The Good Practice Guidelines 2013 put out by the Business Continuity Institute offer some great guidelines around some frequently asked questions relating to the discipline.
What is business continuity for? The short answer is “a lot”. In the past, business continuity used to be seen as a way of dealing with massive events that were extremely unlikely to happen, like a typhoon or a fire at your main production facility. Now, however, it’s recognised as a way to build the organisation’s general ability to deal with any crisis, including supplier failure or adverse reporting in the media. In this way, business continuity is becoming more operational and is playing a key role in making an organisation more resilient.
Who can conduct an audit of the business continuity management system? A qualified business continuity auditor is needed as he or she will have the necessary professional skills—just as an accountant is not qualified to conduct an audit. Business continuity professionals, however, are often called in to do self-assessments and peer reviews in preparation for full audits.
Is there any difference between business continuity and organisational resilience? Not much is the short answer, in the sense that organisational resilience—the ability to respond to the unexpected and continue business as usual—is the aim of business continuity. To be very technical, one could say that organisational resilience is more related to strengthening the organisation ahead of any event, while business continuity is more focused on what happens after the event.
Is crisis management separate from business continuity? Business continuity management is defined as the way in which potential threats to a company’s business operations are identified, and the way to build the necessary organisational framework to mount an effective response. Crisis management, which deals with a major event that could damage the organisation or third parties, must be considered in the light of business continuity even though the threat might not directly affect operations. An example would be adverse media coverage.
How do business continuity and risk management overlap? Business continuity must take risk management into account because there might be some mitigating actions the business could take to reduce risk of catastrophes that are outside its control, such as floods. But in reality the only way to mitigate such risks is to take measures to reduce their impact on the organisation. This might include insurance. The analysis phase of business continuity management, which includes business impact analysis and risk assessment, is vital in helping businesses understand where they need to spend money in managing risk.
In our next blog, we’ll conclude with answering some final questions about business continuity.