The COVID-19 pandemic is a real-life test for any organization’s business continuity capabilities. Few are prepared, unfortunately. Preparedness levels range from little to no planning, to siloed or spotty readiness, to being fully ready, and everything in between, no matter the size of the organization.
This article will provide guidance on systematically improving your business continuity capabilities. I will make use of the business continuity best practices as they are recommended by ISO 22301. This is the international standard for business continuity management.
Business Continuity: Why does it Matter?
Leadership teams are not looking too good these days, now that the organization’s business continuity measures are being put to the test by the demands that teleworking places on the organization’s information technology (IT) capabilities, such as:
- IT infrastructure management, including components such as hardware and network management
- Telecommunication management
- Application management, including components such as license and access management
- Information security management
- Support and knowledge management
- Backup and storage management
IT organizations are struggling to have enough computing power, network bandwidth, software licenses, and access control available to support the increased workload that comes with the sudden spike in teleworking. And, with more demand for remote access, employees who never needed it now have to be equipped, trained, and facilitated with the necessary hardware, software, and knowledge to be productive.
Organizations that never practiced an all-out scenario in which access to the normal office facilities was prevented are feeling the heat. As a result, valuable resources such as employees’ time and productivity are lost.
A major lesson learned is to beef up your business continuity capabilities. It is a given that another health scare will arise at one point in time. We just don’t know when.
Business Continuity Explained
A business continuity capability is comprised of the following components.
- Conduct a business impact analysis. During the business impact analysis, you determine the business continuity priorities and requirements. This includes using impact types and criteria for assessing the impacts over time resulting from disruption of activities that support the provision of products and services.
- Conduct a risk assessment. During the risk assessment, you identify risks of disruption (e.g. a pandemic) to the organization’s prioritized activities and their required resources. This includes analyzing and evaluating these identified risks and determining which risks need treatment.
- Identify strategies and solutions for those risks that need to be treated and implement the selected business continuity solutions. This considers the business continuity requirements, the risk appetite of the organization, the resource requirements, as well as the costs and the benefits.
- Develop and implement the business continuity solutions which include the development and implementation of business continuity plans and procedures. This considers a response structure, warning and communication procedures, business continuity plans for each identified priority risk, and recovery procedures.
- Implement, maintain, and exercise a business continuity program. During such a program, you exercise and test to validate the effectiveness of your business continuity strategies and solutions. The results are used to identify and implement changes and improvements.
- Evaluate your business continuity documentation and capabilities. This considers the suitability, adequacy, and effectiveness of your organization’s business continuity business impact analysis, risk assessment, strategies, solutions, plans and procedures. This includes evaluating your performance after an incident or the activation of the business continuity plans, or when significant changes occur.
A Business Continuity Management System
The business continuity management system, or BCMS, provides a set of business continuity management best practices for the organization to adopt. The diagram below shows the common elements of every BCMS per the recommendations of the ISO 22301 standard.
The capabilities in blue lay the groundwork for the capabilities in red. What that means is that the business continuity management capabilities (in red) are at the core of every BCMS. The other capabilities (in blue) facilitate these business continuity management capabilities. For example, leadership capabilities, communication capabilities, and measurement capabilities are in support of performing business continuity management.
Establishing a BCMS
It takes four steps, or phases, to establish a BCMS:
- Familiarize
- Adopt
- Implement
- Improve
Raising awareness in the organization around the concepts of business continuity, such as the business continuity management system and risk management, is what the familiarization step is all about.
During the adoption phase, the organization takes preparation steps such as assigning roles and responsibilities, conducting a gap analysis, and agreeing on an implementation roadmap.
The implementation step is all about incorporating the capabilities of the BCMS into the organization’s existing capabilities or defining and implementing new capabilities. In other words, standing up the BCMS and making it part of business-as-usual.
The improvement phase is all about expanding the BCMS and increasing its robustness.
COVID-19 and Your BCMS
Whether or not you have used ISO 22301 when establishing your BCMS, the current COVID-19 pandemic is putting your BCMS to the test. The more your formal or informal BCMS is stressed, the more improvements it needs. Not having to reinvent the wheel is what matters. Not having to rely on the hard work of your team members who are making up for your organization’s shortcomings is what matters even more.
The next health scare is not a matter of if, but a matter of when. Let’s hope the current coronavirus pandemic will be over soon and without causing too much havoc. As a business leader, make sure that after it has passed you exponentially improve your organizational preparedness levels with the help of a proven international standard. Benjamin Franklin had it right when he said: “By failing to prepare, you are preparing to fail.”
Call to Action for Business Leaders
- Have INTERPROM conduct a free one-hour ISO 22301 Executive Brief and spread the word about the importance of a robust BCMS per ISO 22301; a must-have after this health scare.
- Purchase copies of ISO 22301 and ISO 22313 (guidance on implementing ISO 22301) at iso.org or ansi.org and create your checklist to establish a BCMS.
- Participate in one of INTERPROM’s ISO 22301 certification training courses.
- Conduct a self-assessment to raise awareness and/or identify gaps in the (non-)existing BCMS. Contact us for guidance on how you can do this relatively easily. Or have INTERPROM conduct it for you.
- Allow us to coach the key players of your BCMS, or even your business continuity leaders and/or their direct reports, during the journey of standing up your BCMS.
Good luck with helping navigate your organization during its journey towards establishing a robust business continuity management system!