Implementation of a Business Continuity Management System

The assessment of the criticality of business processes identifies the impact that the interruption of a business process has on the company. The focus is not so much on the importance of the business processes, for example their strategic significance, but rather on the effects on the operational business.

For the evaluation, the foreseeable consequences of a failure with a duration of a few minutes, hours, days up to weeks are assessed and based on this an overall criticality is determined.

In particular, the following aspects of impact are considered:

• Impact on business operations (other business processes, products, customers, ...).
• Financial impact (direct and indirect damage).
• Legal consequences (violation of laws, contracts, regulatory obligations, ...).
• Impact on image / reputation (trust of stakeholders, existing target groups, new target groups / interested parties, ...).

Business processes depend directly on the proper "operation" of the required resources, also called supporting assets. The failure of a resource can lead to a more or less significant impairment of one or more business processes or even to a complete standstill.

An assessment of which resources have a significant impact on (critical) business processes identifies the elements that are really important from an availability perspective.

Relevant resources include:

• Buildings / areas and rooms.
• Infrastructure (e.g. power supply, water, internet / communication connections).
• IT systems (hardware, software, cloud services, ...).
• Personnel (specialists, minimum number of employees, ...).
• Service providers / suppliers (e.g. logistics companies, suppliers, processors).
• Information (specific know-how, order documents, ...).

Resources that have been identified as particularly critical, meaning that their failure can have a significant impact on business operations, must be protected as good as possible against disruptions and failures.

This can be achieved - depending on the resource - in the form of redundantly designed components / systems, with the help of maintenance measures, with sufficient resources or numerous other preventive measures.

A targeted and comprehensive consideration of preventive measures already taken and comparison of (further) possible measures is the focus of this phase in BCM. After all, decisions have to be made and action taken, if necessary, before a disruption and thus a possible interruption of business operations occurs.

In addition to preventing outages through preventive measures, reactive measures for critical resources should be prepared as part of BCM.

If there is a outage, there is usually no time to calmly look for alternative solutions, discuss options for emergency operation, or even for developing a coordinated plan for restarting operations.

That is why it is important, in 'times of peace', meaning before a serious disruption has occurred, to

• think about options for action depending on realistic scenarios,
• document important contacts / specialised persons and related contact details,
• develop communication strategies for internal and external supporters,
• describe recovery procedures for IT systems or instructions for replacing necessary resources, and
• consider options for solutions based on the experience of other companies.

The approach and measures in the context of BCM are as dynamic as the business operations and the associated processes and resources.
Accordingly, a professional approach requires a regular review, at least annually, and adjustment as needed if relevant changes are identified.

In addition to reviewing the methodology and approach, the business processes in particular must be checked for completeness and correctness and in respect of criticality assessment. Afterwards, the (critical) resources relevant to the business processes must be validated and new ones added, obsolete ones removed and, if necessary, the assessments readjusted.

In addition, this theoretical preparatory work for an emergency situation should also be verified in the context of tests and exercises in order to find gaps before Day X and to achieve a certain routine.