Almost every prudent business, large or small, sees wisdom in buying some level of business insurance. We feel comfortable paying a small amount (premium) that will deliver a larger amount (claim) if we suffer a sizeable loss.
However, insurance won't keep your customers happy whilst they wait for you to rebuild. It won't organise your people, ensure you can find capacity elsewhere or help you decide how to respond to the challenging conditions you now face.
Business continuity does these things. It works hand-in-glove with risk management and insurance. It's not difficult and the guide below explains how to do it.
The following offers a straightforward "no frills" approach that you may find helpful.
Create a Framework
BCP is a rolling process, which needs to be kept up-to-date to reflect changes or new conditions. It has a number of essential ingredients that need preparing in particular ways and adding in the right sequence to arrive at a workable outcome. You need a management framework that takes account of at least the following:
- Policy, so people know what is being done, to what level and why
- Organisation, setting out clear Business Continuity roles and responsibilities
- Documents and supporting information
- Description of how activities are carried out
- Programme plan with timeframes for completion
- Performance measurement, review and improvement
Risk Assessment (RA)
A risk assessment systematically records and analyses all of the operational threats that have the potential to critically damage your business. There are typically many of these arising both internally and externally; categories to consider include natural, civil, industrial, people, technology, commercial, infrastructure, information and supply.
Typically, you'll be able to identify a handful of very low likelihood risks that threaten business continuity, and you have tools available to mitigate these and improve resilience. You can take proactive steps to prevent, defend against or avoid these risks before they affect you, and/or contain, recover and claim on insurance after they occur. In any case, it's important to ensure each risk is managed at acceptable cost so the residual risk is known and accepted by stakeholders.
You'll find there are too many threats and combinations to plan for every one individually. Risk Assessment helps us pick a set of worst-case disruption scenarios that we can plan for, knowing that all others are a subset. Using these as the basis for designing continuity response strategies keeps the task manageable. For example, consider what you'd do if:
- You lose an entire site
- A critical piece of plant or equipment fails
- IT suffers a long-term outage or cyber attack
- A key supplier fails
Business Impact Analysis (BIA)
Businesses generate turnover and profit by delivering products and services to their customers. To do so, they use their Assets and Resources, both tangible and intangible. Business continuity is driven by the potential impacts on a business and is generally measured in terms of lost turnover and profit.
The triggers for loss lie in how the business is set up to deliver goods and services. If we can understand the rate of loss and the point where tolerance is exceeded, we can begin to set priorities and timeframes for recovery of all goods, services and operational assets. This is called Business Impact Analysis (BIA) and lies at the core of the BCP process.
To do BIA there are two essential questions you should ask:
- Following a worst-case disruption, what is the minimum tolerable level of service that can be delivered, e.g. before you become insolvent or before a critical mass of customers jump ship?
- How does this vary over time?
The answers to these questions define your business continuity planning window and the level of service you must be able to restore.
If the loss is insured by your Business Interruption cover, then you have the benefit of assured cash flow. However, if your customers have by this time departed, then the money is wasted and the business will fail. Insurers would of course prefer a success story and a continued stream of future business, and so encourage planning.
Below is a Dependency & Response model for a typical business. This establishes the key elements supporting the main revenue streams. The notes below the diagram explain the various layers represented.
The diagram shows interdependencies between assets in all levels of the business structure running both within and between layers.
It shows how an event such as system failure can cascade up through the organisation and cause production outage, even though all buildings, machinery and other facilities are undamaged.
Other examples include failure of one machine or process through which all your products pass. An electricity or other supply failure can have similarly disruptive impact. Analysis of dependencies in this way can help you identify important concentrations, vulnerabilities, relationships and single points of failure.
Armed with a view like this, you can begin to address and resolve the issues to improve resilience. Examples of resilience-building steps are:
- Dual supplier for key raw materials and utility supplies
- Real-time off-site data back-up regimes
- Staff training programme to broaden their skills base
- Duplicated key machinery or equipment
- Equipment maintenance programme
- Requirement for key suppliers to have their own BCP arrangements
- Identified production outsource
- VOIP telephone systems for added flexibility
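The dependency analysis described above can be run as a small model. This is an added example, not part of the original guide: the asset names and their relationships are constructed for illustration, and the model is assumed to contain no circular dependencies. It shows a server outage cascading up to production, lists the single points of failure for one revenue stream, and shows how adding a second supplier removes one of them.

```python
# Constructed dependency model (asset names are illustrative, not from the guide).
# Each asset lists requirement groups: a group is satisfied if ANY member still
# works (redundancy); an asset works only if ALL of its groups are satisfied.
MODEL = {
    "revenue:product_sales": [["production_line"], ["order_system"]],
    "production_line": [["factory_building"], ["machine"], ["electricity"],
                        ["raw_material_supply"], ["scheduling_system"]],
    "order_system": [["server"]],
    "scheduling_system": [["server"]],
    "server": [["electricity"]],
    "raw_material_supply": [["supplier_a"]],
    "factory_building": [], "machine": [], "electricity": [],
    "supplier_a": [], "supplier_b": [],
}

def working(model, failed):
    """Assets still working once every asset in `failed` is lost (acyclic model)."""
    memo = {}
    def ok(asset):
        if asset in failed:
            return False
        if asset not in memo:
            memo[asset] = all(any(ok(m) for m in group) for group in model[asset])
        return memo[asset]
    return {a for a in model if ok(a)}

def impacted(model, failed):
    """Assets that stop working through dependency alone (not failed directly)."""
    return sorted(set(model) - working(model, failed) - set(failed))

def single_points_of_failure(model, target):
    """Assets whose loss, on its own, takes `target` out of service."""
    return sorted(a for a in model
                  if a != target and target not in working(model, {a}))

def with_dual_supplier(model):
    """Copy of the model in which either supplier can provide raw materials."""
    dual = dict(model)
    dual["raw_material_supply"] = [["supplier_a", "supplier_b"]]
    return dual

if __name__ == "__main__":
    target = "revenue:product_sales"
    print("Server outage cascades to:", impacted(MODEL, {"server"}))
    print("SPOFs today:", single_points_of_failure(MODEL, target))
    print("SPOFs with dual supplier:",
          single_points_of_failure(with_dual_supplier(MODEL), target))
```
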
Business Continuity Strategy
The Business Impact Analysis and Risk Assessment combine to provide the basis for planning. The BIA sets the priorities and deadlines for activities in the plan. The RA defines the scenarios for which we need an answer and identifies any specific incident responses for prevalent unusual threats, e.g. radiation release, chemicals.
Typically, our BC strategies have the following components:
- Summary of the scenario being addressed and any assumptions
- Priorities and timeframes for recovery
- Diagram of who goes where, when and with what
- Directives regarding how the recovery will take place
Business Continuity Planning
Many businesses have only one site; this requires more careful planning than if your business is spread over two or more sites, where you clearly have more options. In the latter case, there are alternatives for, e.g., relocating staff, alternative product/service sites and having mirrored servers.
The key sections in the planning framework are:
Emergency Response - Purpose to save lives and contain damage to the business. It includes:
- Response flowchart to guide decisions from loss identification and escalation within and outside the business.
- Staff & Managers’ Checklist to manage staff and contractors according to HR guidelines and evacuation plans
- Call Cascade system to mobilise the senior response team.
- List of identified immediate relocation sites
Crisis management - Purpose to provide top-level direction and maintain confidence in the business. It includes:
- Crisis checklist for senior team, to gather essential information and decide on the appropriate crisis management strategies.
- Communications protocol, setting out the internal channels to follow.
- Command Centre Locations, which are pre-agreed bases from which to manage the loss event.
- Command Centre Resources – a list of essential items to support the recovery activity.
Business recovery - To resume acceptable levels of business operation by preparing and adapting. It includes:
- Recovery strategies for a range of agreed loss scenarios (as generated during the BIA)
- Specific DR teams (following the business organisation and hierarchy). So, the MD would take overall control at a strategic level and department heads would look after their specific area of responsibility, usually Finance, Production/Operations, ICT, Sales & Marketing, HR.
- Product Recovery strategy
- Operational Recovery for each dept./function
- Systems Recovery
- Resources Plant & Equipment Recovery
- Supplier & Stock Recovery
Contacts - essential internal and external people and organisations whose support may be required. These are lists of various groups, including:
- Emergency responders such as Police, landlords, insurance brokers, utility providers
- Key staff, Customers, Critical suppliers
Train, Test and Maintain
Embedding - Plans are developed for, and will be used by, the people in your business. It is therefore essential that everyone who is identified as having a part to play in the plans is fully aware of their role and responsibilities.
As disaster response will be a team effort, everyone must be comfortable about the main thrust of the plans so that they can operate cohesively and effectively.
It is therefore important to ensure that plans are discussed and the senior management team demonstrate their commitment to the process to ensure buy-in at all levels.
Exercising - Your plans must work in practice. The best way to establish this is by a series of exercises based on a range of scenarios. Providing these are well planned, the exercises will highlight gaps in the understanding of the details, omissions in operational detail and perhaps lack of clarity.
Such exercises also help to build team work and a common understanding as the various departments in your business will work through problems together.
Upkeep - All the detail in plans needs to be kept up to date and relevant. This can relate to straightforward admin details such as new telephone numbers or addresses in contact lists, or something more substantive such as a new customer, process or building.
As the BCP process is cyclical, senior management need to hold annual reviews of the main assumptions from the BIA and amend the plans accordingly. For the admin detail, somebody should be assigned the role of keeping the documents up to date and distributing the up to date version.
You will have seen that the BCP process provides an in-depth insight into the inner workings of a business and allows for any vulnerabilities and interdependencies to be highlighted. The analysis allows for modelling and evaluation of the various triggers within all levels of a business that can compound very quickly to impact product or service delivery.
Once identified, these triggers can be managed to avoid or mitigate their impact on the business.
Although prevention is better than cure, losses do happen and the DR aspect of the process allows for joined-up plans to be created and maintained.
Finally, the various outputs from the process also allow you to review your Business Interruption insurance in conjunction with your insurance brokers.