Business continuity used to be considered a part of Disaster Recovery (DR), another cog in the urgent wheel that turns to put the business back on track in the event of a crisis.
However, the past year has reshaped business continuity in the eyes of the organisation. Its value as a standalone, essential strategy that takes the organisation from crisis to stability, has finally been recognised. In a recent analysis, McKinsey points out that business continuity plans need to be resilient and coordinated, focusing on not just technology resiliency, but on operational resiliency.
It is a view shared by Karien Bornheim, CEO of FABS, who believes that the wider meaning of business continuity needs to be considered to ensure that business operations can continue uninterrupted, from anywhere.
“For the longest time, companies have considered business continuity to mean disaster recovery,” she adds. “it is seen as backups and high availability and the accessibility of a second site in the event of a physical incident such as fire or a hurricane. Most companies, however, do not consider the other facets of business continuity that include people, location, and redundancy.”
Business continuity plans need to focus on multiple layers and consider multiple parts of the business. There is the aforementioned technology resiliency that is needed to ensure the business is capable of working from any location, at any time. This particular factor came into stark focus during the pandemic as organisations shifted their operations centres from offices to homes.
Those without robust business continuity planning that considered technology, struggled to adapt to the markedly different working demands of the remote employee. Today, business continuity plans need to be capable of adapting to rapidly changing demands from employees and organisation – resilient, flexible, adaptable, and digital.
“Until recently, companies didn’t consider their employees not being able to physically go into the office or to a disaster recovery location,” says Bornheim. “Covid-19 made many take notices and look to a business continuity strategy that allows them to quickly and efficiently respond to an interruption of any kind. Technology investment needs to be scalable and reliable. It also needs to move away from the quick fix of the past year towards more long-term digital solutions that are considered and relevant.”
By this, Bornheim means that technology quickly slapped onto systems and into homes to ensure that people could do their jobs during the lockdown, now needs to become a more formal investment and follow a more formal business continuity process.
This leads to a focus on operational resiliency. For McKinsey, this means flexible working models, geographic redundancy, the virtualisation of key processes, and a deeper evaluation of security and policies. It also means the development of an operational process and strategy that allows for seamless transitions and functionality in the event of business failure.
“Neither the customer nor the employee should notice, or be aware of, any interruption to the business unless they’re told about it,” says Bornheim. “This allows the business to remain financially stable and to protect its reputation – any extended outage will have a financial and reputational impact so avoiding these two pitfalls is key.”
To build a resilient business continuity strategy, the business needs to start with the end goal in mind. Is it protecting the business, the employee, and the customer from disruption? Is it reputation and cost? Or is it all the above? Understanding the key strategic pain points of the business helps refine the strategy and the focus.
The next step is to follow the age-old business continuity process of doing a business impact analysis. This will identify scope, key business areas, critical functions, critical people, dependencies between business areas, and acceptable downtime for each function and area.
“Maintain the plan and then test, test, test,” adds Bornheim. “And, in addition to the standard process of preparing for business continuity, including the security of systems and data and people. This has become crucial to long-term success. The human factor has also become fundamental – ensuring employee and customer health and safety. The right plan embodies all these elements. It should also follow the BCP ISO22301 process of Plan, Do, Check, Act (PDCA) in as much as it makes sense for the business and its operating model.”
This comprehensive and holistic approach to business continuity is far more capable of handling the vagaries of uncertainty than the rigid models of the past. By considering every part of the company and ensuring that every individual and unit understands their role, the impact of an unexpected event will feel less a crisis and more a routine move from one mode of operations to another.