Business Continuity Management Executive Summary

Definition of Business Continuity

A Business Continuity Management Program is a combination of operational documents (Business Continuity Plans) used by the company’s management and subject matter experts (Business Continuity Teams) to guide restoration of the company’s ability to provide goods and services after a serious or catastrophic disruption. It provides generic response guidance for all types of recovery situations. When a disruption occurs, the appropriate plans, in conjunction with input about the specifics of the disruption and the specific business drivers currently in effect, allow efficient recovery of business operations. 

Process for Attaining and Maintaining Effective Business Continuity

  1. Create a Business Continuity Management Policy endorsed by the CEO, BOD or Executive Committee, which includes definitions, descriptions and mandates for:
    1. Accountability
    2. Roles and Responsibilities
    3. Analysis
    4. Legal, Regulatory and Contractual Assessment
    5. Execution
    6. Maintenance
    7. Training
    8. Testing
    9. Audit
  2. Identify critical businesses.
    1. Define each “business segment” within the company using a logical model (by product, service, channel, market, region, class of product, etc.).
    2. Determine critical business segments within each business unit, and then prioritize all remaining segments (by gross revenue, margin, brand visibility, public health necessity, societal dependencies, key customers, contractual requirements, etc.).
    3. Reconcile each business unit’s critical business segments to create a corporate-wide critical business segments list. Understand if there are cyclic factors that can reprioritize criticality, e.g. seasonal, economic, etc.
  3. Complete a threat assessment for each critical business segment. Determine what potential threats could limit or interrupt the ability to continue to supply each critical product or service to customers at a business-as-usual level by:
    1. Identifying severity (how bad would this be), probability (how likely is this) and visibility (will we see it coming in time to mitigate the effects).
    2. Using historical information for company, industry and in general
    3. Interviewing key employees and hold focus groups.
    4. Consolidating data and having final approval done by a BC steering committee.
  4. Conduct a business impact analysis (BIA) for each critical business segment. The depth of this phase, i.e., the number of business segments that have a detailed BIA, should be governed by the law of diminishing returns.
    1. Determine the business effect (financial, reputation, brand, share, etc.) of a reduction or interruption in the ability to provide a critical product or service by applying the TA information to model potential interruption causes.
    2. Validate or revise the recovery priority for each business from step 2 based on the importance of the segment, the business effects from loss of continuity, and the threats that apply. (Note: This may result in some reprioritization of segments.)
    3. Develop a continuity strategy for high-priority segments.
    4. Define what is needed to support each assigned employee in each critical role so they will be ready, willing, and able to participate in BC activities.
  5. Develop the BC Plan.
    1. Document all of the above in a well-designed document. Keep static information in one section and variable information in appendices, e.g. employees in critical roles with contact information.
    2. Determine and document how to activate the plan and BC resources.
    3. Clarify the supporting plans and the integration (Facilities Recovery, IT Disaster Recovery, Human Recovery, Emergency Response, etc.).
    4. Define integration with Corporate Crisis Management Team who will be establishing the overall strategic response and business drivers for the recovery.
    5. Publish the plan as needed to those involved in the response.
    6. Conduct initial training.
    7. Conduct plan maintenance, testing and auditing according to Policy developed in Step 1.