Recent man-made and natural disasters, including terrorist attacks, the Indian Ocean tsunami and the threat of pandemic flu, all serve to highlight the critical need for public and commercial organisations alike to address Business Continuity Planning (BCP). While the UK Government’s Civil Contingencies Act stipulates the requirement for thorough Business Continuity Management (BCM), and the new BSI standard (BS25999) will support the process of implementing best practice, it will not overcome some of the implicit major BCP issues. BCP Plan
Arguably the most significant of these is understanding complexity – comprehending the interdependencies and interactions that define the business-critical processes of modern organisations; ensuring stakeholders are fully trained and aware of their roles and responsibilities, and managing the myriad of policies that directs your BCP. BCP Singapore
Effective BCP must be informed by a clear understanding of the critical processes that an organisation must conduct in order to achieve its business aims and key supporting objectives. To ensure processes are adequately protected, Business Continuity planners must have a clear and comprehensive understanding of all business-critical elements in the organisation, including their relationships, inter-dependencies and relative priority/criticality to the business, so risks can be identified, assessed and appropriately planned for. Incomplete Business Continuity Analysis would leave the organisation vulnerable to a critical failure.
The main purpose of BCM is to develop the ability to continue your business-critical activities in the event of a pre-defined disaster scenario occurring. It is essential, therefore, to ensure that your organisation has an effective BCP in place and that any critical third party suppliers also have adequate BCPs to ensure continuation of service to a defined (probably reduced) Service Level Agreement. Once you have addressed the potential threats to your own organisation, you do not want suppliers representing weak links in you Business Continuity ‘chain’.
Without a clear understanding of what your business-critical processes are, or the ability to easily identify the systems, infrastructure elements and people upon which these processes depend, how can you assess how a particular threat will impact them? If you cannot be confident that you have fully understood these areas, how can you be sure that you have not overlooked a business-critical element in your planning process and, therefore, that the Business Continuity and Disaster Recovery plans you have developed will be truly effective? The answer is you can’t!
Enterprise Modelling (EM) is now a recognised technique for making complexity more understandable, by generating an exploitable model of your organisation’s ‘business-critical architecture’. It provides a clear and understandable structured graphical visualisation, enhanced by supporting textual information, of the vital business interactions of your critical staff, assets and processes, the risks that threaten them, and the plans that can be brought to bear to protect them. This will facilitate identification, analysis and understanding of the business-critical aspects of the organisation, and the relationships and dependencies that exist between them. EM can also support incident management and what-if scenario analysis, and help identify BCM training needs and how they are delivered.
A further valuable by-product of using the EM approach is, in taking a group-wide view of all business-critical aspects, EM will identify any key areas of vulnerability, as well as anomalies or duplications of effort, which, once rectified, will improve efficiency.
There is no point spending all the time, effort and cost developing a BCP unless it is effectively communicated to employees, key partners and suppliers, and possibly customers. BCM and BCP are therefore not one-off processes; plans must be distributed to all relevant parties, be read and understood by them, be readily available and practiced at appropriate intervals, and kept up-to-date and relevant to the business.
While responsibility for Business Continuity should lie at all levels within an organisation, ultimate responsibility for protecting shareholder value and the future viability of the organisation lies with the Board of Management. The Board must demonstrate that its Business Continuity and Disaster Recovery plans are properly managed, i.e., distributed, practiced on a regular basis and finally, maintained as relevant to the business as it changes.
The threats posed by humans and nature are ever with us and, some would say, increasing. In order to counter this, in-depth Business Continuity Planning [http://www.vega-group.com/services/informationsecurity/servicelines/index.asp?id=1138,574,4,575] and Management will be critical. Underpinning these plans with Enterprise Modelling can deliver a comprehensive, accurate and coherent model of an organisation’s business-critical elements, and enable managers to produce more effective BCP and more easily identify and address specific areas in both crisis and normal operations.
The addition of a computer-based Policy Management System automates the distribution and tracking of your BCM policy and plans, and further, provides the Board with demonstrable evidence that they are paying due heed to Corporate Governance and Compliance.