Business Continuity Planning Essentials

What are Business Continuity and Disaster Recovery, in relation to Risk Management?

First Things First

Planning essentially involves balancing risk reduction with mitigation against risks, and preparing contingencies for situations where those risks are realised. Optimising the resources required, even within a tight budget, will leave you more confident in your response to actual events. However, these kinds of activities can easily be mis-directed without correct prioritisation.

Living with Risks

Risk for an organisation is the likelihood of it failing to achieve its objectives within cost, schedule, and many other constraints.

Business Continuity is more narrowly concerned with managing the risk of loss, interruption, or disruption which may affect an organisation’s services or products. It should be completely built into service delivery.

Business Continuity caters for problems ranging from relatively familiar incidents which are usually well understood risks within the organisation, to rare but quite severe events, which are more or less ‘random’ in a mathematical sense.

There are many guides to Business Continuity Management. These provide a wealth of detail and, importantly, approaches to making BCP work within an organisation. However, underlying this complexity there are just two key areas for consideration, which it helps to keep distinct. They are akin to inputs and outputs:

Understand your Business (inputs)

From the Business Continuity viewpoint, this means identifying and focusing on your main services and products to:

1. understand dependencies or single points of failure - keep a risk register
2. assess the impacts of disruption to elements of the business, especially their time sensitivity
3. state recovery targets and priorities .

Control your Risks (outputs)

Following the ‘Understanding Your Business’ phase, managing risk becomes a continual process of:

1. risk mitigation – a technical or organisational response – where it is cost effective
2. acknowledging risks in situations where recovery targets are not assured
3. planning for emergencies – from crisis management immediately after an incident, through resumption of business within targets, and to longer term recovery matters such as insurance claims, salvage, etc.

Eliciting this information based on 'objective' measures requires careful consideration and management. Organising and reducing the outcomes equitably into prioritised, actionable responses requires both good science and good judgement.

Maintaining and proving the responses requires commitment underscored by method – amounting to a combination of experience and working knowledge of the processes in the Best Practice guides.

These are the key areas where our professional experience and know-how can give your project a real boost.