Business Continuity Management Series II
In the first installment of the BluSky Business Continuity Management (BCM) blog, we covered the high-level factors that make a business continuity program important to your organization, and we kicked off the first of ten steps in the framework for a successful BCM program: Program Initiation and Management. That first step emphasizes how important it is to garner organizational leadership support for the program. Please buckle your seatbelts as we dive deeper into arguably the most critical operational components of your BCM program: Risk Evaluation and Control, and the Business Impact Analysis. What follows is a high-level overview; carrying these steps out is a complex and resource-intensive process. Please see www.drii.org for additional reference.
STEP TWO – Risk Evaluation and Control
In a perfect BCM world, not only have you been given the autonomy to create your organization’s program, but your leadership team has blessed this endeavor and they have provided a budget to cover a comprehensive program that supports your enterprise. Once this autonomy is established, it’s time for the nuts and bolts of the job.
Assessing operational risks is a gargantuan task that varies based on enterprise complexity; current process infrastructure; number of assets; and many more factors. You are now tasked with engaging management teams from each business sector to look within their department, operation or facility to identify the risks, threats and vulnerabilities that are both obvious and not so obvious. ALL of these determined risks are catalogued and assessed with respect to the likelihood that they would occur and the potential level of impact to the operational function.
For Example, ABC Electronics has 180 retail store outlets across the western region of the United States. These stores have roughly the same store footprint and daily sales volume, but their individual risk exposures vary based on location. From earthquake hazards in Southern California, to tornadoes in Oklahoma, and hail in Colorado, each threat carries its own timeline for down time, physical damage, and required outside resources for support. Understanding these differences is important.
Assessing all of these risks requires “mining” for all of the vulnerabilities circling each location. The responsible management group—the “owners” of the defined process—will then estimate the level of likelihood the threat will occur and the level of impact the threat will have. Next, they will identify where control, mitigation or management for these risks is currently lacking. An organization can create a Risk Assessment Matrix to help visualize the important areas of focus within their risk assessment: frequency, probability, severity, speed of development, and reputational impact. All of these factors serve as important guides in understanding the holistic nature of your vulnerabilities and the probability of individual risks impacting your organization, companywide.
Risk Assessment and Business Impact Analysis
Equally important is your teams' role in identifying and evaluating the effectiveness of the controls and safeguards already in place in each department. Are these controls acceptable and within your department's or company's risk threshold? Where they are, document them and move on; where they fall short, allocate your time and resources to creating business resiliency strategies for the identified risks. Will these new strategies reduce your locations' vulnerability, and therefore reduce enterprise-wide risk? It is very important to clearly develop and vet these strategies within the organization, as they will be the backbone of the BCM program and determine the ultimate resiliency of your entity.
After your initial risk and control evaluation, it is critical for each work group to provide recommendations upward for the BCM team’s consideration.
STEP THREE – Business Impact Analysis
Your BCM teams have now worked through all foreseeable risks, threats and vulnerabilities; now it is time to quantify and qualify these risks using the Business Impact Analysis (BIA) process. The BIA is a powerful tool that measures and assesses the financial, operational, customer, regulatory and reputational impacts of a disruption. It should arm you with decision-making data of both kinds: quantitative losses (numeric, such as lost revenue or penalties) and qualitative losses (intangible, such as damage to reputation or customer confidence), along with the impact each will have on the organization. Next, choose the BIA methodology that provides the most comprehensive view of those varying impacts. The methodology prioritizes impacted business functions and processes by level of criticality, time sensitivity, and recovery objectives, taking into account whether they are parallel or interdependent activities. After measuring, assessing, and prioritizing the organization's business functions, it is important to shore up the gaps.
As you work through the BIA for each risk, each team will have to determine the Recovery Objectives for each business function: which processes are time sensitive, and what is required to recover them within an acceptable time frame. The results will give your team a good idea of the resources needed for the defined recovery and resumption of business.
Recovery Time Objective
Recovery Time Objective (RTO) is the maximum acceptable amount of time from the process disruption to the point when the process is operating again at an acceptable level. It is a predefined threshold to meet. For example, how quickly does the Tulsa distribution center need to be reopened in order to minimize business interruption costs: in 10 hours or in 2 days?
Recovery Point Objective
Recovery Point Objective (RPO) is the maximum acceptable amount of data or information loss, expressed as the span of time between the last good recovery point (typically the last completed, offsite backup or replication checkpoint) and the moment of disruption. Everything created or changed inside that window is lost, so the RPO sets how frequently data must be backed up or replicated. For example, if the company's order database is backed up offsite nightly and a failure occurs at 3 p.m., the day's orders since the last backup are gone; the RPO decides whether that is acceptable or whether more frequent replication is required. Note that questions such as how long the headquarters T1 lines, email, or data transfer links can be down before it costs the business are downtime questions, and belong to the RTO rather than the RPO.
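To show how RTO and RPO become measurable checks rather than aspirations, the following added example (not code from the original post or from BluSky) compares each business function's stated objectives against what the current backup cadence and measured restore times can actually deliver. The business functions, their objectives, and the capability figures are constructed sample data; the assumed detection delay (time from failure to the start of recovery) is also an assumption, since the post does not quantify it.

```python
from dataclasses import dataclass
from datetime import timedelta


@dataclass(frozen=True)
class RecoveryRequirement:
    """Objectives agreed in the BIA for one business function."""
    function: str
    rto: timedelta  # maximum tolerable downtime
    rpo: timedelta  # maximum tolerable data loss, measured as a span of time


@dataclass(frozen=True)
class CurrentCapability:
    """What the existing backup and restore process can deliver today."""
    backup_interval: timedelta   # time between successive backups
    backup_duration: timedelta   # time for a backup to complete and land offsite
    restore_duration: timedelta  # measured time to restore and bring the process back


def worst_case_data_loss(cap: CurrentCapability) -> timedelta:
    # A failure just before the next backup finishes loses the whole interval
    # plus the in-flight backup that has not yet landed offsite.
    return cap.backup_interval + cap.backup_duration


def worst_case_downtime(cap: CurrentCapability, detection_delay: timedelta) -> timedelta:
    # Downtime runs from the disruption, not from when someone notices it.
    return detection_delay + cap.restore_duration


def max_backup_interval(req: RecoveryRequirement, cap: CurrentCapability) -> timedelta:
    # The longest backup cadence that still keeps worst-case loss within the RPO.
    return max(req.rpo - cap.backup_duration, timedelta(0))


def evaluate(requirements, capabilities, detection_delay):
    """Return, per function, how far the current capability exceeds RTO and RPO
    (zero means the objective is met)."""
    gaps = {}
    for req in requirements:
        cap = capabilities[req.function]
        loss = worst_case_data_loss(cap)
        down = worst_case_downtime(cap, detection_delay)
        gaps[req.function] = {
            "rpo_gap": max(loss - req.rpo, timedelta(0)),
            "rto_gap": max(down - req.rto, timedelta(0)),
            "required_backup_interval": max_backup_interval(req, cap),
        }
    return gaps


# Constructed sample data (hypothetical, not from the original post).
REQUIREMENTS = [
    RecoveryRequirement("tulsa_order_processing", rto=timedelta(hours=10), rpo=timedelta(hours=1)),
    RecoveryRequirement("corporate_email", rto=timedelta(days=2), rpo=timedelta(hours=24)),
]
CAPABILITIES = {
    "tulsa_order_processing": CurrentCapability(
        backup_interval=timedelta(hours=24),
        backup_duration=timedelta(minutes=30),
        restore_duration=timedelta(hours=6),
    ),
    "corporate_email": CurrentCapability(
        backup_interval=timedelta(hours=24),
        backup_duration=timedelta(hours=1),
        restore_duration=timedelta(hours=4),
    ),
}
DETECTION_DELAY = timedelta(hours=1)  # assumed time from failure to start of recovery


def sample_report():
    return evaluate(REQUIREMENTS, CAPABILITIES, DETECTION_DELAY)


if __name__ == "__main__":
    for name, gap in sample_report().items():
        status = "OK" if gap["rpo_gap"] == timedelta(0) and gap["rto_gap"] == timedelta(0) else "GAP"
        print(f"{name}: {status} rpo_gap={gap['rpo_gap']} rto_gap={gap['rto_gap']} "
              f"backup at least every {gap['required_backup_interval']}")
```

In the sample, Tulsa order processing meets its 10-hour RTO (7 hours worst case) but misses a 1-hour RPO by a wide margin with nightly backups; the report states the cadence that would close the gap (every 30 minutes once the backup's own duration is subtracted). Corporate email misses its RPO by only the hour it takes the backup to land offsite, which is the kind of subtlety a BIA team overlooks when it equates "daily backups" with "one day of data loss".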
Understanding the risks that face your enterprise and the potential impact of those risks on day-to-day operations is critical to all aspects of recovery. Unexpected property loss, cyber attacks or supply chain disruptions can cause minor hiccups to operations, or they can bring a firm to its knees and have a devastating effect on your reputation and customer base. How prepared is your firm?
Continuing the BCM blog, a high level review of Parts 4 – Developing Business Continuity Strategies, 5 – Emergency Preparedness and Response as well as 6 – Developing and Implementing Business Continuity Plans will be next. Please feel free to contact me with any questions or comments.
BluSky is positioned to be a valuable partner within your organization as you plan for the unknown.
Joseph Berg, MBA
Director – National Corporate Accounts
Certified – Associate Business Continuity Professional – DRII