A comprehensive business continuity management (BCM) programme, which incorporates business continuity (BC), disaster recovery (DR) and crisis management, is a must for complex, growing and global business organisations.
In today’s global economy, the various operational aspects of the companies are susceptible to the risks of disruptions that are beyond the reach of Information Technology (IT). The resilient commitment from senior executives and the establishment of a BCM governance procedure are essential for effective response to manage the disaster. Many organisations, identifying the benefits of BCM, are investing in comprehensive BCM programme development instead of developing regulation-compliant strategies.
The 2014 annual global benchmark study by Disaster Recovery Preparedness (DRP) Council shows that 73 per cent of respondent organisations worldwide do not take adequate measures to protect their data and IT systems. More than 60 per cent report that they do not have a fully documented disaster recovery plan and around 64 per cent surveyed say that their organisations’ disaster recovery (DR) budget is inadequate and underfunded.
According to EY’s Global Information Security Survey, 17 per cent of the survey participants said their organisations do not have an established BCM programme. In the case of the organisations that have a BCM programme, only 25 per cent trust their programmes reveal a principal practice ratified by senior management with distinct standards and strategies, roles and responsibilities and tools and methodologies.
Frameworks, processes, methodologies and tools vital for a coordinated incident response management, maximised personnel security and minimised data loss risks constitute a typical BCM programme. The programme should also inspect the recovery effort demarcated by critical business requirements and help in persistent learning from the practice and improve.
The governance integration between the components of BC and DR is one of the components of the BCM programme, which impact the success rate of the programme across the multiple organisations. BCM programme governance implies the set of rules and roles and responsibilities to manage the effective execution of the BC programme and the DR programme during the course of the BCM life cycle. Absence of unified governance can cause disconnected BC and DR initiatives, misalignment of business direction and technology strategies that obstruct on time disruption recovery.
Middle East demand for BCM programme on the rise
Businesses in the MENA region have been facing challenges in terms of managing their diverse and complex operations. The BCM programmeme has recently gained prominence with the increased expansion of entities for each of the businesses and the need for integration of multiple levels of stakeholders. Also, the politically unstable environment in the Middle East and the increasing use of technology have contributed to the need for BCM in the region. Moreover, the various threats facing the companies have increased three-fold in recent times making them highly vulnerable.
According to the results of the recent Middle East Business Continuity Survey, there has been improvement compared to previous years, in accepting BCM as organisations are increasingly looking to improve their disaster recovery capabilities. The report found that around 21 per cent of the organisations have had a robust BCM programme since 2010, while 14 per cent have started maintaining and exercising their BC plan. The remaining 65 per cent of the organisations either have no concrete plans to initiate a BCM programme or are still at different stages of implementation in the BCM lifecycle.
The Horizon Scan Survey Report from Business Continuity Institute lists unplanned IT and telecom outages, followed by cyber-attack and fire as the top threats for the Middle East in 2013.
A 2013 survey by B2B International and Kaspersky Lab found that only 40 per cent of users in the UAE were able to retrieve the data they lost in a malware attack, with 60 per cent stating they lost some of their valuable information forever. This confirms the theory that MENA businesses without robust data disaster recovery and business continuity plans are more prone to reputation hits from downtime than ever before.
Lack of integrated governance causes potential issues in BCM life cycle activities
The continuous sustaining and maintaining activities of the BCM life cycle ensure the viability of BCM programme over time. Governance plays a crucial role in each phase as well as the transition phases of the cycle. The lack of governance could disrupt the BCM life cycle activities.
A BCM life cycle has six phases:
- Planning the programming (Plan)
- Assessing the impact and risk (Assess)
- Developing the continuity and recovery strategies and plans (Develop)
- Implementing the continuity and recovery strategies (Implement)
- Exercising the plans (Exercise)
- Maintaining the plans and the overall programme (Sustain and maintain)
The integrated governance within the plan and assess phases implies executive management’s sponsorship and support, associated priorities among businesses and harmonisation between different business units and DR teams. This helps to identify and protect the critical business functions. Develop and implement phases’ integrated governance ensures distinct roles and responsibilities across different teams. This is essential to device a well-coordinated recovery effort that meets the business and IT requirements, minimising the outage impacts. Integrated governance of the exercise and sustain and maintain phases enable effective conduction of plan reviews and transfer of BC and DR knowledge among employees.
Moving forward with integrated governance
To overcome the challenges of BCM, the related and overlapping root causes has to be addressed. The senior management must take a strategic approach to align with a company’s objectives to develop an effective integrated governance structure for their BC and DR programmes. This will gradually promote a better understanding of the organisation, cost mitigation, reputation and brand safety and sustenance of critical activities.
The most common challenges and the corresponding root cause analysis
Establishing an effective BCM governance structure
An efficient BCM governance programme is characterised by a well-defined composition and structure. The organisation should be knowledgeable enough to identify the organisational hierarchy suitable for incorporating the BCM programme and to select the appropriate people for facilitating governance.
The executive sponsor and owner of the BCM programme should be a member of the senior leadership team. The BCM executive sponsor is recommended to be someone outside of the organisation’s IT team, such as the head of risk management, human resources or finance. The sponsorship of critical role outside IT will help in maximising the support of the business units, which is vital for the programme implementation.
There are three governance models in practice. The success of each depends on the position of the proper components such as:
Centralised model, where a centralised team directs BCM activities globally
Decentralised model, where the business units oversee their own BCM activities
Hybrid model, where a central team develops the global framework and the business units implement it
Integrating efforts between business and IT
The organisational goals should drive business continuity and disaster recovery. BCM initiatives across an organisation are usually executed in silos, resulting in fragmented programme with misaligned priorities. A successful programme leverages the integrated governance to promote effective business communication among the businesses, between the business and IT team and the BCM team and the executive decision makers.
As BCM liaisons of the organisation, the BCM manager and team are responsible for defining processes that facilitate the BCM integration in the organisation. The working committee comprising representatives from multiple areas of the organisation promotes partnership in defining the BCM framework. The steering committee at the executive level must ensure the BCM integration with other related disciplines, such as enterprise risk management and security.
Managing the changing organisational priorities of the corporate, IT and business areas can pose challenges. Having an executive sponsorship to line up the BCM effort with overall company goals provides the foundation. The priorities become aligned through the collaboration between the BCM team and the steering committee.
Creating a culture of quick change adoption
BCM is a continuous process. Hence, the planning activities should keep on pace with the ever-changing business needs. This should consider the changes within the organisation (e.g., M&A, team restructuring), IT infrastructural changes (e.g., IT transformation, system upgrades and retirement) and turnover of BCM professionals and business unit leadership. Turnover affects the BCM programme because there are chances for effort and knowledge loss that could affect maturity of the programme. The governance model should address the quick transition demands through a change management process. This will ensure the identification of the changes, revalidation of risks and doing essential modifications to the BC and DR plans.
A sustainable BCM programme persistently identifies and manages its organisation’s risks. To ensure this, regular tracking methods such as revisiting the BIAs and strategies, reassessing the threats and risks, reviewing plans, conducting exercises and reporting metrics are essential. This will guarantee the efficiency of the BCM programme in meeting the current as well as the forthcoming requirements of the organisation. Governance must provide knowledge transfer and sharing across the organisation to inculcate a culture of proactive risk management.
Most of the organisations have some elements of a BCM programme. Among them very few can claim to be devoid of governance challenges. The risk statistics of those organisations without a BCM programme are high, however the success of a BCM programme depends on the appropriate integration of business and IT.
Successful BCM integration can be accomplished through a strong executive commitment to the programmes’ successes through the definition of:
- BCM policy and vision that aligns with corporate objectives and strategy
- Governance model with defined roles and responsibilities for business areas and IT
- Consistent standards and guidelines, enterprise framework, methods and tools
- Communication protocols to facilitate collaboration between business and IT teams
- Prioritisation of critical resources based on a holistic view of risks and impacts
- Continuous improvement initiatives to update and upgrade the BCM programme
The recommended BCM integration practice maximises the business and IT collaboration. It facilitates senior leadership to participate and make risk-based business decisions, minimising assumptions that could result in recovery process issues.
The author is Senior Director, Advisory Services, Sub competency leader for IT Risk Management, Middle East & North Africa, Ernst & Young