Business Continuity Management
INTRODUCTION
Business Continuity Management (BCM) and the associated Business Continuity Plan (BCP) form a fundamental risk management discipline, the application of which has grown significantly over the years. From its beginnings in the major corporate sector, the benefits of BCM have become widely recognised by risk-aware companies of all sizes as an essential means of protecting their trading position and the interests of stakeholders, particularly in times of increasing competition.
BUSINESS CONTINUITY MANAGEMENT
Business Continuity Management (BCM) is defined “as a holistic process that identifies potential threats to an organisation and the impacts to business operations that those threats, if realised, might cause. It provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of key stakeholders, reputation, brand and value-creating activities.”
BCM Policy and Programme Management - Key Components
BUSINESS CONTINUITY INSTITUTE – GOOD PRACTICE GUIDELINES
In response to the growth in BCM, the Business Continuity Institute (BCI) was established in 1994 to enable individual members to obtain guidance and support from fellow business continuity practitioners. With circa 8000 members in some 100 countries worldwide, working in an estimated 3,000 organisations in the private, public and third sectors, the BCI has become the world’s leading institute for business continuity.
Amongst the various documents produced by the BCI is its Good Practice Guidelines 2018. Highlights of this document are available at https://www.thebci.org/training-qualifications/good-practice-guidelines.html and are most useful for any Consultant wishing to refresh their knowledge of BCM. ISO 22301 - Business Continuity Management (bsigroup.com) is a further source of information.
ISO STANDARDS
Previously the subject of BS 25999, BCM is now covered under the following ISO standards:
ISO 22313 – Business Continuity Management Systems - Guidance. This provides guidance based on good international practice for planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving a documented management system that enables organizations to prepare for, respond to and recover from disruptive incidents when they arise.
ISO 22301 - Business Continuity Management Systems – Requirements. A specification for planning, establishing, implementing, operating, monitoring, reviewing, exercising, maintaining and improving a documented BCM system.
Demonstration of successful implementation of these Standards can be used by an organisation to assure interested parties that an appropriate business continuity management system is in place.
RISCAUTHORITY – “ROBUST”
In conjunction with its member companies, the RISCAuthority has produced “ROBUST”, a business continuity planning toolkit which is free to download at https://www.thefpa.co.uk/. This is focused mainly on the SME sector and is referenced in the RSS standard RI wordings.
In addition, a new business continuity template has been published by the RISCAuthority, aimed at helping small businesses, which find the ROBUST SME software toolkit overly complex for their needs, to produce a recovery plan. This document is highly recommended.
Finally, the RISCAuthority has launched an online toolkit to help companies understand which suppliers would have most impact on their business in the event of an interruption.
The Supply Chain Risk Assessment Tool has been developed in response to growing numbers of supply chain disruptions and businesses failing to recover. This is available at https://risc.riscauthoritysupplychain.com/
SURVEY EXPECTATIONS
Where required by a particular report template or a specific client instruction, or where a separate BI report is being produced, information should be obtained on the following:
The existence and extent of a BCP.
The date when it was prepared, whether it has been exercised and the extent to which it is maintained, reviewed and updated.
The keeping of a secure copy off site.
Except when dealing with a BI survey on a complex case, Consultants are not expected to read through the BCP’s detail, but should form an overview, from the known details of the BI risk, of whether the BCP generally appears fit for purpose. Where this is not the case, an appropriate risk improvement should be raised.
Unless advised to the contrary within a specific client CSI, a risk improvement calling for the preparation and implementation of a BCP should be made for all cases where the BI exposure (EML) is £2.5m or above. This should be based on the RiskSTOP standard wordings and would normally be raised as a Recommendation.
The above threshold is not intended to imply that RiskSTOP has no interest in BCPs below £2.5m; where a company is encountered that is considering this route, it should be actively encouraged.
Occasions may arise, when dealing with a major connection, where RiskSTOP is requested to become involved in a BCP review/working group with key Policyholder personnel and representatives of the brokers. Such activity will always be conducted under special arrangements, of which the Consultant will be notified, and must not be entered into independently.