Mostly Top level management still thinks that the Business Continuity Management (BCM) is an IT issue and IT Organization is the one who is responsible to handle that. In fact, Business Continuity is not just about how the organization own a disaster recovery center, but it is more about enabling a business to operate when the disruptive incident occurred.
Thirty years ago business continuity (BC) did not exist as a concept, but disaster recovery (DR) did – the main concern was how to save data if a disaster occurred, therefore no wonder if the disaster recovery become identic with IT issue. Conceptually, Business Continuity is different with Disaster Recovery. Business Continuity is defined as the capability of the organization to continue delivery of products or services at acceptable predefined levels following a disruptive incident.
Business Continuity Management (BCM) is defined as a holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, and which provides a framework for building organizational resilience with the capability of an effective response that safeguards the interests of its key stakeholders, reputation, brand and value-creating activities. Having only a Disaster Recovery Center (DRC) in an organization does not automatically mean that a company will operate as usual in the event of disaster or incident. DRC might solve the issue regarding IT infrastructure, such as application and data readiness, but how the business will operate after disaster occurred is not the domain of DRC. There should be systematic plan and mechanism on how to manage people and process in order to operate business after disruptive incident happened. Such plan is recognize as Business Continuity Plan.
Business Continuity Plan (BCP) is defined as documented procedures that guide organizations to respond, recover, resume, and restore to a pre-defined level of operation following disruption. The BCP deve- lopment usually starts with understanding a company’s business, performing risk assessment, and then doing a business impact analysis (BIA). BIA is used to evaluate critical business process (including IT components supporting the process) and to determine time frames, priorities, resources and interdependencies. When the critical factor of business, system and critical information has been defined, then it continues with the process of designing the recovery strategy, governance infrastructure, and then drafting BCP document. In order to ensure that the recovery strategies are effective as expected by management, The BCP document should be tested prior to submission to the management for approval. Once the BCP document has been approved by management, it should be communicated to the key person in the organization. The BCP document is also needed to be tested and updated regularly (at least one a year) in order to ensure that the BCP document is still relevant with current situation.
Given the explanation above, business continuity actually is not an IT issue, but it is a business issue. If the IT department implement business continuity for the whole organization, it would neither be able to define the critical factor of the business activities, nor the critical factor of information. Usually risk management division play a key role in BCM implementation because a lot of activities in BCM are more heavy in risk management area rather than in IT.
After all, the most important things for BCM establishment is the buy in from the top level management. The top level management play critical role for successful BCM implementation, and therefore the most challenging part for BCM establishment is how to convince top level management that BCM is important.
- Business Continuity is a business issue not an IT issue.
- Regular testing and update are the important parts after establishment of BCP.
- Top Level Management play a critical role in Business Continuity Management establishment
This article has been published at The Jakarta Post, 27 March 2017