Where does it end, or conversely, where does it begin? When one thinks of Business Continuity the thoughts are usually around the processes and capabilities that allow the organisation to recover from a disruptive incident. Of course much of the work is focussed in this area but what about either side of this?

Business Continuity disciplines can identify threats and potential single points of failure before they are realised. Useful stuff if the organisation is prudent enough to take action to reduce or eliminate them. Therefore we can already see that it is possible for Business Continuity work to make an upfront contribution towards protecting your organisation way before any conventional Business Continuity Plans have been written.

The point is that employing good Business Continuity practices can actually prevent and reduce the impact of incidents before they even occur. Not many people would consider that to be Business Continuity in it’s conventional sense, and are more likely to see it as risk management or resiliency. So if you are a Business Continuity consultant there’s a chance you won’t get any recognition for your work in this area from all but the more astute stakeholders.

I have debated in previous articles about whether organisations would be structured differently if Business Continuity consultants where involved in building them. Maybe so but organisations also need to operate within efficient economic models and this is the argument that generally wins out so a degree of risk is accepted and Business Continuity Plans are prepared so that the organisation can recover and survive a range of incidents.

And what of the other end? Where does Business Continuity end? When the Recovery Time Objectives have been met? When the organisation is up and running? When the organisation returns to normal operations? Remember, all plans should include the steps necessary to carry out a Post Incident Review. This is really important to ensure lessons learned are captured, mistakes can be identified so they won’t be repeated, improvements to plans can be applied and so on. All too often the organisation is so focussed on day to day business after the incident it’s easy to postpone or avoid the Post Incident Review.

Typically a Post Incident Review will identify changes or follow up actions which may require time or investment to address them. Someone needs to own and take charge of these actions because otherwise they risk being overlooked or lost in the maelstrom of ongoing activity. Your Business Continuity Manager or consultant is often well placed to drive such activity.

Back to the question then. Does Business Continuity stop when the Post Incident Review has been done? Does it stop when all the actions have been completed?

Both BS 25999 and ISO 22301 refer to the Plan, Do, Check, Act model often illustrated as a continuous cycle generating ongoing improvements. Is there an end?

I like to see things finished off properly, I like to see the loose ends tied up. How about you? Are you happy to restrict your Business Continuity activities and run the risk of dealing with unnecessary or repeated incidents?

Surely prevention is better than cure so maximise the use of your Business Continuity consultant, manager or coordinator to help you be better prepared.

As always, if you need any help with your Business Continuity activities just give me a call.

February 11, 2013 at 10:09 am
Return to All News
Category: Planning
Tags: , ,