An unprecedented global crisis like the coronavirus could not have been predicted. Still, efficient planning and implementation of business continuity management processes enabled organizations to minimize the operating damage it caused. Here is all you need to know about how proper business continuity management can affect your organization.
2020 created difficulties not only on an epidemiological level, but also with respect to many aspects of the business and technological strength of companies. Among other things, organizations were exposed to a wide range of cyber attacks as a result of the transition to working from home. These and other challenges put companies' business continuity management (BCM) processes in particular, and their business continuity plans (BCP) in general, to the test.
A new survey reveals that companies that had a BCP in place handled the challenges of the pandemic better than organizations that did not have plans. It was also found that business continuity plans contribute to preventing the negative effects of a crisis and/or disaster, and help to reduce financial losses and maintain contacts with suppliers, other businesses and stakeholders. Nevertheless, the same survey found that 51% of the organizations around the world did not have a business continuity plan at all at the time they were dealing with the effects of the pandemic, and that the rules of ISO 22301 (the international standard for business continuity management) are still not in widespread use among organizations. As a result of this past year, business continuity plans finally began receiving the attention they deserve, and it is now clear that their implementation constitutes a material strategic lever for any organization.
What is a business impact analysis?
A business impact analysis (BIA) is a process aimed at helping organizations assess and quantify the possible effects of a significant disruption in critical business processes. Whether the disruption is a result of human error, natural disaster, cyber attack, accident or – like in 2020 – a pandemic, it is important that organizations prepare an appropriate risk assessment and plan. This is because the BIA process makes it possible for organizations to identify disruptive events in advance, to classify them according to their level of probability, to prepare for them and even to calculate specific effects, including financial losses.
Together with components such as assessing risks and setting recovery targets, the BIA is one of the components that make it possible to predict future risks. The BIA must be updated on a regular basis and be approved by the organization's senior management. During an ongoing crisis, like the coronavirus pandemic, a BIA should be performed regularly and the company's critical processes redefined in accordance with the restrictions and changes in the business environment.
The importance of regularly updating the BIA is evident from a survey conducted by ACCA. According to the survey, the plan was ineffective in 16% of the companies that had a BCP in place. This information strengthens the argument that it is not enough to write a BCP and then forget about it; the BIA and all its derivatives need to be updated so that the business can recover quickly and effectively.
Improving the ability of the organization to withstand unexpected disruptions
A BIA reviews the effects of ongoing disruptive events on the critical processes, operations and responsibility of the organization. The process enables predicting the possible effect of future disruptions. The reasons for conducting a BIA include, inter alia:
· Validating the content of a BCP, IT disaster recovery plan (IT DRP) and crisis management plan (CMP); providing assurance that the identified strategies will be able to deliver response and recovery results within the required time frames and limit the potential loss accordingly.
· Maintaining the effectiveness of business continuity management: guidelines on recommended work methods, such as ISO 22317:2015 – Guidelines for Business Impact Analysis and ISO 22301:2019 – Business Continuity Management Systems, recommend conducting a comprehensive BIA both during the development of the BCP and during the ongoing improvement and learning stages of the organization's approach to mitigation and management of the effects of disruptive events.
We at KPMG Somekh Chaikin help organizations to achieve and maintain long-term business and technological strength by means of efficient crisis management, analysis of business effects, tools and processes that assure business continuity, disaster recovery plans and implementation of customized solutions.
Written by Shmulik Eini, Manager, Business Resilience, Cyber Security Services, KPMG Somekh Chaikin