A Risk Management Approach to Business Continuity: Aligning Business Continuity with Corporate Governance


Consultants with experience in 50 countries show how to integrate business continuity, risk management, and corporate governance enterprise-wide. They focus on factors to consider in developing a comprehensive Business Continuity Plan. Includes case...


Chapter 1: A Risk-Based Approach To Business Continuity

Objectives of This Chapter

• Track the development of risk management from its roots of origin to modern practice
• Provide risk-related definitions
• Develop the link between risk management and business continuity management as part of a risk management framework
• Introduce the theme of risk management and business continuity management as part of good governance and business management

Risk - a Moving Target

Ten years ago, if you had picked up this book, because of the reference to risk in the title, you probably would have been a finance director, internal auditor or treasurer. This statement should not come as a surprise to the reader. In the early 1990s Board-level interest in risk management and internal controls was largely focussed on financial and treasury issues, and although there were some organisations that took a wide-angle view of risk and controls beyond finance, even in these cases, attention was generally focussed on hazard-related or insurable risk. With broad insurance coverage at highly competitive prices freely available a decade ago, there were very few reasons for


Chapter 2: Stakeholders

The objectives of this chapter are to:

• Begin the process of understanding the operational risks to the organisation and, above all, the potentially destructive impact of some risks.
• Recognise the wide range of the stakeholders in the organisation, and understand their importance, their roles and their needs.
• Ensure sensitivity to these stakeholders’ roles when undertaking risk assessments, business impact assessments, and any subsequent risk management activity.
• Understand both the role of the stakeholder who plays a part before a risk incident, and the potential additional impact of new stakeholders who emerge as a risk incident is unfolding.
• Set the wider scene for the risk assessments, business impact analyses and recovery planning subjects that are covered in later chapters.

The Organisation

The corporate model for a hundred years or more has traditionally “manufactured” the product or service from within the organisation’s own production lines. Using its own employee labour force it has taken the raw materials through all of the processes necessary to deliver the end product or service, finally, to its waiting customer or wholesaler. These organisations had operational risks around the physical buildings, contents and machinery and around the workforce itself. They could incur legal liabilities to their workforce, product liabilities, or public liabilities in the event of a failure that caused loss or damage to another.


Chapter 3: Governance, Good Practice, Standards, Regulation and the Law

Objectives of This Chapter are to:

• Consider the position of governance, good practice, standards, regulation and the law in the risk management framework
• Examine the relationship between governance, good practice, standards, regulation and the law
• Explore each subject in sufficient detail to appreciate the position of these in terms of business continuity management
• Analyse the global response of organisations to business continuity management regarding each of the issues

Taking Control - the Position of Governance

While the expressions governance and corporate governance are widely used, there is no generally accepted definition or model for corporate governance, although there are common themes which run through most governance models produced by industry and professional groups.

Governance refers to oversight mechanisms including the processes, structures and information used for directing and overseeing the management of an organisation. Most models and definitions of governance focus on organisational performance for the benefit of stakeholders and how organisations are directed, controlled and held to account. The simplest and least ambiguous definition is provided by the Organisation for Economic Co-operation and Development (OECD) which is: “… the system by which entities are directed and controlled” and which goes on to expand


Chapter 4: Culture, Strategy, Performance, Risk and Business Continuity

Objectives Of This Chapter

• Examine the impact of cultural differences in terms of external and internal influences
• Explore how risk management and business continuity management can be embedded as part of good management practice
• Consider the position of risk management and business continuity management in the strategic and operational planning processes
• Review the risk environment in the context of what is at risk and what impact discontinuity might have on an organisation and its vision, values, culture and risk tolerance
• Consider business continuity at all levels internal and external to the business environment and in the context of enterprise risk management and enterprise business continuity management
• Examine how the board is engaged and attention sustained through demonstrating how value can be added to the organisation


Chapter 5: Getting Started: The Business Continuity Management Cycle

Objectives Of This Chapter

• Consider how to engage the Board in appreciating the need for business continuity management
• Discuss the communication and embedding of business continuity management throughout an organisation
• Recognise the wide range of the stakeholders in the organisation; understand their importance, their roles, their needs and engagement
• Introduce the Business Continuity Management Cycle
• Compare and contrast the Business Continuity Cycle to the Risk Management Cycle

Engaging The Board - Business Continuity Management As A Sustainable Investment

Many organisations make an error in judgement when trying to engage their board. That error is to capture the board’s attention by setting out details of the most recent incident to affect the organisation and to use this as the reason for seeking their support for business continuity management. While this is one useful tool in the business continuity manager’s toolkit, this approach in isolation is unsustainable, and could backfire.


Chapter 6: Introduction to the Business Impact Analysis

The Objectives Of This Chapter Are To:

• Understand the role and the values of a Business Impact Analysis (BIA) within the business continuity management process
• Understand the BIA framework, its needs, its players and its ownership
• Enable a consistency and clarity of objectives
• Enable a consistent, clear, and measured communication of risk issues
• Access and evaluate sources of information
• Consider the opportunities for decision-making around risk information evolving from the


Risk: Definitions

A risk is the threat that an event or action will adversely affect an organisation’s ability to maximise shareholder value and to achieve business objectives. Risk arises as much from the possibility that opportunities will not be realised as it does from the possibility that threat will materialise or that mistakes will be made. A risk is integral to all opportunity and is as much about opportunity as it is about threat.


Chapter 7: The Business Impact Analysis: A Hitch-Hiker’s Guide

The objectives of this Chapter are to:

• Understand practical considerations when moving forward to deliver a BIA
• Identify the options to obtain information and gain trust in the balanced picture being developed
• Explain the importance of thorough investigations into cause and effect and thus aid credibility in the final document
• Consider some options for tools to present risk concepts in a clear and concise way, ready for decision-making


We have stated that the BIA has two challenges. One is to understand what risk incidents may occur and divert the organisation from its business model and plans. The second is to understand critically the very arteries of the organisation, including its relationships with a whole range of stakeholders.

By bringing these two together the BIA can create real information around which decisions can be made and money and other resources invested. This information is equally about the dependencies of the organisation and just how quickly they need to be reinstated to ensure survival of the organisation. Furthermore, the principles apply whether the organisation is a profit-making company or a not-for-profit organisation. The stakeholders may be different but the pressures and headline responsibilities are the same. We have also stated in our objectives to this chapter that the


Chapter 8: Application and Uses of BIA Information
Objectives Of This Chapter

• Illustrate the wider role and the practicalities of the BIA by reference to individual risks
• Consider individual risks and impacts related to:
  - Intellectual assets
  - Physical damage to workstations and production lines
  - Outsourcing and the value chain
• Illustrate the differing values of the BIA, including the creation of tools and information that lead directly into business recovery plans


In this chapter we lead the reader through the uses and the application of BIA information once it is obtained. We propose to illustrate this by reference to risks that we believe are worthy of individual attention. In this way we hope to be able not only to bring out some special features of these risks, but also to illustrate, by example, the wider message about how BIA information can best be used across the organisation. The risks we have chosen represent challenges to the risk manager in three different arenas;


Chapter 9: Technology, Exposures and Continuity
The Objectives Of This Chapter Are To:

• Consider the special dependencies and the exposures around the technological services to an organisation
• Embrace the dependencies and interdependencies of centralised computer services, distributed systems, communications and end user equipment, and embrace the exposures around laptops and other remote equipment
• Encourage the risk manager to embrace the risks within both in-house and outsourced services and dependencies
• Bring together and match the opportunities available from the technology suppliers with critical and urgent operational needs
• Consider the special expectations, exposures and dependencies of e-commerce
• Ensure the risk management and continuity of computerised systems embrace the mutual dependencies between technical services, the “old technologies” and people
• Once the dependencies and opportunities are clear, encourage the organisation to develop technological continuity plans that will precisely meet those urgent, crucial needs


Chapter 10: Dependency Management: Supplier Management, Outsourcing and Business Support
Objectives Of This Chapter Are To:

• Provide definitional language for supplier management, outsourcing and in-sourcing
• Explore the implications of supplier management and lead times for replacement following loss or disruption
• Examine the issues involved and the planning required in managing the exit from an outsourcing agreement
• Examine, with the use of case studies, the implications of single-source and critical components in production and supply-chain processes
• Investigate the issues associated with production-line management techniques, including just-in-time
• Consider the services provided to support business continuity management and the issues of dependency associated with these
• Offer an approach for dovetailing business continuity with supplier and outsourcing management

Transferring Risk, Not Responsibility


Chapter 11: Opportunities and Other Applications for Business Continuity Tools and Principles
Objectives Of This Chapter:

The objectives are to consider the work done and the tools that have been created in the business continuity field and:

• Recognise where those principles and tools can be used elsewhere in the organisation
• Make as much additional use as possible of the Business Continuity tools, information and resources that have been created
• By maximising all such values, improve the business case further for the resources and time applied, and any monetary investment made in business continuity management, and
• Illustrate these additional values by considering individual exposures

The Principles and Tools To Be Applied

We will begin this chapter with a reminder of the principles we believe are at the very core of business continuity risks and continuity planning. They are relatively straightforward and common sense in nature, but it is important that, as we delve into detail from time to time, we do not lose sight of the overall objectives. We have stated that they are:


Chapter 12: The People Factor
Objectives of this Chapter are to:

• Gain an appreciation of the issues associated with people and business continuity management
• Gain an understanding of why some people excel following an incident while others falter, and what makes the difference
• Examine the dynamics of team performance, the team players and issues associated with plan invocation and recovery
• Consider the people success factors of an invocation
• Examine post-trauma considerations and management
• Consider supply chain, outsourcing and off-shoring people-related issues
• Consider business continuity management training and education needs and the options for delivery

The People Factor - An Introduction

Scientific research has discovered that frogs cannot perceive an increase in surrounding water temperature if the water is heated gently so that the increase is slow and steady. Eventually the frog dies, still unaware of the threat it faced.


Chapter 13: The Value of Insurance When Facing Potentially Catastrophic Risk
Objectives Of This Chapter Are:

• To consider insurance products from the viewpoint of the critical or catastrophic risks carried by an organisation
• To understand whether and where insurers’ products and the insured’s need for continuity interface effectively with each other
• To assess the value of conventional insurance products to organisations facing potentially catastrophic damage
• To identify in particular where these insurance products do not provide protection for the continuity needs of an organisation

Assessing Insurance Needs

It is a major disappointment, when looking at many an organisation’s insurance programme, to see just how much the design of the protection package is driven by the ‘off the shelf’ insurers’ products rather than by the risks of the organisation itself.

Where there are large numbers of small value and smaller premium risks – say households, shopkeepers, hoteliers, smaller manufacturers etc. - there is a real value in accepting ‘off the shelf’ products. The smaller commercial insured can see that there is value in accepting the ‘package’ even if it provides protections that it does not need, because negotiating individual changes would cost more than the premiums that have been built in for the risk protections that are not needed. The very real danger here however is when the package does not provide protections that are needed. We will revert to this issue in this chapter.


Chapter 14: Communications

Objectives Of This Chapter Are To:

• Examine the role of communication
• Consider aspects of reputation
• Consider communication by stakeholder and the options available
• Gain an appreciation that building resilience applies to communication too
• Consider communication as part of the planning process
• Consider communication as part of the notification, invocation and recovery processes
• Evaluate the opportunities and threats associated specifically with the media
• Review the communications issues associated with team training, rehearsal and exercising

Communication And The Organisation

The ability to communicate is ranked the number one key to an organisation’s success by leaders in business, government and the professions. “It can sell a point of view, gain media attention, win over an audience, make a sale or enhance one's career.” (1)

In this Chapter we will examine internal communication and that external to an organisation as part of the planning process and post-incident.


Chapter 15: Emergency and Governmental Services
Objectives Of This Chapter Are:

• To consider the role that emergency services and other governmental departments play in business continuity
• To consider the role that emergency services and other governmental departments play in crisis management
• To explore the value in understanding those roles and in cooperation when undertaking a process of continuity management
• To recognise the opportunities and challenges brought by public authorities throughout the management of a business-threatening incident


The Business Continuity Institute advocates as one of its ten certification standards for business continuity practitioners, that they establish “…applicable procedures and policies for coordinating crisis, continuity and restoration activities with external agencies (local, state, regional, national, emergency responders, defence, etc.) while ensuring compliance with applicable statutes or regulations.” (1).


Chapter 16: Rehearsals and Exercising of Plans and Risk Decision-Making
Objectives Of This Chapter Are To:

• Discuss the importance of ensuring as much credibility as is possible in catastrophic risk management and continuity planning
• Consider the values of rehearsal training and exercising of people, and the resources that are expected to be used
• Understand the use of exercising and rehearsal training as a quality measuring tool for decision-making around risk
• Understand the importance of exercising plans as a vital check that these plans are still up to date
• Consider the different types of exercises that are available to the risk and continuity manager and where different styles best meet different requirements
• Consider guides and standards that are available on exercising, and their use as benchmarking tools
• Understand the limitations as well as the values of exercising

The Need For Credibility


Chapter 17: Maintenance, Benchmarking, Assurance and Audit
Objectives Of This Chapter Are To:

• Review the drivers and options for plan review and maintenance
• Consider the role of benchmarking tools
• Discuss quality assurance and compliance in the context of business continuity management
• Explore the validation of business continuity plans through the processes of internal and external audit

Know where you are heading

Ferdinand Magellan was a Portuguese navigator who travelled around the world. He died in the Philippines but his crew continued the voyage, and many people think it was the greatest navigational feat in history. However, when Magellan set off he did not know where he was heading, during his travels he did not know where he was, and when his crew returned they did not know where they had been!

Today’s world is rather different and organisations most certainly need to know that the path they are travelling is the one they have chosen, and how well their journey is working out against their plan.


Chapter 18: Developing a Plan: Putting Theory Into Practice
Objectives Of This Chapter:

• Examine the purpose of a plan
• Explain the plan components
• Outline the stages of an incident and how plan design can address these
• Consider the differing needs of the small, medium and large organisation
• Review specialised planning needs from call centre to board-level crisis
• Examine team characteristics at various positions within an organisation’s plan framework
• Review support services and suppliers
• Evaluate the role of software
• Consider where Business Continuity Management is heading as a discipline, both independently and as part of Risk Management

“Plans are nothing. Planning is everything.”

Before You Start Writing …

In this book we have provided a view on the relationship between business continuity and risk management. We have travelled through issues as diverse as business impact analysis, culture, outsourcing and audit and arrived at the point where this knowledge can be harnessed and the production of a programme and plans may begin.
