Business Continuity and Risk Management: Essentials of Organizational Resilience
Ebook, 753 pages, 7 hours


About this ebook

Written by Scribd Editors

There are many career possibilities in the fields of business continuity and risk management. To prepare students for these careers, Kurt J. Engemann and Douglas M. Henderson created a comprehensive textbook called Business Continuity and Risk Management: Essentials of Organizational Resilience.

The authors of this textbook have years of experience within the field. Using clear and concise language, they explain the basic concepts and main ideas in a way that students can easily grasp and apply.

Chapters in this book include:

  • Fundamentals of Business Continuity Management
  • Business Continuity Management Organization
  • Business Impact Analysis
  • Risk Assessment
  • Strategy Development
  • And so much more

Business Continuity and Risk Management is a state-of-the-art textbook that includes extensive downloadable instructor resources. Enjoy development training, slides, syllabi, a test bank, discussion questions, and case studies. With this comprehensive textbook, your students have the foundation they need to pursue a wide variety of careers within the fields of business continuity and risk management.

Language: English
Release date: Oct 1, 2014
ISBN: 9781931332897
Author

Kurt J. Engemann

Kurt J. Engemann is the Director of the Center for Business Continuity and Risk Management and Professor of Information Systems in the Hagan School of Business at Iona College. He has consulted professionally over the past thirty years in the area of risk management decision modeling for major organizations and has been instrumental in the development and implementation of comprehensive business continuity management programs. Dr. Engemann is a Certified Business Continuity Professional (CBCP) with the Disaster Recovery Institute International. Professor Engemann is the editor-in-chief of the International Journal of Business Continuity and Risk Management and the International Journal of Technology, Policy and Management. He teaches courses in the areas of Business Continuity and Risk Management, Systems Analysis and Design, Operations Management, Statistics and Decision Analysis. He has a PhD in Operations Research from New York University and has published extensively in the area of risk management and decision modeling. Professionals from a number of Wall Street banking firms and Fortune 500 companies attend his graduate courses in business continuity and risk management.


    Business Continuity and Risk Management:

    Essentials of Organizational Resilience

    By

    Kurt J. Engemann,PhD, CBCP

    Douglas M. Henderson, FSA, CBCP

    ISBN 9781931332545 (Softback)

    ISBN 9781931332736 (PDF)

    ISBN 9781931332897 (EPUB)

    Rothstein Associates Inc., Publisher

    Brookfield, Connecticut USA

    www.rothstein.com

    Business Survival Weblog: Business Continuity for Key Decision-Makers from Rothstein Associates at www.rothstein.com/blog

    Copyright © 2012, by Kurt J. Engemann and Douglas M. Henderson

    All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form by any means, electronic, mechanical, photocopying, recording or otherwise, without express, prior permission of the Publisher.

    No responsibility is assumed by the Publisher or Authors for any injury and/or damage to persons or property as a matter of product liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein.


    Library of Congress Control Number (LCCN) 2011933801

    PUBLISHER:

    Philip Jan Rothstein, FBCI

    Rothstein Associates Inc.

    The Rothstein Catalog on Disaster Recovery

    4 Arapaho Rd.

    Brookfield, Connecticut 06804-3104 USA

    203.740.7444

    203.740.7401 fax

    info@rothstein.com

    www.rothstein.com

    Keep informed of the latest business continuity news. Sign up for Business Survival Weblog: Business Continuity for Key Decision-Makers from Rothstein Associates at www.rothstein.com/blog

    Foreword

    As a business continuity professional serving New York’s Wall Street firms, I have been an active part of how the profession has evolved. Not that long ago, business continuity was viewed as an afterthought by many organizations - a form to complete and a box to check off. The defining moment, however, for me and many senior managers now leading business resiliency and risk programs in major corporations - as well as our firms’ senior leaders - was the crucible of the World Trade Center disaster – September 11th. This unimagined tragedy of unimaginable proportions taught us that no threat is impossible. Planning and preparation for both the possible and impossible, we learned, are essential for any organization.

    Many of us learned business continuity and risk management by doing it, strengthened along the way by a growing international body of experience and knowledge drawn from practitioners and academicians. Kurt Engemann and Douglas Henderson have made a fundamental contribution with their focus on resiliency issues. In an open source format, they have assembled a core curriculum spanning a discipline that traditionally took major portions of a career to experience and understand. A blend of theory, common sense, best practice and cases, this versatile textbook provides a structured learning tool and encyclopedic reference guide for business continuity and risk management students, teachers, practitioners, and executives.

    One of my favorite chapters focuses on awareness and exercises. In March 2001, at the Wall Street firm where I headed Business Continuity at the time, we completed a major disaster recovery exercise for a scenario covering the complete loss of our primary data center near the World Trade Center. This scenario and much worse was realized six months later. On that day our preparation and exercises rewarded us with the restoration of key information processing capabilities at a backup location in just over two hours. Through resilient operations and people, these efforts played a key role in helping restore basic functionality to the markets and the financial services industry affected by 9-11.

    No one can foresee the future. But I believe that this can be no excuse for lack of preparation, management support or exercises that improve awareness and continuously sharpen our organizational and technical response to adversity. We repeatedly experience the unimaginable - whether Mumbai terror attacks, tornado clusters, earthquakes or tsunamis. Crises will continue to arise, as will our need to understand and practice the essentials of organizational resilience.

    Roseann McSorley

    Managing Director

    Global Business Resiliency Head

    JPMorgan Chase & Co.

    New York City

    Note: The writer is not necessarily representing the views or opinions of JPMorgan Chase & Co.

    Foreword

    Business Continuity Management has been around for the best part of 30 years through its antecedents in Disaster Recovery and Emergency Preparedness. Arguably Risk Management has an even longer pedigree given its evolution from insurance and loss control. Together they form the backbone of how a business or public body protects itself from threats and hazards of all types.

    Given their importance in an increasingly risky world and their relative maturity as business disciplines, it is strange that little has been done to structure the subject in a way that is accessible to students and the wider academic community. Most relevant books and professional journals are targeted at either the professional practitioner or those with general interest in the topic. What has been missing is a college core textbook that covers the basic body of knowledge for aspiring students wishing to gain academic qualifications en route to a professional career in Business Continuity or Risk Management.

    This new book by Kurt Engemann and Douglas Henderson does much to redress this deficiency in our arsenal of published literature. Written at a level which is very comprehensive but still easily readable it provides a route-map through the terminologies, methodologies and philosophies of the subject. It is impossible to define the subject matter as precisely as many would like; there are many sources of good practice and national standards circulating globally and many competing views about what constitutes best practice. There are even many debates about the intrinsic nature of BCM and Risk. Are they really about Regulation and Compliance or are they about the improvement of Organizational Resilience? Some might argue they are about both.

    Given these still unanswered questions, Engemann and Henderson have given us a fair picture of the state of the art and one in which most subject matter experts could feel reasonably comfortable. They have combined the formal coverage of traditional topics like Business Impact Analysis and Strategy Development with some strong content particularly suitable to those set on a career in Risk Management. Their treatment of Risk Modeling as a specialized area in the book is challenging and interesting. Although not all will want to delve too deeply into the theoretical basis for such techniques, the Chapter on Probability and Statistics makes enlightening reading for those who do.

    Alternatively, for those of a more practical bent, the range of case studies included is informative and provides ample evidence of the value and importance of the topics covered and their application. As Technical Director at the Business Continuity Institute, one of my specific duties is to encourage the inclusion of BCM as a serious topic in graduate and masters business programs. I believe this book will form a cornerstone of many such programs and I look forward to it facilitating the discussions I plan to have with many academic bodies in the coming months and years. The Business Continuity Institute welcomes this book and wishes the authors well in their efforts to engage with both the business and academic communities in a language that both will understand.

    Lyndon Bird, FBCI

    Technical Director and Board Member

    The Business Continuity Institute

    Foreword

    Businesses can be interrupted and destroyed by a number of threats – manmade and natural. Engemann and Henderson have done something about it with this book. For years, Business Continuity Planning Professionals have passionately attempted to address these issues, often working with knowledge gained from years of experience, trials, failures and limited resources.

    Kurt Engemann and Doug Henderson decided to actively recruit talented learners into the field through their research, experience with real clients, writing and the graduate certificate program at Iona College. In this book, they provide the facts and examples on which decisions should be made, not knee-jerk reactions to crises, but researched, professional practices that produce informed decisions prior to, during and following a business interruption or crisis. The book cements the notion that BCP professionals will achieve greater success if they collaborate with external resources.

    The integration of NIMS and ICS into the private sector has been the hallmark of my professional practice, and Engemann and Henderson endorse this practice.

    This is a book that will inform the novice, support the expert and enhance every business continuity planner’s efforts to create a resilient organization. The book is well organized as an instructional tool, a reference guide, and as a toolkit for practitioners. The outlines provided in the Appendices are worth the price of the book. Students at both the undergraduate and graduate levels will find what they need to build a strong foundation for business resiliency, regardless of the nature of the business career they seek.

    Adult learners, and those already BCP practitioners, will find solid support and proven practices to enhance and improve their work. Most of all, an executive, a student, or a practitioner who absorbs the content of this book will be better prepared to function in a field where preparedness is absolutely essential. This book will serve you well in your education and practice.

    Dr. Thomas D. Phelan

    Program Director

    Emergency and Disaster Management and Fire Science

    American Public University System

    Brief Contents

    Copyright

    Forewords

    Preface

    About the Authors

    Chapter I: Fundamentals of Business Continuity Management

    Chapter II: Business Continuity Management Organization

    Chapter III: Business Impact Analysis

    Chapter IV: Risk Assessment

    Chapter V: Strategy Development

    Chapter VI: Disaster Recovery for Information Technology

    Chapter VII: Information Systems Security

    Chapter VIII: Emergency Response

    Chapter IX: Enhancing Coordination with External Agencies

    Chapter X: Business Continuity Plan

    Chapter XI: Crisis Communication

    Chapter XII: Crisis Information Management Systems

    Chapter XIII: Sustaining Organizational Resilience

    Chapter XIV: Fundamentals of Probability and Statistics

    Chapter XV: Statistical Applications in Risk Management

    Chapter XVI: Simulation Modeling and Supply Chain Risk

    Chapter XVII: Risk and Decision Modeling

    Case Study A: Alpha Investment Services

    Case Study B: Beta Widget Makers

    Case Study C: Supply Chain Analysis

    Case Study D: Sample Risk Assessment

    Case Study E: Phased Pre-Positioning of Employees

    Case Study F: Tabletop Exercise

    Glossary

    Appendices

    Index

    Table of Contents

    Copyright

    Forewords

    Preface

    About the Authors

    Section I: Development

    Chapter I: Fundamentals of Business Continuity Management

    Objectives

    Business Continuity and Risk Management

    BCM Responsibility

    BCM Development Process

    Project Management

    Professional Standards

    Professional Terminology

    Information Technology and Business Continuity

    Green BCM

    Review Topics

    Case Studies

    Bibliography

    Chapter II: Business Continuity Management Organization

    Objectives

    Overview of BCM Organization

    Key BCM Individuals and Groups

    Review Topics

    Case Studies

    Bibliography

    Chapter III: Business Impact Analysis

    Objectives

    Organization Objectives and Business Impact Analysis

    Recovery Time Objective

    Recovery Point Objective

    Operations

    Interdependencies

    Single-Point-of-Failure

    Support Infrastructure and Physical Environment Requirements

    BIA Provides Direction for BCM

    Review Topics

    Case Studies

    Bibliography

    Chapter IV: Risk Assessment

    Objectives

    Risk

    Threat Identification

    Controls Identification and Evaluation

    Event Probability Estimation

    Impact Estimation

    Risk Measure Evaluation and Risk Prioritization

    Risk Treatment

    Review Topics

    Case Studies

    Bibliography

    Chapter V: Strategy Development

    Objectives

    Developing Strategies

    Selecting Strategies

    Specific Strategies

    Implementing Strategies

    Review Topics

    Case Studies

    Bibliography

    Chapter VI: Disaster Recovery for Information Technology

    Objectives

    Overview of Disaster Recovery Planning

    IT Alternate Site

    IT Alternate Site Provider

    IT Alternate Site Location

    Data Center Controls

    Data Center Recovery

    Information Management

    Information Security

    Review Topics

    Case Studies

    Bibliography

    Chapter VII: Information Systems Security

    Objectives

    The Control Environment

    Information Systems Auditing Considerations

    Information Technology and Security Considerations

    Conclusion

    Review Topics

    Bibliography

    Section II: Implementation

    Chapter VIII: Emergency Response

    Objectives

    Emergency Response Overview

    Pre-Crisis Activities

    Actions during the Pre-Strike Phase

    Actions during the Strike Phase

    Interfacing with Civil Authorities

    Review Topics

    Case Studies

    Bibliography

    Chapter IX: Enhancing Coordination with External Agencies

    Objectives

    External Relations Overview

    External Relations throughout the Four Phases: Overview

    Opportunities to Develop Relationships in the Mitigation and Preparedness Phases

    External Relations throughout the Four Phases

    State and Local Government Agencies

    Non-Government Organizations (NGOs)

    Review Topics

    Bibliography

    Chapter X: Business Continuity Plan

    Objectives

    Business Continuity Plan Overview

    BCP Objectives

    Organization

    Requirements

    Strategies

    Activation

    Actions

    Communication

    Maintenance

    Review Topics

    Case Studies

    Bibliography

    Chapter XI: Crisis Communication

    Objectives

    Crisis Communication Overview

    Crisis Communication Team

    Media Communication

    Systems and Equipment – Key Features

    Systems and Equipment – Evaluation

    Crisis Communication Procedures and Protocols

    Review Topics

    Case Studies

    Bibliography

    Chapter XII: Crisis Information Management Systems

    Objectives

    Systems for Crisis Information Management

    Information Management during Crisis

    How Information Technology is Used

    Social Media In Crisis Communications

    Institutional Initiatives

    Review Topics

    Bibliography

    Section III: Maintenance

    Chapter XIII: Sustaining Organizational Resilience

    Objectives

    Making BCM Effective

    Awareness and Training

    Testing and Exercising

    Maintaining and Updating

    Review Topics

    Case Studies

    Bibliography

    Section IV: Risk Modeling

    Chapter XIV: Fundamentals of Probability and Statistics

    Objectives

    Fundamentals of Probability and Statistics

    Graphical Presentation of Data

    Stem and Leaf Plot

    Frequency Distributions

    Measures of Central Tendency

    Measures of Dispersion

    Basic Probability Concepts

    Discrete Probability Distributions

    Continuous Probability Distributions

    Review Topics

    Bibliography

    Chapter XV: Statistical Applications in Risk Management

    Objectives

    Forecasting Techniques

    Regression Analysis

    Maintenance Modeling

    Reliability Modeling

    Review Topics

    Bibliography

    Chapter XVI: Simulation Modeling and Supply Chain Risk

    Objectives

    Introduction

    Case 1: Supply Chain Analysis

    Case 2: A Three Tier Supply Chain

    Conclusions

    Review Topics

    Bibliography

    Chapter XVII: Risk and Decision Modeling

    Objectives

    Introduction

    Decision Making Environments

    Decision Making under Certainty

    Decision Making under Risk

    Decision Making under Uncertainty

    Other Decision Making Models under Uncertainty

    Recent Approaches

    Other Decision Making Models

    Dealing with Imprecise Information

    Decision Making under Uncertainty and Imprecise Information

    Review Topics

    Bibliography

    Section V: Case Studies

    Case Study A: Alpha Investment Services

    Operations

    Resource Requirements

    Information Technology

    Revised Recovery Time Objectives

    Crisis Communication

    Case Study B: Beta Widget Makers

    Operations

    Resource Requirements

    Information Technology

    Revised Recovery Time Objectives

    Crisis Communication

    Case Study C: Supply Chain Analysis

    Supply Chain Analysis

    Case Study Questions

    Bibliography

    Case Study D: Sample Risk Assessment

    Introduction

    Risk Analysis

    Risk Assessment Illustration

    Probability

    Expected Disruption

    Impact

    Risk Evaluation

    Review Topics

    Bibliography

    Case Study E: Phased Pre-Positioning of Employees

    Objectives

    Employee Release Groups

    Plan of Action

    Review Topics

    Bibliography

    Case Study F: Tabletop Exercise

    Tabletop Exercise Overview

    Alpha Investment Services Tabletop Exercise

    Beta Widget Makers Tabletop Exercise

    Section VI: Additional Information

    Glossary

    Appendices

    Appendix A: Organizational Functions

    Appendix B: Disaster Assistance Plan

    Appendix C: Building Fortification

    Appendix D: Pandemic Outbreak Planning and Response

    Appendix E: Emergency Operations Center (EOC)

    Appendix F: Evacuation Procedures

    Appendix G: Shelter-in-Place Procedures

    Appendix H: Hurricane Preparation Steps

    Appendix I: Tornado Preparation Steps

    Appendix J: Severe Winter Storm Preparation Steps

    Appendix K: DHS Advisory Code System

    Appendix L: Assigning Actions by Department

    Appendix M: National Weather Service Terms

    Appendix N: Seismic Terms

    Index

    Preface

    Objective

    The viability of an organization can be seriously challenged by a disaster. Numerous recent events have focused attention on the need to be prepared for such events. The objective of this text is to provide a comprehensive study of the critical field of business continuity and risk management with particular emphasis on decision making using a holistic approach. The coverage of the book is derived from the growing body of knowledge of practical methods, experiences and research to lead an organization in the process of systematic decisions to protect people, the environment, assets and operations from disastrous events.

    Because business continuity and risk management often deals with events that are improbable, analyzing these risks is challenging. Risks come in many varieties, and there is a growing concern and associated effort for organizations to respond to the challenge. Organizational resiliency can be accomplished through an effective program in business continuity and risk management based on an understanding of risk methodologies and technologies.

    This book can serve as a primary text in an undergraduate or graduate level course that focuses on business continuity and risk management or as a supplemental text in a closely related field. Business students majoring in any concentration, including operations, information systems, management science, finance, accounting, marketing, human resources, management and international business will find the material both interesting and useful. In addition, emergency management students and management engineering students will also find this book very valuable.

    A wide range of educational and training needs are addressed by the book. In addition to being a text for college courses, this book is also intended for use in professional training programs and as a self-study manual.

    Contents

    The main portion of the book is divided into the sections entitled: Development, Implementation, Maintenance, and Risk Modeling.

    Section I: Development

    Chapter I: Fundamentals of Business Continuity Management overviews the essential components of business continuity and risk management.

    Chapter II: Business Continuity Management Organization analyzes the organizational structure that needs to be in place to effectively prepare for, respond to and recover from a crisis event.

    Chapter III: Business Impact Analysis determines the importance of the organization’s activities by assessing the impact over time of their interruption and establishes continuity and recovery objectives.

    Chapter IV: Risk Assessment examines threats and prioritizes planning by assessing the likelihood of events and their potential impact on critical functions.

    Chapter V: Strategy Development examines strategy identification, selection and implementation necessary for an organization to effectively respond to a crisis event.

    Chapter VI: Disaster Recovery for Information Technology examines alternate site selection, data center controls, information management procedures and information technology principles to provide continuation and recovery of the systems and communication capabilities of an organization.

    Chapter VII: Information Systems Security reviews security controls and auditing considerations and applies these concepts to various information technology applications.

    Section II: Implementation

    Chapter VIII: Emergency Response defines the immediate actions taken during a crisis event with the prioritized objectives of life-safety, environmental protection and asset protection.

    Chapter IX: Enhancing Coordination with External Agencies examines how an organization should interface with external agencies during disaster mitigation, preparation, response and recovery phases.

    Chapter X: Business Continuity Plan discusses the central plan documentation that defines continuity and recovery procedures for crisis events.

    Chapter XI: Crisis Communication investigates the importance of emergency communication, media communication plus the devices and systems used to conduct crisis communication.

    Chapter XII: Crisis Information Management Systems reviews the role that information systems play in the process of managing emergency information before, during and after an event.

    Section III: Maintenance

    Chapter XIII: Sustaining Organizational Resilience discusses the importance of awareness and training, testing and exercising, and maintaining and updating to ensure that plans remain operable and current.

    Section IV: Risk Modeling

    Chapter XIV: Fundamentals of Probability and Statistics develops a foundation in probability and statistics that is very useful in business continuity and risk management.

    Chapter XV: Statistical Applications in Risk Management explores forecasting techniques, regression analysis and reliability modeling.

    Chapter XVI: Simulation Modeling and Supply Chain Risk examines simulation modeling in business continuity and risk management with application to supply chain analysis.

    Chapter XVII: Risk and Decision Modeling examines decision making techniques under risk and uncertainty.

    Case Studies and Discussion Topics

    Several case studies are incorporated in the book to provide a practical application of the material. The case studies are designed to enhance the connection between business continuity and risk management concepts and practical applications. Two of these case studies are examined throughout the book, providing a comprehensive view of business continuity management.

    In addition to the case studies, review topics are presented at the end of each chapter. These review topics examine the primary subjects covered in the chapter. There are also discussions embedded within the text of several chapters that relate business continuity principles to practical application.

    Application

    This book is designed to be used in a variety of courses and its modular design allows for the inclusion of topics based upon the objective of each course.

    Sections I, II and III comprise the core material for an introductory course focusing on the basics of business continuity management. The inclusion of Chapters VII and XII in a course is dependent on the extent to which the foundational material is to be enhanced with a more comprehensive coverage of information systems. Likewise, Chapter IX extends coverage of emergency management beyond the basic level.

    Section IV may be included in a course if a more comprehensive approach that includes risk modeling is the intent.

    Supplementary Materials

    Instructor Resources are available including: PowerPoint presentations, discussion - suggested solutions, review topics - suggested solutions, case studies - suggested solutions and a test bank. Contact the Publisher at info@rothstein.com for details.

    Contributing Authors

    Shoshana S. Altschuller, PhD

    Daniel P. Iradi, JD

    José M. Merigó, PhD

    Holmes E. Miller, PhD

    Donald R. Moscato, PhD, CDP

    Ore A. Soluade, PhD

    Conclusion

    We hope that our text provides a solid foundation for and appreciation of the importance of business continuity and risk management.

    Kurt J. Engemann, PhD, CBCP

    Douglas M. Henderson, FSA, CBCP

    September, 2011

    About the Authors

    Kurt J. Engemann is the Director of the Center for Business Continuity and Risk Management and Professor of Information Systems in the Hagan School of Business at Iona College. He has consulted professionally over the past thirty years in the area of risk management decision modeling for major organizations and has been instrumental in the development and implementation of comprehensive business continuity management programs.

    Dr. Engemann is a Certified Business Continuity Professional (CBCP) with the Disaster Recovery Institute International. Professor Engemann is the editor-in-chief of the International Journal of Business Continuity and Risk Management and the International Journal of Technology, Policy and Management. He teaches courses in the areas of Business Continuity and Risk Management, Systems Analysis and Design, Operations Management, Statistics and Decision Analysis. He has a PhD in Operations Research from New York University and has published extensively in the area of risk management and decision modeling.

    Douglas M. Henderson, President of Disaster Management, Inc., has 20 years of experience in management with major consulting firms. In August of 1992, Doug was the key associate of the Emergency Response Team for a consulting firm located in South Miami-Dade County. Inspired by the real life business experience with Hurricane Andrew and concerned about the lack of preparation within the business community, Mr. Henderson founded Disaster Management, Inc. in 1993.

    Mr. Henderson’s clients include Bombardier Capital Group, CP Ships, Discovery Channel Latin America, Intek Plastics, Kemper-NATLSCO, Professional Golfers’ Association (PGA), University of Miami, United Educators Insurance Company and numerous other organizations of all sizes. The activities he has undertaken on behalf of these organizations include conducting site inspections and writing Risk Assessment reports, Business Impact Analysis reports, Business Continuity Plans and Emergency Response Plans, and facilitating tabletop exercises.

    Mr. Henderson has a Degree in Mathematics from the University of Arizona. His professional credentials include FSA – Fellow, Society of Actuaries, and CBCP – Certified Business Continuity Professional. He is the author of the book Is Your Business Ready for the Next Disaster? and is the author of the Comprehensive Business Continuity Management Program, the Continuity of Operations Plan for Colleges and Universities, the Hurricane and Flood Plan, and several other planning templates.

    SECTION I: DEVELOPMENT

    Development begins with senior management’s commitment to a Business Continuity Management program and commitment to improve organizational resiliency. The main components of development begin with the program initiation and the allocation of resources and assignment of responsibilities. Development includes the identification and analysis of the organization’s operations, the assessment of natural and man-made threats to the organization, and the selection of the strategies needed to meet the established response, continuity and recovery objectives. Development also includes an analysis of information technology and other organization controls and exposures to manage risks.

    CHAPTER 1

    Fundamentals of Business Continuity Management

    Objectives

    » Define Business Continuity Management (BCM)

    » Define the relationship between BCM and risk management

    » Review BCM responsibilities

    » Identify BCM benefits, costs and the commitment required

    » Examine the BCM development process

    » Review the use of a project management approach within BCM

    » Review the data collection process for BCM

    » Present an overview of professional standards and terminology

    » Review the relationship between information technology and business continuity

    » Define Green BCM

    Business Continuity and Risk Management

    Planning for disasters may take a backseat to more immediate concerns, especially for a manager who considers such events improbable and who has not thought through the potential impact of being unprepared. However, a prudent manager will develop contingency plans to provide for the continuation of essential operations. Senior managers should review the criticality of the organization’s products and services to determine priorities and when operations must resume in order to avoid significant losses.

    Operations will be disrupted if one or several required resources are unavailable. The loss of a resource can result from any of several potential disasters. Identifying these possible events requires a review of all internal and external resources required to deliver an organization’s products and services.

    Planning must focus on those events that can result in significant losses. Such events are identified by comparing the expected recovery time associated with the event to the length of time operations can be interrupted before incurring significant losses.

    Alternative strategies can reduce the risk of an event. The selection of the set of alternatives to be used will depend on their respective costs and benefits. In certain cases the decision is obvious. When the selection is not obvious a cost-benefit analysis may be required.

    Business continuity refers to the actions taken to sustain and/or resume operations impacted by crisis events. Frequently the term business continuity by itself also implies recovery. Business Continuity Management (BCM) is a holistic management program that identifies potential events that threaten an organization and provides a framework for building resilience with the capability for an effective response that safeguards the interests of its key stakeholders, the environment, reputation, brand and value creating activities. Resilience is the ability of an organization to withstand the impact of a crisis event.

    Risk management consists of the processes of risk assessment, risk communication and risk treatment. Risk management and BCM are sometimes mistakenly seen as competing fields. However, risk management and BCM are strongly tied together, and viewing the fields separately is unhelpful. Risk management tends to be preventative, whereas BCM tends to deal more with consequences. Risk management processes provide important inputs for BCM and also deal with controls for risks. On the other hand, BCM goes beyond risk management to plan for the inevitable disaster. Utilizing business continuity and risk management in an integrated fashion is coherent and productive.

    There are multiple purposes for BCM. BCM is used to prevent serious disruptions, if possible, and to mitigate the impact of occurring disruptions. BCM is designed to provide safety for people and the environment, minimize the interruption of operations, mitigate damages, maintain customer service standards, maintain quality controls, reduce legal exposures and comply with regulations.

    Risk management is the foundation of comprehensive BCM and provides an analytic basis and an economic justification for decision making regarding the allocation of resources. Risk management is a continual process of decisions resulting in how risks are treated, whether accepted, avoided, reduced or transferred.

    Conceptually, risk management decisions are extremely difficult. The difficulty arises because these decisions must come to grips with the uncertainties surrounding highly unlikely events with a potentially major adverse impact upon the operation of an organization. The use of risk management for contingency planning can provide an organization with considerable savings through effective use of insurance and implementation of cost-effective loss reduction strategies.

    BCM Responsibility

    There are many challenges facing organizations regarding BCM. Communication of the benefits of BCM and similarly communication of the risk of not having a BCM program are foremost among these challenges. BCM should be partnered strategically with the organization to be most beneficial and the effectiveness of the program should be thoroughly evaluated. There is a need for regulations to ensure compliance, and likewise, there is a need for industry standards to promote widespread implementation of BCM.

    The Board of Directors is an organization’s highest management authority and has ultimate responsibility for the organization's performance. The Board of Directors must establish policies and objectives to ensure the organization’s survival and fulfillment of its mission. Law imposes strict duties on directors because they exercise control and management over the organization. Internal control is the direct responsibility of the directors and these duties apply to each director separately.

    Senior management holds specific powers conferred by the authority of the Board of Directors and has the responsibility of managing the organization. Senior management is responsible to initiate and oversee BCM to ensure the organization’s preparedness and resiliency for a broad spectrum of critical events. It is the responsibility of all employees of an organization to understand their role in BCM and to actively participate as directed.

    When money or property is managed on behalf of another party, a fiduciary responsibility is created. Although fiduciary responsibilities vary somewhat between different countries, a fiduciary is required to perform duties to the highest standards and to avoid any conflicts of interest.

    BCM Benefits

    Communication is a critical factor in obtaining support for BCM. Senior management should be made aware of the dangers of not having BCM. Examples of disasters in relevant industries are useful in establishing the necessity of BCM and obtaining support. Highlighting actual incidents that could have been disasters is also most useful.

    Comprehensive BCM offers an organization many benefits. Effective BCM decreases exposure, reduces downtime, secures assets and improves security. The process of developing BCM improves employee understanding and provides cross-functional training. Also, BCM protects markets, provides legal compliance and helps avoid liability.

    A presentation to senior management should relate BCM to the organization’s mission, explain the risks to which the organization is vulnerable, explain management’s accountability and liability and provide a foundation to develop BCM policy.

    BCM Costs

    The cost-justification of BCM is similar to the cost-justification of a good insurance policy: there is an initial outlay of a modest amount of money that will lessen the financial impact of a possible future crisis. Similar to an insurance policy, the financial benefit of BCM must be viewed from a long-term perspective. BCM is not a vehicle that will likely produce a short-term return on investment. However, as with any other venture, BCM must ultimately be cost effective to remain funded. Many of the important benefits of BCM (for example, employee goodwill and customer satisfaction) are clearly important but are difficult to measure. All of these factors contribute to the challenge of securing a financial commitment from senior management for BCM.

    The cost of establishing and maintaining BCM includes both initial and ongoing expenses related to various activities and assets, including:

    » Developing BCM analysis and documentation

    » Backup facilities and equipment

    » Organization assets dedicated to emergency response

    » Physical improvements designed to mitigate damages

    » Training programs for employees

    » Exercising the BCM program

    » Maintaining BCM documentation

    » Insurance

    BCM Commitment

    Before any program can commence and be successful, a commitment must be secured from the highest levels of the organization. Significant senior management-level participation at the corporate level is needed to oversee the program. Sufficient authority and resources have to be allocated to the BCM program for it to be successful.

    A senior executive should act as sponsor and champion of the BCM program. Management is typically aware of the need for business continuity planning but may need assistance in many aspects of project initiation and management.

    Senior management should ensure that prudent precautions are in place to prevent or mitigate a crisis, with the primary emphasis being on having the organization prepared to respond to safeguard people. Fundamentally, senior management is responsible for protecting the organization.

    Senior management needs to develop and implement a business continuity policy tailored to its needs. The organization should define a BCM policy so that all operational components have documented and exercised plans for the full range of resources required. A generic example of such a statement is: ‘We are committed to providing continuous operations for our entire organization under normal circumstances and rapid recovery from disruptive events.’

    BCM is not a short-term project that comes to completion, but rather an ongoing, continuous program. BCM should be comprehensive across the entire organization and prioritized by operational needs. To be effective, BCM should always be current and properly tested to ensure that the proper measures are taken in the event of a situation requiring BCM activation. It is necessary to develop an approach with a budget and a timeframe. Key decisions are needed to resolve several questions, as follows:

    Do we have the internal expertise to complete the program? Do we want to use the services of a consultant? The consultant may shorten the time necessary to develop the BCM program and also add much value to it.

    Which software should be utilized for the BCM program? Word processing templates come in
