Unit 2: Concepts & Definitions
• Concepts and definitions
• Business continuity within a holistic approach to resilience
• Theoretical state of the art
• Business continuity management key concepts
• Isn’t business continuity just another kind of risk management?
• All analyses must be «objective»
• «Critical» does not mean «important»
• Main takeaways
Concepts & definitions
But now it’s time for definitions!
So far, we have mentioned both organizational resilience and business continuity management, implying that the latter is a significant component of the former.
But what exactly are our definitions? These are the most commonly accepted, as established in ISO 22300:2021.
Business continuity within a holistic approach to resilience
As we can see from the previous slide, business continuity is narrowly focused on the delivery of products and services, whereas resilience is a broader concept signifying the organization’s ability to absorb and adapt to changes.
This is because business continuity should be thought of as one of the many disciplines contributing to an organization’s resilience. It is indeed true that business continuity alone cannot make an organization perfectly resilient, but it is also true that, without proper business continuity arrangements, no organization can consider itself resilient.
Resilience must be a strategic goal of your organization, which should therefore give value to the many business functions and departments that contribute to achieving this goal.
Theoretical state of the art
In most cases, the state of the art of the various resilience disciplines is mandated by relevant international standards, issued by the International Standards Organization (ISO).
ISO standards define what constitutes a well-implemented management system that pertains to a given resilience discipline. For instance, ISO 22301:2019 defines the necessary elements of a BCMS.
Moreover, additional technical specifications (ISO/TS) set out more in-depth requirements for specific practices inherent to a BCMS (such as ISO/TS 22317 on the business impact analysis).
Business continuity management key concepts
There are many key concepts in business continuity management that every professional needs to keep in mind when implementing a business continuity management system, which ISO sets out and many professional manuals reference.
Implementing a business continuity management system can be done through a standard series of six professional practices, or project «phases,» but all methodologies rely on concepts that are often misunderstood.
These misunderstandings are important not only from the perspective of theoretical rigor, but also because they can cause unnecessary complications, redundancies, or other inefficiencies when an organization is attempting to implement or improve its BCMS.
Therefore, it’s important to make a few things clear right from the outset.
Isn’t business continuity just another kind of risk management?
There are overlapping interests, but business continuity management is not concerned with risk as the latter is properly defined.
Professor Ian Mitroff provided the famous definition of risk that is currently also included in ISO 31000, «risk is the effect of uncertainty on objectives.»¹ The risk of an event to an organization is, indeed, commonly calculated as some form of product of the probability of that event occurring and its impact, should it occur, on the organization.
In business continuity management, the probability of events occurring is, strictly speaking, irrelevant. To a large degree, so are the events themselves.
Business continuity management is interested only in an event’s consequences on the organization – what assets it would make unavailable, how this would impact delivery of products and services, and how to restore them.
To provide a stark example of the differences in approach:
• Business continuity provides protection against all those events that an organization thought would never happen, but always do.
¹ Risk Management — Guidelines, ISO 31000:2018, ISO, 2018.
“Risk is the effect of uncertainty on objectives.”
– ISO 31000
All analyses must be «objective»
There are many outcomes of a business continuity management system, but one of the main results is certainly a map of all the critical processes that go into delivery of key products and services (Unit 2 will illustrate how this can be achieved).
In the course of your professional efforts to implement a BCMS, you will need to engage with different areas of your organization, each with its own sensibility about the importance and criticality of its daily business as well as its own perception of risk and vulnerability.
If this diversity is not corrected for in your analysis, the result will be a collection of non-comparable responses. For example:
• Both the accounting department and the business department say that the impact stemming from their disruption would be «severe.»
What does «severe» mean here? Are we sure that they both have the same scale of consequence in mind? The problem is clear.
Therefore, ensuring that everyone is operating in a common «language» and with a common frame of reference is of primary importance.
«Critical» does not mean «important»
Business continuity is concerned with safeguarding the delivery of an organization’s products and/or services. One of the main methods through which it pursues this goal is to guarantee the continuity of the critical processes that underlie a given product and/or service. In case of a disruption, this means that critical processes must be restored more quickly than less critical or non-critical ones.
This does not mean that critical processes are any more important than non-critical ones. To illustrate what we mean, consider the following example:
• You are paying your bills online but the light suddenly goes off.
Now, paying your bills is certainly more important than your light being on or off at any given moment, but in this disruptive scenario, the immediate priority is making sure that the light comes back on – you simply can’t pay your bills without it.
Accordingly, in a business continuity context, we will say that «lights on» is a critical process.
Main takeaways
Business continuity management must be part of an organization’s broader resilience efforts, and no organization can be said to be truly resilient without good business continuity management practices.
Business continuity itself provides numerous advantages:
1. It safeguards delivery of products and services independently of any specific event;
2. It allows the organization to think rationally about its recovery priorities in the face of an incident;
3. It is a competitive advantage.