Business continuity management is undergoing an evolution. While it began as a practice focused on keeping the lights on in the face of cyber attack or natural disaster, business continuity management today is an integrated discipline that focuses on multifaceted approaches to the identification and remediation of risks and actionable plans to address those risks when necessary.
When exploring the evolution of business continuity management, readers can see the discipline growing to meet an ever-increasing array of threats, along with the increasingly complex responses necessary to ensure companies remain vigilant, resilient, and responsive.
Keeping Cool – Figuratively and Literally
Business continuity management began in earnest in the 1970s. At the time, the work focused on keeping massively large data centers and computers cool. Those mainframes were cooled using water-cooling pipes.
Protecting the pipes from intrusion became a key component of business continuity, as the solution to protecting the mainframes was in itself a threat to the data and systems stored within.
While the massive mainframes of the past have been replaced with racks of servers, the need for cool has not changed. Today, the servers may take up a fraction of the space from previous acres of mainframes.
However, the rooms where those servers reside are lined with cooling systems that surround the space with chilled air. Keeping temperatures and humidity low continues to be a key element of business continuity management 40+ years later.
Business continuity became a more formalized discipline in the 1980s, with a clearly defined mission to protect the organization. This notion was largely executed by looking at the employees, technologies, and business processes used by the company and determining what was needed to keep the company operationally sound.
Gap analyses and risk assessments have been a part of business continuity management since the 1980s, when the focus was on protecting data and paper files. These assets needed to be secured in the event of a natural disaster to ensure businesses continued to exist when faced with potentially catastrophic events.
In the 1990s, the U.S. government issued standards for federal agencies, all of which today have continuity of government and continuity of operations plans to ensure the work continues.
Process and Function
Today, the needs of modern organizations continue to focus on data integrity and continued operational functionality. However, business continuity management is focused more on the processes and procedures necessary in a landscape with myriad threats.
Business continuity management today begins with the development of enterprise goals, needs, and measures. These guidelines, often referred to as enterprise risk management, determine why business continuity is important, and the procedures and processes that will be used to assess, identify, ameliorate, execute, and evaluate plans, both in theory and practice.
These planning guidelines also determine the roles, identify the teams responsible, and provide clear guidance on how business continuity is managed. It is the broad framework an organization establishes under which an array of other activities is done.
Enterprise risk management is the umbrella under which other activities fall, with business continuity being the most critical. It is one measure of an organization’s appetite for risk and its approach to how risks are viewed within the organization.
Enterprise risk management, specifically the risk assessment component, has four steps.
- Identification. The enterprise identifies potential risks and assesses the severity of each, including the potential consequences if the risk is actualized. This analysis is best done across business units and in coordination with other areas of the company. Doing so ensures that risks are approached from multiple vantage points. In addition, the consequences of those risks can be evaluated from different areas of the enterprise. The totality of risks then needs to be ranked, with determinations made about the likelihood and potential deleterious impacts of each risk articulated.
- Design. Once the potential risks have been ranked, it is critical to identify potential solutions to mitigate each risk and come up with actionable solutions to each risk. These solutions, like the risks themselves, also need to be ranked, factoring in the costs to deploy and the consequences of not deploying.
- Implementation. Once solutions are agreed upon, time needs to be taken to build, implement, test, and assess those solutions. Implementation timelines need to be factored into the assessment and ranking phases.
- Validation. Testing is a critical component. Enterprises need to be sure that the risk mediations are functional and actionable, even if those assessments can only be done within a conceptual framework. It is important that measures of efficacy be determined for each risk solution and those measures factored into the assessment phase.
Business Continuity Management Today
While enterprise risk management has become an overarching methodology, business continuity is itself still a critical component. Business continuity management is about the tactics used by an organization during an incident. It is about the actualization of the plans used and the personnel who will ensure that operations continue with little to no interruptions to the business itself and its customers.
Business continuity management means deploying an array of plans and executables once an incident is declared. At that moment, systems, backups, remedies, and contingencies are put into action.
A key component of business continuity today is the ability to monitor the fast-moving, multi-layered components of the plans. Senior team leaders need to understand what is happening, how solutions are being deployed, and how the business is continuing to operate or not.
Among the elements of a business continuity plan today are a comprehensive array of communications. Communication management, often referred to as crisis communications, is critical once an incident is declared. Notifications, updates, and information need to be relayed to employees, customers, stakeholders, executives, and in some cases, the general public or media. These communications need to be coordinated and follow previously developed protocols.
In some businesses, communication about regulatory compliance or risk must also be communicated.
What is the main difference between enterprise risk management and business continuity management? The former is about the development and monitoring of procedures and processes that are enacted. The latter is about the operational execution of those procedures and processes.
Organizations need to ensure that the efforts of enterprise risk management and business continuity are coordinated and integrated. There are certainly overlaps among the two practices, and one does not work effectively without the other.
What does business continuity management mean to today’s organizations? A 2014 IBM report noted that 75 percent of business executives believed business continuity management was one of the top IT responsibilities within their organizations.
However, the same report showed just 17 percent of organizations have formal business continuity management plans. Among those with a plan, just 25 percent integrate it into their broader business strategy.
The consequences are significant for companies that turn a blind eye. Downtime in some industries can reach $2.8 million per hour or $67 million per day, according to the IBM report.
The other consequence is on the employees who need to take action with business continuity. The resilient enterprise today looks at risk as not just a threat, but possibility. Workforces that can identify risks and categorize them, consider the potential upsides, and act accordingly, are better able to innovate and see any number of “risks,” such as digital disruption, nontraditional competitors, or consumer expectations, as a chance for growth.
One researcher describes business continuity management as “the management of impacts.” It is an apt descriptor. The resilience of a workforce comes to bear fully when faced with a crisis, whether a cyber attack or natural disaster.
“The effectiveness of (business continuity) depends not only on acceptance, awareness, and capability of people, but also on its ability to match systems that exist in the organization,” states the Bucks New University research. “We should also consider that the organization cannot function without an organic and inbuilt continuity capability. If that is not the case then it is an equally safe assumption that the organization will suffer failures.”
There are other related disciplines that tie in closely to business continuity and have begun to mature in recent years. Incident management is one, defined as the way in which the enterprise or its customers declare an incident to be active and in play. Complex organizations need policies that define an “incident” and allow other interested parties to do the same.
Another area gaining traction is vendor risk management. With increasingly transparent and integrated supply chains, enterprises need to understand the risks inherent not just in their own organizations but in those that provide materials or services.
Vendor risk management ensures that the contracts, service obligations, and assessments of vendors are documented and tracked. When an incident occurs, vendor risk management plays a component in business continuity, such as when certain customers may be given priority due to service level agreements.
As more businesses move to the cloud, business continuity becomes even more compelling an issue. At Denovo, we help companies with cloud-based managed IT services that are secure and reliable. To learn more about how Denovo’s managed IT services keep data and systems protected and secure, contact us.
Explore the history of business continuity management and how it has evolved as part of a broader risk management schema @DenovoCloud #BusinessContinuityManagement.