Taken from Part 2 of our Business Continuity Blueprint.
Nobody does business continuity (BC) for the sake of it; there’s always a good reason, and it helps if you understand what’s driving it, not least because you can then set firm success criteria.
However, the most powerful and frequently cited reasons for doing it include:
- Winning and retaining customers. Many large organisations require suppliers to demonstrate business continuity capability
- Audit or policy requirement, satisfying governance on behalf of shareholders
- Regulation or statute. BC is a compliance requirement for some sectors
- Insurance terms. Most insurers now expect BC as a basis for providing cover
- Experience. Most CEOs who have seen major disruption demand a practical business continuity capability
There is no point in investing time and money in a BC system that fails to satisfy the requirements of the stakeholders these drivers represent. They include people with the power to demand compliance and you need to get it right. You can add to the list a less influential but often equally interested group who consume assurance indirectly, including employees and suppliers. The expectation in every case is that BC will protect their interests so they can then plan and invest with confidence. You must plan to a level that satisfies all of them or they will invest less.
Notwithstanding this, few stakeholders have the time or expertise to independently assess the adequacy of your BC system. Instead, they generally turn to a convenient accepted benchmark in the form of International Standard ISO 22301 for business continuity. It provides a quick and convenient universal checklist.
The Standard is written in a way that allows it to be interpreted, considering organisational scale, complexity, risk appetite and other important determinants. This also makes it possible for any organisation to comply, provided the necessary components are present. Some firms choose to formally certify, however many simply seek alignment. The latter should be your minimum aim.
For many tasked with BC, their first instinct is to immediately start to write a plan, accelerated using a template maybe downloaded from the Internet or passed on by colleagues. This seems reasonable at first sight. But remember that most of the time the plan won’t be used; months and years may pass, people, structures, customers and mission may all change radically, and the plan owner may have moved on to other projects. If an incident occurs, the plan is likely to be outdated, irrelevant and misleading, making it worse than useless.
To avoid this, you need a controlled system that runs continuously, maintaining conditions under which your plan is kept ready and relevant. The ISO standard provides a tried-and-tested recipe for achieving this. By applying it, your plan is automatically created within a sustainable environment that preserves its long-term value.
Write a Policy
Going through the process of writing a formal BC policy then getting it agreed seems a lot of work for not much reward. Far from it.
Policy has two valuable components that help make business continuity happen. Firstly, it defines how an organisation legally commits to satisfying its stakeholders’ wishes. This includes the continuous safeguarding of their interests, including the appropriate management of continuity risk. It implies a form of control known as governance which is a Board responsibility, typically delivered via internal and/or external audit in larger companies, and directly by managers in many others.
Once policy is defined, the business is obliged to implement it and this defines our second key component. If policy is vague, implementation can be unconstrained, ranging from completely ineffective to unnecessarily expensive. Conversely, if over-specified, policy can become a constraint on business, so pitch and content are important to get right.
With these points in mind, it’s clear organisations can benefit from an enduring business continuity policy. On the one hand, our policy must mandate busy people to contribute meaningfully and promptly so we can get the job done; on the other, it must direct us operationally, providing high-level guidance on scope, performance and outcomes.
Get a system
So, ideally you need to set up a framework or, more formally, a business continuity management system (BCMS) before you start work on the plan. If you do this you stand a good chance of creating a lasting organisational capability, with numerous associated benefits. ISO describes this in seven closely-linked clauses which can be summarised briefly as:
- Leadership. Get organised. Recruit an executive sponsor, a full- or part-time owner or BC Manager and maybe an analyst or administrative specialist you can count on
- Build a detailed understanding of the organisation, its external environments and relationships and document it. ISO refers to this as Context
- Plan how you will operate the BCMS, setting its scope and objectives within a defined programme of activity with accepted deadlines and milestones
- Secure all the information, resources and authorities you will need to Support the plan. Define all the roles, procedures and activities it requires
- Construct and maintain the Operational elements of the BCMS including policy, impact analysis, risk assessment, continuity plan and all associated sub-plans and strategies
- Monitor the Performance of the BCMS, comparing what it achieves against the objectives set in the plan
- Build mechanisms that deliver continual Improvement, so the outcome converges on policy.
Write the Plan
Your BCP must provide a fool-proof recipe for responding acceptably, in good time and with tolerable loss to any foreseeable major disruptive event. And to be certain of success it must include or refer to every critical instruction and asset required to do this.
Set the pace
You need to know how fast to respond if a scenario materialises. Too slow and you risk an unacceptable outcome where you don’t recover in time; too fast and it's possible you’ll spend considerably more money preparing an over-elaborate response.
To set a maximum acceptable outage time you need to write a BC Policy and get it adopted by the Board. The policy should amongst other things set out the organisation’s requirements for business continuity, but specifically its tolerance to loss.
Many organisations are seasonal, sometimes with complex patterns reflecting market sensitivity and volatile supply that need to be factored-in. Of course, you need to plan for the worst-case, but there may be a number of these requiring different responses.
Finally, when you know the restoration deadlines for all products and services, you must then cascade this through the organisation, factoring-in alternatives, latency and lag, providing latest recovery times for all critical assets and services so you can plan with certainty. This process is known as business impact analysis or BIA and forms the essential foundation for a successful plan.
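The cascade described above can be made concrete as a small calculation. The example below is added here and is not part of the Blueprint; the product tolerances, asset names, lags and workaround hours are constructed sample values. Each asset’s latest recovery time is the tightest deadline among everything it supports, less the lag that the dependent needs to come back after the asset is restored, plus any hours an alternative (manual workaround, spare) keeps the dependent running without it.

```python
# Constructed BIA sample, all values in hours.
# Products carry the maximum acceptable outage set in policy.
PRODUCT_MAO = {"online_orders": 24, "payroll": 72}

# asset -> [(thing it supports, lag)]. Lag is how long the dependent still
# needs after this asset is back before it is itself running again.
DEPENDENCIES = {
    "web_app": [("online_orders", 2)],
    "database": [("web_app", 4), ("payroll", 8)],
    "datacentre_power": [("database", 6)],
    "hr_system": [("payroll", 1)],
}

# Hours an alternative keeps the dependent going without the asset
# (e.g. payroll can be run manually for two days).
WORKAROUND_HOURS = {"hr_system": 48}


def latest_recovery_times(product_mao, deps, workarounds):
    """Cascade product tolerances down to every supporting asset."""
    deadlines = dict(product_mao)   # products start with their policy tolerance
    visiting = set()                # cycle detection for a malformed BIA

    def deadline(node):
        if node in deadlines:
            return deadlines[node]
        if node in visiting:
            raise ValueError(f"dependency cycle at {node}")
        dependents = deps.get(node)
        if not dependents:
            raise ValueError(f"{node} supports nothing; check the BIA")
        visiting.add(node)
        # Tightest constraint from everything this asset supports, minus lag.
        d = min(deadline(dep) - lag for dep, lag in dependents)
        d += workarounds.get(node, 0)   # an alternative buys extra time
        visiting.discard(node)
        deadlines[node] = d
        return d

    for asset in deps:
        deadline(asset)
    return deadlines


def infeasible_assets(deadlines):
    """Assets whose latest recovery time is zero or negative: lag alone
    exceeds the tolerance, so the plan needs an alternative or a policy change."""
    return sorted(a for a, d in deadlines.items() if d <= 0)
```

In the sample, datacentre power must be restored within 12 hours to keep online orders inside their 24-hour tolerance, even though power is three steps removed from the product.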
Scan for risk
Different disruptive situations require significantly different responses. Take a business with a factory and a warehouse where all raw materials and finished product are held prior to shipping. If the factory burns down, the set of recovery activities is substantially different compared to that for loss of the warehouse despite the cause being the same. Conversely, the response for loss of the warehouse due to an air accident may be the same as for fire.
Fortunately, although there are many threat-related causes, many are similar and culminate in a handful of effects, and it is these we must plan for. They give rise to scenarios such as loss of site A or sustained IT failure. It means that by planning for the worst and building-in flexibility, we can cover many scenarios and risks in a single plan.
The best approach is to carry out a horizon-scan of all risks and identify those with catastrophically high impact potential, then characterising the effect they have on business. These scenarios form a valuable basis for planning and have unique implications for each organisation. This activity is called Risk Assessment or RA and provides a second vital cornerstone for an effective BCP.
Plan a response
Continuity planning is like project planning, but with most of the certainty removed. You can’t tell when or why a planned-for disruption will arise, just as you can’t predict the weather, economy, other news events or what your competitors are thinking. In BC there are many unknowns.
Instead we rely on the BIA and RA to inject confidence into our response, knowing we can adjust them constantly with whatever reliable information comes to hand. Even with little or no new information, we should be safe because our calculation was based on worst-case scenarios.
Because of all this forethought, our continuity plans have a characteristic anatomy. Of course, this can vary between species (organisations) and even stylistically between plan authors, but the basics remain the same. When you write your plan you should aim to include:
- Prescriptive Emergency or Incident Plans that ensure human safety and welfare, before escalating and mobilising to contain and control the immediate disruption
- Flexible Crisis Plan, providing close control over information flow and communications with the media and other interested third parties
- Business continuity Strategies for each distinct scenario you identified, setting out the response in broad terms that can be followed and interpreted by the business
- Detailed Operational Plans for critical functions and assets that need specific recovery
- Information Database including all key contacts, forms and policies
- Sufficient appropriate People, Facilities and Resources to enable each stage of the response
OK, so now it’s time to put pen to paper and create your BCMS. It’s not so hard. If you decide to build your own, remember you are doing this for the first time and there are pitfalls to look out for. Find a good source of advice and avoid re-inventing a wheel that’s already available.
Alternatively, you may find it easier to use a template or software tool. If you go this route, again, take time to become familiar with what’s being offered and ensure it accommodates your organisation’s shape and requirement comfortably as it should.
Finally, this post should help you decide on the best approach to your own business continuity planning activity. There is of course much more to consider, and professionals regularly write volumes on the subject. At times it may look complicated, and it can be; however, the art lies in doing all this whilst keeping the result simple and understandable, because then, and only then, will others take the time to pick it up and read it. And of course, it’s pointless if they don’t.