Ass 2
It covers everything from business processes, human resources details, and more. Essentially
a BCP provides a concrete plan to the organization to maintain business continuity even in
challenging circumstances.
Below are key reasons why businesses need to have a BCP today:
BCP’s relevance has gone up considerably since the outbreak of the COVID-19 pandemic, which
was also a major testing time for organizations that did have such a plan in place. The
organizations which had a business continuity plan in place were able to cope with
these unprecedented circumstances better than those who did not have any such plans.
The recorded number of natural disasters has increased from 375 in 2016 to 409 in
2019. Globally, the loss because of natural disasters was $232 billion in
2019, according to a study by Aon.
The number of cyberattacks has also increased in all geographies and all business
verticals. MonsterCloud reported that cyberattacks have skyrocketed during the COVID-19
pandemic. All this means that the organizations have to be better prepared to fight disasters.
The importance of BCP can hardly be exaggerated in this context. Preparing a BCP is
imperative for any enterprise, big or small, today.
The end goal of a BCP is to ensure that the essential services continue to run in the event of
an incident. For instance, if there is an earthquake where your customer service
representatives operate from, your BCP will be able to tell you who will handle customer
calls until the original office is restored.
Difference between a business continuity plan (BCP) and disaster recovery plan (DRP)
A BCP is often confused with a disaster recovery (DR) plan. While a DR plan is primarily
focused on restoring the IT systems and infrastructure, a BCP is much more than that. It
covers all areas and departments of the organization, including HR, marketing and sales,
support functions.
The underlying thought behind BCP is that IT systems can hardly work in silos. Other
departments also need to be restored to cater to the client or for meeting the business
demands.
“Many people think a disaster recovery plan (DRP) is the same as a business continuity plan,
but a DRP is only a small, yet essential, portion of a full BCP. A DRP focuses solely on
restoring an organization’s IT infrastructure while minimizing data loss. On the other hand, a
BCP is a comprehensive guide on how to continue the mission and business-critical
operations during a time of an unplanned disruption (natural disasters, pandemics, or
malware),” says Caleb Pipkin, a security expert at Logically.
On the other hand, the lack of a plan means that your organization will take longer to recover
from an event or incident. It could also lead to loss of business or clients. Let’s look at some
key benefits of BCP.
A well-defined business continuity plan is like a roadmap during a disruption. It allows the
firms to react swiftly and effectively and maintain business continuity. In turn, this leads to a
faster and complete recovery of the enterprise in the shortest possible timeframe. It brings
down the business downtime and outlines the steps to be taken before, during, and after a
crisis and thus helps maintain its financial viability.
2. Offers a competitive edge
Developing competence to act and handle any unfavorable event effectively has a positive
effect on the company’s reputation and market value. It goes a long way in enhancing
customer confidence.
Disasters have a considerable impact on all types of business, whether big or small. Business
disruption can lead to financial, legal, and reputational losses. Failure to plan could be
disastrous for businesses. You may lose your customers while trying to get your business on
track. In the worst circumstances, you may not be able to recover at all. A well-defined
business continuity strategy minimizes the damage to an organization and allows you to bring
down these losses as much as possible.
One of the most significant consequences of a disaster is the loss of employment. The loss of
livelihood can be curtailed to an extent if the business continues to function in the event of a
disaster. It leads to greater confidence in the workforce that their jobs might not be at risk,
and the management is taking steps to protect their jobs. It helps build confidence in senior
management’s ability to respond to the business disruption in a planned manner.
5. Can be life-saving
A regularly tested and updated BCP can potentially help save the lives of the employees and
the customers during a disaster. For instance, if the BCP plan for fire is regularly tested, the
speed with which the workforce acts can help save lives.
6. Preserves brand value and develops resilience
Possibly the biggest asset of an organization is its brand. Being able to perform in uncertain
times helps build goodwill and maintain its brand value and may even help mitigate financial
and reputational loss during a disaster.
BCP curtails the damage to the company’s brand and finances because of a disaster event.
This helps bring down the cost of any incident and thus helps the company be more resilient.
Having a BCP allows organizations to have additional benefits of complying with regulatory
requirements. It is a legal requirement in several countries.
A precise BCP goes a long way in protecting the supply chain from damage. It ensures
continuity in delivering products and services by being able to perform critical activities.
One of BCP’s lesser-known benefits is that it helps identify areas of operational efficiency in
the organization. Developing BCP calls for an in-depth evaluation of the company’s
processes. This can potentially reveal the areas of improvement. Essentially, it gathers
information that can benefit in enhancing the effectiveness of the processes and operations.
The COVID-19 pandemic has put the spotlight on preparing for a disaster like never before.
We make the job easier for you by listing out the key steps in building a formidable business
continuity plan:
How to Build a Business Continuity Plan
This phase involves asking crucial questions to evaluate the risks faced by the company.
Which business threats and disruptions are most likely to occur? What is
the most profitable activity of your organization? It is vital to prioritize key risks and
operations, which will help mitigate the damage in the event of a disaster.
Essentially, Business impact analysis (BIA) is a process that helps the organization define the
impact if critical business operations are interrupted because of a disaster, accident, or
emergency. It helps in identifying the most crucial elements of the business processes. For
instance, maintaining a supply chain might be more critical during a crisis than public
relations.
While there is no formal standard for a BIA, it typically involves the following steps:
Collating information: As a first step, a questionnaire is prepared to find out critical business
processes and resources that will help in the proper assessment of the impact of a disruptive
event. One-on-one sessions with key management members may be conducted further to gain
insights into the organization’s processes and workings.
Analysis: This is followed by analyzing the collected information. A manual or computer-
assisted analysis is conducted. The analysis is based on an interruption in which crucial
activities or resources are not available. Typically it works on the assumption of the worst-
case scenario, even when the chances of a risk likelihood are low. This approach is followed
to zero in on the systems that, when disrupted or interrupted, threaten the organization’s very
survival. This way, these processes are prioritized in the business continuity plan.
The analysis phase helps identify the minimum staff and resources required for running the
organization in the event of a crisis. This also allows the organizations to assess the impact on
the revenue if the business is unable to run for a day, a week, or more. There might be
contractual penalties, regulatory fines, and workforce-related expenditure which need to be
taken into account while finding out the impact on the business. Further, there might be
specific vulnerabilities of the firm, and they need to be considered in the BIA.
Preparing a report: The next step is preparing a BIA report, which is assessed by the senior
management. The report is a thorough analysis of the gathered information along with
findings. It also gives recommendations on the procedure that should be followed in the event
of a business disruption. The BIA report also shares the impact on the revenue, supply chain,
and customer delivery to the business in a specific time frame.
The business impact analysis report may also include a checklist of all the resources, such as
the names of key personnel, data backup, contact information, emergency responders, and
more.
Presenting the report: Usually, this report goes through several amendments before being
cleared by the senior management. The involvement of senior management is crucial to the
success of the business continuity plan. It sends out a strong signal in the organization that it
is a serious initiative.
Step 3: BCP Testing
Several testing methods are available to test the effectiveness of the BCP. Here are a few
common ones:
TableTop test: As the name suggests, the identified executives go through the plan in detail to
evaluate whether it will work or not. Different disaster types and the response to them are
discussed at length. This type of testing is designed to make all the key personnel aware of
their role in the event of a disaster. The response procedure is reviewed, and responsibilities
are outlined, so everybody knows their roles.
Walk through: In this type of testing, the team members go through their part in the plan with
a specific disaster in mind. Drills or a simulated response and disaster role-playing are part of
this. This is a more thorough form of testing and likely to reveal the shortcoming in the plan.
Any vulnerabilities discovered should be used to update the BCP accordingly.
Disaster simulation testing: In this type of testing, an environment that simulates an actual
disaster is created. This is the closest to the actual event and gives the best case scenario
about the plan’s workability. It will help the team find gaps that might be overlooked in the
other types of tests. Document the results of your testing so you can compare the
improvement from the previous tests. It will help you in strengthening your business
continuity plan.
Frequency of testing – Typically, organizations test BCP at least twice a year. At the same
time, it depends on the size of your organization and the business vertical you operate in.
Step 4: Maintenance
Step 5: Communication
In the end, the organizations should accept that despite preparing a formidable business
continuity plan, several factors beyond your control may still affect its success or failure. The
key executives might not be available in the event of a crisis; both the primary and the
alternate data recovery sites might have been affected by the event; the communications
network might be damaged, and so on. Such factors are common during a natural disaster and
may lead to the limited success of the business continuity plan.
Takeaway
The success of a business depends on it acting swiftly and efficiently when confronted with
an unanticipated crisis. Any failure to do so results in a financial and reputational loss, which
takes a long time to recover from. It can be avoided if the organization quickly gathers itself
during a disaster. A business continuity plan is then of paramount importance for a business
of any size. At the same time, it is crucial to ensure that the BCP is not a one-time exercise. It
needs to be continuously evaluated, tested, amended, and maintained so it doesn’t let you
down when you need it the most.
What is a Risk Assessment?
Risk assessment is the cornerstone of the European approach to prevent
occupational accidents and ill health.
There are good reasons for this. If the risk assessment process – the start of
the health and safety management approach – is not done well or not done at
all, the appropriate preventive measures are unlikely to be identified or put in
place.
Every year, millions of people in the EU are injured at work, or have their health
seriously harmed in the workplace. That is why risk assessment is so
important, as the key to healthy workplaces. Risk assessment is a dynamic
process that allows enterprises and organisations to put in place a proactive
policy of managing workplace risks.
For these reasons, it is important that all types and sizes of enterprise carry
out regular assessments. Proper risk assessment includes, among other
things, making sure that all relevant risks are taken into account (not only the
immediate or obvious ones), checking the efficiency of the safety measures
adopted, documenting the outcomes of the assessment and reviewing the
assessment regularly to keep it updated.
Definitions
Hazards
A hazard can be anything - whether work materials, equipment, work methods
or practices - that has the potential to cause harm.
Risks
A risk is the chance, high or low, that somebody may be harmed by the hazard.
Risk assessment
Risk assessment is the process of evaluating risks to workers' safety and
health from workplace hazards. It is a systematic examination of all aspects
of work that considers:
Companies can use a risk assessment framework (RAF) to prioritize and share the
details of the assessment, including any risks to their information technology (IT)
infrastructure. The RAF helps an organization identify potential hazards and any
business assets put at risk by these hazards, as well as potential fallout if these risks
come to fruition.
In large enterprises, the risk assessment process is usually conducted by the Chief
Risk Officer (CRO) or a Chief Risk Manager.
Step 1: Identify the hazards. The first step in a risk assessment is to identify any
potential hazards that, if they were to occur, would negatively influence the
organization's ability to conduct business. Potential hazards that could be
considered or identified during risk assessment include natural disasters, utility
outages, cyberattacks and power failure.
Step 2: Determine what, or who, could be harmed. After the hazards are identified,
the next step is to determine which business assets would be negatively influenced
if the risk came to fruition. Business assets deemed at risk to these hazards can
include critical infrastructure, IT systems, business operations, company reputation
and even employee safety.
Step 3: Evaluate the risks and develop control measures. A risk analysis can help
identify how hazards will impact business assets and the measures that can be put
into place to minimize or eliminate the effect of these hazards on business assets.
Potential hazards include property damage, business interruption, financial loss and
legal penalties.
Step 4: Record the findings. The risk assessment findings should be recorded by
the company and filed as easily accessible, official documents. The records should
include details on potential hazards, their associated risks and plans to prevent the
hazards.
Step 5: Review and update the risk assessment regularly. Potential hazards, risks
and their resulting controls can change rapidly in a modern business environment.
It is important for companies to update their risk assessments regularly to adapt to
these changes.
Risk assessment tools, such as risk assessment templates, are available for different
industries. They might prove useful to companies developing their first risk
assessments or updating older assessments.
Identify hazards and risk factors that have the potential to cause harm (hazard
identification).
Analyze and evaluate the risk associated with that hazard (risk analysis, and risk
evaluation).
Determine appropriate ways to eliminate the hazard, or control the risk when the
hazard cannot be eliminated (risk control).
A risk assessment is a thorough look at your workplace to identify those things, situations,
processes, etc. that may cause harm, particularly to people. After identification is made, you
analyze and evaluate how likely and severe the risk is. When this determination is made, you
can then decide what measures should be in place to effectively eliminate or control the harm
from happening.
The CSA Standard Z1002 "Occupational health and safety - Hazard identification and
elimination and risk assessment and control" uses the following terms:
Risk assessment – the overall process of hazard identification, risk analysis, and risk
evaluation.
Hazard identification – the process of finding, listing, and characterizing hazards.
Risk analysis – a process for comprehending the nature of hazards and determining the level
of risk.
Notes:
(1) Risk analysis provides a basis for risk evaluation and decisions about risk control.
(2) Information can include current and historical data, theoretical analysis, informed
opinions, and the concerns of stakeholders.
(3) Risk analysis includes risk estimation.
Risk evaluation – the process of comparing an estimated risk against given risk criteria to
determine the significance of the risk.
Risk control – actions implementing risk evaluation decisions.
Note: Risk control can involve monitoring, re-evaluation, and compliance with decisions.
For definitions and more information about what hazards and risks are, please see the OSH
Answers document Hazard and Risk.
What the scope of your risk assessment will be (e.g., be specific about what you are
assessing such as the lifetime of the product, the physical area where the work activity
takes place, or the types of hazards).
The resources needed (e.g., train a team of individuals to carry out the assessment, the
types of information sources, etc.).
What type of risk analysis measures will be used (e.g., how exact the scale or
parameters need to be in order to provide the most relevant evaluation).
Who are the stakeholders involved (e.g., manager, supervisors, workers, worker
representatives, suppliers, etc.).
What relevant laws, regulations, codes, or standards may apply in your jurisdiction, as
well as organizational policies and procedures.
Identify hazards.
Determine the likelihood of harm, such as an injury or illness occurring, and its
severity.
o Consider normal operational situations as well as non-standard events such as
maintenance, shutdowns, power outages, emergencies, extreme weather, etc.
o Review all available health and safety information about the hazard such as
Safety Data Sheet (SDS), manufacturer's literature, information from reputable
organizations, results of testing, workplace inspection reports, records of
workplace incidents (accidents), including information about the type and
frequency of the occurrence, illnesses, injuries, near misses, etc.
o Understand the minimum legislated requirements for your jurisdiction.
Identify actions necessary to eliminate the hazard, or control the risk using the
hierarchy of risk control methods.
Evaluate to confirm if the hazard has been eliminated or if the risk is appropriately
controlled.
Monitor to make sure the control continues to be effective.
Keep any documents or records that may be necessary. Documentation may include
detailing the process used to assess the risk, outlining any evaluations, or detailing
how conclusions were made.
The methods and procedures used in the processing, use, handling or storage of the
substance, etc.
The actual and the potential exposure of workers (e.g., how many workers may be
exposed, what that exposure is/will be, and how often they will be exposed).
The measures and procedures necessary to control such exposure by means of
engineering controls, work practices, and hygiene practices and facilities.
The duration and frequency of the task (how long and how often a task is done).
The location where the task is done.
The machinery, tools, materials, etc. that are used in the operation and how they are
used (e.g., the physical state of a chemical, or lifting heavy loads for a distance).
Any possible interactions with other activities in the area and if the task could affect
others (e.g., cleaners, visitors, etc.).
The lifecycle of the product, process or service (e.g., design, construction, uses,
decommissioning).
The education and training the workers have received.
How a person would react in a particular situation (e.g., what would be the most
common reaction by a person if the machine failed or malfunctioned).
It is important to remember that the assessment must take into account not only the current
state of the workplace but any potential situations as well.
By determining the level of risk associated with the hazard, the employer, and the health and
safety committee (where appropriate), can decide whether a control program is required and
to what level.
See a sample risk assessment form.
Remember to include factors that contribute to the level of risk such as:
High: major fracture, poisoning, significant loss of blood, serious head injury, or fatal
disease
Medium: sprain, strain, localized burn, dermatitis, asthma, injury requiring days off
work
Low: an injury that requires first aid only; short-term pain, irritation, or dizziness
Let's use an example: When painting a room, a step stool must be used to reach higher areas.
The individual will not be standing higher than 1 metre (3 feet) at any time. The assessment
team reviewed the situation and agrees that working from a step stool at 1 m is likely to:
Cause a short-term injury such as a strain or sprain if the individual falls. A severe
sprain may require days off work. This outcome is similar to a medium severity
rating.
Occur once in a working lifetime as painting is an uncommon activity for this
organization. This criterion is similar to a low probability rating.
When compared to the risk matrix chart (Table 1), these values correspond to a low risk.
The workplace decides to implement risk control measures, including the use of a stool with a
large top that will allow the individual to maintain stability when standing on the stool. They
also determined that while the floor surface is flat, they provided training to the individual on
the importance of making sure the stool's legs always rest on the flat surface. The training
also included steps to avoid excess reaching while painting.
What are methods of hazard control?
Once you have established the priorities, the organization can decide on ways to control each
specific hazard. Hazard control methods are often grouped into the following categories: