1 Business continuity
1.1 History
Risk, risk management, business continuity management, evolution
Any decision involves a risk. Peter Barge
The word risk may come from the Latin resecum, “that which cuts, reef” (hence the maritime sense of “steep rock”), or from the old Italian risicare, which means “to dare.”
Opportunities and threats are two sides of the same coin called risk. When the outcome is favorable we speak of an opportunity, when the outcome is unfavorable we speak of a threat.
About 5,200 years ago in the Euphrates region, a group called the Asipu acted as consultants in risk analysis for risky or uncertain decisions.
In Mesopotamia, around 3,900 years ago, insurance began as one of the oldest risk management strategies. The risk premium for ship and cargo losses in basic contracts was formalized in the Code of Hammurabi.
More than 2,400 years ago Pericles spoke about taking risks and evaluating them before carrying out an action. His compatriot Socrates defined eikos (possible, probable) as “likelihood of truth”.
Blaise Pascal and Pierre de Fermat laid the foundations of probability theory in the 1650s, which opened the door to quantitative risk assessment.
Pierre Simon de Laplace developed a risk analysis in 1792 with his calculations of the probability of death with and without smallpox vaccination.
Risk management is relatively recent. For example, the Basel II agreement on risk management requirements in the banking sector dates from 2004. Some prescriptive (non-certifiable) standards on risk appeared at the start of the 21st century.
A difficulty in risk management arises from the fact that the event concerned (the damage) takes place in the future. You have to imagine an event that may never take place.
No-risk situations do not exist
The 2008 global financial crisis called into question the contribution of risk management. Some have said that risk management methods have failed to avert this crisis. But the analysis reveals that this failure is mainly due to:
- the lack of a balanced analysis of the high benefits and the risks involved
- poor judgment of the improbability of certain events (poorly quantified level of risk) based on imprudent financial models
- poor monitoring of key parameters
- the divergent understanding of different stakeholders on risk appetite and attitude towards risk
- the collapse of wholesale money markets not anticipated by the credit models used by certain banks
Risk management has been considered in the past by some managers as something superfluous. These people believed that the main goal was to avoid risk. Since then, many have understood that risk is inevitable and intrinsic to any activity but must be reduced to an acceptable level.
Risk cannot be eliminated
Risk management has become a necessity; even the ISO 9001 standard (Quality management systems – Requirements) has included the risk-based approach since its 2015 version.
The risk that results from uncertainty can be managed. The ability to identify risk, analyze it, evaluate it, and then act accordingly is the basis of risk management.
Business continuity management is also relatively recent. One of the first standards concerning the business continuity management system (BCMS) dates from 2003: BSI PAS 56, Guide to Business Continuity Management, (see paragraph 2.2).
The first edition of the ISO 22301 standard (“Societal security – Business continuity management systems – Requirements”) dates from 2012.
Over the last few decades, most companies have become aware that the cost of implementing business continuity management is insignificant compared with the unfavorable consequences of a disruption, or even with the cost of the insurance to take out.
Some differences between risk management and business continuity management are shown in Table 1-1:
Table 1-1. Differences

| | Risk management | Business continuity management |
|---|---|---|
| Purpose | Risk reduction | Survival (resilience) of the company |
| Activity | Daily incident | Major disruption |
| Scope | A department | The company |
| Method | Risk analysis | Impact analysis |
| Subjects concerned | Likelihood and impact | Direct and long-term impact |
A fire breaks out in a computer center. The damage is enormous because it takes more than a month to restore the situation. The center had signed a backup contract with an external service provider, but the contract did not include a fire guarantee and had never been properly tested.
According to an Eagle Rock Alliance survey, 40% of the companies surveyed consider that 72 hours of interruption of their IT system is the critical threshold beyond which they risk bankruptcy.
The main objective of business continuity management is to ensure the survival of the business in all circumstances.
1.2 Implementation
Implementation, Deming cycle
Preparing for the worst is a realistic and pragmatic view of the world
The establishment and implementation of the ISO 22301 business continuity management system is shown in figure 1-1.
Figure 1-1. Implementation of the BCMS
Step 1 consists of explaining the importance of having a BCMS, identifying and defining the processes, interactions, owners, responsibilities and drafts of certain documents. With the participation of as many people as possible, the first versions of business continuity plans are drawn up.
In step 2, the resources necessary to achieve the business continuity policy and objectives are set. A plan of tasks, responsibilities and deadlines is established. Training for internal auditors is taken into account.
Step 3 allows you to define and implement methods to measure the effectiveness and efficiency of each process and business continuity plan. Internal audits make it possible to assess the degree of implementation of the BCMS.
Nonconformities of all kinds are listed in step 4. An outline of the various deviations is established. Corrective actions are implemented and documented.
An initial assessment of the tools and the scope of the continual improvement process is made in step 5. Risks are determined, actions are planned and opportunities for improvement are found. Internal and external communication is established and formalized.
To perform the BCMS pre-audit (step 6), the BCMS documentation is verified and approved by the appropriate people. A management review makes it possible to assess compliance with applicable requirements. The business continuity policy and objectives are finalized. A business continuity manager from another company or a consultant will be able to provide valuable comments, suggestions and recommendations.
When the system is correctly implemented and respected, certification of the BCMS by an external body becomes a formality (step 7).
An example of an ISO 22301 Certification project plan with 26 steps is presented in annex 01.
A relevant method for assessing the level of performance of your business continuity management system is the RADAR logic of the EFQM (European Foundation for Quality Management) excellence model, with its 9 criteria and its overall score out of 1000 points.
The PDCA cycle (Plan, Do, Check, Act), or Deming cycle (figure 1-2), applies to the control of any process. PDCA cycles are a universal basis for continual improvement.
Figure 1-2. The Deming cycle
- Plan, define the context, issues and processes, demonstrate leadership, establish business continuity policy and objectives, address risks (clauses 4, 5, 6 and 7)
- Do, demonstrate leadership, analyze the business impact, provide support, establish strategies and solutions, carry out business continuity plans and test them (clauses 5, 7 and 8)
- Check, demonstrate leadership, evaluate, inspect, conduct audits and management reviews (clauses 5 and 9)
- Act, adapt, demonstrate leadership, address nonconformities, react with corrective actions and find new improvements (new PDCA), (clauses 5 and 10)
To deepen your knowledge of the Deming cycle and its 14 points of management theory you can consult the book “Out of the Crisis” by W. Edwards Deming, published for the first time in 1982, cf. paragraph 2.3.
1.3 Benefits
Benefits, excuses
Preparing for war in peacetime
Often the decision to implement a BCMS and BCPs is taken after having suffered a crisis or a situation very close to a financial catastrophe.
Incidents, accidents, crises, disasters and catastrophes don’t just happen to others!
Each disruption is specific and often causes unexpected and different damage. Preparing for these events of natural origin (earthquake, flood, fire) or human origin (terrorism, cyber-attack, loss of qualified personnel) can only benefit us.
One response to a partial or total disruption, potential or actual, is to have a business continuity plan and a designated crisis team. Then you will be able to reduce certain risks, mitigate impacts and recover priority activities during and after a disruption.
Expected benefits of business continuity management:
- prevent crisis situations
- strengthen your resilience by assessing and reducing the consequences of a crisis
- maintain vital business operations during a disruption
- put in place civil protection tools and equipment
- raise awareness and train staff on the behavior to adopt in the event of a crisis
- protect the company’s assets
- reduce insurance costs (renegotiation of the contract)
- protect and improve the reputation of the company
- strengthen stakeholder confidence
- consolidate competitive advantage
- meet legal and regulatory requirements
- anticipate disruptive incidents and reduce the risk of disaster
- have effective processes to guarantee business continuity
- establish a reliable basis for decision-making in times of crisis
- analyze and understand the main threats and areas of vulnerability
- increase the likelihood of achieving objectives
- increase the opportunities to be seized
- reduce losses
Amazon, a global leader in e-commerce, implemented ISO 22301 to improve customer confidence in the company's ability to maintain its services in the event of a major incident.
ISO 22301 certification has allowed Amazon to demonstrate its commitment to the continuity of its services and to reassure its customers.
Amazon saw an increase in customer trust, demonstrating the importance of business continuity for e-commerce customers.
He who apologizes accuses himself
Common excuses for failure:
- it was the responsibility of top management
- this was not an explicit requirement in the contract
- how can we have an effective plan in the face of so many potential problems
- give me enough time and everything will be sorted
- in the event of a serious emergency situation, everyone's involvement will be completely different
- there was not enough time
- there was no staff available
- there are more important things to do
- I was sure we could cope
- I didn't realize it was so serious
- I didn’t think it was a key process
- I didn't think this would happen
- insurance had to take care of this situation
- the contract was already signed
- you cannot plan for the unexpected
A list of business continuity successes and failures can be found in annex 02.