olly - Fotolia
Business continuity and crisis management -- both of which became critical during the COVID-19 pandemic -- are often mentioned together. And while they have their distinctions, the two disciplines definitely dovetail.
Business continuity refers to a set of plans and procedures that ensure an organization is resilient, said Gartner analyst David Gregory.
"You need to look at it from the perspective of critical service delivery and assess potential points of failure and their impact. You need to mitigate against those things to reduce the likelihood of failure and then develop workarounds," Gregory said.
Crisis management is complementary to business continuity. It involves the assumption that something unexpected or undesirable will happen to the organization and ensures an ability to respond, manage and restore to a new normal, Gregory said. A business continuity framework should outline the company's potential responses to a crisis. For example, if there's a fire, the response would include evacuation and contacting emergency services for help. The facilities team would look into the cause of the fire and report back to a crisis management team.
That team, alongside business leaders, will then make decisions, such as whether to move staff to different locations, as well as implement a media and communication strategy.
Who, exactly, is on a crisis management team?
Crisis management teams vary widely from one organization to the next, said Greg Schulz, founder and senior analyst at StorageIO. Depending on the company's size, needs, goals and capabilities, there could be a single person in charge of business continuity or crisis management, or there could be a team of a hundred or more. Regardless, it needs to be a structure that works, and someone definitely has to own it, he said.
The identification of potential threats is key to crisis management -- and that process begins with business continuity planning, said Naveen Chhabra, an analyst at Forrester Research. "First and foremost, [organizations] need to understand which things are most critical to the business and what kinds of risks it faces, whether they are cyber, political or natural," he said.
Depending on the nature of the threat, and the key assets that drive or support the business, organizations can begin to make decisions about how to best respond, he said. Both IT and business leaders should play a role in the decision-making process.
Communicate and test the plan
The first rule of flying is to aviate, navigate and then communicate, StorageIO's Schulz said. This is a principle that applies to business continuity and crisis management, as well.
Stabilize operations, figure out where you are and then communicate with others, Schulz said. Have a plan and think through possible scenarios. An actual crisis might require some changes to that plan, but the plan provides a solid starting point.
Many organizations underestimate the threats they face and overestimate their ability to respond, Gregory said. This makes them guilty of a double assault: A lack of preparation via a thorough business continuity plan can make the response to a crisis almost as damaging as the problem it tries to address. To address both business continuity and crisis management concerns, test and exercise all plans. Walk through them in detail to make sure they are workable and identify weaknesses or failure points.
"Make sure you have a structure in place so you can understand what constitutes a disruption, where standard operating procedures will be sufficient, and also be able to recognize small, creeping things that may not initially look like a crisis but could turn into one," Gregory said.
Don't simply review business continuity and crisis management plans once and then put them on a shelf, Chhabra said. Instead, hold ongoing and regular reviews.
"Things can change a lot in just a few years, so never assume that the exercise you did three years ago is still valid," he said.