MAL49 MAL 49:22 | Page 44

nearly impossible to predict and , thus , to prepare for . That ’ s why one could argue that the title of this article is contradictory . Although no one can predict Black Swan events , organizations can take measures to lessen their effects . It ’ s vital to note at this point that preparing for Black Swan events necessitates preparing for White and Grey Swan events as well , Swans whose retrospective risks should already be detailed in your organization ’ s risk registers .
Many organizations make the wrong assumption that the downtime or outage they set as their maximum tolerance is also the acceptable downtime for their customers and other stakeholders . Because of this , businesses are urged to invest in effective Business Continuity Management ( BCM ) systems that give all stakeholders the assurance the organization shall be able to function properly even in the event of a catastrophe . Finding the White Swans , Gray Swans , and Black Swans when implementing the Risk Management Process is one of the BCM program ’ s responsibilities . This enables the organization to effectively mitigate retrospective and prospective risks . Within the wider all-encompassing Business Continuity Management program is the Business Continuity Plan ( BCP ), the manual that specifies the individuals , responsibilities , procedures , resources , activities , and redundancies to be used in the event of a disruption .
The Relationship between Business Continuity Management ( BCM ) and Business Continuity Planning ( BCP )
Business Continuity Management ( BCM ) is about more than the reaction to a natural disaster or cyber-attack . It begins with the policies and procedures developed , tested , and used when an incident occurs . The Policy defines the program ’ s scope , key parties , and management structure . It articulates why business continuity is necessary and why good governance is critical in the disruption phase .
On the other hand Business Continuity Planning ( BCP ) is the framework by which organizations protect and sustain business functions during a disaster ( natural or man-made , e . g . pandemic , cybersecurity breaches ). It seeks to ensure that organizations can prevent , respond , and recover from business disruptions . A common error made by some
44 MAL49 / 22 ISSUE
organizations is assuming that a Business Continuity Plan can be used in isolation to handle disruptions to operations . This strategy can turn out to be disastrous since a BCP can only be developed and operationalized effectively if it is based on a structure that supports its management and upkeep . This structure is the Business Continuity Management system that we have described earlier on . Business continuity planning therefore becomes a set of sound risk management techniques connected together because the structure supporting it is a sub domain of the overall Enterprise Risk Management . It then follows that a well-established Business Continuity Plan should include incidence response , disaster recovery , and crisis / emergency management .
Organizations that have increased their capacity for resilience have moved beyond crisis / emergency management to prepare for black swan events by adding a renewal / rescaling component beyond the catastrophe recovery phase .
Hence , it ’ s incumbent on senior leadership to ensure that Business Continuity planning begins with having an effective Enterprise Risk Management System that contains risk management principles , a risk management framework and a risk management process .
A major consideration when establishing the BCP includes identifying the mission critical functions and related business-critical processes , activities and dependencies which if disrupted will adversely impact operations .
An impact assessment is carried out to identify and predict business disruption consequences which in turn enables the organization to gather information for developing recovery strategies . A large part of this assessment involves ascertaining how soon after the disruptive incident each activity needs to be resumed . It therefore becomes critical for an organization to establish whether risks leading to a disruption fall under Black Swan , Grey Swan or White Swan category . An organization can only determine the proper risk reduction or treatment techniques when the categorization is accurate .
Why Organizations Are Hesitant To Adopt Business Continuity Management
Losses from business disruption are covered by our insurance policy
Indeed Commercial Insurance can help pay the costs of property damage , lawsuits and lost business income and other actual business loses and expenses associated with the restoration of business services . What Commercial Insurance is unlikely to cover is the loss of your clients , reputational damage , and drop in overall market share , or any project-related delays associated costs . Hence Commercial insurance is not a business continuity strategy . In some circumstances , your insurer may even insist