Ensuring that your business can keep going when unexpected events happen has always been important, but the events of the year 2020 have brought the need for sound business continuity to the fore. This article will help you to understand what business continuity is all about, provide guidance on creating a business continuity plan and model that’s right for you, give you advice on an appropriate strategy, and help you to maintain the continuity of your business whatever the world might throw at you in the future.
Disruption to any organization’s business can be very costly, and in today’s online consumer choice marketplace, it can even lead to you losing business to your competitors. Using business continuity techniques to prepare for and plan your reaction to disruptions can help you to significantly mitigate risks, reduce any harm, and in turn, improve the experience of your customers.
Your business can be disrupted at any time by circumstances that are outside your direct control. Business disruption can be as dramatic as a natural disaster or as seemingly unimportant as one of your employees getting sick. Other examples include your premises being flooded by a water leak, one of your suppliers going out of business, or a transport strike that stops your workers from getting into the office. Disruptions like this to your business can happen at any moment, with no warning, and are out of your direct control. Without any emergency preparedness, the implications of these disruptions to your business can be severe.
Business continuity is all about having a plan to deal with these situations so that your organization can continue to function with as little disruption as possible. The details of business continuity will be different for each organization, as each organization is different, but each will use the same business continuity principles. Whether you run a commercial business, a public sector organization, a charity, or any other type of organization, you need to understand what business continuity is to help you to keep operating in unforeseen circumstances.
Business continuity doesn’t happen all by itself. Sometimes you might get lucky and be able to carry on as usual after an emergency, but more often than not, your business will be disrupted unless you have created plans for how to keep it going. This might be a high-level business continuity plan that sets up a crisis management team and lets them make the decisions about what to do next. Or it could be a set of more detailed plans that direct the different parts of your business in what they should do next. But trying to keep going without any form of business continuity plan will risk your organization’s survival.
The cycle of events for maintaining business continuity is mostly the same, irrespective of the organization or event that leads to it. Every cycle starts with something untoward happening. This is what should happen next:
Many people confuse business continuity with disaster recovery. They are not the same thing and have different goals, but there are relationships between them. Business continuity is concerned with keeping all essential functions of an organization going when there is a significant disruption to any part of the organization, including IT systems, essential infrastructure, people, and premises.
Disaster recovery (DR) is usually only concerned with the IT and technology infrastructures that support critical business functions. DR is aimed at restoring these critical technology-based systems and services in an emergency after a major event stops them from working. This often involves switching services from the primary site to an alternative location, then switching back again once the emergency is over. Disaster recovery is often considered to be a subset of business continuity.
Consider a holiday booking company that takes orders both online and over the telephone. Both rely on IT systems hosted on the company’s premises. Disaster recovery preparations could include having back-up IT systems in another location, with the data backed up to it several times a day. If the primary IT systems fail, then users could rely on back-up systems. Business continuity arrangements would, of course, include this but also extend to non-IT issues. For example, making preparations for staff to work from home if they were unable to get into the office for any reason.
Risks should include natural disasters such as fire and flood, anything that could prevent access to your premises, cyber-attacks, and pandemics that could reduce your available workforce.
All of the identified risks should be included in your BCP, together with:
Every business, irrespective of its size, should have a BCP. Disruption to normal operations will lead to loss of revenue and higher costs, contributing to reduced profitability. Relying on insurance policies alone will not cover the costs of trying to win back the business that you have lost.
The complexity of the BCP will vary according to the size of the organization, how it is structured, the nature of its business, the risks to continuity, and any external regulatory requirements. The aim should be to create a BCP that is in enough detail to be easily followed but not so complex that it is difficult to understand.
There are a number of lower-level goals that can help you to understand the purpose of a business continuity plan, including:
In most businesses, some business functions are more critical than others, especially those that deliver the organization’s goods and services. These should be a priority for all business continuity models.
One of the most significant benefits of having a business continuity plan is that it can minimize damage to the organization during disruptive changes, as well as during external events.
Who is responsible for what will vary between organizations, but roles and responsibilities for all business continuity planning and execution activities must be clearly defined and communicated. This should include responsibility for BCP operations, covering who can invoke the plan and who will manage the execution.
Just having a plan isn’t enough. It is unlikely that you will maintain continuity for your business unless all staff are aware of its existence, its content, and what their roles and responsibilities are when the plan is executed.
Every plan should be tested, as it’s only then that you will discover what doesn’t work. Testing a business continuity plan will need to use simulations, not real disasters, but your plan should define up-front how testing will be done.
This is an obvious goal for every plan that defines the actions that should be taken to maintain the continuity of the business for a number of different scenarios once the plan has been invoked.
This goal addresses a missing element in many business continuity plans. There will be a point when the business can return to its regular operating model. How this is done should be defined in the BCP.
Creating a good BCP needs investment in time and money. A big part of justifying the value of business continuity planning is understanding how a BCP helps mitigate risk.
Every business faces risks to its continuing existence. While some of these may be unique to each organization, many of them are common. These include:
The process of creating a business continuity plan forces you to consider all these types of risk in the context of your own business operations. That includes assessing the likely impact and the probability of the risk actually materializing. For example, if your premises are on the top of a mountain, then the likelihood of flooding may be very low! This is why trying to adopt a business continuity plan from another organization without reviewing and updating it for your own circumstances isn’t a good approach. At a high level, it can provide a useful BCP plan checklist to act as a guide for your own business continuity requirements, but you need to do the thinking at a detailed level.
There’s an old saying that goes something like ‘Better the devil you know than the devil you don’t know.’ The activities necessary to create a BCP make you think about what those challenges are for you, then think about how you could deal with them. That leaves you significantly better prepared when one of them jumps out at you. That will always help you to maintain business continuity.
As you work through the detail of each possible risk, it’s possible that you will identify actions you can take to mitigate against the risk fully. For example, if you operate a data center, your business continuity planning will identify a risk of total power supply failure. Depending on the likelihood and the cost of alternatives, you might decide to fully mitigate against this risk by investing in generators and fuel supplies. Many commercial data centers have taken this approach, even going to the level of paying fuel suppliers a premium to ensure that they get priority for fuel deliveries if there are fuel shortages. This is an excellent example of where BCP activities have considered every risk in detail.
When you can’t fully mitigate against a risk, then there is a chance that it might materialize. The process for BCP makes you think about what you could do to maintain the continuity of your business if this happens, at worst reducing the impact but at best reducing it to zero. In reality, this is just good risk management, but a business continuity model will give you a good structure and approach for identifying and then managing the risks.
| ACTION | FURTHER INFO/DETAILS |
| --- | --- |
| Evacuate the building if necessary | Use standard evacuation procedures for the building |
| Ensure all staff report to the Assembly Point | The Assembly Point for the [team/service/organization] is: the main parking lot. The alternative Assembly Point for [team/service/organization] is: the shopping mall car park. [insert name(s)] is responsible for completing this action |
| Call emergency services (as appropriate) | TEL: xxx. [insert name(s)] is responsible for completing this action |
The types of event should include natural disasters, power outages, cyber-attacks, civil disturbances, transport failures, denial of access to premises, and supply chain disruptions. Any of these could cause an emergency, either singly or in combination. For example, widespread flooding could damage essential equipment, cause a power outage, and prevent staff from getting into work.
Some functions within a business are more critical to continuity of operation than others, especially those that deliver the organization’s goods and services. Continuity plans address specific types of disruptions, how these disruptions will impact different business units, which business units are most important, and which actions to take in order to protect those functions. For example, most businesses can carry on for a time without a payroll function.
Completing a business impact analysis will project the potential effects of disruptions, assessing risks and potential losses. The analysis will provide important information that can be used to develop prevention, mitigation, and recovery strategies. It should be as in-depth as is reasonably possible, covering a variety of potential scenarios, timing, duration, and other relevant variables.
One of the biggest benefits of having a business continuity plan is that it can minimize damage to the organization during a disruption. Though it is not always possible to prevent certain types of events from affecting the business, there are often ways to reduce negative impacts. In certain situations, business continuity efforts can even mean the difference between failure and survival. Approaches should be developed to protect the most critical business functions and restore lost functionality as soon as possible. It is vital for organizations to protect these critical business functions during a disruption so that the crucial business operations can continue. Recovery strategies for business continuity can include relocating operations, outsourcing lost business functions, and hiring in replacement equipment. For example, initiating remote working policies can allow businesses to stay functional when employees cannot work on-site, as organizations discovered during the COVID-19 crisis.
This is the plan of action with the recovery strategies that will be implemented by business continuity teams. The BCP describes the sequence of actions to take in the event of a disruption or emergency, including the communication protocols and the responsibilities for executing the plan.
Testing is a vital part of any business continuity strategy. As soon as you create your plan, you must test it. Only by doing that comprehensively and diligently can you prove whether your BCP is going to work or not. Far too many organizations don’t do this and only realize that their plan doesn’t work as expected when they have to execute it for real. Testing will help you to find any parts of the plan that need to be changed or improved.
Just having a tested plan isn’t enough. Everyone in the organization needs to know that the business continuity plan exists, why it is needed, and what their own roles and responsibilities are. Employees should become familiar with a plan before it is ever needed. Providing pre-emptive training can ensure that employees stay prepared and can perform their duties effectively when the plan is invoked.
Instead of waiting for a real disaster to happen, it is a good idea to execute the plan using a simulated emergency. This should be done with as few people as possible, knowing in advance that it isn’t a real emergency. This approach to testing business continuity will give you the best guarantee of success, as it will highlight any areas of improvement. Ideally, this will be regularly re-run using different scenarios that will test different parts of the BCP plan.
Implementing any BCP is a project, so you should follow a project management methodology, using a project team that includes all parts of the business. Business continuity can be implemented solely using internal staff, particularly if you have individuals with the necessary skills and experience. In a large organization, a BCP will be prepared by someone who has a role dedicated to business continuity. In smaller organizations, the task can be assigned to another role, but preparing the plan is not an administration task. It requires knowledge of what a BCP should contain and the BCP process flow, strong risk management skills, and a good understanding of who business continuity planning is done for: the whole organization. However, many organizations bring in external companies that specialize in business continuity management (BCM).
One of the key activities for any BCP implementation is the definition of roles and responsibilities, both for the implementation itself and for BCP execution, maintenance, and improvement. Business continuity approaches are often led by a dedicated individual or team. The BCP team’s composition will vary, depending on the nature of the disruption, and each team member will be assigned specific duties.
Defining and executing training activities and exercises is a key part of any BCP implementation. Training will ensure that employees are prepared so that they can perform their tasks effectively and operate efficiently during an invocation of the business continuity plan. Without this training, employees will not be able to react effectively or swiftly – precisely when speed is of the utmost importance.
It is imperative to get genuine management support for the business continuity plan. Far too often, the plans are created to satisfy a governance requirement, but in reality, the management doesn’t really care about the business continuity or disaster recovery plan. They care more about profit, business strategy, client satisfaction, and market share. One approach to get management support is to educate them on the need for business continuity and how important it is for continued business operations. Using examples from other organizations is a good way to help.
Creating an efficient business continuity plan is crucial for every company. Despite this, some organizations still underestimate the need for one, believing that nothing bad can happen to them. This is illogical if you consider the number and wide range of potential threats to any business.
Creating a BCP is not an administrative task. It requires considerable thought and effort by a lot of people. Using a robust approach to BCP implementation that has full management support is vital for success.
Any plan is only as good as its testing, so ensure that you test your BCP plan as soon as you create it, then improve and repeat regularly. Doing this will help ensure that your organization can continue to operate in the face of disruptions, helping you build trust and reputation with your customers.