Everything you want to know about Business Continuity
About this book

Everything you want to know about Business Continuity will show you how to develop a modern response to the operational risk landscape and how to prepare your organisation for interruptions to your key activities, minimising the impact on your bottom line, reputation and credibility. You will be able to identify and assess the risks to your company and put in place a ‘fit-for-purpose’ business continuity plan which will enable you to meet the expectations of your customers and stakeholders in the event of an unforeseen incident.

Everything you want to know about Business Continuity, by Tony Drewitt (Computer Science & System Administration).

CHAPTER 1: THE OPERATIONAL RISK LANDSCAPE FOR BUSINESS AND OTHER ORGANISATIONS

Most people in management and senior jobs have a good understanding of risks: what they are, how they are managed and even how to measure them. But there remains in many organisations a blurring of definition about types of risk and who is responsible for them, as well as all sorts of risk that haven’t even been identified.
Like not having insurance, this is usually only a problem if something actually goes wrong, and in the minds of most people that is really rather unlikely. The majority of people tend to be concerned about things that have gone wrong before–and not for others, but for themselves. That is human nature.
Typically, in commercial or ‘for profit’ organisations, risk is divided into ‘core business’ and ‘other’ categories. Core business risks nearly always get far more attention and usually quite rightly. But let’s look again at the three types of risk put forward in this book:
1. that the organisation ceases to be viable due to adverse levels of business, profitability, cost fluctuations and compliance with relevant legislation, contracts and codes;
2. that the organisation’s viability is jeopardised because it engages in some activity that its customers haven’t directly asked for;
3. that the organisation is viable, but its ability to operate is reduced or removed by some unexpected situation, incident or materialised threat.
These risk types aren’t concerned with the cause, or hazard–that comes later–but they should enable most people in an organisation’s management to decide whether all risks should be dealt with by one person or department, or whether there are some different groupings of risks that fall into separate areas.
The business of risk management is not necessarily as straightforward as some other organisational activities; there is no single approved method, either statutory or otherwise. The Institute of Risk Management (IRM) puts forward ‘A Risk Management Standard’ as opposed to ‘The Risk Management Standard’ or even just ‘Risk Management Standard’.
This standard refers to internally and externally driven risks and suggests a number of specific risks in each of four types (see Figure 1).1
Figure 1: Risk types suggested by AIRMIC, Alarm & IRM’s structured approach
The Business Link website refers to the risk types shown in Figure 2:2
Figure 2: An alternative approach to risk types suggested by Business Link
Most of these approaches actually concern themselves with threats, which is a useful starting point when thinking about operational risks: the risks that the organisation is prevented from doing what it exists to do. But before looking at the sorts of risk that are relevant to business continuity, it’s worth considering a couple of examples of threat types that transcend both core business and operational risks:

Weather

Exceptional weather conditions can affect companies in a number of ways:
1. It can affect the demand for products or services
In 2010 the UK experienced its coldest December for 120 years, coinciding with expected peak demand in the retail sector. The effect on the ‘high street’ was significant: despite the impending increase in the VAT rate from 17.5% to 20% due on 4 January 2011, retail sales dipped substantially, whereas many might have expected them to increase as shoppers anticipated the post-Christmas VAT increase (Figure 3).
Figure 3: UK retail sales index, Nov 2009–Jan 2010.
Source: National Statistics Online
This is an example of a core business risk driven by the environmental threat of extreme weather.
2. It can cause a disruption to the company’s operational capabilities
The same threat presented an operational risk for the Royal College of Nursing’s RCN Direct service based in South Wales, as both its telephone call centre and substantial mailing activities were suspended.3
So a number of retail companies will have recorded extreme or adverse weather conditions as a threat, and, therefore, risk, to core business, whereas other organisations like the RCN would have treated the same threat as a cause of operational disruption and, therefore, an operational risk.

Energy

The supply and price of hydrocarbon fuels used in electricity generation can affect companies in at least two ways:
1. Most companies, especially manufacturers, use electricity. But as the demand for hydrocarbon fuels rises, which then leads to increases in price, so the cost of electricity, which forms part of the cost of manufacturing products, rises also. As a result, some manufacturers may face the risk that they can no longer remain competitive in the market. This is an example of a strategic core business risk.
2. There also exists the risk that, as demand for hydrocarbon fuels increases, the ability of generators to convert those fuels into electricity may become unstable, potentially leading to electrical power cuts and the inability to manufacture products. This is an example of an operational risk with the same root cause as the previous strategic risk, the hydrocarbon fuel market.

Operational risk management

It is for each organisation, when considering all of its risks, to decide which are to be treated as interruption risks and so form the basis of the business continuity arrangements. Clearly no organisation should put contingency arrangements in place for a threat that it does not face, but at the same time it should also be aware that certain threats may result in more than one type of risk.
But there are some risks which may be considered operational that are unlikely to give rise to an actual interruption to, or significant reduction in, operational activities. These may include, for example:
•   health and safety–in terms of accidents and incidents;
•   security–such as the theft or loss of equipment, facilities or information;
•   efficiency or productivity.
Again, it is for each organisation to decide whether it wants a fully integrated ‘enterprise’ level risk management system or a number of independent systems, or frameworks, that deal with specific types of risk. The fully integrated approach may make sense in some respects, but in others it is probably counterintuitive for a system that on the one hand deals with the fast-moving risks of something like foreign exchange trading (including in organisations for whom foreign exchange trading is not core business), and on the other with risks, such as health and safety, employment law or information security.
In a probable majority of organisations, there will already be some existing risk management arrangements in place covering a number of aspects of the organisation, and as business continuity gets onto the corporate agenda it may well be ‘added’ onto the responsibilities of an existing team or manager and so almost by default acquire its own risk framework–if, indeed, risk management is to include any kind of formalised approach.
But the opportunity to integrate disparate risk management activities should not be overlooked. There might well be opportunities to improve the efficiency and effectiveness of risk management, and it is often the case that directors and senior managers acquire a better understanding of the organisation’s overall risk profile if they can see everything in a consistent format. There are also examples of a risk control, or mitigation, measure being put in place for one type of risk that then presents a new, or increased, risk in another category. For example, changing an escape route to reduce a fire-related risk could present a new information security risk.
The introduction of business continuity as a new activity or management discipline is often a catalyst for the organisation dramatically to improve its management of risks, particularly those which have previously been paid little attention and of which the Board has limited awareness.

The risk management process

A fairly common failing on the part of directors is that although they are aware of certain risks and may have decided to tolerate them for the time being, they don’t keep any written record of these risks and, in the event something goes wrong, they cannot then account for the fact that one of these risks materialised and caused some loss or injury. This is an exposure that the majority of directors simply don’t need; ignoring a risk that you could be expected to have known about is not good, but making an assessment of a risk and noting that you cannot do anything about it at the moment puts you in a much stronger position if and when called to account for it.
The risk management process is described in some detail in Chapter 7 because it is a key component of a BC management system, but it should be understood that business continuity is a key subset of operational risk, which itself is a key component in enterprise risk management, illustrated in the diagram in Figure 4:
Figure 4: Business interruption risks in the context of enterprise risk and activities
Needless to say, the example risks in this diagram are just that; some of the operational risks may represent business interruption risks also, but it is likely to vary between organisations.
A BCM programme is likely to be the most successful if it is not allowed to exist in a ‘silo’, and is seen by everyone in the organisation as a key part of the enterprise (or organisation-wide) risk management process. This is more than likely to bring gains in terms of efficiency, conflict avoidance and reduction in expenditure (or executive time).
1 A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO31000 (AIRMIC, Alarm, IRM, 2010).
2 Business Link is the Government-funded business advice agency.
3 RCN website, news section.

CHAPTER 2: WHAT DOES BCM ACTUALLY ACHIEVE?

The recent economic downturn has taught many in the business continuity world that BCM is treated as a ‘discretionary’ activity by many people running organisations of all types.
Do we now wear seat belts in cars...

Table of contents

  1. Cover
  2. Title
  3. Copyright
  4. Preface
  5. About The Author
  6. Acknowledgements
  7. Contents
  8. Introduction
  9. Chapter 1: The Operational Risk Landscape for Business and Other Organisations
  10. Chapter 2: What Does BCM Actually Achieve?
  11. Chapter 3: An Incredibly Short History: Early DR to 2011 BCM
  12. Chapter 4: The Role of Standards and Independent Validation
  13. Chapter 5: The Management System Approach versus a Simple BC Plan
  14. Chapter 6: Planning the BCMS
  15. Chapter 7: Identifying the Organisation’s Requirements
  16. Chapter 8: Strategy and Options
  17. Chapter 9: Incident and Crisis Response
  18. Chapter 10: The Assurance Process
  19. Chapter 11: BCM as a Competitiveness/Assurance Tool
  20. Chapter 12: Tools and Software
  21. Chapter 13: The New World of Sustainability
  22. Chapter 14: How to Do It
  23. Appendix 1: Acronyms
  24. Appendix 2: Business Continuity Policy
  25. Appendix 3: A Simple Risk Register
  26. Appendix 4: Incident Response Plan
  27. Appendix 5: Scenario Plan
  28. Appendix 6: Activity Recovery Plan
  29. Appendix 7: Document Review and Control Procedure
  30. Appendix 8: Corrective and Preventive Actions Form
  31. Appendix 9: Exercise Methodology/Procedure
  32. Appendix 10: BCM Software Vendors
  33. Appendix 11: Suggested Software Enquiry Form
  34. Appendix 12: BCM Audit Programme and Procedure
  35. Appendix 13: IT Disaster Recovery Plan/Procedure
  36. ITG Resources