In times of Industry 4.0, a fully networked world, and the omnipresent influence of the World Wide Web, we are used to having access to the many benefits of these systems at all times, both privately and for business. Many people are unaware that in crisis situations, such as the recent corona pandemic, IT processes can fail, making a company vulnerable. But when it does happen and such a crisis occurs, the aggravation and at times despair are immense. This makes it all the more important for companies to respond to such difficult situations in the best possible way or, better still, to ward them off beforehand. Business Continuity Management, if properly established and implemented, is considered a valuable tool to optimally prepare against unavoidable and unforeseen threats. Failures due to disruptions and the associated loss of revenue or sales can be minimized in many cases, and interruptions of especially critical and essential business processes (such as the maintenance of supply or production chains) can be noticeably reduced. The more established the BCM system is, the more successful its implementation will be in an emergency.
In addition, more and more companies and service providers are aware of the importance of BCM and see it as a prerequisite for cooperation in certain areas. Companies that have implemented Business Continuity Management use just this fact to strengthen their negotiating position vis-à-vis service providers from the financial sector, for example, or to sustainably increase the trust of prospective business partners and customers in their business.
A Business Continuity Management System (BCMS) consists of a total of six elements, all of which are interlinked and must be taken into account when implementing it in the company:
BCM Policy & Governance
The objective of a BCM policy is to set the framework for Business Continuity Management and to clearly define the necessary functions, tasks, and responsibilities (governance). In this way, everyone knows what to do should a crisis occur.
Business Impact Analysis
It all starts with a comprehensive analysis of all significant risks and business processes by means of a BIA, which identifies individual business processes using precisely specified internal evaluation criteria and classifies them by criticality factor. The complete failure of a business process is assumed and it is determined when this failure becomes critical for the company as a whole. It is then decided whether these business processes are “critical enough” to be safeguarded via a contingency plan.
This can primarily be answered by asking the question “What is needed to get the business process up and running again as usual?” The resources required for the five phases of the “restart” are identified; these phases are named as follows: immediate measures, restart emergency operation, emergency operation, restoration of normal operation, and post-processing. Based on a classic cost-benefit analysis, contingency plans are then developed for the individual process phases to be safeguarded. These are highly individual and must be repeatedly reassessed and redefined from company to company.
As previously mentioned, in the event of a crisis preventive measures are needed in order to be able to survive as a company. This includes the definition of roles and responsibilities in the event of a crisis as well as the implementation of alert and crisis communication channels to control and monitor a crisis. Functioning, non-hierarchical internal crisis communication in particular is indispensable!
Tests and Exercises
In order to check the effectiveness of individual and interdisciplinary measures and contingency plans, regular tests and contingency exercises must be planned and carried out, similar to internal audits.
The results obtained through regular reviews are incorporated into the existing management system in order to continuously improve it.
First, it is important to become familiar with the ISO standard on which the BCM system is based: ISO 22301. It is internationally recognized, creates an important, fundamental understanding of Business Continuity Management, and provides a theoretical framework that can be useful during implementation.
In any case, a comprehensive business impact analysis of all possible risks and business processes and a highly individual risk evaluation must be carried out as part of the risk assessment.
Then it is important to clearly define who is to assume which tasks in the event of a crisis (keyword: clarify responsibilities!). Comprehensive contingency plans are drawn up for risks that have already been identified; these plans are extensively tested in advance—naturally with the involvement of both internal and external partners within the affected business processes. And, last but not least: the new knowledge gained as a result of the regular audits is integrated to the best of our knowledge and belief into the existing BCM.
As a German technology manufacturer, Myra Security offers a secure, certified Security-as-a-Service platform with comprehensive solutions for companies that would like to implement a custom BCM system. Both the Myra High Performance CDN (a product that delivers static and dynamic data and web content at lightning speed without overloading your server) and Myra Security as a Service Platform, which reliably filters out malicious traffic on web applications, websites, DNS servers, and IT infrastructure, are ideally suited to take a comprehensive approach to Business Continuity Management.