This week’s bulletin has been provided by Gavin Watt (AMBCI), who gives some insight into the current need for business continuity in our organisations and how business continuity can be operationalised.
Over the past couple of days, I have been thinking about the past few exercises with clients I have conducted, training sessions I have delivered, and a talk I have just delivered to MSc Risk Management students. Usually, when exercises have been well received and training sessions have resulted in quality discussion from the participants looking to truly improve resilience in their organisations, you can walk away with a feeling of satisfaction.
However, this week, whilst preparing for my talk with the students, which involved the Good Practice Guidelines, I began to focus on PP6 Embedding, which made me realise how much work is still required to truly embed business continuity within many organisations. Many organisations have carefully crafted plans in place, have considered a myriad of potential risks facing their organisation or sector, and have created wonderfully designed scenarios, with complex injects requiring months of planning. These can be fantastic spectacles and can fulfil the requirements of an audit, ISO requirements, or just the need to exercise the specific team. The results can help an organisation fill gaps noted through the exercise and improve the incident team’s response. However, what about the rest of the organisation?
Often, when training differing levels of an organisation, there can be a lack of understanding of business continuity, and where it is apparent, it is often through ‘business as usual’ as opposed to knowledge, or understanding, of business continuity and what it means in their workplace. Within many organisations it is clear that many people are so busy carrying out their day jobs that there is no time to meet and discuss issues with other departments or individuals in the organisation. Where this is possible, it can allow for greater understanding of how interconnected the differing departments are. That in turn allows for a holistic approach to business continuity, with a clearer understanding of how departments work together, and why (if carried out) one department’s Recovery Time Objective (RTO) relies on another department’s ability to recover effectively following an incident.
There is the old adage that everyone who fills a role in an organisation is a risk manager and they are responsible for the risks associated with that role. The same plays out for business continuity, as all staff will ultimately be involved in the restoring of operations following an incident.
What can be clear, though, in organisations throughout the UK (and beyond) is that there appears to be clearly defined ‘ownership’ of BC and associated processes, and that the wider staff are still unaware of what business continuity is, what resilience means, and how they can be involved in the very process. It can almost be viewed through the disconnect of ‘silo risk management’ where the left hand does not know what the right hand is doing.
People are seen to be an organisation’s greatest strength, and a lot of money and time can be spent on their personal development. However, if an organisation is to successfully recover from an incident or crisis, developing further approaches to embedding business continuity can be one of the most effective decisions an organisation can make and is worth the investment.