Abstract
Business continuity management (BCM) allows for development, implementation, and maintenance of policies, frameworks, and programs to assist an entity in managing a business disruption, as well as building resilience from the impacts of a disruptive event. It treats the negative consequences of an event, and can create opportunities for benefit and gain. As most businesses recognize the importance of business continuity planning in turbulent times, they are frantically trying to identify effective ways to manage these projects.
In this paper, we outline organizational practices that are employed to manage business continuity projects and identify approaches that have proven effective. Drawing from literature, a framework for managing business continuity planning projects is presented and discussed. Risk mitigation strategies are outlined while being mindful of the risk combinations that hinder recovery after a disruptive event. Insights for practitioners pursuing business continuity planning projects are offered using case examples.
Introduction
Providing continuity in the face of a disruptive event is an important consideration for senior management in public sector entities, for-profit and not-for-profit organizations alike. This is particularly true since disasters (both natural and human-made) have steadily increased over recent years. Consider the ominous statistics offered by DRII: “Of five businesses that experience a disaster or extended outage, two never reopened the doors…of the three that remain, one will close within two years…60% of businesses experiencing a disaster cease operations within two years” (DRII, 2012, p. 6). According to the University of Texas Arlington Disaster Study, “25% of daily revenue is lost by companies in the first six days after a disaster” (DRII, 2012, p. 6). As suggested in Exhibit 1 (Forrester Research, 2011), the top risks facing today's organizations include technology reliance, business complexity, and extreme weather. Successful business continuity planning, implementation, and management can annul the negative consequences of these disruptions and create gainful opportunities for any business regardless of type, size, location, and complexity.
Business continuity management (BCM) and business continuity planning (BCP) principles are recognized by key organizations in the United States. Disaster Response Institute International, Inc. (DRII), Federal Emergency Management Agency (FEMA), Department of Homeland Security (DHS), and the Institute of Internal Auditors (IIA) among others promote the BCM/BCP framework. Yet, acknowledgement and promotion of BCM/BCP does not guarantee success when disaster strikes. Continuity plans must be uniquely developed, implemented, exercised, managed, and updated on an ongoing basis. Recently, the Project Management Institute (PMI) testified that the disaster response community could benefit from implementing program management practices and expertise to better promote successful outcomes (Learnard & VanOrnum, 2011).
Business Continuity Management (BCM) Defined
BCM can be defined as “a holistic management process that identifies potential impacts that threaten an organization and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value creating activities” (DRII, 2012). BCM aims to minimize losses, ensure recovery, and maintain continuity of business operations at planned levels after a disaster or disruption has occurred.
BCP is a critical component of the overarching BCM program. The planning process must be previously conducted with safeguards implemented prior to the disaster or disruption. The actual BC plan includes details about specific procedures and alternative options that enable the business to recover or continue to function at certain acceptable levels as the organization pursues full recovery.
As external threats mount in the current operating business environment, it is not surprising that organizations often find themselves overwhelmed. Where does the executive leadership begin? How can it accurately assess external threats? Moreover, how can it adequately implement safeguards to ensure ongoing operational continuity regardless of the threat? The external threats are then further compounded by internal BCM weaknesses, which can lead to a state of paralysis. Some of the more common internal BCP and BCM implementation problems are outlined below:
- Lack of knowledge and support of BCM by executives and senior management.
- Inability to adequately identify threats, assess risks, and prioritize (BCM is more than just IT concerns – it is a comprehensive review of the organization's external and internal business environment).
- Difficulty finding a qualified BC expert or consulting firm.
- Lack of good management processes and procedures (i.e., organizational competency, established emergency protocols, safety programs, etc.).
- Inadequate resource allocations for BCM (budget, staff, time).
- Missing BCP benchmarks and BCM goals (considered low priority).
- Incomplete or inadequate emergency response and BC plans.
- Staff not informed and trained to respond to emergencies.
- Unrealistic and inadequate rehearsal and exercise of plans.
- Failure to regularly update the BC plan and maintain a BCM program.
Most of these internal weaknesses could be overcome by applying project management (PM) principles while undertaking a BCM/BCP project.
BCM / BCP Framework
Several frameworks have been offered in the existing literature to explain the BCM/BCP process in organizations (DRII, 2012; Everest, Garber, Keating, & Peterson, 2008; FEMA, 2013). The generalized framework for BCM/BCP is outlined as follows:
Pre-planning Phases:
1. BCM Program Initiation and Management Commitment
2. Risk Assessment, Evaluation, and Control
3. Business Impact Analysis and Prioritization
Planning Phases:
4. Develop BC Resilience Strategies
5. Emergency Preparedness & Response
6. Develop and Implement BC Plans
Post-planning Phases:
7. Awareness and Training Program
8. Exercise, Audit, and Maintain BC Plans
9. Crisis Communications
10. Coordination with External Agencies
While the activities covered in the pre- and post-planning phases may be argued to be routine work for an organization with an established BCM/BCP program, the activities listed in the planning phases are non-routine and may be part of a project to implement an effective BCM response in organizations facing business continuity threats. Moreover, the generalized framework does not address unique ways in which project management principles can be successfully incorporated while implementing a BC plan. To effectively link the BCM/BCP process to PM principles, we offer a modified framework in the form of a continuous cycle as depicted in Exhibit 2:
The components of the modified BCM/BCP framework are discussed below:
1. Project Foundation: The most decisive aspect of BCM is for an organization's senior leadership to see the need for the plan, to buy in to it, and then to commit to developing and maintaining the plan as a living program over the life of the organization. Senior management is responsible, accountable, and liable to all stakeholders in every way for the BCM – legally, ethically, and morally. Leadership's commitment includes making the program a priority and allocating appropriate resources such as an adequate budget, the required staff, and enough time to create and maintain a successful program. The BC planner must gain access to fundamental key documents of the organization. These include the organizational chart, contact information for key personnel in each business functional area, policies and procedures for safety, emergency response and notification, an emergency contact list (or develop one), employee handbook, industry regulations, etc. In this step, management is aligned and the scope is defined to set realistic expectations, thereby eliminating resistance later on in the BCM project. Appropriate PM tools for this step include charter development for the BCM project, identification of the BC planner/team members, and creation of a project plan.
2. Business Assessment: This step includes threat evaluation and business impact analysis. Threat evaluation focuses on identifying the external and internal threats, events, and vulnerabilities that most likely could affect the organization's ability to continue operations. Each potential threat on the list is assessed for specific associated risks and the area of business activity it would affect. All aspects of potential loss and risk associated with that threat should be considered. Government and industry legal and regulatory requirements must be researched and integrated into risk assessments. The risks are then assigned a risk probability consistently using standardized criteria and metrics that quantify the likelihood of that event impacting the organization.
Business Impact Analysis involves careful review of all business functions that are critical to the continuing operations of an organization. All aspects of the potential impacts (both quantitative and qualitative) need to be thoroughly investigated and analyzed, and this can be done based on Recovery Time Objective (RTO) and Recovery Point Objective (RPO) determination. Qualitative impacts such as morale or corporate reputation may be as valuable to an organization as revenue and property. Appropriate PM tools for this step include development of a risk matrix, mitigation response, and mitigation cost review.
3. BCM Strategy Review and Selection: BCM strategies include the refinement of decisions about how to handle the risks identified in earlier steps. Management can opt to: (a) remove a specific risk; (b) mitigate/reduce the risk to some acceptable level; (c) accept a specific risk – do nothing; or (d) some combination of the above. Not all businesses can easily remove risk of business or asset loss. Insurance coverage is one strategy that is frequently used by businesses as a partial solution to mitigate risk to some acceptable level against high impact disasters or disruptions. This step also includes developing and implementing an emergency response plan that acknowledges current laws and regulations and informs employees on appropriate and effective procedures to follow during a crisis event. Appropriate PM tools for this step include stakeholder analysis, BCM project milestone development, BCM project communication planning, BCM project audit planning, and contingency planning.
4. Develop BCM Plan and Implement: This step includes the process of compiling, developing, and documenting all the BC recovery plans (including damage assessments, notification and reporting procedures, recovery teams, required resources, etc.) and continuity strategies for each functional business area previously identified. Other significant components need to be added to the consolidated BC plan, such as a Crisis Management and Communication/Notification Plan (to include partners and vendors), identification of the Incident Command System (ICS) and Emergency Operations Center (EOC) as applicable, and the roles and responsibilities of the organization's executives, the Steering Committee/Crisis Management Team (CMT), and the BC Planner/Coordinator. The BC plan must be socialized, emphasized, trained, and integrated into the organizational culture before its implementation in order for it to be effective in an organizational context. Awareness and training is the first step of implementing the approved BC plan and involves both the internal personnel in a business and its external contacts. Appropriate PM tools for this step include developing a work breakdown structure, a responsibility chart for crises, a cultural inventory of the project organization, critical path analysis, flowcharts, and checklists.
5. Test, Assess, and Maintain: This is a critical step because oftentimes the BC plan is “shelved” after it is completed and the organization continues on with its day-to-day activities. Over time, the organizational decision-makers become oblivious to the criticality of BCM and become out-of-sync with how the situation needs to be addressed should an emergency manifest itself. It requires detailed project planning (coupled with patience and tenacity on the part of the organizational decision-makers) to implement this step of the BCM. Developing exercise scenarios and acquiring senior management approval to regularly practice disruptions during business hours is extremely daunting. Yet, it must be done. Exercising the BC plan proves that the plan has shortcomings and reveals the weaknesses and gaps in the response procedures. “The goal of testing and exercising your plan is not to find out how it works, but to determine how it doesn't so you can fix it before it happens for real” (DRII, 2012). Appropriate PM tools for this step include scenario planning, what-if analysis, modified FMEA (Failure Mode and Effect Analysis) for BCM projects, and post-mortem analysis.
Recommendations for Making BCM Projects More Effective
The three top issues concerning organizations implementing BCP and developing BCM projects where employing PM methodology can prove effective are:
- BCM Program Initiation and Management Commitment: Senior management must agree on the project, set the overall priority for the project, and approve the scope. Providing appropriate and necessary resources (project budget, support staff, and supplies) is also critical. Timelines, benchmarks, and envisioning the end state are all designed to energize the project team.
- Set a Critical Path Schedule: Assist management in establishing a schedule for completing the BCP planning process and establishing the organization's BCM. This is of particular importance due to the many delays BC planners experience as new information, dependencies, and gaps are discovered during the process.
- Monitor/Control Progress of Plan and Team: It is important to have an overarching approach to monitoring the progress of the BCP project. Regular communication and coordination with all stakeholders involved in the project as it develops significantly adds to the success of the project and ultimately supports the goals of senior management.
Managerial Implications
According to A Guide to the Project Management Body of Knowledge (PMBOK® Guide) (PMI, 2013), there are five general phases of PM: Initiating, Planning, Executing, Monitoring & Controlling, and Closing. The first four phases can be directly applied to BCM/BCP to improve processes, in particular in the areas of management commitment, critical path scheduling, and monitoring and controlling the overall progress of the project and development team. The last PM phase, “closing,” does not directly translate to the BCM/BCP framework because BCM is an ongoing management process that continually seeks updates and improvements (i.e., the project cycle repeats itself over and over again) as different threats, challenges, and risks arise, coupled with new technology developments and changes in staff structures.
It is also worthwhile to reflect on the differences between planning a BC project in theory and actually implementing BCM in case of an emergency. These differences arise from several factors:
1. Differences in Risk Perceptions: These differences may stem from changes in an organization's internal environment and external environments. Changes in an organization's internal environment include changes in management philosophy, risk appetite, objectives and business operations. Changes in an organization's external environment relate to potential economic, social, technological (and similar) factors, as well as competitors that influence the firm's decisions.
2. Differences in Risk Impacts: These differences may be due to an organization's risk exposure, its fiscal condition, its core objective functions that create value-added for the business, and industry attractiveness among consumers.
3. Differences in Risk Responses: These differences may be due to a response's dependence on its relevance to, or impact on, the core or value-adding functions/objectives and organizational long-term goals that are unique to each organization.
4. Differences in Proposed BC Plan vs. Actual BCM Response: These differences may be due to the fact that an organization may consider its long-term standing in the industry as well as opportunities that may arise. Taking the proposed BC strategy may be safe now but may not be favorable to the organization's increased exposure or long-term goals. The differences in an organizational context may be moderated by the current risk culture (which may have changed since the BC plan was developed), its risk intelligence (the information used to inform BC decision-makers), and the actual practice of BCM.
These observations offer insights for effective implementation of BCM/BCP projects that are essential for business survival and for creating value while serving all organizational stakeholders.