Role of the board in Business Continuity Planning and Disaster Recovery (BCM/DR)

No company should get ready. It should stay ready. That way, there are no surprises. The case of the fire at one of Toyota's offices in Kampala that led to the loss of a brand-new car worth over US $100,000 is still. Indeed, many disasters have happened and caused some businesses to collapse altogether.

The easiest solution to such risk management is insurance. However, one can only insure risk that is transferable. Risks like loss of goodwill, reputation, intellectual property and inconvenience are not transferable and therefore cannot be solved by insurance.

Accordingly, insurance cannot pay for lost time, goodwill and business opportunities. For example, since the fire broke out at the Toyota office in the industrial area, the showroom has, as of today, never been opened to the public. Recall that the fire broke out on 29th September 2018. Over six months later, the showroom is still closed. If you want to buy a new Toyota vehicle, you are directed to visit another showroom located in Namanve, an industrial park located about 10 kilometers from the city. This is very inconvenient for customers. For that reason, proactive risk management is critical, as it avoids indirect losses and a bad reputation.

The board plays a critical role in effective corporate governance. The two primary roles of the board are going concern (risk management and compliance) and sustainability (growth strategy and execution). Business continuity is part of risk management. What happens when the risk treatment strategies fail?

What is risk?

According to ISO 31000:2018, risk is “the impact of uncertainty on organizational objectives.” The impact could be adverse or positive. However, leaders are more concerned about adverse impact. For that reason, the emphasis of risk management is put on adverse events that could happen. If the upside of risk, an opportunity, arose, it would be easier to handle than the adverse one.

Take the case of a real estate company. Its corporate objective could be providing affordable housing units that are strong, safe and preserve value for the clients. However, there are events that could happen and threaten the achievement of this objective, like flooding, earthquakes or power outages.

All these are uncertain events and they threaten the corporate objective. It is the board’s role to set an enterprise-wide risk management framework that includes a risk policy, a risk appetite and a risk assessment and treatment process.

In the case of the Toyota Uganda office, the risk of fire was assessed and managed by, among other measures, installing fire extinguishers and training all staff in fire drills. But the risk finally materialized. So, what next?

BCP/DR comes into action where risk management stops.

The board has seven key roles in a business continuity and disaster recovery (BCP/DR) agenda. These are as follows:

  1. Set the BCP agenda;
    Approve the business continuity policy and procedures, including critical asset identification and management.
  2. Allocate sufficient resources and knowledgeable personnel to develop, manage and monitor the BCP agenda and strategy;
    Approve the budget to implement the BCP policy, including automating the processes.
  3. Set policy by determining how the institution will manage and control identified risks;
    What are the key risks that threaten the critical assets? What controls are in place? What are the recovery strategies per asset? What are the recovery time objectives?
  4. Review BCP test results on an ongoing basis;
    Who is who in the recovery agenda? Do you have resources in place to execute recovery options?
  5. Approve the BCP on an annual basis and fund all initiatives to keep the organisation ready for any event at any time, for going concern assurance;
    Keep your BCP up to date by reviewing and approving it annually. This enables management to provide for a BCP budget.
  6. Ensure the BCP is kept up to date and employees are trained and aware of their role in its implementation;
    As above.
  7. Provide for ongoing awareness training.
    New staff should be trained, and existing ones retrained, for strong BCP readiness and culture. Never tire of training staff in your business continuity initiatives.

When it comes to your business preparedness, don’t get ready. Stay ready.

Copyright Mustapha B Mugisa, 2019. All rights reserved.
