A practical guide to Business Continuity Planning

Part 1 - An Introduction

“It’s like life assurance; whilst you hope never to use it, BCP assures shareholders and trustees, regulators, customers, suppliers and employees. It makes them happy to invest in you”

Faced with catastrophe, it’s tempting to think we are so familiar with our business that we could rebuild it without a plan… difficult, but doable. Perhaps, but there are points to consider before you take this route. Faced with a burned-out office already trending on social media, how long before customers and competitors notice and start to act? You probably have a few hours to plan your response.

Unable to operate, you start to lose revenue, the phone goes unanswered and suppliers’ terms harden. You have a crisis to manage - no time, no information, no resource and no tried and tested strategy with which to reassure stakeholders, who are now clamouring for information.

You call a meeting and set a recovery deadline that aims for 50% of normal output inside a week. Is it enough? Can you deliver? Is that for all products and services, or would you want to prioritise? What then are the implications for recovering IT? Where will other key business functions go? What messages should the sales team pass to prospects? And what about seasonality, does that change things? And somehow, amidst all the questions, you have a business to run.

Business Continuity Planning (BCP) is a management discipline that sits alongside others such as risk, compliance, information security and so on. Like them, it is not generally viewed as a bottom-line contributor, but has an important part to play. BCP equips you to answer the deluge of questions posed during a crisis - in relative comfort. It puts you in control, buys you time and builds confidence.

There are various formal definitions available for BCP, however a working description might be

A systematic process involving planning and preparation that ensures we can respond acceptably to any operational emergency affecting the business

Like other management disciplines, BCP needs to be established as a continuous activity with a policy framework and approach, an owner, a budget and top management backing. From here and with a relatively light touch, you can go on to analyse the business and write a plan.

BCP derives value from its satisfaction of risk governance criteria, ensuring that your exposure to continuity-threatening events aligns with stakeholders’ risk appetites. It’s like life assurance; whilst you hope never to use it, BCP assures shareholders and trustees, regulators, prospective and live customers, suppliers and employees. It makes them happy to invest in you.

 

BUSINESS CONTINUITY PLANNING IN 60 SECONDS

 

BCP in 60 seconds.png

11 reasons why you need to have a Business Continuity Plan

In the event of a disruption:

  1. You avoid knee-jerk dead-end reaction
  2. You have calculated recovery deadlines that avoid excessive spend or risk
  3. You develop capability, so your people know what to do when called on
  4. You build organisational resilience, balancing toughness and recoverability
  5. Your plans can save lives, ensuring correct emergency procedures are followed
  6. You enhance insurance value, balancing BCP against BI
  7. You inspire customer confidence, knowing they can rely on you, no matter what
  8. You have the confidence of your investors, knowing their money is in safe hands
  9. You have the confidence of your suppliers, knowing their bills will be paid
  10. Your plans can preserve brand value and company reputation
  11. Your plans can ensure supply chain security and order fulfilment

The relationship between Continuity and Insurance

“Business Interruption (BI) insurance compensates organisations with long recovery times, underwriting their gross profit and increased cost of working. For many it represents essential risk management”

Business Interruption insurance (also known as Loss of Income or Consequential Loss) is arguably as important as your Buildings and Contents cover and is an essential part of your Business Continuity Plan. It is designed to cover losses you may experience if your business is affected by insurable perils such as damage by fire, flood or even the loss of utilities for a defined period of time.

Organisations fail when they run out of cash. This can arise for many reasons, from market collapse to financial mismanagement, but also because of unplanned disruption. BI underwrites your gross profit, typically for a year or more. It buys you time to focus on rebuilding, keeping customers and restoring revenues.

The problem is that without a BCP, your response to catastrophe is purely reactive. You’re in shock and even with funding and your best efforts, it may be too late for the business. Equally, if you don’t have BI, you may run out of cash before your plans can be realised. The fact is, BI needs BCP and vice versa, each maximising the value of the other.

Driving business value with continuity planning

Why should the rest of the business be interested?

Risk and Insurance

Insurance doesn’t cover all aspects of Business Continuity risk, since it can’t reasonably prevent brand or customer erosion if you respond inappropriately or too slowly. Because of this, many policies now expect you to have a tested BCP that documents your capability.

Marketing and PR

What you communicate in a major incident defines how you are judged by your customers, competitors, investors, suppliers and employees. Their confidence in your planned recovery can determine whether you will succeed, so what you say and do matters. BCP supports this.

Finance

Major disruption reduces income, starving the business of liquidity over a period of time, causing it to fail. Insurance policies oblige you to minimise insurable losses too. Business Continuity Planning focuses on this, establishing what must be done and by when to recover revenues before this point is reached.

HR

In a major business incident protecting people is our number one priority, but somehow alongside this we must also prioritise the needs of the business and its customers. Business Continuity Planning coordinates emergency response with crisis management and business recovery.

IT

IT delivers vital services but how it does this is rarely understood by the business. In a major disruption, every department will tolerate loss of IT for a characteristic time before it becomes unbearable, and this shapes what IT must deliver and at what cost. BCP sets acceptable recovery times for IT services.

Procurement

Organisations rely on their supply chain and inherit its risk. It helps to know which suppliers are business-critical and how your response to major disruption dovetails with theirs. Business Continuity Planning takes account of supply chain dependencies.

Operations

Rebuilding production following disruption can be complex and carried out under extreme pressure invites catastrophic error. Business Continuity Plans formalise the response to different sources of disruption, ensuring they are thought-through and viable.

Governance

Investors are more likely to entrust their money to an organisation who takes governance seriously, managing all exposures against their risk appetite. Every organisation faces extreme events and Business Continuity Planning helps mitigate this class of risk.

Health, Safety and Environment

Most regulatory bodies require their subject organisations to own and test Business Continuity Plans. Many formal standards also include risk and continuity management as part of their implementation framework and certification requirements.

Facilities

Many major incidents involve damage or destruction of infrastructure and having available alternatives underpins every other aspect of recovery. Consequently, facilities managers should have Business Continuity Planning as part of their remit.

Sales and Customer Service

People think twice before buying any product from a failing organisation. Business Continuity Planning delivers powerful messages to customers, reassuring them that they will never be left uncertain or under-supplied if the business suffers disruption.

Do you Really need one though?

"We don’t need one - we’re prepared and will cope"

In a catastrophe you have a finite time available in which to recover, using only what is to hand. If you miss the deadline, your organisation faces a possibly irrecoverable situation, haemorrhaging money and reputation beyond the point of no return. Planning buys time, prepares and co-ordinates resources in the best possible way. It allows forethought, refinement and practice, making the deadline more concrete, and it documents the steps to recovery. 

"We don’t have the time nor money to develop a plan"

We get it. BCP is off the radar for many small firms. However, most are relatively uncomplicated so it isn’t so hard to write a plan, and any investment of time, effort and money should be correspondingly small. Set this against the blood, sweat and tears invested in creating and nurturing your business, and why would you not take this last common-sense step to help protect what you built? If the business is multi-faceted with complex processes and supply chains, then recovering it following a disruption probably needs a BCP.

"We have insurance to cover our losses"

Insurance provides you with cash compensation. However, it won’t reconstruct operations or hold onto your customers and reputation - you must do this yourself. You need to create belief in your ability to deliver before they turn to competitors and are potentially lost forever. Smaller firms may be able to do this reactively, but common-sense suggests that most chaotic situations do not run smoothly - unless you planned for them.

"We already have a plan in place"

Great work, you have a plan. But take a moment to reflect - it needs to be up-to-date, detailed and totally applicable in an emergency. If it fails on any of these points, the chances are at best it will be discarded and at worst it will mislead, potentially with catastrophic results. Also, if customers, shareholders, employees, suppliers and insurers believe you have a working plan but in fact you don’t, you risk misleading them. This may result in a breach of trust and governance and potential legal consequences.

Get started with our free BCP templates

Read our blog

View our case studies