James is an experienced and versatile business professional who has worked across multiple sectors. He provides complementary skills to executive teams, advising across a range of disciplines including IT strategy, business continuity planning and IT project management.
James is an accredited Cyber Essentials consultant.
What should be included in a business continuity plan?
Unpalatable, but predictable
You’ll be glad to know this isn’t another Coronavirus article. Businesses have been faced with severe threats to their survival long before anyone had heard of COVID-19 – floods, fires and other localised disruptions are not new. Pandemics do remind us however that unpalatable events can and will happen.
COVID-19 is unusual in recent history because its consequences for business have been so severe and so widely felt. And it brings into sharp focus the relationship between likelihood and impact. Once-in-a-lifetime events are, by definition, very rare. But when they do strike, the pain can be relatively high. We may be less able, or perhaps less willing (sometimes with justifiable good reason), to prepare. And – yes – let’s be honest – that justification may be that reducing the risk is prohibitively expensive and we decide therefore that it is a risk worth taking.
In this article, I guide you through some simple steps to help your organisation survive an emergency. This is often referred to as a Business Continuity Plan (BCP). Unpalatable events will continue to affect businesses long after the history books have analysed the COVID-19 crisis. Therefore, it covers a broad range of topics, including many of the more common disasters which can and do happen during times when life feels more normal. This includes disruption to IT systems – a key topic because so many businesses rely heavily on technology to go about their daily work.
BUT – there’s some good news. It is not a complex subject. It doesn’t have to take up vast resources and time. You can do it yourself. Even a small amount of planning can make a big difference. And it can have a positive sales and marketing value too.
Common sense, written down
There are two key tests of a good BCP:
- Written down – a plan is no good if it’s all in the head of one person. Especially if that person leaves the business or is incapacitated. Write down your plans so you can share them with other members of your team.
- Common sense – other people in your company need to be able to pick up the plan and understand what to do in a crisis. Get feedback from colleagues. If it’s complicated, simplify it. Use tools such as checklists and flow diagrams so it is easy to follow.
This article will provide typical section headings to include in a BCP to help you achieve a result to meet these two tests.
Doing the right thing becomes a matter of routine
When we are under pressure or faced with unfamiliar circumstances, we tend to be more prone to mistakes. A BCP allows us to make rational decisions in peace time when we have the headspace to think.
Take the analogy of skid pan training, which can help you to develop the skills needed to control and correct a sliding car. If you’ve learnt and practised the skills, when your vehicle starts to aquaplane on a wet surface, your training kicks in and helps you to recover the situation; doing the right thing has become a matter of routine. If you haven’t prepared, your survival starts to rely more on good fortune.
Another way to describe a BCP is Internal Emergency Planning. It is about looking at things we can control within our businesses to respond to risks we can anticipate. Our primary goal is to ensure that essential tasks can continue to take place. This then becomes the starting point for our planning; we need to identify:
- What are the principal hazards we face?
- What does our business do which must continue in the short term, and what functions can be temporarily suspended in a crisis?
The Business Impact Analysis (BIA)
A BIA is simply the name given to the process you use to analyse:
- the risks you face
- your critical activities
- how quickly you need to restore those critical activities before the pain is too severe
Whilst not exhaustive, a typical set of hazards a small or medium-sized business may face includes:
- IT failure – e.g. computer virus, hardware failure, loss of communications including phones and/or internet
- Information and data loss (paper or electronic)
- Loss of utilities – e.g. electricity (and knock-on consequences such as to IT), gas, water
- Business failure of a key partner
- Widespread illness (or fear of widespread illness) – e.g. pandemic affecting staff and suppliers
- Fire or explosions – affecting premises or neighbouring premises
- Damage to premises – other than fire or explosions
- Severe weather – affecting staff or supply chains
- Major transport disruptions – e.g. fuel protests
- Theft or fraud by staff or third party
- Industrial action affecting staff or supply chains
- Bomb threats and suspicious packages
- Accidental or deliberate release of harmful agents affecting premises – e.g. gas leak
- Critical financial shock to the firm – e.g. cash flow crisis
- Loss of key people e.g. resignation
It can be very helpful to rank your hazards using a simple RAG (Red, Amber, Green) rating. This helps to identify areas to prioritise so that you can focus on the greatest risks. You need to be realistic as it is unlikely you will be able to tackle everything straight away.
It is common to assess risk in terms of two criteria: likelihood and impact.
Each is typically given a score out of 5. The scores are then multiplied together to give an overall risk rating. A key is used to equate that score to a RAG rating. For example:
- Likelihood (5), Impact (5) – Score 25 – RAG rating – RED (High)
  - This is the worst possible risk – both very likely to happen and with severe consequences for the business when it does happen. Urgent action is needed to try and mitigate this risk.
- Likelihood (1), Impact (1) – Score 1 – RAG rating – GREEN (Low)
  - This risk is very well controlled. It is rare, and even if it does happen the impact would be negligible. It is unlikely that any mitigating actions are needed at the moment; it just needs to be monitored over time.
A simple model to measure your risks
An easy to use risk matrix incorporating a RAG key is shown below:
Risk Rating Matrix
To use this to inform BCP actions, a risk appetite policy could be applied as follows:
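The scoring just described (likelihood × impact, each 1 to 5, mapped to a RAG rating and then to a BCP action) as a small risk register, added here as an illustration rather than the article's own matrix. The band thresholds and the risk appetite actions are assumptions, since the article only gives the end points (25 = RED, 1 = GREEN); the hazard scores are constructed sample values for hazards from the list above.

```python
from dataclasses import dataclass

# Assumed RAG key: a common 5x5 convention, not the article's own table.
RAG_BANDS = (
    (15, "RED"),    # 15-25: High
    (5, "AMBER"),   # 5-14: Medium
    (1, "GREEN"),   # 1-4: Low
)

# Assumed risk appetite policy: what each rating triggers in the BCP.
RISK_APPETITE = {
    "RED": "Urgent mitigation; write an action card and test it",
    "AMBER": "Plan mitigation within the review cycle; monitor",
    "GREEN": "Accept; monitor at periodic review",
}


@dataclass(frozen=True)
class Hazard:
    name: str
    likelihood: int  # 1-5
    impact: int      # 1-5

    def __post_init__(self):
        for label, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not 1 <= value <= 5:
                raise ValueError(f"{label} must be 1-5, got {value}")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def rag_rating(score: int) -> str:
    """Map a likelihood*impact score (1-25) to its RAG band."""
    for threshold, rating in RAG_BANDS:
        if score >= threshold:
            return rating
    raise ValueError(f"score out of range: {score}")


def risk_register(hazards):
    """Rank hazards highest risk first; ties broken by impact, then name."""
    ranked = sorted(hazards, key=lambda h: (-h.score, -h.impact, h.name))
    return [(h.name, h.score, rag_rating(h.score), RISK_APPETITE[rag_rating(h.score)])
            for h in ranked]


# Constructed sample scores; illustrative, not the author's assessment.
SAMPLE_HAZARDS = [
    Hazard("IT failure", 4, 5),
    Hazard("Loss of utilities", 2, 4),
    Hazard("Fire or explosions", 1, 5),
    Hazard("Loss of key people", 3, 2),
    Hazard("Bomb threats", 1, 1),
]

if __name__ == "__main__":
    for name, score, rag, action in risk_register(SAMPLE_HAZARDS):
        print(f"{name:<20} {score:>2} {rag:<6} {action}")
```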
Don’t be an ostrich
REMEMBER – the risk of something happening cannot always be eliminated, nor can the consequences always be mitigated. You may decide that the cost of fully eliminating the risk is too high, but the cost of some less radical steps to reduce it from High to Medium may represent a balanced compromise.
It’s your business; you are in control of the decision making. But knowing the risks exist in the first place and making a considered judgement, even if the decision is to do nothing, is always better than ignoring them completely.
‘Must continue’ and ‘Can suspend’ functions
To illustrate this point, let us assume you run a manufacturing plant making widgets. An explosion at a local electricity substation wipes out mains power to your plant and all your machinery stops working. You cannot fulfil orders to your customers until those machines start working again. What do you do?
This is clearly a time to invoke the BCP. Included in your BCP should be a list of all the functions in your firm, categorised as ‘Must continue’ and ‘Can suspend’. In the example above, the Manufacturing function would certainly be a ‘Must continue’ function; without it the business cannot fulfil its primary purpose, so all efforts must be focused on trying to restore it. IT is also likely to be a ‘Must continue’ function – it is almost certain the business relies on IT to process orders and communicate with customers.
‘Can suspend’ functions may include departments such as HR and Marketing. This is not to say these departments are not important; they of course fulfil a vital role, otherwise they would not be there in the first place. However, it is about focussing all available resources on solving the immediate problem and restoring time-critical services. If the annual appraisal process or a marketing mailshot is delayed by half a day, this is easier to recover from than half a day of lost manufacturing production and loss of customer goodwill.
Structures, roles and responsibilities
You now understand your main risks and have understood the importance of different functions to your recovery time objectives. You now need to think about how you will organise leadership during a crisis. This will depend on the size and complexity of your company. In a very small company, you may all be very hands on; in a larger company you may need to have more defined layers so that information can be cascaded. However, there are broadly three types of activity which are relevant to companies of all sizes, even if individuals in smaller companies end up taking on more than one of these activities:
A BCP should be simple and easy to follow when the pressure is on. The airline industry has understood this for many decades and pilots use a series of checklists to carry out essential pre-flight checks to ensure nothing is missed. Checklists are also used in-flight to troubleshoot incidents; following the correct procedure, for example, to restart an engine, is critical to safety. It is easy to make mistakes when you rely on your memory, especially in a crisis.
Checklists, action cards or flow diagrams are also valuable tools in a BCP. You will have identified predictable scenarios from which your company may need to recover. But you may only need to invoke them very occasionally, therefore people will often be unfamiliar with the detail when it happens.
For example, a power outage at your head office may mean you decide to tell staff to work from home that day. A checklist can help you manage the communication systematically, ensuring everyone finds out about the news and that you have made any required changes to your IT to enable people to work from home. A coordinated response to an incident can save valuable time and therefore money.
Training and exercise programme
When you step onto a commercial aircraft, you can feel comfortable that the two people sat on the flight deck are business continuity experts. They have spent hours in flight simulators practising how to recover from potentially catastrophic events. You hope these skills will never be tested, but it is good to know they have a plan in case they are.
The same applies to your own BCP. A good BCP never stands still. It is always a work in progress. This includes testing it on a regular basis and refining it if necessary. Testing can be ad hoc – you do not have to test the whole plan all at once. This might include tests such as allowing some staff to work at home for a day and evaluating whether it is practical and whether the theory set out in your plan works as you had expected.
Also, when new people join your company, remember to brief them about the plan and the role they can play in helping to protect themselves and the business.
Key sections to include in a BCP
A BCP can develop over time and become very comprehensive, incorporating years of thinking and risk mitigation. However, if you are starting from scratch and want to focus on the basics to get you moving, the following is a good list of sections to include in your first written plan:
- Distribution list (i.e. who has a copy of the plan in your company)
- Business Impact Analysis (including RAG ratings for your key risks)
- ‘Must continue’ and ‘Can suspend’ functions
- Structures, roles and responsibilities
- Action cards to recover from predictable incidents
- Training, exercise and review
- Contacts directory (e.g. key staff, customers and suppliers)
More advanced techniques
There are numerous things you can add to your plan over time. For example:
- The provision of ‘Grab bags’ containing critical tools and information should you need to evacuate a building in a hurry
- Work Area Recovery (WAR) planning – making provision to relocate your business to another location for a period of time
- Salvage planning – developing detailed incident sheets to capture what happened in a crisis. This can help when making insurance claims for business interruption.
- Preparation of draft media statements
To reiterate – a BCP is never finished. It is always a work in progress. It can always be refined, extended and simplified.
Show your customers you care
Finally, a BCP is increasingly something your customers might demand to see. It is often a requirement in tender processes. Customers want to know that their suppliers will still be there to support them even if the worst happens. A BCP will demonstrate that you are a responsible, trustworthy business. It can also, therefore, be a valuable sales and marketing tool – a differentiator – as well as a piece of emergency planning.
4 words to finish off
A BCP should not be complex. It should describe your business and practical steps it can take to protect itself. It should therefore pass this simple test:
COMMON SENSE WRITTEN DOWN