This blog post will cover the basics of Business Continuity Planning, Resilience, and Contingency Planning. All three concepts are essential, and focusing on just one area alone isn't enough.
Business Continuity Planning (BCP) is a process of identifying potential risks to a company's operations, developing strategies to mitigate those risks, and implementing those strategies into regular business practices. It helps companies manage their risk by preparing for the unexpected.
In an era where natural disasters are increasing in frequency and intensity, people need to plan ahead to avoid major disruptions that could impact the organization's financial position or cause physical property damage.
Contingency planning involves anticipating the events that may occur and what actions might need to be taken in response (Disaster Recovery Plan). The goal is to ensure that you take all necessary steps to protect employees, information, resources and assets from the effects of an event. Examples: Fire, flood, strike, earthquake, war, outages, cyber-attack, terrorist attack, pandemics, etc.
Resilience refers to the ability of an organization to continue operating effectively during times of uncertainty or adversity. It is the ability of business operations to adapt and respond to internal or external dynamic changes rapidly. Resilient organizations can recover more quickly than non-resilient ones because they have built processes that minimize downtime and keep customers happy during disruptions.
IBM White Paper "Resilient infrastructure: Improving your business resilience" defines six blocks of a resilient organization:
- Recovery
- Hardening
- Redundancy
- Accessibility
- Diversification
- Autonomic Computing
A Contingency Plan is a plan devised for an outcome other than the usual (expected) plan. Events covered in the contingency plan are not as extreme as the Business Continuity Plan. Examples: Supplier going out of business, bankruptcy, price/currency fluctuations.
The contingency plan is to be implemented only if required. The risk that this type of event will occur is low, and therefore it is essential to keep resources ready to deal with this situation. But it is also possible to overestimate risks and prepare too much - so you don't end up wasting resources on something that never happens.