The following business continuity documentation formed part of the comparative analysis: Business continuity policy; Business Impact Analysis; Risk Assessment; and Business Continuity Plan. Participants were also requested to provide templates, if available, that could be used as best practice.
The documentation analysed was aligned with the requirements of ISO 22301: 2012 and ISO 31000: 2009. The author made use of predefined codes to analyse the data of the selected documentation. The process also required the author to consult departmental Annual Performance Plans. Table 4.7 Criteria for Document Analysis (Adapted from Bowen 2009) was applied to analyse the selected documents.
Table 4.7: Criteria for Document Analysis

Documents selected: Business Continuity Policy
Data analysed: Policy endorsed by top management that was relevant to the intent of the organization, provided a frame for setting business continuity objectives, committed to meet applicable requirements, committed to the continuous improvement of the business continuity management system

Documents selected: Business Impact Analysis
Data analysed: Each organization was required to institute, implement and manage a formal and documented process.
Identification of actions in support of business operations (provision of services & products);
If the activities were not performed, assessment of the impact over time;
Determining timeframes for the resumption of activities, minimum tolerable levels; and
Noting dependencies and resources required supportive of these activities.

Documents selected: Risk Assessment
Data analysed: Each organization was required to institute, implement and manage a formal and documented process. The following elements formed part of the analysis:
Identification of the disruption to the critical actions, procedures, systems, assets (information, people, systems), stakeholders and other resources that support them;
Analyse the risk systematically;
Determine which risks related to the disruption required treatment; and
Identify mitigations aligned to the objectives (business continuity) and risk appetite of the organization.

Documents selected: Business Continuity Plan
Data analysed: Each plan shall specify:
“Purpose and scope;
Objectives;
Activation criteria and procedures;
Implementation procedures;
Roles, responsibilities, and authorities;
Communication requirements and procedures;
Internal and external interdependencies and interactions;
Resource requirements; and
Information flow and documentation processes.”

Source: adapted from Bowen (2009)
Based on the analysis the following interpretations were made by the author:
There seemed to be no business continuity policy available. The business impact analysis was not completed comprehensively for all departments. In some instances, the business impact analysis formed part of the business continuity plan, which made it difficult to ascertain whether a comprehensive analysis was actually completed. It was also noticeable that departments were using similar formats and that the information captured was either the same or similar in nature; it was not clear whether it was geared to the core business functions of the individual departments. The risk assessment was also not completed by all departments. All departments had signed business continuity plans. These plans contained most of the information required in terms of the standard. That said, it should be noted that the information was located haphazardly in the document without any flow.
4.3.4 CONCLUSION
The following key themes were found to be prevalent. Business continuity was in response to a disruptive event, whether man-made and/or natural. It was a consultative process that required engagement with stakeholders and the commitment of management. Creating awareness was not limited to communicating; it included roles and responsibilities. The content of the business continuity plan should also include guidance on how to develop the business continuity plan. Conducting the business impact analysis facilitated the identification not only of the critical business functions and/or processes but also of the business units responsible for these functions and/or processes. The enterprise risk management process was purported to be the risk management process for the Western Cape Government. The development of a communication protocol to communicate the disruption was a further theme. The key themes were inclined towards the development of a business continuity management system, which could be considered the overall theme of the analysis.
Chapter 5 will discuss the analysis in relation to the key themes by referencing the literature reviewed to ascertain whether the research questions were appropriately answered.
CHAPTER 5
DISCUSSION
5.1 INTRODUCTION
The aim of the research was to ascertain the factors influencing the readiness of the Western Cape Government to continue with business as a result of a disruption. The intention of this chapter was to conclude whether the research questions were adequately answered. The research questions were designed to determine the current readiness level of the Western Cape Government. The questions attempted to explore existing business continuity processes; identification, location, management and the facilitation of risks; and forging the link between business continuity and resilience.
The chapter was arranged to discuss the findings in respect of the research questions, comparison to earlier findings, significance of the results and identifying gaps for future research. The process followed by the author was illustrated in Figure 5.1.
Figure 5.1: Process for discussion
[Figure elements: Research Questions; Theory; Significance of the results; Gaps & Future Research; Understanding the research question in relation to the theory; Review the interpretation of the data as provided in the Analysis]
Source: Author’s own construct (2019)
5.2 BACKGROUND
The study set out with the aim to explore the state of business continuity of the Western Cape Government to determine its level of preparedness to handle a disruptive event. It was established that Government had an obligation to provide services and infrastructure to improve the lives of all the people in the country. Should Government be faced with a disruption, it ran the risk of not being able to deliver services to the citizens of the country. It was therefore assumed that government departments would be prepared to deal with any disruption, with the assurance that services to the citizens would continue, but in a limited capacity, with limited impact and within a predetermined time. This, however, was not the case, based on the fact that the Western Cape (South Africa). Department of the Premier (2016) registered the ability of the Western Cape Government to plan for disruptive events, and to continue and restore business after such events, as a provincial risk. The insufficient supply of electricity experienced by the citizens of the country has had dire consequences for all in all industries. The inability of the country to deal with this issue has resulted in major disruptions experienced by many and in financial losses.
As mentioned in the literature review, South Africa. National Treasury (2018:8) expressed similar sentiments and developed the draft Government Resilience and Continuity Strategy based on ISO 22301: 2012 – Requirements of a business continuity management system. This therefore implied that ISO 22301: 2012 would become the guiding principle to be used by the Public Service. With this in mind, ISO 22301: 2012 was one of the important units of analysis in relation to the research questions. To gain improved insight in relation to the risk environment within the Western Cape Government, ISO 31000: 2009 was used as the methodology as it formed the basis in respect of the Enterprise Risk Management Strategy for Government.
British Standards Institute (2012:v) specified that the ISO standard applied the Plan-Do-Check-Act model related to planning, establishing, implementing, operating, monitoring, reviewing, maintaining and continually improving the effectiveness of an organization's business continuity management system. The research questions were designed to address the key processes in relation to the development of a business continuity management system: “leadership; planning; support; operation; performance evaluation and improvement”.