses on managing risks across the entire organization, while BCP ensures that plans are in place to maintain operations during disruptions. BCP looks at how to keep the organization running as a whole, which aligns with ERM’s goal of maintaining core processes. However, BCP is just one part of ERM, not its entirety. Both approaches share a common goal: ensuring the organization’s critical processes remain effective and efficient. ERM emphasizes identifying risks that could affect core operations, while BCP focuses on determining which business functions must continue to keep the organization running. These methods complement each other and work well together in managing risks and ensuring continuity. For instance, a pharmaceutical company might treat the constant availability of prescription drugs as a core process. Using ERM, it identifies risks that could disrupt this process, blending ERM and BCP to meet stakeholder expectations. Scenario planning plays a key role in both BCP and ERM. It involves preparing for possible future events, including unlikely crises, and helps organizations build resilience. In financial institutions, this includes “stress testing,” where they assess how much capital they would need during severe financial difficulties, like those experienced during the 2007-2008 global financial crisis. By practicing scenario planning, organizations can better anticipate unexpected situations and improve their ability to respond effectively. This, in turn, strengthens the overall resilience of the organization.
Standards can be created to set a minimum level of resilience, ensuring that a system or network can continue running during extreme events without major disruptions to essential services. By outlining the worst-case scenarios that could reasonably happen, infrastructure owners and operators can evaluate how well their systems can handle such events. This helps them identify any weaknesses or gaps between what their systems are currently designed to handle and what might actually happen. For events more severe than these worst-case scenarios, the organization’s overall resilience will determine how well they can manage and respond. In addition, business continuity plans should include how quickly services can be restored after a disruption, even if the disruption comes from unexpected or more extreme events not specifically accounted for in the original scenarios.

In many countries, local governments are required to help ensure that businesses can continue operating during major emergencies. These emergencies could be caused by natural disasters like floods or earthquakes, or by events such as terrorism, civil unrest, or health crises like pandemics. The ISO 22300 standards focus on societal resilience, highlighting the growing importance of helping communities and businesses prepare for such situations. Governments and trade associations often provide guidance to businesses on creating effective business continuity plans (BCPs). For example, the U.S. government offers useful resources online, while small business associations provide practical advice on how to respond during civil emergencies. Local authorities usually have legal responsibilities to respond to emergencies. Businesses such as factories and warehouses might have resources like equipment or facilities that can be useful, while retail shops can supply essential goods like food, bottled water, and blankets.
Schools and other public buildings may also be repurposed as emergency shelters, especially during widespread disasters like flooding. Encouraging businesses to develop their own continuity plans helps reduce the burden on local authorities during emergencies. For small businesses, understanding which disasters pose the greatest threat allows them to prioritize protecting their most critical operations. This often includes safeguarding their premises, machinery, and other essential equipment, as these are vital for long-term survival.
