M.ISRM, CAPPS

Business Continuity Management (BCM) in an organisation is defined as the preparation and planning needed to recover swiftly and operate as usual after a disaster has occurred. For BCM to succeed, every business has to identify its critical functions and resources (e.g. people, supporting systems, infrastructure, technology, funding), as well as the physical assets which are absolutely necessary to execute business on a day-to-day basis. Third-party providers, such as IT or programming vendors which are integral to one’s daily business, should also be included.

 

Business Continuity Management makes a business more resilient to challenges and increases the ability of a company to recover from a setback.

 

 

The following are the key elements of Business Continuity Management which organisations can follow.

One of the most important is to perform a risk assessment. Risk assessment is used to ascertain the potential risks and consequences arising from situations where critical functions are disrupted. Unassuming risks and consequences, when ignored, can eventually morph into colossal problems and cause the entire business operation to fail. Risks can arise for different reasons and from different sources, such as technology or even natural disasters.

 

After that, the next required move is to implement risk control measures speedily. Doing so does not necessarily equate to spending big bucks – there are cost-effective preventive measures that can be undertaken. For instance, a risk transfer option such as insurance is one means of sharing/transferring the impact of risks with another party at nominal costs.

 

Next, organisations must make it a priority to conduct a business impact analysis to find out the expected or acceptable downtime (i.e. Maximum Tolerable Downtime) before the business recovers and resumes business as usual. To make the Maximum Tolerable Downtime as accurate as possible, it is imperative to consider the impact and ease of recovery for each department, function or even system.

 

When preparing for back-up resources to help the business recover, businesses tend to forget about the needs of their remote functions or external vendors. In actuality, risks within the primary functions of a company can spread very easily to external ‘wings’ or even third parties like joint venture companies or service providers which the company is highly dependent on. Hence, to ensure smooth restoration of business, back-up resources have to be prepared for these parties.

 

While we concur that risks would always be present, it is possible to prioritise risks by their seriousness and tackle them systematically. For whatever remaining risks there may be, businesses can review the Maximum Tolerable Period of Disruption (MTPoD) to ascertain the time allowed for these risks to fester before actions to curb them are taken.

What if there are situations that go out of control – beyond what the Business Continuity Management measures can anticipate? In such dire straits, a Disaster Recovery Plan (DRP) would come in handy. DRP is the ‘revival plan’ that any company can take to restore business after a critical business unit or operation has been completely affected or stalled. There is no short-cut to developing a DRP. Organisations have to constantly review their business units, systems, software, hardware and all resources to make sure that management is familiar with the business through-and-through so they can strategise and execute a DRP in times of need.

 

Scenario

ABC Company is a financial institution serving the APAC region and has multiple operational sites. A Category 1 typhoon is expected to make landfall within the next 48 hrs in Cebu, Philippines. Unfortunately, the company has a critical function in Cebu, Philippines: an ATM operation centre servicing Asia Pacific.
The typhoon is forecast to disrupt Cebu for more than 24 hrs, bringing about flooding, strong winds, landslides, land and air transportation disruption, power outages, internet and telecommunication outages, and infrastructural damage. The landfall is likely to occur approx. 100 km away from ABC Company.

 

Having been alerted to the possible arrival of the typhoon, ABC Company activated its Business Continuity Team (BCT), and an initial BCT briefing was immediately conducted to determine the threats and risks that the company may face. After that, DRP response strategies were implemented and everyone kept a close eye on the situation while trying to gather more facts and information about the expected typhoon.

 

The relevant information at hand was disseminated to all relevant business units and pre-nominated ‘crisis management champions’. Clear directives were provided to the different business units to help decide when an evacuation may be required. In the meantime, the company wasted no time in setting up its emergency command centre and critical operations at an alternative site. Critical operations were to remain operational at the alternative site until the primary site had been restored.

 

All learnings gathered from this event would be used to update the company’s DRP and would serve as a case study for future BCP/DRP training.