
RSK4801 B0 LS05 011 Mo PDF

The document discusses business continuity planning, which involves creating systems to deal with potential threats and enable ongoing operations during a disaster. It covers key concepts like impact analysis, threats assessments, and testing plans. The importance of policy, governance, impact analysis, risk assessments, strategies, testing plans, and continuous improvement are discussed. Maintaining and testing business continuity plans are essential to ensure organizational survival during a crisis.

Uploaded by

FHATUWANI MOSES

LESSON 11: BUSINESS CONTINUITY


11.1 PURPOSE
Review business continuity planning as the process of creating systems of prevention and recovery to deal with potential
threats to a firm and to enable ongoing operations while recovering from a disaster.

11.2 KEY CONCEPTS


• Business continuity
• Survival
• Policy and governance
• Impact analysis
• Threats
• Assessment
• Response triggers
• Activity levels
• Testing
• Budget
• Maintenance
• Improvement

11.3 LEARNING OUTCOMES


On completion of this lesson, you should be able to

• state the importance of business continuity planning
• identify the differences between risk and business continuity management
• state the importance of policy and governance
• perform a business impact analysis
• discuss threats and risk assessments
• explain a business continuity strategy and plan
• discuss the testing of a business continuity plan
• discuss the maintenance and continuous improvement of a plan

11.4 LEARNING MATERIAL

Chapter 11 of the prescribed book: Stress tests and scenarios.

11.4.1 Ensuring survival

Business continuity is about coping with unforeseen events that may threaten a business’s survival. Firms which successfully
deal with a crisis see their share value increase. Similarly, firms which invest and budget most on risk, business continuity and
governance are the most profitable in their sector. Business continuity planning is not a cost but an investment.

Study “Ensuring survival” in chapter 11.

11.4.2 Business continuity and risk management

The differences between risk management and business continuity management are as follows:

| | Risk management | Business continuity |
|---|---|---|
| Key method | Risk analysis | Business impact assessment |
| Key parameters | Impact and probability | Impact and time |
| Types of incidents | All types of events | Events causing major disruption |
| Size of events | All sizes and costs | Survival-threatening incidents |
| Scope | Core business objectives | Incident management |
| Intensity | Gradual to sudden | Sudden or rapid events |

Business continuity deals with the management of incidents that will cause significant disruption to the business. It deals with
the impact of low likelihood events. The recovery from an incident is measured by time so that disruption to customers and
suppliers is kept to a minimum and business-as-usual is restored as quickly as possible. Firms therefore need to develop and
test business continuity plans, working their way through the business continuity life cycle. In practical terms, this means

• policy and governance
• business impact analysis
• threat and risk assessment
• the business continuity strategy and plan
• testing the plans
• maintenance and continuous improvement

Study “Business continuity and risk management” in chapter 11.

11.4.3 Policy and governance

Policy and governance form the cornerstone of business continuity management.

The policy statement is the benchmark against which all business continuity activity should continually be checked, and it
should include

• an operational framework for business continuity management
• continuity principles and priorities
• business-critical activities
• minimum standards

Governance – business continuity concerns threats to the existence of a business, and it needs to be owned by all parts of the
firm. Developing, reviewing and invoking the business continuity plan will involve a steering committee, which would include
senior stakeholders from business, risk, IT and other support management. The plan and any testing of it should be
independently reviewed and audited.

Study “Policy and governance?” in chapter 11.

11.4.4 Business impact analysis

The business impact analysis provides the basis from which business continuity strategies and plans are developed. It is the
point in the process where recovery priorities and the minimum resources needed to maintain their availability are
established. The business impact analysis looks at the impact of given events on business activities over time. Worst-case
scenarios will identify the realistic recovery time objective – that is, the time by which critical systems and business processes
must be up and running after the occurrence of an incident.

Understanding what we do and how we do it – the first step in the business impact analysis is to establish what activities the
firm carries out and how. The information gathered should include as a minimum

• a complete list of products or services
• critical processes which support the most relevant products or services
• key staff who support the critical processes
• key systems, paper records and equipment
• reliance on internal departments or external suppliers
• reliance on specific premises to carry out critical processes
• key customers and stakeholders affected by the loss of products or services

Business critical – the test of criticality is the value lost over time. Costs can be assessed over time by using financial targets
or budgets and dividing the relevant weekly or monthly target into periods. New business is likely to be lost during a disruption.
Indirect costs, such as regulatory fines or client and intermediary compensation together with direct losses, will give an
estimate of the worst-case financial impact over time.

Study “Business impact analysis” in chapter 11.

11.4.5 Threat and risk assessment

Threats – incidents are only threats before they happen, and the risk lies in the likelihood of them becoming incidents and
their potential impact.

Impact assessment – the method of assessment is the same as that used for building and evaluating scenarios but with time
as the critical measure of impact.

Response triggers – a threat that turns into an incident will generate a response as formulated by the business continuity
plan.

Study “Threat and risk assessment” in chapter 11.

11.4.6 The business continuity strategy and plan

How to choose the best response – a specific incident that triggers a business continuity response will form the basis of the
business continuity strategy.

The following criteria should be considered when assessing the options:

• levels of business activity
• staffing
• locations
• communications
• infrastructure – power, data and systems, and utilities

Choosing the strategy – the results of the exercise should make it possible to identify a preferred strategy for each response
trigger and to assess the effectiveness of the strategies and of the controls that are in place for mitigating an incident.

Budget and business case – obtain a budget after identifying the preferred strategy.

From strategy to planning – the planning stage is the critical point in the business continuity life cycle.

Documenting the plan – details and recovery procedures.

Study “The business continuity strategy and plan” in chapter 11.

11.4.7 Testing the plan

Motivation for testing – it is essential to practise or exercise the plan, learn the lessons and improve.

Identify specific needs (what and how often) and run one of several tests:

• backup and restoration tests – the process and timeframe for backing up data and restoring it onto contingency servers
• connectivity tests – reconnecting sites after a telecommunications or data failure
• a full technology restoration test
• a full enterprise-wide test in which a firm relocates to its recovery site for one or two days carrying out business as usual

Planning the test – the key to planning the test is to understand the objectives of the test, which in turn will determine its
extent.

The test – the idea is to validate a process and identify weaknesses or errors in the plan. An independent observer can provide
objective feedback during the test. Feedback should be analysed after the test, and the lessons learnt from testing must be
applied to the plan and steps agreed to remedy any deficiencies. Assumptions on which the plan was based should be
reviewed in light of the test results – that is, the business continuity strategy has to be re-evaluated or changed.

Study “Testing the plan” in chapter 11.

11.4.8 Maintenance and continuous improvement

Testing is a practical way to review the business continuity plan and the assumptions on which it is based. All risks,
assumptions and critical recovery requirements should be regularly reviewed to ensure that they are up to date and
appropriate for changing business circumstances. Training ensures that the firm will be prepared for any eventuality, and it is
essential that staff be familiar with the plan. Documentation at every stage means that lessons can be learnt and that the
process will be capable of being audited and properly reviewed.

Study “Maintenance and continuous improvement” in chapter 11.

11.5 SUMMARY
Scenarios are all about the unimaginable and the unthinkable.
They are practical exercises aimed at identifying events or combinations of events which could threaten a firm’s objectives
and even its existence. Scenarios bind all the elements of the framework together and test whether the operational risk
framework is robust and fit for its purpose.
Study “Summary” in chapter 11.

11.6 ACTIVITY

Self-assessment questions: Go to the Online assessment tool to do activity 11.6.

11.7 REFLECTION

Before you continue to the next lesson, reflect on the following personal questions:

a. Where, in your professional life, do you think you will be able to use the skills you have learnt in
this lesson?
b. What did you find difficult? Why do you think you found it difficult? Do you understand it now, or
do you need more help? What are you going to do about it?
c. What did you find interesting in this lesson? Why?
d. How long did it take you to work through chapter 11 for this lesson? Are you still on schedule, or
do you need to adjust your study programme?
e. How do you feel now?

Blunden, T & Thirlwell, J. 2013. Mastering operational risk: a practical guide to understanding operational risk and how to
manage it. 2nd ed. London: Pearson.
