How should organisations deal with vital knowledge held by employees in BCM projects?

Within many organisations, managing the human factor remains a challenging aspect of continuity planning. Many companies and organisations neglect to safeguard knowledge held by employees, information of vital importance to their business.
The interests of an organisation are even often sacrificed because these interests might perhaps invade the privacy or personal space of its employees. In case of a calamity, for instance a pandemic, the loss of vital information could have serious consequences for such an organisation.
For this reason, Business Continuity Planners have included, in the latest version of the Baucis BCM software, the ability for individuals crucial to the continuity of the organisation, such as line managers, object managers, internal or external contact persons or members of crisis management- or recovery teams, to produce and maintain a Business Testament.
An individual’s Business Testament specifies the vital knowledge, related documentation, ID’s and passwords, location and back-up location of documentation, keys, access cards and personal access codes.
It also contains information regarding particular representations, functions, responsibilities and powers of attorney held by the individual. This valuable information is stored in such a way that unauthorised access to it is prevented, yet its availability is guaranteed in the event of a calamity.
The availability of Business Testaments ensures access for the organisation to this information in case of the non-availability of the individual due to physical incapacitation, pandemic, unexpected departure or planned absence.
These persons are also allocated a Business Priority according to their most important function or role. This Business Priority indicates, amongst others, the securing, evacuation, relocation or vaccination of said persons to guarantee the execution of their essential roles in Crisis Management and Recovery.
The Business Priority of these individuals determines, according to their category, what specific guidelines are set by the organisation regarding their accessibility, their availability, the information they receive, travel allowances, observation during absence, etc. It also determines whether or not they may be supplied with a home workstation, mobile telephone or PDA with powerful e-mail features.

Through experience we have discovered that organisations utilising BCM software have succeeded in consolidating the Business Continuity Management function within one year, while this is not the case with organisations that use traditional tools (Word, EXCEL).

Initial investment

The most significant cost saving factor is that Business Continuity Management, supported by superior BCM software, can be virtually fully performed by internal personnel.Additional benefits of involving internal personnel include higher contextual quality of plans, familiarity with plans, protection of information and a consistency in the personnel performing Business Continuity Management functions.Around 60% of out-of- pocket expenses may be saved by involving internal personnel instead of employing external consultants.
Savings on initial projects for small organisations (indic. 500 workplaces) may amount to tens of thousands of euros, for medium-size organisations (indic. 2.500 workplaces), around 100.000 euros and for large organisations (indic. tens of thousands of workplaces) a number of hundreds of thousands of euros.

BCM maintenance costs

Major savings may be achieved regarding BCM maintenance because, through the implementation of a relational database environment, the costs of maintaining Business Continuity Plans are minimized. Over a four year period, the annual BCM maintenance costs of organisations which use high-quality BCM software will be around 35% of organisations which don’t.

What is the responsibility of the Crisis Management Organization?

Many organisations pay disproportionate attention to essential Crisis Management tasks such as evacuation, victim support, emergency accommodation, crisis communication, etc.
Not enough focus is placed on business contingency procedures and disaster recovery, aspects often neglected during Crisis Management exercises or simply not considered to be responsibilities of the Crisis Management Organisation.

In our opinion, the Crisis Management Organisation is responsible for Crisis Management, Business Contingency Procedures, item recovery and process recovery.These further responsibilities require thorough preparation and planning, in-depth knowledge and expertise, insight and an understanding of the organisation and its environment.
We have noticed that the necessary insight and understanding are often absent within many organisations, resulting in fall-backs to improvisation and assistance from third parties when faced with serious crisis situations.
An effective Crisis Management Organisation should include crisis management-, business contingency-, item recovery- and process recovery teams. These teams should consist of members of business management, ICT management, facility management and key suppliers.

Is item recovery determined by Business priority or by Technical priority?

Business Continuity Planners differentiates between the Business Priority and the Technical Priority of items.The Business Priority of items is determined by the processes most dependant upon those items. Technical Priority is determined by the significance of the technical function of an item: In case of a complete loss of IT configuration, the domain controller should have priority over the application server.
When recovering the configuration, the Business Priority determines the maximum permitted recovery period. However, when dealing with items of similar Business Priority, the Technical Priorities will determine the sequence of recovery procedures performed by recovery teams.

Is risk analysis mandatory during a Business Continuity Planning project?

1. To determine the net risks in an objective manner in order to prioritise the development of strategically sound continuity plans designed according to the most significant net risks.
2. To not only establish remedial measures for use during continuity threats, but to avoid the necessity to use the organisation’s continuity plans through the establishment of preventative measures.
Organisations which prefer not to perform risk analysis may find that their continuity strategies and plans are not relevant to the most significant net risks, or that valuable remedial measures are implemented while the possibly more effective preventative measures are overlooked.

In the Baucis BCM Software, Business Continuity Planners discerns between around 70 continuity threats. These are classified as follows:
External short -dangerous substances, strikes, traffic problems, etc.External long -fire, explosions, flooding, etc.Internal -computer viruses, operations errors, sick leave, etc.
In general, the recovery measures for all ‘External long’ threats are strategically similar. The same may be said for the recovery measures for ‘External short’ threats: the recovery measures used after the evacuation of premises following the release of asbestos due to a fire at a neighbouring industry will be similar to the measures implemented after the detection of legionella in an organisation’s water supply.
However, recovery measures dealing with ‘Internal’ threats will be strategically specific according to the threat: measures designed to deal with inexperienced system operators will differ vastly from measures designed to deal with labour conflicts.
For this reason it is imperative that BCM tools like the Baucis BCM Software offer users the ability to develop specific (alternative) strategies for dealing with internal threats and the ability to develop combined strategies for dealing with ‘External short’ and ‘External long’ threats.