Is your Business Continuity Plan worth the paper it is[n't] written on?
Flash back to 23 March 2020. The UK Prime Minister, Boris Johnson, announced a stay at home order, stating that people who were able to work from home must do so, and that only certain essential commuting to offices could continue.
Businesses up and down the country went into emergency procedures – dusting off Disaster Recovery Plans that had been so carefully written years before – and found they were insufficient. The DR Plans were out of date, didn’t match what the business was currently doing, and centred around how to recover lost IT systems. Or even worse, there was no plan in place and businesses had less than 12 hours to determine how the business was going to continue.
Only a few businesses were truly ready for lockdown – these businesses had a Business Continuity Plan that had been well developed, planned, tested and reviewed at regular intervals. They were able to seamlessly transfer from office-based working to remote working as they had the contingencies in place to support their critical business functions.
So, did the businesses that did not have a BCP in place learn from the mistakes of the first lockdown and put a robust BCP in place? According to Databarracks, only 27% of small businesses had a Business Continuity Plan in place in May 2021, compared with 75% of large companies, and of that 27%, 73% had not tested their BCP.
Relying only on a Disaster Recovery Plan is a mistake. A Disaster Recovery Plan is an essential part of a Business Continuity Plan but is centred around maintaining access to data and ensuring data validity in the event of data loss. A Business Continuity Plan, on the other hand, is a full risk-based approach to all key business areas, covering prevention, strategy, continuity of service and recovery from a disaster.
A Business Continuity Plan encompasses all key areas of the business; therefore, all areas of the business should take part in its development.
The first stage is to identify the scope of the Business Continuity Plan – does it encompass all geographic locations, or, more likely, will each geographical location have its own BCP?
The next stage is to determine the key business areas that operate within the scoped area. These will often be Design, Production/Manufacturing, Sales/Customer Services, Product Delivery and Back Office (HR/Accounts).
Once the business areas are established, a full Business Impact Assessment must take place using a risk-based methodology.
Using both internal and external sources (SWOT and PESTLE analysis), work out the threats to your business. Some will be environmental (flood, earthquake etc), some societal (war, riots etc) and some technological (hacking, ransomware etc). Assign each threat a risk level based on the likelihood of the event happening vs the potential severity of the impact if it did happen.
Then ascertain how these threats would impact critical functions of the business and what these critical functions depend on to keep running. Critical dependencies can include key staff, key external stakeholders, key data/equipment and supplies, key documents and key locations.
For each critical dependency a contingency must be put in place that reduces the impact or severity of the risk.
For example, a critical dependency of the sales department is being able to contact potential clients. In the event of a power cut in the office, is there UPS to allow access to CRM databases and telephone lines, or will the salespeople be able to work in a secondary location on a short-term basis?
One item that was missed from many businesses’ BCPs was the effect of a global pandemic – but they were able to tailor other parts of the plan, such as loss of office location or civil disobedience which prevents travel, to react quickly to the stay at home order and then review their plan to include pandemics.
The contingency plans should be far and wide reaching – for example, loss of key personnel is a substantial risk to a business, so having a talent pipeline, nominating deputies etc will help to mitigate this issue.
A key part of the contingency plan is determining how it will be enacted, who will take charge of it and how people will be informed of the contingencies, as well as the priorities for implementation – not everything can be up and running at once, so prioritise the business-critical areas and assign timeframes for each stage of the Business Continuity Plan.
Contingencies will come at a cost – cost of equipment, cost of location, cost of productivity etc – so ensure that this cost is estimated as closely as possible and that a budget is available for the BCP. Allocate who will make any payments, what authorisation they need (as the chain of command may be broken) and what will be used to make payments.
The final stage of the Business Continuity Plan is the return to normal. As we have seen in the global pandemic, the return to normal can be a long process, so it is important that there is a plan to return to normality as soon as possible and, if that is not going to be realistic, that there are review points to determine a new normal.
Once the plan is written, that is not the end of it. A robust BCP needs to be tested regularly. There are a number of ways to test a BCP:
- Talk through the BCP with key stakeholders in each business area and invite feedback on any areas that may have been missed.
- Walk through the BCP step by step as it would be followed in the event of a crisis.
- Simulate the disasters that may cause the activation of the BCP. This does not need to be a full Hollywood-style disaster but could involve blocking access to the office one morning to test the BCP.
Following planning and testing, the BCP must be reviewed regularly and any time business processes change.
Only with a fully comprehensive, well-planned, tested Business Continuity Plan can businesses be prepared for the multitude of disasters that could befall them and continue to trade without significant disruption.
At Giotech, we can assist with preparation, planning and testing of your Business Continuity Plans. To find out more email us at firstname.lastname@example.org or call us on 0207 183 2494 and our experts can advise on the stages to take.