Putting a robust Business Continuity Plan in place
Putting a business continuity plan in place can not only have your operations quickly up and running again should a disaster occur but, as consultant Keith Brownsword points out, can deliver day-to-day benefits as well.
Business continuity is a process that identifies potential threats and impacts to an organisation that could jeopardise the reputation, brand and/or the value-creating activities of that organisation.
Having identified these threats, the organisation develops appropriate measures to increase its resilience to these impacts, which are communicated to key stakeholders and tested and enhanced as the organisation and its business environment change.
Responsibility for establishing, implementing and improving the Business Continuity Programme varies by organisation depending on its size and complexity and the scope of its business continuity requirements. What does not vary, no matter what size of company, is that the responsibility for ensuring that arrangements are in place and are fit for purpose lies with top management. All relevant authorities and regulators would expect not only that senior management is responsible but also that the organisation can demonstrate this with appropriate documentation.
Emergency planning has not been immune from the severe challenges that businesses have had to endure as a result of the economic downturn. The temptation to identify business continuity as an area to downscale is, on the face of it, an attractive option; however, progressive organisations are increasingly choosing an alternative approach.
The risk of not having business continuity arrangements in place in a volatile and regulated environment is too significant for most reputable companies to countenance, so emphasis is now moving to gaining a greater return on the investment made from the Business Continuity Programme.
Most advice will direct companies towards the steps that are required to develop a business continuity plan and will emphasise the requirement for testing and maintenance of that plan. Following this advice will lead a company to the development of a suitable supporting programme, and will assist in achieving an adequate emergency response at the time of an incident. What this advice may not focus upon is what benefit this activity will add to the business in its day-to-day operation.
Organisations are now becoming increasingly aware of the additional benefits that may be achieved by integrating a Business Continuity Programme into the business as a whole. These include:
• Regulatory. Contributing evidence to prove the compliance of the organisation with its wider legal and regulatory requirements.
• Competitive advantage. Sales and marketing functions testify to the additional value that offering the reassurance of continuity of service brings. It should be noted that the requirement for continuity is increasingly becoming considered a must. This is leading to the view that the absence of a robust Business Continuity Programme can become, at best a competitive disadvantage, at worst a deal breaker in winning and maintaining custom. This benefit can be extended to consolidate the brand, especially where the brand needs to engender confidence among its customers in its stability, availability and reliability.
• Insurance. Whether this may be negotiating insurance premiums or as an integral part of making an insurance claim, insurance companies are increasingly expecting that companies will be making adequate arrangements to counter or at least mitigate the impact of an incident on the company. An adequately documented Business Continuity Programme is essential when interacting with insurers.
• Enhanced strategic decision making. In developing a robust emergency response, companies will identify very clearly their key priorities, resources and risks that feed directly into strategic initiatives, such as succession planning, organisation redesign, etc.
• Selling a business. A business with a structured and robust Business Continuity Programme in place presents a better prospect for potential acquirers, as it demonstrates sound management as well as the assurance that, should flood, fire or other event occur a week after purchase, the business will still be operational.
To know whether you are maximising your investment in your business’s emergency planning, it is worth considering:
• Who are the key players in the company’s response to an incident, are they aware of the plan and how confident are the Crisis Team that they know how to invoke, implement and stand down the business continuity plan?
• How often is business continuity discussed when developing the company’s strategic approach?
• To what extent would the company’s key customers be reassured by the arrangements that have been made and how has this been exploited by the company’s sales and marketing approach?
• When obtaining services and products from external companies, to what extent is business continuity considered as part of the procurement process to ensure the company can rely on its business partners?
• Should key customers, regulators and other key stakeholders require proof of the currency and adequacy of the company’s preparedness for an emergency, how confident is the company that they could provide evidence to address any enquiries satisfactorily and in a timely manner?
• What are the expectations and requirements of the company’s insurance, and to what extent does the Business Continuity Programme satisfy these requirements? What are the impacts of any gaps and where are the opportunities to exploit the programme’s strengths when negotiating with the insurers?
Whatever size of company, having a clear, documented, well communicated Business Continuity Plan in place can ensure that should your operations be impacted by an emergency – from the loss of a key director through to a premises burning down with the loss of all equipment – management and staff can act quickly to get the business back on its feet and working as effectively as possible, maintaining its ability to trade and to deal with customer concerns and expectations.
PUTTING A PLAN TOGETHER
One common misconception is that an organisation should think of a scenario and plan in detail what they would do should that scenario occur. While this clearly has advantages and is used very productively as part of a project management process, this approach is not likely to fully protect an organisation.
Quite often organisations can handle a single incident reasonably well. What is more difficult is when, as is usual in major crises, a number of incidents occur at the same time. This can leave a plan based on a single scenario incomplete or too rigid to cope with the scale of a diverse and rapidly escalating situation.
Organisations, even in very similar business sectors and markets, are not identical. It should be no surprise that, like fingerprints, no two business continuity plans are the same. A good plan should reflect the individual company’s requirements.
Here are a few suggestions for a set of requirements for a plan:
a) Ensure that there are very clearly defined roles and responsibilities for who should do what at the time of an incident, including what authority individuals and teams have. These needn’t be the same as business as usual roles and responsibilities.
b) A clear, documented process for activating the emergency response.
c) Details on how to manage the immediate consequence of an incident. This should include: the welfare of individuals (not necessarily just within the organisation); strategic, tactical and operational options for responding to disruption; and actions to contain or prevent further disruption.
d) A clear communication approach, so the organisation knows and documents how it will communicate to all its key stakeholders and, where possible, what it will say.
e) What are the key timescales to restore critical activities, particularly activities that are critical to the Unique Selling Point(s) of the company.
f) A process for standing down the emergency, particularly if the roles and responsibilities individuals have taken on are different from those undertaken as part of business as usual.
g) A process for returning to business as usual, and understanding how the incident has actually impacted the business, its employees, customers and other stakeholders. These impacts often take time to assess, so this process should be ongoing – for example, if the impact of the incident has been to the emotional or physical welfare of individuals, care should be taken around anniversaries of the crisis.