Business continuity is not an event or a programme that is implemented from time to time. Because it deals not only with identifying the risks the company faces but also with how to mitigate them, it follows that it has to become ingrained in the way every member of the company performs his or her daily work. Embedding Business Continuity is thus the vital second professional practice within the business continuity management life cycle.
At the most profound level, business continuity management is concerned with protecting the company and thus the investment of its shareholders and the jobs of its employees. Each and every employee needs to understand that, and that understanding must permeate the way the job is done.
Clearly, it all starts with the business continuity policy, which identifies the most important areas of the business. An embedded culture of business continuity means that everybody involved in those areas has to automatically act in ways that protect them. For example, a brokerage’s trading platform would probably be a key asset to be protected. Although the direct responsibility for keeping it up and running, and ensuring there is a contingency, might fall to the CIO, the brokers who use it should do their part by maintaining data security or timeously reporting system malfunctions. While IT is responsible for the infrastructure that the brokerage platform runs on, the business users almost always have first insight into a potential security or system failure. Weak passwords and logon credential sharing are a business failure, not an IT oversight.
Other examples could include the manager of a production facility that is rated critical to the company’s survival in the business continuity policy. He or she must be careful not to “sweat” the machinery by extending service intervals or running equipment listed as end of life by the manufacturer, even though it might seem like an acceptable risk in return for better quarterly financials. It is all too commonplace for companies to be left stranded by a lack of spares for outmoded equipment. Similarly, the marketing manager must take the trouble to ensure that customer records are adequately backed up because these in fact represent the company’s most valuable asset. This also includes, for example, physical contracts that will render financial agreements null and void if lost.
Embedding the business continuity mindset into the company is not going to be an overnight affair, of course, but it must be done. We believe that if business continuity actions have to be enforced via sanctions, then it is likely the company simply isn’t adequately protected against disaster.
So how to begin? A good first step, as we indicated in the preceding blog, is visible and sustained executive sponsorship. Ongoing in-person talks by the CEO are much more powerful than simply circulating a policy document via e-mail. Just as the policy needs to come from the top down, so the actions of corporate leaders must be seen to be protective of the key assets, meaning that long-term rather than short-term thinking must be predominant. Training also has a vital role to play, as in any change management exercise.
One important point to make in conclusion: if operations that are vital to a company’s long-term survival are outsourced, then the company must ensure that the outsource provider’s employees similarly understand this importance, and that business continuity is embedded into its operations. If the outsourcing provider is a weak link, then clearly the company’s organisational resilience is heavily compromised.
Embedding Business Continuity is covered on pages 37-46 of the Good Practice Guidelines. For more information, visit the BCI website to download the Good Practice Guidelines or contact us for BCM advisory.