The objective of business continuity management (BCM) is to provide operational resilience in the face of adverse incidents (even catastrophic ones) and restore a business to its pre-incident state at the earliest opportunity.
Despite the best efforts of our Company to mitigate or avoid risk altogether, there are certain events that are simply beyond our control. Events such as a health and safety disasters, a financial crisis or the loss of key personnel can threaten the very existence of the Company, and senior managers and board members have to plan in advance for “the unexpected”.
Business continuity planning is part of the Company’s overall approach to risk management. No matter how remote the possibility of a major incident occurring is, it should still be planned for – business continuity management is not an optional activity.
Vital elements of a BCP
- There is a fast, conspicuous and authorised response to any major incident
- Damage is contained as far as is reasonably possible
- Damage reports are co-ordinated and issued quickly
- Critical dependencies are identified, duplicated and made operational as quickly as possible following the incident
- Safety, security and financial controls remain operational
- Immediate contractual obligations are honoured
- The reputation of the business or brand is protected from damage
Management of risks
All businesses face a range of risks that they must manage in order to maintain their profitability and survive. To survive losses and major incidents, they must decide to what extent they:
- invest in risk impact reduction
- invest in risk transfer – eg buy insurance
- rely upon continuity planning
The risk appetite of a business determines the level to which risks are retained and the nature of those risks, but if the risks are substantial, they will require a degree of security to ensure that they don’t threaten the very existence of the business.
Killer risks
Risks can generally be classified by their cause or effect, and the origins of a risk (internal or external) will vary considerably. However, despite the differences, the occurrence of a destructive event will trigger a common response from a business, with many activities being identical irrespective of the nature and origin of the event. Certain risks (“killer risks”) – which often have a catastrophic effect on a business or its staff – can be difficult, or even impossible, to insure against. Such risks might affect, for instance:
- The protection of human life and health
- The ability to meet the requirements of customers
- The reputation of the business
- The preservation of key operational resources, such as the IT network
Since the business cannot completely eliminate or insure against such risks, it must formulate a business continuity plan to cope with them.
BCP implementation
Therefore, a BCP needs to be devised that takes into account the following matters:
- Determining what the required minimum level of service should be following a disastrous event
- Developing a plan that would respond to the risks identified as being potentially destructive and sudden. Some regulators recommend that such risks should be reviewed annually, but this may not be frequent enough
- Detailing emergency action planning to deal with the immediate aftermath of any incident by identification of appropriate personnel, and allocation of damage limitation and assessment tasks to those staff members
- Maintaining a record of actions that were taken immediately following an incident for post-recovery review
- Ensuring that a detailed plan is in place that demonstrates how the business can recover to full capacity
- Establishing a mechanism for regularly reviewing and updating the BCP to ensure that it remains responsive to the ever-changing risks faced by the business
Related Training Activities
EIMF offers a variety of courses for those interested in risk training opportunities. The available courses until June 2020 are listed below:
- CISI Risk in Financial Services
- Risk Governance Workshop
- Project Risk Communication Monitoring and Review
- Project Risk Management
- BowTie Risk Assessment for Financial Services
- Risk Management Essentials
- eLearning CISI Risk in Financial Services
- eLearning Fundamentals of Risk Management
For further information about these offerings, please view the EIMF Upcoming Seminars to learn more about the course(s) of your interest.
For any additional details on these offerings, please feel free to speak with an expert learning and development adviser at EIMF at +357-22274470 or info@eimf.eu.