Businesses are exposed to disasters all the time, including IT system failures, cyber incidents, power outages, major losses, e.g. fire or flood at site, epidemics or natural disasters. These causes could cripple your business unless you have a responsive and resilient Business Continuity Plan (BCP) ready.
Business Continuity Planning is a management process that identifies in advance the potential impacts of disruption to an organisation's ability to function. An up-to-date and robust BCP allows your business to continue running everyday operations seamlessly. It makes sure that you can service your customers, continue to court your prospects, manage your partners and suppliers and ensure your employee wellbeing and productivity in a satisfactory manner, even when you’re facing technical issues.
Therefore, it’s very important to come up with a continuity plan, if you don’t already have one.
Relevant factors such as your business’ resources, location, suppliers, customers, and employees must be carefully analysed before a Business Continuity Plan can be formed. It is also crucial to test the plan and check whether it’s working or not. Without a serious stress-test, it is possible that your BCP could look great on paper, but quickly show flaws in a real-life scenario.
A Business Continuity Plan (BCP) should:
Proactively improve the organisation’s resilience against disruption
Provide a planned method to restore products or services
Deliver a capability to manage an incident to protect the reputation and brand of the organisation
Planning should recover all aspects of the business and involves:
Pre-planning with a view to ensuring an incident does not happen in the first place
Emergency response in the immediate aftermath of an incident
Crisis management including salvage and reinstatement of assets and/or premises, relation, etc. within an acceptable time
Business Recovery which involves the management of provision of an acceptable level of service to customers, allowing a return to normal trading
Whilst the detailed nature of the planning process may differ between individual organisations, there are several key stages which should be completed to provide a meaningful plan:
Project Initiation and Definition
Business Impact Analysis
Develop Continuity Plan
Project Initiation and Definition
It is essential to understand that the project will involve a considerable amount of time and effort within the organisation. The exercise requires sponsorship and allocation of time and resource.
Whilst input is needed from all areas of the business, it is important that responsibility for implementing and coordinating is defined and allocated to an individual. Their responsibility will be to ensure that all areas of the business are represented and that departments are involved in their own plans, and to control the overall development of the plan.
It is necessary to define what the plan is trying to achieve, determine realistic timescales and allocate responsibility.
The scope of the plan will need to be determined by the business at the start in terms of the areas to be covered, together with any not in scope.
What assumptions is the Business prepared to make?
Can you envisage a total loss of the site or do the existing precautions protect areas adequately?
What aspects are to be considered? Normally this will include hard issues such as physical damage – fire, flood, etc. – but does the business need to investigate issues such as product recall?
Tolerance is also key to the plan.
What interruption/disruption can the business tolerate?
This can be defined in terms of time; either because of a formal Service Level Agreement (including contractual penalties) or simply a competitive environment which will see customers migrate to competitors in the event of a prolonged interruption.
What is sustainable?
Financial tolerance may be a more relevant measurement in terms of a reduction in turnover/profit following an interruption.
The business must define what represents a crisis; this will depend upon the nature of an organisation and its circumstances. Disruption is managed on a day-to-day basis by businesses so there is a need to establish when an incident falls outside the normal coping mechanisms.
It is important not to invoke the plan too early for fairly minor issues but equally any delay in invoking the plan could undermine its effectiveness.
Business Impact Analysis
A crucial stage of the process, this involves looking at what is key in terms of the operation of the business, identifying critical assets and functions and determining the effect of their loss. Examples may include key pieces of equipment, bottlenecks, IT, access to premises, etc.
It is often useful to construct a flowchart of the business operation, noting the input from various departments and functions to highlight the effect of their loss. The process examines the loss of a function (including external sources) for whatever reason and determines the effect on the business and how quickly it could be replaced/restored.
Assume the interruption will happen at the worst possible time and the impact will be the greatest – just before peak season, holiday period, etc.
Now consider the risks to the key assets: are they protected? Hard risks are relatively easy to consider – protection against fire, flood, etc.
Soft issues are hard to evaluate, but risks such as product failure and associated recall functions need to be considered.
Given the potential impact on the business in the event of loss and the potential likelihood of the loss, are the existing protections adequate or can they be improved on a cost-effective basis?
The business needs to determine a strategy for overcoming any disruption which fits the needs and tolerances of the business.
The exercise is not a magic wand, particularly in the case of single manufacturing sites and it may not be possible to come up with a cost-effective solution which replaces production in the event of a prolonged disruption.
A valid solution may be simply to protect the assets from potential loss to the highest possible limit and reduce the risk of total loss occurring. It may then be possible to develop recovery strategies for the resulting partial loss.
There are many solutions which may fit the needs of the business including duplication, outsourcing, stockpiling, etc.
It is acceptable to stagger recovery – prioritise recovery of certain functions to support customers in the event of being unable to fully reinstate. It is important that the recovery strategy is fully approved, communicated within and embraced by the organisation, and that it is fit for the needs of the business.
Developing a Plan
A management team should be formed involving senior management and representation from all areas of the business. The team needs to be able to comment on and take decisions on behalf of the Organisation. It will be responsible for overseeing and managing any incident allowing the business to recover in the most effective manner.
It is important to define an escalation process for incidents. The business will manage issues during the course of normal operations; at what stage do you want to escalate these to the next level?
There is a danger in micromanaging: for example, do you really need to assemble the management team for a burst pipe? On the other hand, the team will need to be aware of the incidents which may then escalate to have a significant impact on the business.
Individual department plans for recovery will be documented which fit in with the tolerances and requirements of the business.
It is essential to outline responsibility for lines of communication including staff, media, customers, emergency services, etc.
The plan should include three key areas:
Emergency response - procedures at the time of the incident to ensure adequate initial response to and control of the incident. This may already be in place and could be as simple as an emergency evacuation procedure or more detailed such as chemical spill procedures.
Crisis Management - this aspect should include an assessment of damage, look at recovery options, salvage, liaison with builders, suppliers, etc.
Business Recovery - responsible for the recovery of key processes and services within the timescales outlined in the plan.
Testing & Review
Once the plan has been developed and distributed, it is important that it’s reviewed on a regular basis, particularly in the event of a change in circumstances within or external to the business.
Plan and create a ‘doomsday’ disaster scenario that affects your business. Employees should act as though the scenario is genuine and refer to their duties in the Business Continuity Plan, going through it step by step. Monitor the time it takes to get everything under control, from contacting customers to checking business resources and temporary meeting locations. Ensure you have impartial observers / invigilators who make notes and record the effectiveness.
Evaluation and amendment
After the Business Continuity Plan is put to the test, gather your employees to discuss the plan’s overall performance. Identify where it needs improvement and encourage the parts that worked best. Make changes to key personnel, responsibilities and actions where necessary, to ensure that the continuity plan is working at its best.
Communicate and diary
Communicate the importance and benefit of the BCP to all levels of the workforce. Promote the review and active participation in the BCP simulation. Use the simulation to identify competencies within your workforce that may signify additional resources during a disaster situation. Diary to repeat the process within 12 months.
Having a Business Continuity Plan is a good start, but testing it regularly and robustly is equally, if not more, important. A BCP will not only help with a ‘doomsday’ event but will usually alleviate some of the day-to-day operational issues, e.g. machinery breakdown, temporary supply issues, power outages, etc., which may not require a full activation of the plan but would provide solutions to smaller-scale and shorter-term challenges.
About the author
Simon Broome SIIRSM Tech IOSH has over 25 years' experience around risk management, honed through his industry background and working on operating software and management systems. He is a Specialist Member of the International Institute of Risk and Safety Management and a Technical Member of IOSH, and also holds the NEBOSH National Certificate in Fire Safety and Risk Management.