Updated Good Practice Guidelines recently issued by the Business Continuity Institute offer practitioners and companies alike a significantly improved set of methodologies that are easier to follow and implement.
“Business continuity has grown considerably as a discipline, and the new guidelines reflect that,” says Tracey Linnell, general manager: Advisory Services at ContinuitySA. “Good Practice Guidelines 2013 go beyond descriptive statements to offer practical ‘how-to’ advice in layman’s language. They will contribute to making business continuity measures much more effective.”
Linnell says that the Good Practice Guidelines complement the International Standards Organisation standard for business continuity (ISO22301): following the guidelines will help companies ensure they comply with ISO22301.
Among the improvements in the 2013 Good Practice Guidelines, Linnell singles out the greater focus on the supply chain and outsourcing. The guidelines go into much greater detail to show how business continuity plans must include suppliers. “You are responsible for ensuring that your suppliers have adequate business continuity plans and systems in place,” Linnell explains.
“These guidelines take into account that businesses operate in, and are dependent on, complex ecosystems and that business continuity needs to span all their components.”
Another important improvement is the guidelines’ deeper focus on the responsibility of top management to support business continuity initiatives—and how to make that support a reality. For example, they suggest building business continuity into executive performance appraisals. “Executive buy-in has been a problem in the past, so practical advice on how to obtain it is welcome,” she says.
A related issue is the embedding of business continuity into the way a company does business. Here again, the guidelines notably shift focus from theory to action. In general, says Linnell, this is an area that receives too little attention but is vital if business continuity plans are really to be effective.
The 2013 guidelines also amplify guidance regarding business impact analysis, and show how this can be undertaken at various levels: strategic, tactical and operational.
One area in which the 2013 guidelines fail to deliver improvement is in the validation process, where the 2010 guidelines offer a set of processes that are more thorough. However, says Linnell, the review portion of the validation process is much improved.
“Once the business continuity plan has been completed, it needs to be reviewed for effectiveness. The 2013 guidelines offer functions, execution processes, methods and techniques as well as outcomes for each of an expanded number of areas,” Linnell says. “Crucially, the review process also incorporates supplier performance—another welcome recognition that a company’s business continuity efforts must cover the entire ecosystem on which it relies.”