Assessing Business Continuity Preparedness
February 12, 2015 - Kestrel Management
Business Continuity Management (BCM) is moving rapidly up the Boardroom agenda. With the increase of incidents and disasters over the past few years—both natural and man-made—BCM has assumed a much higher profile. Corporate governance requirements and industry standards have insisted that both Board members and Senior Management take BCM seriously. Insurance is also a key driver, with many insurers now insisting that organizations demonstrate that they have reasonable risk reduction measures and a working BCM Program implemented.
Examining the Risks
Organizations must examine all the risks and threats to which they are exposed and consider how best to deal with them should an incident occur. BCM is not concerned with plans and procedures for the everyday things that go wrong; rather, BCM involves managing the significant (and unplanned) incidents that may considerably impact the core activities of the organization, and ensuring response in a planned and rehearsed manner. This encompasses planning; engaging appropriate personnel; writing, accepting, and owning a Business Continuity Plan; and conducting thorough testing—all of which are essential prerequisites of an appropriate response.
Regardless of the type of threat, the goal of Business Continuity Planning is to ensure the safety of personnel and assets during and after a disaster. With this in mind, one of the first steps in preparing a Business Continuity Plan is to conduct a Business Continuity Assessment to evaluate the “readiness” of the organization’s current BCM efforts. A Business Continuity Assessment is designed to help companies understand the business continuity work that has been done thus far and to identify potential gaps and opportunities to complete/improve, standardize, and document the needed processes.
The ten questions below provide a starting point for organizations to establish where they fall in relation to their BCM readiness:
- Does the company have a written Business Continuity Policy and Plan?
- Has a Risk/Threat Assessment been performed to identify potential threats to the organization and the likelihood of the occurrence of the threat?
- Has a Business Impact Analysis (BIA) been conducted to determine which critical functions and/or operational processes need to be restored in the event of an incident?
- Have the critical resources that support critical functions and/or operational processes (i.e., people, supplies, equipment) been identified?
- Have alternate office/processing facility(s) where business operations can resume in the event of an onsite incident been identified and documented?
- Have specific roles and responsibilities of various recovery teams (e.g., IT, crisis management, critical functions, critical support) been defined in the Business Continuity Plan?
- Is there a training plan for new/existing employees regarding the BCM Program to explain roles and responsibilities in the event of a disaster?
- Has the process for communicating to employees, customers, suppliers, and the general public in the event of a disaster been defined and documented?
- Is the Business Continuity Plan tested on an annual basis (at a minimum)?
- Does a third party audit the Business Continuity Plan to determine its effectiveness?
These initial questions will allow a company to get a preliminary idea of the status of their existing BCM efforts. Completing a more detailed Business Continuity Assessment should help in pinpointing specific areas needing improvements. This Assessment then paves the way for creating a robust BCM Program that can help companies to:
- Identify the human, property, and operational impacts of potential business threats.
- Evaluate the potential severity of associated risks.
- Estimate the likelihood of business threats occurring.
- Create strategies that proactively mitigate the most pressing business threats, take advantage of opportunities that lie ahead, and provide for a more resilient and sustainable future.
Submitted by: Ted Bleifuss