Integrating Crisis Management & Business Continuity for a successful response
Many organizations treat Crisis Management (CM) and Business Continuity Management (BCM) as separate disciplines with separate reporting lines. Consequently, they often lose the ability to take advantage of these two disciplines’ inherent interconnectivity when managing a disruptive event that threatens the reputation and/or continuing operations of the organization.
In these organizations, the challenge is often that the response to an event is seen through different lenses. For example, when a severe IT disruption occurs, it is usually treated, at least initially, as purely a technical event with its own language and its own taxonomy. This is the traditional technical Incident Management process in which Business Continuity may have little or no role to play. However, this approach often lacks the articulation of the severity of the impact in business terms and the appropriate management actions required to ensure a response by the organization. This “non-integration” can lead to a delayed business response and reputational damage, as misalignment between the technical response and the organization as a whole results in conflicting actions. Greater integration between CM and BCM can improve an organization’s ability to respond to disruptive events by reducing the risk of delays, conflicting priorities and miscommunication.
BCM is defined as a holistic management process for identifying potential impacts from threats, and for developing response plans. The objective, ultimately, is to minimize the impact of disruptions by increasing the speed of recovery.
Crisis Management is the overall coordination of an organization's response to a crisis, with the goal of avoiding or minimizing damage to the organization's profitability, reputation, or ability to operate.
The differentiating factor is the level at which these functions are implemented. The CM function is usually a strategic function implemented by the ‘Gold Team’ (typically the Executive Team); the BCM function is an operational function, implemented by the ‘Bronze Team’ (typically the Operational Teams). What sits between these two functions to facilitate the process is the tactical function implemented by the ‘Silver Team’ (typically the Management Team).
Diagram 1 shows the hierarchy as well as the illustration of integration. CM and BCM can collectively be described as two halves of the same coin, each side with their own objective, but working symbiotically to strengthen the outcome.
CM does not always have to be invoked by the Gold Team. CM can also be implemented at the Tactical level by a Silver Team, perhaps at Divisional level. This will depend on the size of the organization as well as the nature of the disruptive event. Both the levels of application will result in the operational function being implemented by the Bronze Team. It will be the nature of the event and its impact that will determine the level of activation required.
To better understand the above process, we will use the following example from the financial services sector. The trading systems in the Capital Markets Division becomes inaccessible due to a faulty switch on the trading floor in one area of the building. The scenario only impacts the trading operational function and Capital Markets as a Division. The event is deemed a crisis due to its potential for far-reaching financial impacts on the organization. It is now dealt with at a tactical level by the Silver Team (Management). The Divisional Crisis Management plan is implemented. The decision is made to invoke the trading team continuity processes (implemented by the Bronze Team) and move them to alternate premises to resume the critical service. The Tactical Team keeps the Gold Team (Executive) informed of the impacts of the incident and the status of the resolution. Should this event escalate to have a broader impact on the organization by starting to impact other services such as Payments and Client Services, the event will be escalated to the Gold Team to make organizational decisions to mitigate regulatory and reputational impacts.
This example illustrates how integration of CM and BCM is applied during an event.
What are the benefits of integrating Crisis Management and Business Continuity?
- Ensure a seamless response from all levels of the organization as roles and responsibilities and expected actions are clearly defined and understood in both the Business Continuity function and the Crisis Management function. This allows the organization to focus on resumption in a shorter timeframe.
- Having established Business Continuity representatives allows the organization to identify Operational issues and their strategic impacts in a quicker way. This also ensures faster escalation de-escalation, resolutions and resumption.
- Provides a sense of “everything is under control”. The disruptive event is managed by appropriate and competent teams, which helps to protect the brand and stakeholders’ interests.
- Enhanced communication channels. The CM function gathers relevant information from all three levels and disseminates it to the stakeholders.
- When CM and BCM work together through a disruptive event, a sense of interconnectedness is formed which helps the organization to better achieve the goal – business continuity.
- Enhanced Transparency and end-to-end reporting of incidents, which allows for an all-inclusive view of the event, as well as identifying areas of improvement and lessons learnt.
How do we integrate Crisis Management and Business Continuity?
The integration of CM and BCM happens in the Implementation phase of the BCM Lifecycle as described in the in the BCI Good Practice Guidelines 2018 and ISO 22301 standard.
There are also other phases of the BCM Lifecycle that contribute to this integration process. The Business Impact Analysis (BIA) - where critical services for the Recovery Strategy are determined – is one of them.
The Recovery Strategy will then drive the content for integration of these two functions as the strategic actions to manage an event will be outlined in the Crisis Management Plan and the operational recovery actions in the Business Continuity Plans.
Thus, it is of great importance that sufficient time is spent on the BIA and Recovery Strategy phases in order to gain the practical content for the Crisis Management and Business Continuity Plans The Crisis Management Plan cannot be completed if there is no knowledge of the impacts that we are trying to mitigate in a specified timeframe and at a tolerable level.
Once these details are gathered and detailed in the Business Continuity Plan, the information is consolidated as input to the Crisis Management Plan with a particular focus on the strategic response and action. The BC Plan and the CM Plan must reference each other.
It can be depicted as a hierarchy of plans with the Crisis Management and Crisis Communications Plan at the pinnacle and Business Continuity Plans on the underpinning layers as support to the Crisis Management plan with up-and-down arrows on the side to indicate bi-directional activation and escalations.
Disruptions mostly start at a divisional level, but they can potentially extend to the entire organization. For this reason, the Divisional Crisis Management Plan details when the organizational plan should be activated, how and by whom.
Business Continuity Plans are implemented based on decision-making processes that take place within the CM Team. It is only then that resumption teams can implement the appropriate actions at the right level.
A typical structure of integration can be depicted in the below diagram:
The example above shows how important it is for CM and BC to be interconnected. Integration is necessary to ensure that organizations can effectively respond to any disruptive event. Whether that may be at a Divisional level or an Organizational level, having an integrated system ensures a coherent response to achieve a single goal during a crisis - and that is to resume the business as quickly as possible, at the acceptable tolerable levels with the least amount of financial, reputational and regulatory impacts.
About the author:
Chantal Coetzer has built-up extensive practical experience in all components relating to Business Continuity Management (BCM), Business Resilience (BR) and Enterprise Risk Management (ERM), predominantly in the financial industry and has relevant experience in the Health and Physical Security industry. She works with organizations to implement enhance the efficiency and effectiveness of their business resilience and crisis management programmes and teams. She has been pivotal in the design and planning for various scenarios at different organizations as well as planning for protracted outages on the national infrastructure. Specialties are the design, implementation and maintenance of Business Continuity Management, Resilience and Enterprise Risk Management programmes, as well as the designing, developing and facilitating of Business Continuity Management, Business Resilience and Enterprise Risk Management training and simulation exercise programmes. She has obtained her BCI MBCI accreditation in 2005 and is currently a Group BCM Manager.
About the author
Group BCM Manager
Based in South Africa, Chantal Coetzer has built-up extensive practical experience in all components relating to Business Continuity Management (BCM), Business Resilience (BR) and Enterprise Risk Management (ERM), predominantly in the financial industry and has relevant experience in the Health and Physical Security industry. Organisations listed on her CV are the likes of Deloitte, Discovery, ContinuitySA, RMB Asset Management (Momentum Wealth), South African Reserve Bank, Control Risks and lately Investec. She works with organisations to implement enhance the efficiency and effectiveness of their business resilience and crisis management programmes and teams. She has been pivotal in the design and planning for various scenarios at different organisations as well as planning for protracted outages on the national infrastructure. Specialities are the design, implementation and maintenance of Business Continuity Management, Resilience and Enterprise Risk Management programmes, as well as the designing, developing and facilitating of Business Continuity Management, Business Resilience and Enterprise Risk Management training and simulation exercise programmes. She has obtained her BCI MBCI accreditation in 2005 and is currently the Group BCM Manager at Investec.