Skip to main content

Business Continuity Framework: Developing a Process to Protect Your Organization

Does your organization have a resilient BC Framework?

In the wake of the recent unforeseen global pandemic, organizations have become more aware of the impact that many unforeseen disruptive events such as natural disasters, cyber-attacks, pandemics, and civil disturbances have on critical operational functioning. As the threat landscape continues to evolve, organizations must demonstrate not only business and operational resiliency but also the ability to adapt quickly to dynamic events that can stress existing plans.

It is vital for organizations to build and maintain a structured Business Continuity (BC) Framework to ensure operational resilience, which include three basic elements. The framework begins with a comprehensive Threat and Risk Assessment that considers potential threats from a 360° perspective. Fully cataloging risks is crucial to planning how your business can react during a crisis.  Next, it is important to conduct a comprehensive Business Impact Analysis (BIA) that identifies all critical business processes and systems and interdependencies across the enterprise.  Finally, as part of a thorough business continuity planning process, custom-tailored recovery strategies must be thoughtfully developed, deployed, and tested to guarantee continuity when a disruption materializes.

BC Framework

Business Continuity Management (“BCM”) groups must implement and maintain a documented framework for Business Units (“BU”) to evaluate their business processes in terms of Business Continuity risks and planning requirements. This framework requires BUs to identify and assess disruptive business risks and the impacts of those risks to the organization, its clients, and potentially industry. When documenting the BC Framework, the following components must be considered and evidenced including:

  • Business Continuity Threat and Risk Assessment
  • Business Impact Analysis
  • Recovery Strategies to manage disruptive events

 

Business Continuity Threat and Risk Assessment

Business Continuity Threat and Risk Assessments provide the basis for BUs to determine vulnerabilities of their critical business processes to different drivers of disruptions (“Threats”). Common impacts as the result of an event include the premises being inaccessible, regional power outage, unavailability of personnel, loss of supplier, and technology failure. The types of threats include:

  • Geopolitical - The impact of international political behavior through geographic variables.

  • Security - Security risks including cybersecurity.

  • Environmental - Weather events and other naturally occurring disruptions.

  • Local Infrastructure - Stability and availability of local utilities and other supplies.

  • Emerging Risks and Technologies - Newly developing or changing risks or technologies that could have a major impact on an organizations industry.

To help safeguard from disruptions, a Threat Analysis is performed to assess and assign risk likelihood and to estimate impacts and costs. Results are often graphed in a Threat Analysis Matrix displayed in a simplified form below:

Particular emphasis should be given to low probability, high impact, catastrophic events (Black Swan), and predictable, low impact events (Routine).

Business Impact Analysis

A BIA is an assessment and prioritization of business functions and processes in a BC Plan that identifies the potential impact of business disruptions arising from a disruptive event. It should be documented in the BC Framework to support business-critical processes and include the following steps and considerations:

  • Process Taxonomy that identifies and analyzes mission critical processes, systems, equipment, and records.
  • Interviews with key personnel in each BU.
  • Development of an Enterprise or BU wide analysis to ensure interconnectivity and consistency throughout the organization.
  • Estimate of disruptions to processes, downtimes, and associated costs.
  • Consideration of industry-wide impacts on suppliers and customers as well as regulatory requirements.
  • Prioritization (tiering) of critical processes, roles, and systems.

Recovery Strategies to Manage Disruptive Events

The BC Framework should include approved recovery strategies, developed as part of a BC Plan, that the organization and BUs use to mitigate the impacts of a disruptive event. Recovery strategies selected must be consistent with the outcome of the BC Plan, Threat and Risk Assessment, and BIAs. The BCM Team will coordinate with key partners as the affected BUs invoke their recovery strategies during the event. The recovery strategies selected should be appropriate for the BU and address a range of impacts of varying severity and duration.

BUs must identify and prioritize their short-term functional requirements for short-term outages (i.e., impact of the event lasts five days or fewer). BUs must also document functional requirements to operate the business critical functions during extended outages (i.e., impact of the event lasts more than five days, potentially up to several months). If the organization experiences a disruptive event with the potential to become an extended outage, BCM groups should coordinate with key partners at the organization-level and the BUs as the disruptive event evolves.

Remote

REPs login and work remotely using a virtual machine (or a production virtual machine where deployed). If an employee logs into their non-virtual production machine from home, this does not qualify as Remote strategy.

Dedicated

Pre-Installed and existing seating which is configured to BUs requirements and is generally vacant until invocation of the BU's BC Plan.

Displacement

Space occupied by Non-Critical Personnel who will be displaced by an incoming BU during invocation of the BU’s BC Plan. Displacement requires a predetermined agreement between the staff members that are displacing a group and the group being displaced.

On Demand

Common space (e.g., cafeteria, conference rooms) that has been pre-cabled to enable PC/laptop installation, post a BC Event.

Transference

Recovery Strategy that moves a business process from an impacted area to an alternate, non-impacted area staffed with Personnel that the BU has trained and provisioned to conduct that process.

Reserve

A backup in the same Functional Group as a REP who has defined recovery strategies. The backup can assume the REP’s defined recovery strategies during an event.

Sia Partners Approach

Sia Partners focuses on actionable strategies aimed at safeguarding against disruptive events. We facilitate coordination among our clients’ business units, teams, and leadership to develop a robust and resilient BC Framework.

Sia Partners performs a multi-phased process for our clients to develop their BC Framework. Our approach is as follows:

A well thought out BC Framework is instrumental to ensuring your business can operate successfully through disruptions.  Sia Partners offers a comprehensive program to bolster your framework and Operational Resilience program.

Capability