Critical operational and/or business support, service or product related activity (provided internally or externally), including its dependencies and single points of failure, which enables an organization to achieve its business objective(s), taking into account seasonal trends and/or critical timing issues.
The trend to create "virtual" organizations raises a number of new issues as it pertains to interdependencies and single points of failure. The ability to provide sourcing alternatives in the event of a catastrophic failure of an MCA provider is a key priority. As the trend becomes more operational and logistically complex organizations must exercise more often to determine where processes or systems weaknesses occur.
An organizational Business Crisis & Continuity Management (BCCM) strategy ensures resilience and high reliability of MCA's. At the process level is a documented framework that identifies the organizations MCA's in the context of products or services. Each MCA should have it's own BCM strategy that provides clarity of how the organization will provide protection for the MCA.
One key outcome is the definition of the BCCM relationship, positioning and connection with other risk related functions, e.g. Operational Risk Management (ORM) A critical component of getting this BCCM relationship connected with the risk management culture is through awareness and education training. Merely documenting a strategy and plan provides a narrow and limited method of fully developing a true BCCM culture.
Ownership of BCCM by organizational lines of business, especially where Operational Risk originates and resides is paramount. No matter how well designed a strategy may be, exercising and testing on a regular basis is necessary to identify potential issues during a real incident. Good quality exercises rely on specific and relevant scenarios in the actual locations, facilities and with normal personnel in place.
And no BCCM is complete without measurement and audit. You must verify compliance independently to highlight key material deficiencies and issues to ensure their resolution. Each stage of the BCCM life-cycle may require a unique audit process depending on that stage of the life cycles maturity.
At the end of the day, the question is this. Has the organization introduced risk management controls to eliminate, mitigate, reduce, transfer the effects of identified threats, vulnerabilities, exposures or liabilities to MCA's?