This awareness module explains Business Continuity Management as an approach to save the business and save lives.  When the chips are down, whether and how well the organization and its people survive serious incidents depends on their readiness, resources and resilience - three aspects that can be bolstered ahead of time as a kind of insurance policy.
 
Business processes fall on a continuum from absolutely vital to inconsequential in terms of their value to the organization’s business objectives and the consequences of failure.  Those at the upper end of the scale are called “critical” in order to focus attention on them and prioritize resources, but in truth the distinction between critical and non-critical is arbitrary.  Furthermore, processes that are unnecessary most of the time may become critical under some circumstances (for example at month- or year-end), and in certain types of incident, coincident failures of several processes or activities which individually are not critical may nevertheless precipitate a crisis.
 
It is generally more cost-effective to prevent interruptions to critical business processes or avoid the risk than to deal with and recover from incidents.  It makes sense therefore to design critical processes, plus the supporting or associated IT systems, infrastructure, services, supplies and key people, in such a way that ensures their continued availability and reliable operation despite all reasonably foreseeable incidents.  This essentially means engineering them for resilience or high availability, for example providing fallback arrangements (failover IT systems, alternative sources of supply etc.) to be used in case the primary arrangements fail due to hardware/software faults, operator errors, power cuts or other supply failures, unavailability of key people etc.
 
However, there are practical limits to the resilience engineering approach.  At some point, the costs of providing ever greater levels of resilience may outweigh the projected business benefits.  Furthermore, unanticipated or coincident events (such as serious physical disasters or failures of both primary and fallback arrangements) may still interrupt critical business processes under rare conditions.  Therefore, generalized recovery and contingency plans and preparations are also necessary to help the organization deal with, and recover from, unanticipated failures of critical business processes as effectively and efficiently as possible.
 
Learning objectives
Inform workers about ‘survivability’ and related concepts, within the context of information security and business continuity;
Gently point out the stark consequences of not surviving incidents and disasters;
Emphasize the value of physical and mental preparations in order to be ready to cope with anything life throws our way, both as individuals and as part of the corporation;
Describe and promote various practices that contribute to personal and organizational survivability.