Tag Archives: business continuity

Is It Business Continuity or Risk Management?

An article from DRI ANZ.

What’s in a name? Depending on the person offering the definitions, business continuity and risk management are sometimes considered as different functions, or subsets of each other, or simply the same. For example, the prevention, preparedness, response and recovery approach to risk management or PPRR is presented as risk management. However, when all the steps are accomplished and the results put together, you end up with a business continuity plan. Indeed, risk identification and business impact analysis are two classic steps in preparing overall business continuity. But what then of the opposite idea that business continuity is a subset of risk management?

It is a fact that the term ‘business continuity’ arrived on the scene after ‘risk management’. Risk management can be summarised as avoid, mitigate, transfer or accept risk. Business continuity corresponds to avoiding or transferring risk, more than mitigating or accepting it. In this sense, it would seem to be a subset of risk management. However, there is a counter-argument. Risk management is not always confined to protecting an organisation as a whole. It may be done in the case of individual projects or even transactions. Credit checks on borrowers or purchasers, and exchange rate hedging for export sales are examples. Each check or hedge may be an application of risk management, but in itself unlikely to affect the continuity of the organisation.

We end up with a situation where business continuity (overall) and risk management (overall) overlap. They are not the same, even if there are common components, and one is not necessarily a subset of the other. The point is that it is important to have a mutual understanding of what somebody means by ‘risk management’ if you really want to be sure you understand the relationship with business continuity. By correctly understanding the differences, you also have a better chance of making sure that each function is being correctly carried out within your organisation, to the level required.

Merleen Yap: My Experience as a Business Continuity Professional

Merleen is a Manager with the Enterprise Risk Services practice of Deloitte Singapore.

She shares with us her role as a Certified Business Continuity Professional (CBCP), her daily work and why she chose this as her career.

You graduated with a Bachelor of Accountancy from the University of New South Wales. How did you learn about Business Continuity Management (BCM)?

I was assisting my manager in a BCM engagement for an insurance company that was looking for assistance in assessing the gaps of their BCM implementation. That was when I started, and I have never stopped thinking about BCM since. I went to register for the 5-day DRI Business Continuity Planning course to learn more about BCM and get myself certified as a CBCP.

What is your biggest challenge in your role as a business continuity professional?

Some clients compare the templates used by the different companies/consultants and question the differences. I always tell them that there are many different templates in the market but most importantly, we need to address the key BCM elements. I will help them to customise/review the template and tell them what the required inputs are.

What are the common misconceptions that others have about your role?

“I thought you’re from that accounting firm? You’re not an accountant?” – I’m in the risk consulting line in Deloitte, and I am not an accountant. We do more than just audits!

What are the common misconceptions that others have about BCM?

Some companies think that BCM means having a fire emergency plan and a very brief evacuation plan detailing what they would need to do at the assembly area. Some thought that if they have some form of contingency plan in place, that’s a “good BCM” in place. When we implement the ISO 22301 BCM programme for them, only then do they realise how intensive and thought-provoking the process of putting BCM in place can be with the aim to build the resiliency of the operations.

What is your favourite advice about BCM?

There is no perfect plan. BCP is like an acting script. Everyone in the script will know what to do/not to do when crisis is activated.

What is your greatest reward in your role as a BCP consultant?

Seeing my clients being more aware about the importance of BCM and truly appreciating the beauty of business continuity management. Some even signed up for a CBCP course or to get their organisations certified in ISO 22301.

Where do you hope to see organisations in 5 years’ time?

I hope to see more people being educated about the importance of BCM, and how the skills of BCM are useful in preparing and handling incidents/crises.

In most organisations the people who are better versed in BCM are usually the BCM function/BCM Managers/BCM Champions.

To me, BCM can apply to everyone. There is one particular client who saw the value in the BCM engagement Deloitte did for them and he went and shared with his organisation all the insights of incident handling/crisis management that we shared from around the world. I hope that more people get interested in the topic and we can help them satisfy their inquisitiveness and interest.

How to ‘Sell’ Business Continuity to Four Generations of Workers


Business continuity is everybody’s business. While the principles and the planning may be better carried out by BC specialists, it’s the organisation as a whole that needs to apply them. However, a one-size-fits-all approach may not be effective when you’re trying to get the message across. It’s a fact that many organisations now have as many as four generations of employees. Each age group has its own characteristics, culture and way of doing things. As you work with colleagues to get BC in place and make it effective, knowing a little about how to ‘sell’ it to each group could help a lot.

The four generations concerned go by different names, but here are some of the more common ones.

  • Traditionalists. Aged 70 and upwards (!), these employees continue to work and achieve, either through financial necessity or simply as a choice. Traditionalists are often hard-working, risk-averse and detail-oriented, with a focus on the long-term. ‘Sell’ BC to them as a well thought-out plan that keeps the organisation safe.
  • Baby Boomers. With an age range between 50 and 70, they still have time to think about career progression. They also typically favour good management of relationships, involvement in decisions and team-working. They may therefore be more likely to ‘buy into’ your business continuity goals if you can define recommendations together.
  • Generation-X. Somewhere between 35 and 50, and focused on results and work-life balance, while also demonstrating greater individualism. Head right for the benefits and keep the analysis (which you still need to do) in reserve. Mentioning the technology that drives BC actions and BC advantages for employees’ families may be good as well.
  • Millennials (also known as Echo-Boomers and Generation-Y). Younger than 35, these employees are technology-aware with a desire for instant information and innovation. Business continuity that is presented as an opportunity to do better, not just as protection against doing worse, can be a smart way to get their attention and ‘buy-in’.

Will all your colleagues automatically fit into one of these categories? Possibly not – but perhaps these guidelines will help you better understand different points of view to make business continuity both attractive and accepted throughout your organisation.

How to Improve Business Continuity by Doing 30% Less

In business continuity we often discuss objectives, processes, systems and technology. But of course people are also a key part of how most organisations function. While stop-gap solutions and third-party assistance may save the day and keep operations going on a short-term basis, employees provide the creativity and innovation to keep a company viable for the longer term. So for everybody’s sake and for good business continuity, it makes sense to create a work environment in which employees can react constructively to emergencies and perform optimally at other times. For this, one theory says “don’t do more, but less”.

It’s called the 70 percent rule (now you can see where the 30 percent in the title came from). The idea is that productivity and motivation can both increase if people work at a less intense pace than ‘full-on all of the time’. Sportspeople know the wisdom of this; in fact, athletics was where the rule originally came from. Arnold Schwarzenegger for instance consistently followed a routine of one day on (working out) and one day off (resting) to become a body-building champion, before turning his talents to acting and politics. This kind of alternating routine can prevent injury for athletes and burnout for other professionals.

Practically speaking, the 70 percent rule in an organisation can be applied by working smarter instead of harder, taking the vacations and breaks that should be part of the job anyway, (politely) refusing unreasonable work demands and leaving a part of the working day unscheduled. Improved output and less work sounds like a dream. The 70 percent rule says you can have both, starting with less work! If there is a temporary peak in a workload or a crisis to be handled, employees then also have the additional capacity that can make the difference between business continuity and discontinuity.

The Unbroken Chain from Business Continuity Assignments to Actions – and Back

Have you met the management acronym AOSTA? It’s a nice one to know, because it links assignments all the way through to actions (we’ll explain below), providing a handy checklist for business continuity practitioners in particular. It is also the name of a picturesque town in the Italian Alps, with picture postcard images that can make a handsome PC screensaver and handy daily reminder! But let’s talk about why AOSTA can help you to get business continuity right by using it both forwards and backwards.

Here’s what AOSTA stands for:

  • A is for Assignment. This is what people ask you to do or what your boss instructs you to do.
  • O is for Objective. This is what you really should do. Hopefully it’s the same as your assignment. However, if you see divergence between what is asked for and the business continuity your organisation really needs, be prepared to politely but firmly argue your case.
  • S is for Strategy. This is how you will win the war, so to speak, so that your business continuity objectives will be properly met. It’s your overall plan, like deciding to use outsourced or cloud-based resources to do secure data backups, run important enterprise applications, and so on.
  • T is for Tactics. Each battle to be fought may need its own approach, and these are the tactics you use to win it. For example, to get the Finance department to agree to move its accounting to a cloud-based platform, you show them possible cost-savings as well as improved availability.
  • A is for Actions. This is the list of things to be done, such as reviewing cloud service providers and selecting one, organising and completing application migrations and so on. Some actions will be yours, but others will be done by the different departments concerned.

The beauty of laying out the chain like this is that you can also use it in the opposite direction. If you are thinking of a particular business continuity action, you can check to make sure that it really does relate to a tactic that supports a strategy that helps to achieve a useful BC objective.

Making Sure the Right Procedures are Followed for Business Continuity


Procedures are there to make sure that things consistently get done the same – and the right – way. When good procedures for using technology are followed correctly, productivity and profitability can be increased. But technology used the wrong way can cause business discontinuity, where operations and productivity grind to a halt. A recent outage in a major cloud provider’s IT service was caused not by any technical problem, but by a failure to follow the correct operating procedure. So why did things go wrong and what lesson can other organisations learn from this case?

The service concerned was the Azure storage service provided by Microsoft. This service is updated from time to time like most IT installations. The procedure defined by Microsoft is to move to a new update little by little to allow the time to run checks and make sure that everything is still working properly. However, a misunderstanding about the status of a recent update led an engineer to apply a change over the entire service all at once. This change unfortunately resulted in the service becoming unavailable to users and the need to manually restart a certain number of systems. The key point is that although the correct procedure was defined, there was no safeguard to prevent employees from deviating from it (something that Microsoft has now fixed).

Organisations need to build in failsafe mechanisms to guard against human error. One of the simplest ones is the ‘four eyes principle’, in which two people must check and approve an action before it can be executed. Other failsafe devices may be mechanical or physical, such as automatic speed or rotation limits on machines. Information technology allows complex failsafe procedures to be programmed, but then those automated procedures also need to be properly checked by humans before they are set in motion. In summary, take a good look at your technology and your business continuity, and make a complete list of things that must not happen. Then make sure that you have the appropriate preventive measures in place.
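The two safeguards discussed above, a staged rollout and the four eyes principle, can be combined in a programmed deployment gate. The sketch below is an added example, not code from Microsoft or from the article; the stage names, fleet shares and the `Change`, `approve`, `record_checks` and `authorise` names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed rollout plan (assumption): stage name and share of the fleet it may reach.
STAGES = [("canary", 0.01), ("pilot", 0.10), ("region", 0.50), ("global", 1.00)]
NAMES = [name for name, _ in STAGES]


class GateError(Exception):
    """The requested step deviates from the defined procedure."""


@dataclass
class Change:
    change_id: str
    approvals: dict = field(default_factory=dict)  # stage -> set of approver names
    verified: set = field(default_factory=set)     # stages whose health checks passed


def approve(change, stage, reviewer):
    """Record that `reviewer` has checked and approved this stage of the change."""
    change.approvals.setdefault(stage, set()).add(reviewer)


def record_checks(change, stage, passed):
    """Mark a stage verified only when its post-deployment checks passed."""
    if passed:
        change.verified.add(stage)


def authorise(change, stage, operator):
    """Return the fleet share the operator may deploy to, or raise GateError."""
    if stage not in NAMES:
        raise GateError(f"unknown stage: {stage}")
    idx = NAMES.index(stage)
    # Staged rollout: every earlier stage must be verified before this one opens.
    missing = [n for n in NAMES[:idx] if n not in change.verified]
    if missing:
        raise GateError(f"{stage} blocked, unverified stages: {missing}")
    # Four eyes: someone other than the operator must have approved this stage.
    if not change.approvals.get(stage, set()) - {operator}:
        raise GateError(f"{stage} blocked, no independent approval")
    return STAGES[idx][1]
```

The gate refuses a jump straight to `global` even when approvals exist, which is the deviation the outage description turns on: the procedure is enforced by the tool instead of relying on the operator's understanding of the update's status.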

Keeping Business and IT Connected for Better Business Continuity


For many organisations, markets change fast as customer needs develop and competitors offer new solutions. Business people under pressure to get new products and services to market may ask more of the IT department than it can deliver at that moment. This friction can cause difficulties in communication and relationships between the two groups. From there, it can lead to fragile or fractured business continuity. The answer is systematic collaboration to ensure that plans are made ahead of time and that the organisation can take advantage of opportunities while avoiding performance issues and outages. Ideally, both parties will have a proactive role to play.

This dual proactivity is part of IT governance, the process by which organisations can make sure that interlinked business and IT goals are met. IT governance has two potential advantages. First, it helps organisations to manage their IT to prevent disasters and strengthen business continuity. Second, it stimulates innovation that then generates higher business growth rates. Naturally, business people must make their needs and expectations known. But with the right IT governance, IT is not just a provider of resources and services: it is also a contributor of business ideas.

The fact is that the IT department is involved with the organisation at practically every conceivable level. IT managers, for example the Chief Information Officer, are therefore in a great position to spot opportunities for streamlining, improving and innovating in business procedures and activities. It was this approach that gave courier company Federal Express a strategic lead over its competitors with a package tracking application jointly built by the business and IT sides of the company. While business people tell IT what they need, IT can tell business people about additional opportunities open to them. Potential disconnects are replaced by synergy that reinforces both business results and business continuity.