“It’s like life assurance; whilst you hope never to use it, BCP assures shareholders and trustees, regulators, customers, suppliers and employees. It makes them happy to invest in you”
Faced with catastrophe, it’s tempting to think we are so familiar with our business that we could rebuild it without a plan… difficult, but doable. Perhaps, but there are points to consider before you take this route. Faced with a burned-out office already trending on social media, how long before customers and competitors notice and start to act? You probably have a few hours to plan your response.
Unable to operate, you start to lose revenue, the phone goes unanswered and suppliers’ terms harden. You have a crisis to manage - no time, no information, no resource and no tried and tested strategy with which to reassure stakeholders, who are now clamouring for information.
You call a meeting and set a recovery deadline that aims for 50% of normal output inside a week. Is it enough? Can you deliver? Is that for all products and services, or would you want to prioritise? What then are the implications for recovering IT? Where will other key business functions go? What messages should the sales team pass to prospects? And what about seasonality, does that change things? And somehow, amidst all the questions, you have a business to run.
Business Continuity Planning (BCP) is a management discipline that sits alongside others such as risk, compliance, information security and so on. Like them, it is not generally viewed as a bottom-line contributor, but has an important part to play. BCP equips you to answer the deluge of questions posed during a crisis - in relative comfort. It puts you in control, buys you time and builds confidence.
There are various formal definitions available for BCP, however a working description might be
A systematic process involving planning and preparation that ensures we can respond acceptably to any operational emergency affecting the business
Like other management disciplines, BCP needs to be established as a continuous activity with a policy framework and approach, an owner, a budget and top management backing. From here and with a relatively light touch, you can go on to analyse the business and write a plan.
BCP derives value from its satisfaction of risk governance criteria, ensuring that your exposure to continuity-threatening events aligns with stakeholders’ risk appetites. It’s like life assurance; whilst you hope never to use it, BCP assures shareholders and trustees, regulators, prospective and live customers, suppliers and employees. It makes them happy to invest in you.
In the event of a disruption:
“Business Interruption (BI) insurance compensates organisations with long recovery times, underwriting their gross profit and increased cost of working. For many it represents essential risk management”
Business Interruption insurance (also known as Loss of Income or Consequential Loss) is arguably as important as your Buildings and Contents cover and is an essential part of your Business Continuity Plan. It is designed to cover losses you may experience if your business is affected by insurable perils such as damage by fire, flood or even the loss of utilities for a defined period of time.
Organisations fail when they run out of cash. This can arise for many reasons, from market collapse to financial mismanagement, but also because of unplanned disruption. BI underwrites your gross profit, typically for a year or more. It buys you time to focus on rebuilding, keeping customers and restoring revenues.
The problem is that without a BCP, your response to catastrophe is purely reactive. You’re in shock and even with funding and your best efforts, it may be too late for the business. Equally, if you don’t have BI, you may run out of cash before your plans can be realised. The fact is, BI needs BCP and vice versa, each maximising the value of the other.
Insurance doesn’t cover all aspects of Business Continuity risk, since it can’t reasonably prevent brand or customer erosion if you respond inappropriately or too slowly. Because of this, many policies now expect you to have a tested BCP that documents your capability.
What you communicate in a major incident defines how you are judged by your customers, competitors, investors, suppliers and employees. Their confidence in your planned recovery can determine whether you will succeed, so what you say and do matters. BCP supports this.
Major disruption reduces income, starving the business of liquidity over a period of time, causing it to fail. Insurance policies oblige you to minimise insurable losses too. Business Continuity Planning focuses on this, establishing what must be done and by when to recover revenues before this point is reached.
In a major business incident protecting people is our number one priority, but somehow alongside this we must also prioritise the needs of the business and its customers. Business Continuity Planning coordinates emergency response with crisis management and business recovery.
IT delivers vital services but how it does this is rarely understood by the business. In a major disruption, every department will tolerate loss of IT for a characteristic time before it becomes unbearable, and this shapes what IT must deliver and at what cost. BCP sets acceptable recovery times for IT services.
Organisations rely on their supply chain and inherit its risk. It helps to know which suppliers are business-critical and how your response to major disruption dovetails with theirs. Business Continuity Planning takes account of supply chain dependencies.
Rebuilding production following disruption can be complex and carried out under extreme pressure invites catastrophic error. Business Continuity Plans formalise the response to different sources of disruption, ensuring they are thought-through and viable.
Investors are more likely to entrust their money to an organisation who takes governance seriously, managing all exposures against their risk appetite. Every organisation faces extreme events and Business Continuity Planning helps mitigate this class of risk.
Most regulatory bodies require their subject organisations to own and test Business Continuity Plans. Many formal standards also include risk and continuity management as part of their implementation framework and certification requirements.
Many major incidents involve damage or destruction of infrastructure and having available alternatives underpins every other aspect of recovery. Consequently, facilities managers should have Business Continuity Planning as part of their remit.
People think twice before buying any product from a failing organisation. Business Continuity Planning delivers powerful messages to customers, reassuring them that they will never be left uncertain or under-supplied if the business suffers disruption.
In a catastrophe you have a finite time available in which to recover, using only what is to hand. If you miss the deadline, your organisation faces a possibly irrecoverable situation, haemorrhaging money and reputation beyond the point of no return. Planning buys time, prepares and co-ordinates resources in the best possible way. It allows forethought, refinement and practice, making the deadline more concrete, and it documents the steps to recovery.
We get it. BCP is off the radar for many small firms. However, most are relatively uncomplicated so it isn’t so hard to write a plan, and any investment of time, effort and money should be correspondingly small. Set this against the blood, sweat and tears invested in creating and nurturing your business, and why would you not take this last common-sense step to help protect what you built? If the business is multi-faceted with complex processes and supply chains, then recovering it following a disruption probably needs a BCP.
Insurance provides you with cash compensation. However, it won’t reconstruct operations or hold onto your customers and reputation - you must do this yourself. You need to create belief in your ability to deliver before they turn to competitors and are potentially lost forever. Smaller firms may be able to do this reactively, but common-sense suggests that most chaotic situations do not run smoothly - unless you planned for them.
Great work, you have a plan. But take a moment to reflect - it needs to be up-to-date, detailed and totally applicable in an emergency. If it fails on any of these points, the chances are at best it will be discarded and at worst it will mislead, potentially with catastrophic results. Also, if customers, shareholders, employees, suppliers and insurers believe you have a working plan but in fact you don’t, you risk misleading them. This may result in a breach of trust and governance and potential legal consequences.