A series of unfortunate events

Last month Adam looked at the reasoning behind having a business continuity plan; This month he looks at how to write a plan

Published:  05 January, 2022

At the core of a business continuity plan is the concept of risk management. The Business Continuity Institute’s Brian Kinch observed: “Business continuity is concerned with helping with the capacity to withstand incidents and return to normal operation in an acceptable timeframe and condition, regardless of the issue.”
    
Of course, what is written into the plan will very much depend on each firm and the issues it faces, the needs of interested parties, key processes, identified risks and the controls that the firm subsequently introduces to cope with the threats during the interregnum. It’s critical to include an assessment of how soon it can actually recover key processes should disaster strike.
    
Is there a set format for a plan? Gordon Brown, senior consultant at Plan B Consulting, thinks not: “There is no right or wrong way to write a business continuity plan as each should be tailored to the organisation and not just a list taken from the latest good practice guide.” However, he recommends including contact information; contact procedures; Guidance and procedures on incident management; and recovery based on different circumstances.
    
It’s easy to make classic mistakes in an environment where as Gordon puts it, “an incident management team is under pressure internally and externally and is expected to make correct decisions.” The biggest problem is a plan with irrelevant information which just ticks boxes but doesn’t add value.
    
As to why business continuity planning is important, consider if, pre-9/11, anyone planned for a dual air strike and the collapse of what had once been the world's tallest buildings? Planning is about preparing to deal with the consequences in a people, premises, technology and process context for the unthinkable.
    
Just writing a business continuity document is akin to writing out a MOT test certificate for a car that hasn't been inspected. When a plan is written it is essential that members of the management team are trained and given support while the document itself must be regularly tested and updated.


Assess the risks
Threats to the business are easily categorised and although some seem improbable, it’s nevertheless good practice to consider them all including natural disasters, theft or vandalism, fire, power cut, fuel shortages, IT or telecoms system failure, restricted access to premises, loss or illness of key staff, crises affecting suppliers, crises affecting customers, crises affecting business reputation, or terrorism.


Strategy and plan
Plans should be written in plain English so that all can understand it. Guidance on this is available through a free piece of software; ROBUST: https://robust.riscauthority.co.uk
   
Build-in redundancy, without adding too much extra cost. For example, there’s no point renting a spare building or equipment just in case, but having suppliers may help. Plan for IT failures by backing up data regularly, at least once a day. Also, keep the backup off-site and accessible. Consider having mobile phones on different networks with ample data packages which can be switched in if the landline fails. Consider a piggy-back arrangement with a neighbour for broadband.
    
Check on the business insurances, noting down policy details, and keeping them off-site. Apart from the obvious; Premises, stock, vehicles, public and employers’ liability; Look at directors and officers insurance, business interruption insurance, keyman insurance, critical illness cover, and permanent health insurance.
    
Good policies and risk assessing threats may help forestall any obvious threats and may help lower insurance premiums as a firm presents a lower risk to the insurer. Policies also tell staff what to do in given situations, such as illness or bad weather policy.
   
Draw up a list of emergency contacts that includes key staff, utilities, employment agencies and key suppliers. Work out how calls can be diverted if there’s no access to the building. Remember also details of the company accountant, solicitor and the tax/VAT office (with references). Lastly, disaster recovery plans need testing and keeping up to date.
 

Related Articles


Facebook


©DFA Aftermarket Media Ltd 1999-2022
Terms and Conditions