For many businesses their Business Continuity Plan is a document. It is crucial for ensuring that a business can keep running smoothly in the face of challenges like emergencies, damage or supply chain issues.
It needs to be operational, deployable and operable by your team because it's designed to “protect the business when it is vulnerable and its existence is threatened. When its invoked, it needs to perform at its best. Remember, Brand/Reputation can be significantly enhanced by the way a crisis is managed, and it can also be massively damaged.
But what happens when the paper document isn’t regularly updated, can’t be shared easily with the team when most needed or doesn’t include essential BC components to get back up and running with minimum disruption?
And how does the “document” ensure that you have visibility over your business continuity arrangements and that if you have to “break glass in the event of….”, that the grab bag resources haven’t been co-opted for some other task, or the laptops you're planning to use haven’t run a Microsoft update for 6 months!
Your BCP is a real functioning business process that needs to be operable by your people. In this article, we look at whether a “digital” Business Continuity Management System (BCMS) can offer more than a paper-based alternative and the key differences between both.
First, let's look at what is a Business Continuity Management System (BCMS).
A BCMS pulls together all of the components of your business continuity arrangements, such as:
- A policy outlining the Scope, Objectives, and Management Processes for Business Continuity, including review, testing, and exercises.
- A Risk Register and Risk Assessments for documenting and evaluating threats to the organisation.
- Business Impact Analysis to understand Business Continuity requirements.
- Establishment of a dedicated Business Continuity Team.
- Implementation of risk management policies, safeguards, and procedures, including environmental, health and safety, cyber, and quality measures, to minimize potential disruptions.
- Business Continuity measures to ensure the recovery of Assets and Resources within specified timeframes.
- An Incident Response Plan is a comprehensive document detailing the steps to follow in the event of an invocation.
- Communication Plans and associated resources for maintaining stakeholder certainty, including contact databases, prepared scripts, and event action plans.
- Necessary resources for managing an invocation when primary infrastructure is lost or inaccessible.
- Workforce management plan for guiding employees through the event.
- Continuity Plans detailing the reinstatement of product or service supply through Business Continuity planning, such as transferring functions to alternative sites.
- Recovery Plans for restoring operations to normal.
- Replication of some of these elements for multiple sites or processes, especially in the IT domain.
So, what might a digital BCMS provide over and above a paper-based BCMS?
If it's cloud-based, then it's already providing resilience by not being dependent on the business infrastructure.
It will produce a “printed output” of all the business continuity arrangements recorded in the system.
The principal benefit is that it’s a one-stop shop system that allows you to manage all of the elements of your BCP’s in one place, probably across multiple plans.
Here are some of the deliverables you can expect.
- All of your Continuity Team members are able to access all the relevant Business Continuity information in one place.
- It will use the data you have recorded about business functionality/assets and resources, such as recovery times, to allow you to carry out Business Impact Analysis at any time, comparing recovery times to your MTPD.
- It will allow you to undertake Risk Assessments and identify and implement risk controls to minimise disruption.
- It may provide you with incident management functionality allowing your team members to record the actions they have taken against your IRP, notifying them of one another’s updates, at the same time running an editable Incident Log to monitor progress. And when you stand down carry out an Incident Review.
- Its Task Management functionality will allow you to schedule the ongoing activity to maintain and review your BCP as well as track further improvement and corrective action.
- It can provide an ongoing process for monitoring and testing your business continuity arrangements (in line with the Plan Do Check Act), with individuals assigned tasks to carry out monitoring/testing and reporting a pass/fail of the test.
- It will provide ongoing visibility of the deployability/availability of your business continuity arrangements.
- If you are ISO22301 Certified, it will support all of the underlying processes of an ISO standard.