What types of incident is business continuity meant to deal with?
This week I discuss why having a clear scope of the incidents that business continuity is designed to deal with is important within your organisation.
Scope of incidents
Yesterday I had a good chat with a member of the Business Continuity Board, who is also an FBCI and has been involved in writing many of the ISO standards, so he knows his business continuity (BC). The chat was initially about a technical issue in the Good Practice Guidelines (GPG) 2018, but we then had a general chat about all things business continuity, ranging from ‘Adaptive Business Continuity’ to the BCI’s response to COVID-19. One of the subjects we got talking about was the scope of incidents that business continuity is designed to deal with. This thought was also in my mind after the Emergency Planning Society’s weekly email highlighted a report by the UK Parliament’s Public Accounts Committee on the government’s response to COVID-19. The report, which was quite critical of our government’s preparation and response, included the following comment: ‘it is not clear whether lessons have been learned on the need to plan now for dealing with economic impacts if COVID-19 cases rise again’.
The scope of business continuity incidents was always PPRS. This was taken from the previous version of the GPG. The scope was the loss of: P=Premises, P=People, R=Resources and S=Suppliers. I think there has always been an ambiguity within the scope of business continuity: it previously included the loss of IT, but it did not include planning for a cyber incident. The impact of a cyber incident, such as a ransomware attack, can include the loss of IT, but it can also include a data breach. A breach that exfiltrates data without destroying it does not stop the organisation delivering its services to customers, so it falls outside PPRS; what it does create is a reputational (and regulatory) issue, and many ransomware attacks now combine the two, encrypting systems and stealing data at the same time. As part of the development of the BC lifecycle, you are told within Implementation to develop a strategic team, and the GPG offers this guidance: ‘Some crises or incidents do not involve physical disruption to the organisation and may not require the invocation of a business continuity plan, however, they still require a strategic-level response, for example, fraud or negative media exposure that threatens the organisation’s reputation’. Beyond mentioning reputational issues, the GPG does not give any further guidance on how to plan for and then respond to them.
Is economic impact in scope of BC?
One of the major issues around the world is the economic impact of COVID-19 and the global shock of lockdown. This has had, and will have, a far greater impact than the virus itself, causing a number of organisations to close. The Public Accounts Committee report treats protecting the economy as part of the scope of the response to COVID, but for most of us business continuity practitioners the question is whether we see it as our role to involve ourselves in planning for, or responding to, economic downturns and their impact on our organisation.
Business continuity professionals should have the skills to plan for reputational incidents as well as PPRS incidents. They should also be able to build a robust incident management hierarchy that gives senior managers a framework, and a set of incident management tools and techniques, for responding to the economic impact of COVID, even if managing the economic impact itself is not one of the BC professional’s core skills.
Be very clear with senior managers about the scope of BC
Where I think all business continuity professionals should be very clear with their senior managers and clients is on what the scope of the business continuity they are offering actually is. Some clients of mine use business continuity as a general term that also covers crisis management, and expect the scope of planning to cover any incident, whilst others see business continuity as having a strictly PPRS scope and treat crisis management and reputation as separate planning issues. Because emergency response, crisis management, business continuity and disaster recovery mean different things to different individuals, organisations and industries, you need to have the conversation with senior managers or clients to make sure they are clear on the type of incidents you are planning for, whether you are developing an incident response capability, and what type of incidents it is designed to deal with. What you want to avoid is an incident occurring and your organisation thinking you have planned for it, when in fact you have designated it out of scope and decided it is not your role to plan for it. If this happens you may be looking for a new role! Be clear on what you are expected to plan for, and ensure that everyone within your organisation is clear on your planning responsibilities.