Business continuity (BC) is typically viewed in the context of responding to specific events, rather than as a tool for effectively managing an organization. But BC activities can add value to the corporate governance process.
Corporate governance includes a variety of separate activities that collectively provide a foundation for achieving goals set by management, whether revenue targets, number of units sold or increasing the organization's market position.
Most corporate governance models assume the business will continue to operate during a disruptive event without full consideration of the potential outcomes. Realistically, it is highly likely a business will experience a life-threatening disruption at some time during its existence. So, it is important to understand how BC fits into and enhances the governance process.
According to the 2013 edition of the Good Practice Guidelines from the Business Continuity Institute (BCI), BC is a "key contributor to effective corporate governance by helping interested parties ask searching questions." We'll examine each of these questions and offer tips to address them.
How resilient are the company's business and operating models?
Business and operational models should be designed to succeed, not fail. But it's also essential for business leaders to identify where potential failures or other disruptions may exist, how and why they might occur, and how to survive them. A business impact analysis (BIA) coupled with a risk analysis can identify things that could go wrong and how the business may be impacted, allowing you to prepare for and deal with such occurrences.
What are the key value-creating products and services?
This is what business is all about: creating and selling products and services that offer value, and thus are desirable and worth buying. A well-planned BIA can identify critical products and services, and the impact their loss would have on the organization.
What are the firm's key dependencies, e.g., their priority assets and processes?
Within any organization there are a variety of dependencies. Primary dependencies might include staff, electric power to run systems, office space for employees to work, and systems and data the company needs to provide its products and services. Additional dependencies can be identified by examining an organization's supply chain. Disruption to a specific supplier in a supply chain could affect the organization's ability to deliver products and services. A BIA and a supply chain analysis can identify and prioritize these dependencies.
How would the organization respond to a loss of or threat to any of the above?
Without a plan to identify, assess and respond to potential disruptions, an organization's ability to govern in an emergency may be severely hampered. The firm's potential to "weather the storm" and subsequently return to business as usual can be greatly increased with documented and tested BC and technology disaster recovery (DR) plans.
How well does the organization know the principal threats to the business, both today and on the horizon?
With vast amounts of historical data, as well as algorithms and systems that can analyze current and past data to project future scenarios, business leaders have additional insights on how to guide their organizations in the face of uncertain times. But this is not enough. When unplanned incidents threaten the firm's direction, good governance includes BC and technology DR activities to get back on track and resume course.
How well can the organization be assured that its continuity plans will work in practice?
While we advocate BC as an important part of a corporate governance process, good business continuity practice demands that plans and other related activities are regularly reviewed and tested to ensure the following:
- The people entrusted to run the plans in an emergency are prepared to do so.
- The systems and operational assets the organization needs are fully recoverable from wherever the organization operates.
- Senior managers are fully prepared to modify and adjust business policies and procedures after the incident to ensure that "business as usual" can be achieved.
Additional corporate governance process tips
Consider implementing a business continuity management system (BCMS) as part of your organization's corporate governance process. The structure and elements of a BCMS are clearly defined in ISO 22301:2012, the global BC standard. The BCI's Good Practice Guidelines define a BCMS as "that part of the overall organization's management system (of governance) that establishes, implements, operates, monitors, reviews, maintains and improves business continuity."
Ensure your BC activities include documented policies, people with defined BC roles and responsibilities, documented procedures that implement the policy, execution of specific projects that support the overall BC program and sufficient resources to implement the BC program (staff, budget, time and facilities).
Good governance must also include activities that keep a business functioning in the face of risks and unplanned events that threaten the firm's continued existence. Business continuity and technology DR are thus recommended as essential elements of good governance.
About the author:
Paul Kirvan, CISA, FBCI, works as an independent business continuity consultant and auditor, and is secretary of the U.S. chapter of the Business Continuity Institute and member of the BCI Global Membership Council.