ME PoV Spring 2018 issue
A different perspective
Business Continuity Management (BCM)—the ability of an organization to maintain essential functions during, and after a disaster has occurred—should not be perceived as a compliance requirement only. When properly implemented, it is a system that not only affects strategy, but also protects all the processes of high value to the organization.
Imagine being able to focus solely on your organization’s strategic growth without having to worry about external threats. Global financial crises, political tension, pandemic outbreaks, terrorism, cyber-attacks and natural hazards have become part of the business lexicon regardless of sector or location and have increased the level of uncertainty and fear that now govern many businesses.
Organizations around the world are now recognizing the importance of a Business Continuity Management system to help them navigate turbulent waters, as well as its effectiveness as a first step towards Organizational Resilience—the ability of an organization to anticipate, prepare for, and respond and adapt to incremental change and sudden disruptions in order to survive and prosper.
The Gulf countries in particular have started to develop tailor-made standards in alignment with the International Organization for Standardization (ISO)—such as NCEMA 7000-2015 in the United Arab Emirates (UAE) and SAMA BCM Framework 2017 in Saudi Arabia—and implementing them across government entities, especially critical national infrastructure, effectively creating an immune system protecting the country’s reputation and the safety of its population.
The question that often arises is: why invest so much effort and time in a system perceived as corrective and that requires a significant amount of resources, not only to implement but to keep running?
Three compelling reasons
While it is true that a functional and effective Business Continuity Management system will require ongoing time and effort, especially from top management, past experience has shown that incidents can, and will occur at any time and probably when least expected. Organizations should understand the critical operations driving their business, and their respective vulnerabilities, in order to develop the right strategies and ensure continuity, stability and business sustainability. There are various key organizational benefits to business continuity within the organization:
- Overview of the time-critical activities and the threats landscape
The two pillars of an effective business continuity management system are the Business Impact Analysis (BIA) and the Threat Risk Assessment (TRA.) BIA consists of providing detailed information about the minimum requirements (in terms of facilities, personnel, equipment, dependencies, vital documents and technology) of every activity deemed time-critical. TRA presents an in-depth analysis of the threats that could have a drastic impact on the organization and the likelihood of it happening. This analysis phase provides an overview of the organization’s critical activities and resources and helps evaluate recovery priorities and assess any threat leading to business disruption.
In addition, this analysis helps top management better understand the functionality of the organization and reconsider what actually are its time-critical activities and resources in order to develop an accurate and comprehensive investment strategy.
- Enhance image and confidence of stakeholders
Communication during a crisis is a key element to recover and maintain a good reputation. As part of the BCM system, Crisis Communications, by the right person at the right time and through the right channels, are essential to address the interested stakeholders and prevent rumors or leaks of confidential information. A business continuity plan will define the communications flow and assign the various roles of who will contact employees’ families, address the media (and what to say,) notify interested parties, as well as how employees will act under media pressure. An effective Business Continuity framework helps address the different stakeholder concerns in a confident manner to provide the required assurance and help build the trust relationship through each phase of the response and recovery by conveying the accurate information to the relevant sources. As a result, organizations will benefit from a strong brand and image that reflects the confidence and skill of top management to overcoming the unexpected.
- Return on investment even without any crisis occurring
Implementing recovery strategies is imperative to a successful Business Continuity Management system, but it is also an expensive part, due to the required investment of time, money and technology. However, without well-defined and tested strategies, recovering the resources during a crisis—whether the impact is on personnel, equipment, technology or supply chain—will exponentially increase the cost, as compared with a preventive recovery strategy, due to the short notice and the urgency of investment in previously untested strategies that may turn out to be ineffective. In addition, establishing a Business Continuity Management system will either lower the organization’s insurance cost or allow it to upgrade to premium policies without additional cost. A joint survey by the British Insurance Brokers’ Association (BIBA) and the Cabinet Office revealed that a large proportion of insurers (83.3 percent) “would provide a discount or improved insurance terms to a business interruption policy if a business continuity plan were in place.”
Every organization needs a source of assurance, especially for the external stakeholders, in order to grow and survive. The importance of business continuity resides in providing effective recovery strategies and a strong brand image, facilitating the strategic objective of achieving a resilient organization. Once Business Continuity is established, unlimited options to maintain and improve the system are available to reach the required maturity level and drive the organization towards resilience. One of the most effective solutions would certainly be automation: reducing human effort and human error to a minimum by keeping the system accurately up-to-date.
by Ziad El Haddad, Principal, and
Naji Zoghbi, Business Analyst, Risk Advisory, Deloitte, Middle East