Why should we bother with Business Continuity?

Business continuity?is often associated with the government and “the big guys” dealing with major disasters like hurricanes, earthquakes, pandemics, and the like. And you would be surprised to find out how little advanced matters even in such organizations often are.

Yet, business continuity is something that even for smaller organizations is?much easier?to achieve than widely perceived. And it likewise?costs significantly less?than generally thought. However, being done in a suitable fashion?lets you sleep much better at night.

At the bottom line, business continuity is all about?preparedness for?events that cause?disruption?to your business if unfolding. Having worked out a strategy on how to survive such events beforehand is?the war half won?when it happens.

It starts out with?risk assessment, i.e. finding out which disruptive scenarios there are and how they would impact your organization: power outages, road works, severe weather, significant numbers of staff calling in sick, equipment and internet failure, burglary, fire, strikes, civil unrest, etc., but also “positive” things like a major event in town or a sudden unexpected increased demand in your product or service.

The impact of each of these will depend on many factors, e.g. size, nature, location of your organization, etc. Take the weather: either heat, drought, snow, or torrential rain is normal in some parts of the world, in others even a little bit of it causes major chaos. Are you ready for that or at least?aware of the risk??Or just holding your thumbs?

While business disruption might immediately be joked off as a welcome break, the reality is that it means loss of revenue while costs keep running. How long can you afford such a situation safely without edging towards?insolvency or bankruptcy??Determining a reliable answer to this question is called?business impact analysis.

Having identified what would bring us to our knees, is a start but won’t save us in any way. The next question is what can we do to not let it come to the worst? This is where preparedness comes in: do you have backup facilities, supplies, reserves, alternative revenue streams, etc. to?carry you through??Can you call on extra resources quickly when in need to top up or replace those that have gone missing? Organizing this kind of preparedness in a structured way is known as?business continuity plans.

Have you already considered some of these - likely in a rather informal and unstructured way? Maybe triggered by some daunting reports in the news making you think:?“What if that happened around here?”?If so, congrats, you have already started the journey. If not, maybe this article has made you think…

Doing risk assessment, business impact analysis and business continuity plans likewise will sound a daunting perspective. And no doubt, some consultancy will come along and quote you for it in a way that sends you straight out of business because it is sheerly unaffordable. But it doesn’t have to be that way.

Like for many other areas, e.g. quality, health, safety, environment, information security, etc., there are?international standards?set out in a deliberately generic way on how to manage such matters. You very likely will have come across Quality Management Systems following the ISO 9001 standard, long established and in many industries regarded as the bare minimum. The corresponding standard for a?Business Continuity Management System?(often just referred to as BCMS) is ISO22301.?

While often misunderstood, this generic approach to ISO standards is particularly aimed at?small and medium-sized organizations. It allows them to benefit from these standards at least as much as the big players in the market. It all revolves around the idea of taking measures appropriate to the individual organization considering their individual context and objectives.

The alternative often found elsewhere is a one-size-fits-all approach that necessarily will make it impossible for smaller yet totally under-challenging for big organizations, as such not creating any value for anyone. Hence, why I much prefer the ISO approach. It is achievable and adds benefits to every organization and those dealing with it. And it allows you to grow with it.

Talking of?adding benefits, I already mentioned sleeping better at night because of the preparedness a BCMS creates. Let’s not be mistaken here, it doesn’t come for free, and it will not save us from all and everything, but it will put us in a much better position. And this better position will give an organization a competitive edge, e.g. by?increased resilience, customer confidence, and satisfaction,?reduced costs?due to better-tailored insurance arrangements, lowered legal and contractual liabilities, better resource management, etc.??

Should we? Yes, we should.

Martin Holzke

--------

At ISO in the Sun, we offer consultancy, training, and coaching on information security, business continuity, and risk management - such as PECB's ISO 22301 Lead Implementer and Lead Auditor courses, in Lanzarote, Canary Islands, Spain.

You can find out more about our Business Continuity courses, and other training that we offer on our website here.