Business Continuity and Organisational Resilience are distinct and complementary functions that together seek to achieve the same goal: an organisation that is prepared for, able to withstand and recover from major disruptive events. This article explores Business Continuity Management, explaining how the structured, process-oriented approach prepares business for disruption and emergencies.
What’s the difference between Business Continuity and Organisational Resilience?
While both are often lumped together under the title ‘Business Continuity Planning’, their individual approaches are different, yet highly complementary.
- Business Continuity Management is a management system and process focusing on risk assessments, business analysis, solution design, planning, implementing and testing. It is an instruction manual for preparing a business for emergencies
- Organisational Resilience is a more subtle and ‘messy’ concept that concerns the culture of an organisation (i.e. ‘the way we do things around here’, the innate beliefs and motivations). Organisational Resilience seeks to influence culture so these ‘ways’ are inherently more resilient to disruption
These two concepts are co-dependent: Business Continuity Management can be implemented in a matter of months by improving systems, processes and management structures. Changing the culture of an organisation can be a long and arduous task that requires techniques more common to Organisation Development and Change/ Transformation disciplines than Business Continuity Planning.
Business Continuity explained
“Business continuity is about developing plans to deal with difficult situations”
(Business Continuity Institute, 2020)
A more extensive definition is provided in the Business Continuity Institute’s Good Practice Guidelines:
“Business continuity management identifies organisational-priorities and prepares solutions to address disruptive threats. An effective business continuity programme supports the strategic objectives of the organisation and pro-actively builds the capability to continue business operations in the event of disruption. The programme includes the identification of risks and threats, the creation of response structures and plans to address incidents and crises and promotes validation and continuous improvements”
(Business Continuity Good Practice Guidelines, 2018)
Which is rather wordy.
A simpler definition could be:
Business Continuity is a management system that seeks to protect key business operations from disruptive events and quickly recover by pro-actively managing risks, identifying priorities and critical functions and develop solutions to the challenges created by the identified risks to the identified priorities.
BCM = Priorities/risks + planning
The Business Continuity Management Process/cycle
Business Continuity Management is structured around a cycle of continuous improvement:
- Policy and Programme Management – A document that explains how the BC programme will be delivered within the organisation. It includes services that will be included in the programme, who’s in charge and how the organisation will monitor and make sure it happens.
- Analysis – In this phase we identify the organisation’s priorities and risks to their delivery. This is a research phase that usually involves interviews, workshops, mapping exercises and document reviews to understand how the organisation works within its business environment. The technical term is ‘Business Impact Analysis’, a fancy way of saying ‘understanding the business, assessing the risks and identifying the critical functions and activities needed to deliver the key products and services.’ It usually involves lots of ‘what if…?’ questions, like: What if something stopped this activity? What if this person wasn’t here? What if you couldn’t deliver this product/service for 2 weeks?
- Design – designing the solutions to the challenges we identified in the Analysis It generally involves management of the risk through an appropriate approach:
- Prevent it – remove the risk by changing the way you do this activity
- Reduce it – limit the likelihood or potential impact of the activity going wrong
- Transfer it – give the issue to another supplier/company/organisation that may be better equipped to handle it (for example, moving data from an in-house server to cloud-based system with a company with more robust and resilient systems)
- Accept it – shrug those shoulders and accept that I might go wrong and that you’ll deal with it when the time comes
- Create a contingency/Plan-B – plan what you will do if it does go wrong in detail
The design phase will create a statement that sets out the organisation’s strategy for managing these risks, for example: All key services delivering at 80% volume as a priority for the entire organisation through preventing and reducing the likelihood of medium and high risks, with contingency plans for the highest rated risk-critical product lines.
- Implementation – Putting what you’ve designed into practise, creating your continuity plans and a monitoring and management structure. You could create plans at different levels of your business, such as: Corporate Plans, Directorate Plans, Service Plans or Product Plans. I would encourage the use of Product Plans that manage products/ services from start to finish. Whatever you choose, make sure it works for your organisation.
- Validation – Testing it, make sure your people know what to do and continuously improve how you do it. Keep this going, this isn’t a one-off activity; processes change, people move on, the environment alters – your plans have to match these changes if you want them to work, so review regularly. This doesn’t have to be complicated, and testing can often be fun and interesting. The hard part is doing it, especially when everyone is so busy just doing their everyday job.
- Embedding – building resilience and business continuity practices into the heart of the organisation and its day-to-day business as usual. This can be done through communication, training, practice and spreading awareness. This stage at least recognises a need to influence organisational culture, although, in my opinion, it probably doesn’t give this the emphasis it really needs to be effective.
So there you have it, business continuity in a nutshell. Business Continuity works, it will give your organisation a better chance of overcoming disruptive events and the evidence is there to prove it.
Business Continuity doesn’t have to be complicated, and it shouldn’t be. For more on how to build resilience in your organisation without making it complicated, see: Preparing your business for emergencies and disruption (including Coronavirus)
You’ll need more than well laid-out plans and processes if you’re to survive and thrive in disruption. The next article will explore Organisational Resilience and the key contribution that it makes to supporting organisations to overcome disruption.
More information on Business Continuity
If you would like to know more about how to apply Business Continuity to your organisation, here’s some links below:
- Business Continuity for Dummies is a good, well-structured guide to Business Continuity developed with the UK’s Government Cabinet Office. It does a reasonably good job of explaining business continuity in a nearly plain English way, simplifying or removing jargon. You can buy it on Amazon here or you can download a sample chapter on Quick Wins from the UK Government website here
- Official UK Government guidance – UK Government website – Preparing for Emergencies – provides a good overview on preparing your business for emergencies, as well as links to insurers, 10 minutes Business Continuity plans, business health checks and guidance on cyber security
- Mist of Management.net (shameless plug!) – Has a number of articles on resilience planning including Preparing your business for emergencies and disruption (including Coronavirus)
- The Business Continuity Institute – the lead institute for Business Continuity practice and practitioners in the UK. The institute offers a range of training and guidance documents that can be purchased through the website, as well as a list of institute Members recognised as qualified practitioners by the Institute (not all practitioners are members). You can also download a free copy of the Good Practice Guidelines (Lite Edition) here
- Local Councils – All local Councils have a duty to provide local businesses with advice and guidance on business continuity to help prepare them for disruption, although this varies greatly from one council to another – you can find your local council here. Searching for Business Continuity or Emergency Planning on your council webpage should find you more information. Councils should also have a Community Risk Register that identifies the risks to the local area and community
- The British Standards Institute, ISO 22301 – The International Standard for Business Continuity Planning. The website provides links to recent research, basic guidance on the Standard, self-assessment checklists for free. The full standard and guidance are available for purchase, as well as training courses, professional support, professional audits and official certification
- BCI Horizon Scan Report 2020 – provides a review of the risks that could affect the UK and businesses. Primarily written for resilience professionals, it provides a great deal of information that can help you to identify the sorts of risks your business or organisation may face, from physical disasters through to lack of qualified staff and ICT disruption.
Wikipedia, 2004, Business Continuity Management, available online at: https://en.wikipedia.org/wiki/Business_continuity_planning (viewed 11/04/2020)
Sterling et al, 2012, ‘Business Continuity for Dummies’, UK Cabinet Office, John Whiley and Sons Ltd, Chichester, UK
BSI, 2016, Introducing ISO 22301: Business Continuity Management – Minimize risk and protect your business, The British Standards Institute
Business Continuity Institute, 2018, BCI Good Practice Guidelines, 2018 Lite Edition: Highlights of the global guide to good practice in business continuity, Business Continuity Institute, UK
UK Cabinet Office, 2018, Preparing for Emergencies – Guidance, UK Government website, available online at: https://www.gov.uk/government/publications/preparing-for-emergencies/preparing-for-emergencies (viewed 13/04/2020)
Business Continuity Institute, 2020, BCI Horizon Scan Report 2020: An examination of the risk landscape for resilience professionals, The BCI, UK, available online at: https://www.bsigroup.com/localfiles/en-gb/iso-22301/resources/bci-horizon-scan-report-2020.pdf (viewed: 13/04/2020)