Business Continuity Management

Choosing to Survive

  1. 384 pages
  2. English

About This Book

Business Continuity Management: Choosing to survive shows you how to systematically prepare your business, not only for the unthinkable, but also for smaller incidents which, if left unattended, could well lead to major disasters. A business continuity management (BCM) program is critical for every business today, and this book will enable you to develop and implement yours to maximum effect.

Business Continuity Management by Abdullah Al Hour is available in PDF and/or ePUB format, alongside other books in Computer Science & System Administration.

CHAPTER 1: INTRODUCTION

What is business continuity management?

The world is now witnessing continuous advancement and progress in all aspects of life. The formation of the global economy and the global supply chain is among the characteristics of this era as well as part of our modern lives. In order for such advancement and progress to continue and be fruitful, the world needs to provide adequate stability as well as careful planning to achieve prosperity.
Unfortunately, things do not always go as smoothly as we expect them to. Being inherent to people’s presence and activities, failures, incidents, risks, disasters, and crises are taking place more and more across the world. With the close interconnection between economies and people, the results of disasters and crises quickly cross borders, creating an almost global impact. Other people’s problems are no longer just their problems. They could also be ours.
In the last few years, disasters have dramatically increased in frequency, impact, and complexity. In a shocking and saddening news release, the United Nations described 2010 as one of the “deadliest” years in two decades.[1] During 2010, 273 natural disasters caused a death toll of almost 300,000 people. In addition, these disasters affected the lives of almost 200 million people and the financial impact reached US$110 billion. Two of the worst were the earthquakes that hit Chile and Haiti, with the latter being the worst as its death toll reached almost 200,000, with financial losses of US$8 billion.[2]
The UN numbers were based on natural disasters, over which people have little or no control. Other disasters result from human activities or failures in human activities. In 2010, a failure at a British Petroleum (BP) petroleum facility in the Gulf of Mexico caused millions of barrels of oil to spill out, causing severe environmental, economic, and humanitarian impacts. The incident, which was caused by human and process failures, cost BP almost US$7.1 billion in claims submitted by affected parties, governmental and private, in relation to the disaster.[3]
What makes us extra sensitive to disasters is the financial crisis that we have been living through during these years, with budgets shrinking and revenues decreasing. Disasters at such bad times hit harder and have increasingly fundamental effects on many levels. They also take considerably longer to recover from than in easier times.
One ever-challenging aspect of disasters is the continuous change in their causes, triggers, and impacts. While this always was the case, they now change faster and at a more dramatic pace. What was considered extreme a few years ago is now regarded as a normal baseline for measurement. In addition to natural disasters, wars, acts of terror, and technology failures, organizations are also threatened by new risks related to public health and pandemics, supply chain interruptions, and reputational risks resulting from the new social media and the citizen-journalist concept. As everyone can see and feel, our world is not becoming any safer, and organizations need protection schemes that guard against existing and new threats, along with effective measures to manage them.
What should we do? There is definitely no way to eliminate risks and disasters, and there never will be. But there is something that we can do about them. We may not be able to eliminate them, but we are definitely capable of mitigation.
The core of the mitigation process is to understand the threats and risks and how they affect the organization and its assets. These threats and risks come from many sources, internal and external. The capability of the organization to perform this process follows a learning curve: it gets better the more it is done properly. The more the organization understands its risks and threats, the more effective and sufficient the mitigation and protection become.
Once the process of understanding the risks and threats is complete, proactive procedures and measures should be put in place to mitigate them. The idea behind proactive measures is to keep the probabilities of the threats and risks occurring as low as possible. Even if they occur, the impacts are also lowered to minimal levels that do not reach the level of a disaster. If disasters occur, there should be proper responses – plans and arrangements – to effectively handle the events and control their results for minimal impact and effect.
Business continuity management provides an organization with the necessary frameworks and implementations that can help define risks and threats to the assets and operations of the organization and devise strategies and plans to manage them in acceptable ways. The ISO22301 Standard defines BCM as a “holistic management process that identifies potential threats to an organization and the impacts to business operations those threats, if realized, might cause, and which provides a framework for building organizational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand, and value-creating activities.”
Figure 1: BCM evolution
We will now proceed to shed some light on the history of BCM. What started as a practice within the information technology (IT) field to manage the implications of systems’ failures became an evolving practice within organizations across the globe to manage the implications related to failures affecting all aspects of the organization, including IT. Through continuous evolution, BCM has moved from being reactive to disasters to being proactively involved in the strategic and operational management of threats and the relevant consequences for the organization. Today, BCM not only provides an organization with the capability to recover from failures, it also creates enhanced levels of resilience to smaller incidents that could develop into disasters. BCM has also moved from being considered as an isolated project to being counted as an ongoing program that serves an organization for as long as it exists.
Figure 2: Main features of BCM
Throughout this book we will be highlighting the various components of BCM programs. BCM programs are unique to an organization, yet one can identify shared or common components that exist in almost all BCM programs, regardless of the geographical region or the industry. We will discover how to set up a BCM program and how to go through the BCM life cycle. There will be specific focus on three major elements of a BCM program: technology, premises, and people, as these elements represent the critical aspects of any organization and they are the areas where disasters hit organizations hard.
One of the main features of modern BCM programs is standardization, which was absent in the early days of BCM recognition. There were standards that were specific to certain geographical locations and/or industries. As BCM became more widely adopted and its implementations more varied, there was a need to develop a unified and global set of rules, guidelines, and requirements for BCM implementations all over the world. Now there are several published standards that are recognized in the BCM field. In this book, we will be specifically looking at:
  • ISO22301: societal security – business continuity management systems – requirements.
  • ANSI/ASIS SPC.1-2009: organizational resilience.
  • ISO27031: information technology – security techniques – guidelines for information and communication technology readiness for business continuity.
  • ISO/IEC 24762: information technology – security techniques – guidelines for information and communication technology disaster recovery services.

Benefits of effective BCM programs

Disasters, outages, and disruptions are all nightmares for an organization as they may threaten its existence and survival. They also bring financial losses and other negative impacts that affect the overall performance of the organization and its ability to achieve its goals.
BCM programs form strong and solid enablers and guardians of the organization’s objectives and goals. The ultimate aim of the BCM program is to protect the organization from the effects of severe incidents and disasters as it enables the organization to maintain its existence, operations, and achievement of its strategic and operational goals.
In addition to enablement and protection, effective BCM programs bring many benefits to the organization and relevant stakeholders. These benefits may be direct, like reducing failures and disasters, or indirect, like improving performance and the perception of the organization.

Mitigating disasters and failures

This is the most tangible and direct benefit of effective BCM programs. Through effective implementation of the BCM life cycle, both the probability and impact of threats and risks occurring will decrease. In parallel, the readiness and maturity capabilities of the organization will increase. Mitigating disasters and failures reflects on the performance and outcomes of the organization on different levels: financial, regulatory, and social.

Reducing financial losses

Another benefit of effective BCM programs is a reduction in financial losses. Disasters and failures can result in significant financial losses for an organization. These losses may occur directly, like losing valuable assets or losing the revenues from operations. On the other hand, they may occur indirectly, like facing regulatory fines or suffering the loss of a good public image and being perceived badly, resulting in the loss of customers. Effective BCM programs help to prevent such awkward situations, especially those of indirect losses.

Enhancing the organization’s operational performance

Disasters, incidents, and failures are permanent threats to an organization’s operations, causing disruption and affecting almost all aspects of the organization. With effective BCM programs, the operations will be increasingly protected from disruption caused by disasters and failures, either by reducing their probability and impact or by having robust plans to manage them.

Enhancing public image and perception

One of the most important goals of an organization is to enhance its public image and perception, and increase its brand value. Collapsing under disasters can severely damage its image and public perception. Effective BCM programs help an organization to maintain its good public perception and continue to fulfill its obligations and responsibilities towards the public.

Meeting regulatory requirements

As major stakeholders, regulatory bodies enforce their requirements on organizations with regard to BCM. In fact, regulatory requirements are strong drivers for BCM programs. In addition to being drivers, they can also represent a benefit. By complying with the regulations, an organization can enhance its relationship with the regulators and translate this into better ratings and audit reports.

Protection of shareholders’ interests

Figure 3: BCM benefits
Shareholders are very important stakeholders in an organization. For shareholders, the most important thing is the protection of their investments. As disasters incur losses and cost the organization a significant amount of investment to recover from them, they can also affect the share price negatively. Implementing effective BCM programs would protect the share price and the shareholders’ investments in addition to reducing losses.

Emerging risk and threat topologies

Nowadays, the words “risk” and “threat” are appearing more and getting more attention than ever before. In simple language, a risk is a probable incident that would affect an organization’s goals, while a threat is an element, internal or external, which might cause loss and damage if it were realized. We’ll have a deeper look into risk and threat definitions in the risk assessment phase of the BCM life cycle.
In the earlier days of BCM, when people asked themselves what could go wrong, they were mostly limited to the traditional risks and threats of natural disasters, utility failures, and IT systems’ failures.
Risks and threats are evolutionary by nature. With the changes in the nature and shape of the world and organizations’ activities, the associated risks and threats have changed too. After the mid-1990s, the number and severity of te...

Table of contents

  1. Cover
  2. Title
  3. Copyright
  4. Contents
  5. Preface
  6. About the Author
  7. Acknowledgements
  8. Chapter 1: Introduction
  9. Chapter 2: Setting up the BCM Program
  10. Chapter 3: Running the BCM Life Cycle
  11. Chapter 4: BCM Standards
  12. Chapter 5: Technology Continuity
  13. Chapter 6: Technology Continuity Standards
  14. Chapter 7: Facilities Management and Physical Security
  15. Chapter 8: Evacuation Plans
  16. Chapter 9: People and BCM
  17. Chapter 10: BCM Software
  18. Appendix 1: BCM Policy
  19. Appendix 2: BIA Questionnaire
  20. Appendix 3: BIA Report
  21. Appendix 4: Risk Assessment Questionnaire
  22. Appendix 5: Risk Assessment Report
  23. Appendix 6: BCM Strategy Report
  24. Appendix 7: BCM Plan
  25. Appendix 8: ITDR Plan
  26. Appendix 9: Evacuation Plan
  27. Appendix 10: Test Plans and Forms
  28. ITG Resources