CHAPTER 1: WHAT IS BUSINESS CONTINUITY?
In any organisational endeavour, be it a business, public body or not-for-profit organisation, a key factor of success is that it can operate without being interrupted by unforeseen factors. To do this, organisations develop contingencies to ensure that resources and productivity are not disrupted by everyday events.
Everyday events are one thing – significant disruptive incidents are quite another. Most contingencies are developed on an intuitive basis and are intended to deal with short-term problems; when the problems are longer term, or of a scale or nature not anticipated by the designer, they often fall short of what is needed to ensure continued operation, putting the organisation at risk.
Business continuity management is a systematic process of risk management and planning designed to ensure that an organisation can quickly return to an acceptable level of service after a disruptive incident.
Why does business continuity matter?
Many people regard business continuity as a form of risk management or insurance; a means of ensuring that, if something goes wrong, there is a way of limiting or even eliminating the impact.
However, there are other important reasons, outlined below, why organisations should have a business continuity management programme.
Licence to operate
Most businesses are allowed to do what they do provided they operate within the law. However, many public bodies and an increasing number of businesses (for example, in the financial sector) operate under some form of licence, permission or authority that could, under certain circumstances, be withdrawn.
For many, this can be considered an operational risk, and a risk to operations is a risk to the organisation's ability to continue to function. Critically, each organisation must decide, as a matter of policy, whether risks associated with its licence to operate should be included within the scope of its BCMS (policy and scope are described in more detail in chapter 4).
Competitive edge
As the risk of suppliers falling victim to operational issues becomes more visible, many organisations are seeking formal assurance that their suppliers will be able to continue supplying them in the event of a disruptive incident. Operational resilience is a common requirement in supplier due diligence processes (alongside other criteria including financial stability, quality management systems and information security), yet many organisations still treat it as an afterthought.
The existence of a recognised business continuity standard provides a real benchmark against which organisations can satisfy themselves as to their suppliers' operational resilience. For suppliers, this means that having a BCMS that complies with – or, better still, is certified to – ISO 22301 can amount to a significant competitive advantage.
Insurance
Many organisations have business interruption cover as part of their business insurance portfolio. This cover will usually compensate the organisation for loss of profit in the event of an interruption for a period called the 'indemnity period', which can range from just a few months up to one or two years.
Unfortunately, interruption cover does not compensate for any loss outside of the indemnity period, rarely includes major events such as terrorism or pandemic threats as a matter of course (at least, not without paying an additional premium), and does not compensate for the loss of future business that so frequently follows a major disruption. Even if you are compensated for the earnings lost during the disruption, the customers you lose are unlikely to return.
While useful, business interruption cover usually comes at a significant cost to the organisation, and rarely offers much protection against a truly serious disruption. While insurance remains an important component of any organisation's resilience in the face of operational risks and interruptions, it should always be seen as complementary to business continuity management (BCM), not as a substitute. The existence of a BCMS, however, often provides an opportunity to reduce the amount of cover that is needed and, therefore, the insurance premium.
Corporate governance
Corporate governance is frequently referred to as a reason for 'doing' business continuity, but often without a proper explanation of its significance.
The UK Corporate Governance Code 2018 includes a requirement to 'monitor the company's risk management and internal control systems and, at least annually, carry out a review of their effectiveness and report on that review in the annual report'.2
The Guidance on Risk Management, Internal Control and Related Financial and Business Reporting (which provides specific guidance on compliance with the Corporate Governance Code), while focusing significantly on financial controls, is clear that the organisation must ensure it is able to 'respond appropriately to risks and significant control failures and to safeguard its assets'.3
While neither the letter of the Corporate Governance Code nor the Guidance state that listed companies or...