Operational continuity: are we ready to face a crisis?
Is it possible to become more resilient to emergencies? How can you avoid disruption to operations and maintain business performance in the event of extraordinary events? By being prepared for even highly unfavorable circumstances, however unlikely they might appear to occur
As this year's events have sadly shown us, some variables are difficult to predict or appear decidedly unlikely, and therefore the tendency may be to neglect the possibility. The capacity of business organizations to react promptly and to continue in the production or in the supply of services, despite the spread of the pandemic, the quarantine and the closure of international borders, the difficulty of supply and export, as well as other major obstacles, has made and will make the difference between those that can overcome the moment of economic crisis and those that unfortunately will suffer the unfortunate consequences.
Business Continuity Management: a standard for reacting promptly
The discipline known as Business Continuity Management originated, almost half a century ago, as a recovery strategy in case of malfunctioning computer systems, caused by destructive events of great magnitude but low probability. The objective was to prepare resources and make the right investments to mitigate the consequences of such events, ensuring the ability to resume normal business activities in the shortest possible time.
Operating Continuity is standardized by the ISO 22301 standard, which strictly defines the parameters to design, implement, maintain and improve a safeguard system, which will allow the company to quickly face and overcome adverse circumstances, limiting damage and facilitating a rapid recovery. The standard proposes generic requirements that can be applied to different sectors and organizational types, which touch on various elements, from resource management to business processes, as well as key business assets.
The process of defining and implementing a business continuity plan
The first step consists of a precise analysis of the organization, internal needs and external demands, possibly involving all business functions responsible for the provision of services. All stakeholders potentially involved must be identified and listed and regulations that must be complied with have to be carefully evaluated. The objective is also to clearly define the general purpose of the Business Continuity Management system, which represents the true heart of the company's activities, which must be kept in motion in the event of an emergency. Critical points relating to specific processes, suppliers and customers must be identified and the impact of an interruption of operations at each juncture assessed (Business Impact Analysis), so that a detailed containment and resolution protocol can be prepared. The result, the Business Continuity Plan, will therefore consist of the company's complete strategy for reacting to critical events, articulated in alternative procedures, specific to each department, that guarantee the necessary level of operations and the return to standard conditions, with sustainable costs.
The standard for Business Continuity provides a specific hierarchical organization, with a summit that refers to a team responsible for ensuring the implementation of the measures set out in the protocol. The manager in charge may appoint additional figures in the company, with experience, roles or skills deemed useful to provide a timely response in support of the company's recovery. Dedicated resources should be allocated, to effectively enable the plan, and guidelines for communication and dissemination of precise instructions for the entire organization should be outlined. It will also be useful to make explicit criteria for measuring the success of the plan itself, in order to accurately monitor its outcome and progressively improve its effectiveness.
The difference between Risk Management, Disaster Recovery and Business Continuity
Their common goal is to protect the company from potential obstacles, but while managing risk involves an a priori assessment of the relationship between risk and opportunity and the formulation of specific strategies to mitigate the negative effects, a Business Continuity strategy involves the development of an articulated recovery plan, to be implemented in the occurrence of a disastrous event. Disaster Recovery is therefore a component of Business Continuity, specifically concerning the information technology sector. This strategy is aimed at restoring systems, infrastructure and databases following an incident, so that business activities are not interrupted or can resume the standard pace in a short time.
A complete management system includes both elements of risk management, in order to identify potential dangers and establish procedures to avoid damage before it occurs, and a continuity plan, aimed at intervening if the crisis cannot be avoided, to restore operations as soon as possible and contain losses. Business Continuity means going beyond the present and asking questions about the possibility of future survival, not only in the event of disastrous events but also with regard to the outcomes of progress. What market developments could pose a threat? What new needs, regulations, technologies could impact the supply-demand relationship in the industry? What global or environmental events will help to redesign international trade patterns?