Implementation of a Business Continuity Management System
Ensure the smooth operation of your business.
The steps to your BCM system
Define the basics
First of all, it is necessary to define and create the necessary framework conditions for the Business Continuity Management System:
- Determining the sites, business areas and processes that are to be brought into scope in the short, medium and long term.
- Defining the responsibility for establishing the system, conducting the assessments and auditing the implementation of measures.
- Developing the methodology for the assessments - in particular time stages, criticality classes, calculation logic and thresholds.
- Selecting the tools for documenting the assessments, for consolidation and subsequent reviews, as well as for controlling the implementation of measures and tracking tasks.
- Developing the necessary guidelines, instructions and support to achieve reproducible and traceable results.
Define the basics: 'What do we need to secure?'
Evaluate business processes
The assessment of the criticality of business processes identifies the impact that the interruption of a business process has on the company. The focus is not so much on the importance of the business processes, for example their strategic significance, but rather on the effects on the operational business.
For the evaluation, the foreseeable consequences of a failure lasting a few minutes, hours, days or up to weeks are assessed, and an overall criticality is determined on that basis.
In particular, the following aspects of impact are considered:
- Impact on business operations (other business processes, products, customers, ...).
- Financial impact (direct and indirect damage).
- Legal consequences (violation of laws, contracts, regulatory obligations, ...).
- Impact on image / reputation (trust of stakeholders, existing target groups, new target groups / interested parties, ...).
Evaluate business processes: 'Which business processes are critical?'
Business processes depend directly on the proper "operation" of the required resources, also called supporting assets. The failure of a resource can lead to a more or less significant impairment of one or more business processes or even to a complete standstill.
An assessment of which resources have a significant impact on (critical) business processes identifies the elements that are really important from an availability perspective.
Relevant resources include:
- Buildings / areas and rooms.
- Infrastructure (e.g. power supply, water, internet / communication connections).
- IT systems (hardware, software, cloud services, ...).
- Personnel (specialists, minimum number of employees, ...).
- Service providers / suppliers (e.g. logistics companies, suppliers, processors).
- Information (specific know-how, order documents, ...).
Evaluate resources: 'How do I avoid standstill?'
Resources that have been identified as particularly critical, meaning that their failure can have a significant impact on business operations, must be protected as well as possible against disruptions and failures.
This can be achieved - depending on the resource - in the form of redundantly designed components / systems, with the help of maintenance measures, with sufficient resources or numerous other preventive measures.
A targeted and comprehensive consideration of preventive measures already taken and comparison of (further) possible measures is the focus of this phase in BCM. After all, decisions have to be made and action taken, if necessary, before a disruption and thus a possible interruption of business operations occurs.
Preventive measures: 'How to avoid the disruption'
In addition to preventing outages through preventive measures, reactive measures for critical resources should be prepared as part of BCM.
If there is an outage, there is usually no time to calmly look for alternative solutions, discuss options for emergency operation, or develop a coordinated plan for restarting operations.
That is why it is important, in 'times of peace', meaning before a serious disruption has occurred, to
- think about options for action depending on realistic scenarios,
- document important contacts / specialised persons and related contact details,
- develop communication strategies for internal and external supporters,
- describe recovery procedures for IT systems or instructions for replacing necessary resources, and
- consider options for solutions based on the experience of other companies.
Reactive measures: 'How to react in the event of a disruption'
The approach and measures in the context of BCM are as dynamic as the business operations and the associated processes and resources.
Accordingly, a professional approach requires a regular review, at least annually, and adjustment as needed if relevant changes are identified.
In addition to reviewing the methodology and approach, the business processes in particular must be checked for completeness and correctness and with respect to their criticality assessment. Afterwards, the (critical) resources relevant to the business processes must be validated, with new ones added, obsolete ones removed and, if necessary, the assessments readjusted.
In addition, this theoretical preparatory work for an emergency situation should also be verified in the context of tests and exercises in order to find gaps before Day X and to achieve a certain routine.
Review measures: 'Practising the disruption case'
Do you want help to help yourself?
What is BCM all about?
Business continuity management is about ensuring that critical business processes run smoothly. To achieve this, it is important that resources that are urgently needed for these business processes function as intended, i.e. that they are implemented as resiliently as possible and / or that workarounds and alternative options are available.
In order to achieve this goal, it makes sense to evaluate the processes and associated resources, focusing on the essential elements. For these elements, it is important to check the measures already in place to reduce outages and to prepare measures to keep unavoidable outages as short or as low as possible.