Many organizations that we encounter have an obligation to support the community in time of crisis, including hospitals and utilities, for example. These organizations place a heavy emphasis on emergency management, and in recent years, we’ve seen increased implementation of the standardized Incident Command System (ICS) framework, or in the case of hospitals, the Hospital Incident Command System (HICS). There are many benefits to adopting ICS or HICS, but, most importantly, it allows organizations (both government and non-government) to operate and collaborate more effectively during emergencies. Common terms, roles, and responsibilities remove barriers to cooperation, ultimately benefiting the community.
When a community is impacted by a natural or manmade crisis, we are all better off thanks to ICS and HICS. However, many organizations are discovering that these systems may fall short when it comes to an incident that does not directly impact the communities in which they operate. While placing a heavy focus on emergency management is great (and many organizations are already mature in this space), it may not prepare an organization for unplanned resource interruptions, such as IT downtime or an unexpected facility closure. So how can an organization ensure the performance of social or community responsibilities, while protecting its own operations in the event of a more isolated disruption? Enter business continuity.
INTEGRATING FOR A HIGHER LEVEL OF PREPAREDNESS
Business continuity (inclusive of IT Disaster Recovery) is often a missing component in the overall preparedness picture, even at organizations with high-performing emergency management programs. Business continuity provides a process for identifying and assessing the resources (people, equipment, technology, facilities, and third-party suppliers) that an organization needs to operate, allowing for the development of contingency plans to address unplanned downtime, regardless of cause. This process isn’t isolated from or contradictory to an existing ICS or HICS framework, nor does it require a complete rework of the current system. Instead, business continuity can be effectively nested within the larger emergency management program.
Sometimes the hardest part about implementing a business continuity program within an organization that is already great at emergency management is defining where business continuity begins and ends. To help create clarity on this question, here are some guiding principles:
- A business continuity incident is any event that impacts the resources an organization needs to operate its business. As mentioned above, this includes people, equipment, technology, facilities, and suppliers.
- The existing incident command framework can still be leveraged to manage a business continuity incident, but this needs to be established and exercised. Some organizations elect to create a separate business continuity team to manage internally facing events. However, business continuity is more than just incident management. It is a program and process for proactive risk mitigation, as well as incident response.
- It is certainly possible to have an event that simultaneously impacts both the community and an organization internally. In industry terms, business continuity and ICS activation may occur at the same time.
- During community-facing events, customers and other stakeholders (like regulators and investors) tend to have flexibility and understand that an organization may not be able to meet all of its obligations. When dealing with an internal disruption that has no visible impact to the community, stakeholders are much less likely to grant this type of flexibility.
Once an organization agrees that there is a need for business continuity, there are several initial steps that help to clarify scope and determine what type of investment is needed for long-term success.
Step 1: Governance Review – If there is an existing emergency management committee (a group of cross-functional leaders who are accountable for the program’s outcomes), expand it to include business continuity. A completely new steering committee is not needed, and will probably hurt more than it will help. One of the keys to successfully integrating the two disciplines is to leverage existing oversight structures, if they exist. If this type of governance structure or steering committee is not in place, consider creating one that is responsible for both business continuity and emergency management. Don’t overcomplicate things, but a good governance committee needs cross-functional representation from the business and back office.
Step 2: Engage Management to Understand Priorities – This activity might sometimes be called the strategic business impact analysis (BIA). Bottom line, it is important to understand which products/services are time sensitive and, therefore, which of these must be protected through business continuity planning. To learn more about scoping, read How-To: Effectively Scope Your Business Continuity Program.
As part of understanding management priorities, it is also important to get a working definition of the organization’s risk appetite. In the context of business continuity, this entails understanding what is unacceptable in terms of downtime impacts by answering two questions:
- What’s most damaging – financial, operational, reputational, regulatory/legal, environmental, and/or safety impacts?
- What level of impact within each category is unacceptable?
Tip: When scoping a business continuity program at a hospital, be sure to consider any research functions or activities. While there may not be a direct patient care implication, the protection of data and materials (which can include live animals) is definitely a priority for the organization.
Step 3: Execute a Business Impact Analysis – Once an organization has a solid understanding of management priorities and risk appetite, it is time to execute a full business impact analysis. When executing the BIA, use management guidance on priorities and risk appetite to help define recovery objectives and identify risks. Once complete, a good BIA will deliver several key outputs (collectively defined as business continuity requirements):
- An understanding of the functions needed to deliver in-scope products and services and the level of performance these functions need to achieve during a disruptive incident.
- An inventory of the resources needed to perform these functions and the possible impacts of unplanned downtime.
- Recovery time objectives (when do functions and resources need to be recovered following an unplanned interruption to avoid unacceptable impacts).
The BIA should include solid justifications for each output, especially when a financial investment is required to meet the newly defined business continuity requirements.
USING THE BIA RESULTS TO DRIVE STRATEGY AND PLANNING
In addition to defining business continuity requirements, the BIA will provide the information needed to determine and implement the right business continuity strategies and identify long-term resources needed to deliver an appropriate level of preparedness.
Tip: For many organizations, the best option is to hire a temporary resource to perform the BIA. This allows an organization to stay flexible on strategy and long-term investment commitments, until the business continuity requirements have been adequately defined. This is especially beneficial to budget-constrained organizations or those new to business continuity and emergency management integration.
Once the BIA is complete, an organization should have a good inventory of the key resources needed during a disruptive incident. From this point, the next three steps include:
Execute a Gap Analysis – Use the BIA results to understand where there are gaps between business continuity requirements and what the organization can effectively accomplish in terms of recovery. This is an important exercise that will help drive the next phase of planning. Based on the results of the gap analysis, an organization can identify varying options and costs.
Clarify Roles and Responsibilities – At this point, it is important to update the existing incident management framework and documentation to account for the business continuity element. This doesn’t necessarily mean that a whole series of new plans are needed. In some cases, an appendix to existing documents will work. In other cases, there is the need for a more tactically focused set of business continuity plans. The bottom line here is that an organization needs to document how it will continue to operate during unplanned downtime.
Tip: In addition, it is important to expand existing emergency management triggers to account for when and how the incident management framework will be activated for a business continuity event. In some cases, a separate Business Continuity Team is created that coordinates with the Incident Commander or designated executives, overseeing the internal recovery effort. Other organizations will keep the existing Incident Management Team, adding procedures to address business continuity requirements.
Drill, Drill, and Drill – Getting business continuity coordination and procedures refined and socialized takes time and will require some trial and error. The best advice for working through this process is to start simple. First, drill the business continuity procedures independently. Use a tabletop exercise to work through a disruptive incident that impacts your facilities or technology, for example. Then, start to ramp up the complexity by exercising an event that has internal and externally facing impacts and requires joint activation of business continuity plans and the emergency management team. The long-term goal is to simulate real events to validate the overall incident management framework.
Business continuity is the preparedness discipline that helps organizations understand and mitigate the impacts associated with unplanned resource interruptions. When paired with ICS or HICS, it can enhance an organization’s preparedness posture significantly by accounting for incidents that impact the organization alone, or that impact both the community and the organization simultaneously. A key thing to keep in mind is that business continuity can nest within the overall emergency management or incident response framework. Don’t create an entirely new process when you can capitalize on one that is already in place. More bureaucracy and complexity are not a requirement here – look for opportunities to leverage and enhance the work you have already completed, creating a new structure only when necessary. One more piece of parting advice – remain flexible until completing the BIA. The BIA will refine scope and define what you need from a business continuity standpoint. Try not to make any long-term investments before you have a reliable set of business continuity requirements.
For organizations that have mature emergency management programs, especially those that have implemented ICS or HICS, there is an excellent opportunity to further increase resilience and preparedness by taking a look at business continuity. Let us know if you have any questions; we would love to help clarify how and where business continuity fits in.
Dustin Mackie and Rose Reilly
Avalution Consulting: Business Continuity Consulting