Business Continuity Planning
According to the RISCAuthority, every year around 20% of UK businesses face an event that is unplanned, unwanted and may even challenge their very survival. In fact, around 80% of affected businesses will never fully recover. The event may, for example, be fire, flood, theft, fraud, terrorism, cyber-attack or supply chain failure. Whatever the cause, businesses that successfully recover to thrive again are those that have:
- Assessed the likely impact on their business of significant and potentially damaging events;
- Planned their response and documented it where necessary;
- Tested the effectiveness of the plan and revised it where needed;
- Invested time, thought, and where necessary, money in managing risk.
Business Continuity Programme
A business continuity programme should cover the scope of anticipated events and detail the responsibilities of individuals. Until a proper process has been completed it is not possible to say what the final programme will look like. Some organisations will have a weighty document, and some will have a simple set of instructions and contact numbers. Every organisation will be different.
An effective business continuity programme will involve the participation of various managerial, operational, administrative and technical disciplines that need to be co-ordinated throughout its life cycle. Some of these may be external to smaller businesses or be limited to one or two people. Those involved in the business continuity programme will be expected to be ready to respond and provide a lead during initial incident response and containment. If only a few people are involved, it is essential that relevant information is available to others should those with knowledge be unavailable.
Understanding the Organisation
To develop an appropriate business continuity programme, you must understand your organisation and the urgency with which activities and processes need to be resumed if disrupted. Ask the following:
- What are the purpose and objectives of the organisation?
- How are the business objectives achieved?
- What are the products/services of the organisation?
- Who is involved (both internally and externally) in the delivery of products/services?
- What are the interactions with regard to time and resources on their delivery?
Once the nuts and bolts of the organisation are understood, the next step can be taken.
Business Impact Analysis (BIA)
A BIA will identify where the most critical activities are within an organisation and therefore what responses are needed. It identifies, quantifies and qualifies the business impacts of disruption to business processes so that management can determine at what point in time these become unsupportable. In terms of business continuity, it may not be the most obvious activity in an organisation that has the biggest impact. Therefore, it is imperative that critical activities are identified before the next step can be taken.
Risk Assessment
The risk assessment looks at the probability and impact of a variety of specific threats that could cause a business interruption. The assessment should focus on the most critical activities identified during the BIA process. At this stage you will be concentrating on the top few risks that have the potential to cause most harm to the organisation. Once the critical elements are known, the organisation can determine and select the most appropriate business continuity strategies.
Development and Implementation
The aim of the plan(s) is to identify in advance, as far as possible, the actions and resources needed to enable the organisation to manage an interruption whatever its cause. Larger organisations may have several levels of planning depending on the complexity of operations.
If the event falls outside the scope of any assumptions, then the situation should be escalated to those responsible for implementing the Incident Management Plan.
Incident Management Plan (IMP)
Effective and timely management of a major incident is the significant factor in protecting an organisation’s brand from financial and reputational damage. This is achieved through management of the initial event and includes communication with internal and external stakeholders. Trigger points already identified from the BIA will invoke the IMP and pull together the response team and resources necessary to contain an incident.
Business Continuity Plan (BCP)
The BCP will have enough detail to initiate the response of the whole organisation to a disruptive incident. Those using the plan should be able to analyse information from the response team concerning the impact of the incident, select and deploy appropriate strategies from those available in the plan, and direct the resumption of business units according to agreed priorities.
Exercising
Practice makes perfect, so plans must be exercised. Exercises should be planned to incorporate events such as holidays and how these impact on staff with identified responsibilities in the plans.
Maintenance/Review
The business continuity programme should be maintained and periodically reviewed to ensure it remains relevant for the business and is up to date. This could include changes of personnel, contractors, suppliers and other key factors.
Sources of Information
Most companies are advised to consider adopting the discipline of business continuity planning. Sources of information include the Business Continuity Institute and its “Good Practice Guidelines”, available at https://www.thebci.org/resource/good-practice-guidelines--2018-edition-.html, and the British Standards Institution at https://www.bsigroup.com/en-GB/iso-22301-business-continuity/.
For companies in the SME sector, valuable assistance is at hand in the guise of “ROBUST”, a free-to-download business continuity toolkit developed by the RISCAuthority, available at Robust - Business Continuity Software.
Finally, the RISCAuthority has launched an online toolkit to help companies understand which suppliers would have most impact on their business in the event of an interruption. The Supply Chain Risk Assessment Tool has been developed in response to growing numbers of supply chain disruptions and businesses failing to recover. This is available at https://risc.riscauthoritysupplychain.com/.