Business continuity capabilities are an organisation’s ability to protect and sustain critical business processes during a disruption. Effective business continuity management (BCM) ensures that firms are equipped with the ability to prevent, respond to, and recover from various operational disruptions.

It comes as no surprise that we are living in an ever-changing environment, which is shaped by numerous risk events and potential threats. Floods, cyber-attacks, IT breakdowns, asset failures, supply chain issues, or loss of skilled staff are just some of the possible threats to the smooth running of an organisation. Advances in technology and rapid digitisation are fundamentally transforming the way of doing business and the way of working, but they also bring more and new security risks. And, of course, we are still experiencing the impacts of a global pandemic.

Despite this, a recent KPMG poll indicated that most companies are still at the level of “ad hoc and reactive” or “developing” an approach towards business continuity and resilience management.

If not addressed effectively, these threats can cause disruption or even business failure. Consistent planning for what to do when a disaster strikes means a more effective response and a quicker recovery.

At KPMG, we have strong capacities to help build proper processes for business continuity management no matter the size of your enterprise. We operate within the framework outlined below and can tailor our efforts to match the exact needs of the organisations and companies we support.  

What are the key components of Business Continuity Management?

Business Impact Analysis (BIA):
Based upon a standardised approach, as well as clearly defined impact criteria, you identify, prioritise, and quantify the impact on time-critical business processes, customers, premises, technologies, assets and suppliers.

Strategy and recovery:
Management should be able to give assurance that they are in control of managing failures, incidents, and so on. They should also be able to ensure immediate recovery of the critical processes.

Monitoring and improvement:
Performance review processes provide transparency for all stakeholders. In the light of continuous improvement, the combination of Risk & Review is essential – we learn from the lessons of the past to improve the future.

Risk assessment – what matters most:
Here you use risk assessment techniques to achieve one important goal – to plan for the worst case scenario and to protect your most vulnerable assets.

Testing and exercising:
Organisations should determine the feasibility of – and test the efficiency and effectiveness of – emergency plans on a regular basis.

There should be clear roles and responsibilities to facilitate implementation of the framework.

Three documents to have in place:

  • A Crisis Management Plan, which outlines the immediate response of the management to manage a crisis and recover critical operations.
  • A Business Continuity Plan, which outlines the procedures to follow during a major, unanticipated and disruptive event. Business Continuity Plans may include: business recovery strategies, contact lists, equipment requirements, personnel requirements etc.
  • A Disaster Recovery Plan, which outlines the specific procedures required to recover or restore critical operations and/or systems.

What are the key criteria for a successful Business Continuity Management program?

  • Strong leadership: Support from executive management and the board is critical.
  • Clarity: Underlying plans/documents must be written clearly and take into account the capabilities of team members during a significant business disruption. 
  • Usability: Plans must be simple, easy to use, and accessible for everybody.
  • Business involvement: Business continuity should be business-driven, with the involvement of all functions.
  • Beyond IT: Remember that it’s not only about IT – that’s only one piece of a larger puzzle.
  • Consider the impact: Focus on the impact of major disruptions – even when it’s difficult to accept the scenario.
  • Change management: Prepare your organisation to deal with immediate change, impact and action.
  • Practice: Regular simulation of failures and disasters can save your business.

How do I implement a management system for business continuity?

You do not need to reinvent the wheel. There is already an ISO standard on business continuity and resilience – ISO22300x. It gives you access to international good practice to help you to respond to, and recover from, disruptions effectively, leading to reduced costs, less impact on business performance, and even respect from your customers.

With a standardised approach your actions will be consistent throughout the entire organisation, and you will be able to reassure clients, suppliers, regulators, and other stakeholders that your organisation has sound systems and processes in place for business continuity.

What’s the role of the board?

The most important drivers for good business continuity and resilience are that it should be taken up in a multi-disciplinary way, and that it should be positioned strategically within your organisation.

Active board involvement is key to integrating business continuity management and operational resilience into the organisation’s business and risk strategies and to setting the tone at the top.

Considering the perspectives of various management positions within the organisation will ensure that “business continuity and resilience” is based on the different corporate objectives and is implemented and operated in line with your strategy, the customer experience, as well as financial and IT perspectives and requirements.

Key questions for boards to consider:

- Do we have a business continuity plan in place? If so, has it been tested?

- Do we have a full view – an end-to-end view – of our processes?

- How will we keep operating and serving customers/clients in the face of a disaster?

- How well is business continuity and resilience experienced within our organisation?

A Business Continuity Management System makes your organisation more “incident proof”. By building business resilience, you not only gain the capacity to survive, adapt and thrive, but also get another view on your organisation and its critical processes and systems.

Since we all know what a disaster can lead to, now is the time to make sure you do not miss the opportunity for positive change that this crisis represents.