Business continuity management entails defining business continuity (the continuity of business systems) well in advance of any disaster or attack. It also entails setting up IT and business systems to deal with unexpected extreme events such as fires, floods, or earthquakes. These events can be devastating: they can take down entire computer systems, render applications useless, or even leave a company insolvent. Companies that rely on IT infrastructure for their business must therefore have contingency plans in place to deal with these types of disasters. One way to do this is to establish a board called the Business Continuity Management Board (BCM).
The Business Continuity Management Board is the chief authority in charge of implementing business continuity plans. It is made up of senior management and key executives from various departments and teams. The members of the BCM meet quarterly and are responsible for synchronizing resources across the organization and for coordinating the plans and documents needed to put those plans into effect.
The board can also keep an institution's operations running while its employees are off duty.
It can also protect an institution's normal operations from viruses or intrusions, and it can keep the institution's IT systems functional during a natural disaster or cyber attack.
The Business Continuity Management Board (BCM) uses a set of standard risk management and response procedures based on the ISO 27002 toolkit standards, the same standards used for board portal software. The toolkit consists of four elements: a threat analysis, an incident response plan, a procedure for corrective action, and a control plan. Based on this standard, the BCM customizes policies and procedures that address specific threats and the corresponding events. The plan can also include contingency plans for incidents not covered by the policy or procedure manual.
One of the most critical components of the BCM's work is disaster-recovery planning. This element covers both natural disasters and cyber attacks. In addition to preparing for disasters, business continuity professionals should conduct regular risk assessments to evaluate and improve how the organization manages its risks. These assessments should be conducted for each major disaster that affects the enterprise.
Business continuity professionals can further improve their ability to respond to disasters by enhancing the resilience of the enterprise. Resilience is the ability of a system or physical facility to continue working after an emergency or another catastrophic event has occurred. A firm's resilience is measured by its ability to continue operating despite severe weather, computer viruses, and other external threats. A good measure of resilience is whether key employees can continue working after a natural disaster or emergency. Once an emergency or disaster has occurred, it is imperative that the employees most vital to the business's continued operations take the lead in emergency preparedness and response.
An important component of a business continuity plan is the business impact analysis.
This section assesses the potential loss from a disaster or major incident at the enterprise level. Its purpose is to allow the planning and selection of appropriate actions for remediation and recovery. The impact assessment considers the loss of company assets, the loss of future revenue, and the loss of service to key employees.
A business impact analysis should identify all critical assets and determine which of them are most vulnerable during an emergency. Based on the vulnerable assets identified, the plan sets out the protocols and procedures for mitigating the damage to those assets and recovering them. One of the primary methods of recovery is event sequence management (ESM), whose objective is to systematically restore key business operations following a disastrous event. Other methods of recovery include restoring the affected data from backup tapes, restoring non-volatile data storage devices such as floppy disks, tape drives, or CDs, and restoring software applications.