A Business Continuity Plan or BCP is not optional these days. The technological era has brought with it an expectation that organisations will be accessible and operational around the clock. Combined with catastrophic events like 9/11, the GFC and more recently data breaches, we have also seen a major shift in focus from Business Continuity as a reactive function to a proactive one. Mitchell Morley, risk management, audit and governance specialist from InConsult, identifies 6 steps to building a business continuity plan.
Building a BCP can often seem like a mammoth and daunting task for organisations with multiple divisions and broad functionality, like councils. Breaking the process down into a logical sequence of steps can help. Guidelines and standards, e.g. the Business Continuity Institute Good Practice Guidelines (a global guide to good practice in business continuity), are a good introduction to business continuity and will help with the details, but here is a six-step process for building an effective BCP.
1. Obtain Commitment and Identify Risk Appetite
Most plans fail to take hold within an organisation due to a lack of senior management buy-in. It is crucial to get the strategic decision makers on board for a business continuity plan as these are the key players who will ultimately provide leadership in a time of crisis. Start the BCP preparation process with a workshop of the organisation’s leadership team. Prepare yourself for the meeting with senior management by conducting research on existing plans, their effectiveness, cost and resources required. This should outline any gaps which can then be presented to senior management. Utilise the session with senior management to understand and formulate risk appetite. How quickly does management believe that the organisation’s stakeholders will want key services to resume following a disruption?
A risk appetite statement provides a directive to management and staff about organisational tolerance during an outage. Quicker response times generally come at a cost so the organisation needs to understand the costs and benefits of its desired tolerance to an outage.
2. Conduct a Risk Assessment
A detailed risk assessment across the organisation and its functions will highlight existing areas of weakness and identify plausible disruption scenarios. Most disruptions can be categorised into the following 4 scenarios:
- Loss of Data and IT/Resources
- Loss of Building
- Loss of Personnel
- Loss of Equipment or Resources
A disruption can consist of any one or more of the above scenarios. The AS/NZS ISO 31000:2009 principles of effective risk management can be applied to disruption-related risk planning. The Standard makes it clear that ‘risk management enhances an organisation’s resilience and creates strategic and tactical advantages’.
3. Conduct a Business Impact Analysis (BIA)
The BIA is possibly the most important step in the overall BCP process. The BIA should be designed to capture operational impacts, financial exposure, technological reliance and resource requirements across key business areas during a disruption. This step should identify any operations which are time-sensitive, for example waste collection services, and the time-frames by which these operations need to be fully serviceable. This step should also identify any contingency resources and plans. Business units often have manual contingencies built into their day-to-day operations to handle minor service outages; in some cases these manual contingencies can be stretched to form an alternative business process should the need arise.
Know your critical assets. Critical assets are important to maintain business continuity. Your BCP should list details of the critical assets. They include:
- People – contact information for key staff
- Suppliers – contact information for key suppliers and third parties
- Buildings – addresses of physical locations, copies of lease agreements and access keys
- Equipment – list of major equipment including computers, printers, scanners, vehicles
- Inventory – list of supplies, materials and stock
- Data – important electronic documents, payroll, accounting, records, back-ups
4. Develop the Plan
The BIA forms the basis of the overall organisational BCP. A robust BCP should include the organisational plan and response to the following four stages:
Emergency Response procedures:
The main focus at this stage is to ensure the safety of all personnel and the security of the organisation’s assets. This step is usually a “first-five-minutes approach” and no business directive is required. Most organisations will already have emergency response procedures and these need to be referenced or incorporated in this section of the Plan.
Crisis Management Response:
This stage involves the first critical decisions about what the crisis is and what the organisation’s response should be. The BCP should identify a crisis management team, the responsibilities of team members and the process and criteria for conducting an impact analysis.
This team generally comprises management in key decision-making roles who can provide the organisation with leadership and direction during a business disruption.
Business Recovery:
The business recovery stage outlines the procedures and activities necessary to restore critical functionality and services. These may not be restored to pre-crisis levels and may involve skeletal or contingency resources and procedures. For example, resumption of Waste Collection Services utilising contingency resources from a neighbouring council.
This section of the Plan must identify alternate operational sites and key business resources required. We strongly recommend a checklist type approach rather than a detailed analysis of everything from how many pens are going to be needed to where emergency coffee supplies will be purchased from!
Business Resumption:
This stage involves returning the business to a pre-crisis operational level. This stage of the Plan should not be too prescriptive, as the road to resumption will be dependent on the nature of the crisis and a whole range of other variables. Rather, this section should contain a broad outline of responsibilities and key processes to move towards full business resumption.
The following diagram shows the four stages that should be covered in a BCP.
Once the plan has been signed off it needs to be distributed to staff in a controlled manner with backup copies being stored in an accessible location in the event of a disaster. The BCP should be viewed as a live document which is reviewed, updated and improved upon over time.
5. Implementation & Training
Staff need to be trained so that they are aware of the BCP, what their roles and responsibilities are and who to contact should the need arise. Training will help to build staff capability and confidence to enable a smooth transition from crisis mode to business recovery and ultimately to the business resumption phase.
6. Testing and Exercising
Just as we practise fire evacuation drills to ensure staff are trained and processes are working in the time of a crisis, the same applies for the rest of a BCP. Regular testing and exercising of a BCP is critical to success. People are more likely to respond well to a crisis if they have practised what to do in advance. We strongly recommend at least annual testing/exercising of a BCP. This can also assist in identifying gaps and weaknesses in processes, steps and resources.
Business continuity planning does not have to be a daunting task if it is conducted in a logical and systematic way. A robust and tested BCP with trained resources will go a long way in making sure that the organisation is better prepared and more resilient in the time of a crisis.