A practical guide to Business Continuity Planning

Part 2 - Running your Programme

You sit in a management meeting and are tasked by the CEO to create a continuity plan for the business. She gives you a modest budget and a couple of months to complete, and you walk away with a spring in your step, after all, how hard can it be? You read around the subject and discover various standards and guides, which you find initially impenetrable, but manage to extract what you believe to be some useful pointers.

Spurred on, you search the Internet and download free templates for Business Impact Analysis (BIA) and a Business Continuity Plan (BCP) which seem comprehensive enough. The process seems to parallel project plans you’ve written in the past and the templates invite you to fill in the blanks. It all looks promising.

You start work on the BIA and soon realise you need quite a bit of information to populate it properly. It also asks you to reason about the organisation’s risk appetite and tolerance to loss, and then about its customers and their sensitivity to disruption, and it’s not completely clear where you can get this detail or how it affects things. What is clear is that you will need to speak with people in just about every area of the business to complete the BIA, and you set about arranging this. You spend a day making calls but find senior management hard to pin down, and realise you need a convincing explanation of what you’re doing and probably, an executive mandate if you’re to complete on time.

You push ahead, collecting data for both BIA and BCP from those who will give you the time, finally coming up with drafts which you email to the COO just as the deadline arrives. She invites you to her office to discuss the outcome. As you take a seat, she looks up from the plan, takes a sip of coffee and makes eye contact. “So, does it work?” In that lightbulb moment you realise that, like so many before you, Business Continuity is about creating capability, and not simply writing a document.

Experience tells us there are good ways of implementing business continuity but that these are far outnumbered by the multitude of dead ends and pitfalls that we must take care to avoid. This Blueprint offers a high-level summary approach that aligns with accepted good practice. It identifies headline BC programme activities, critical success factors and outcomes to help you deliver on your promises.

RUNNING YOUR BUSINESS CONTINUITY PROGRAMME IN 60 SECONDS

[Infographic: 60secs part2.png]

DRAFTING A POLICY AND CREATING A DELIVERY FRAMEWORK

For many tasked with BC, their first instinct is to immediately start to write a plan, accelerated using a template maybe downloaded from the Internet or passed on by colleagues. This seems reasonable at first sight. But remember that most of the time, the plan won’t be used; months and years may pass and people, structures, customers and mission may change radically and the plan owner moved on to other projects. If an incident occurs, the plan is likely to be outdated, irrelevant and misleading, making it worse than useless.

To avoid this, you need a control system that runs continuously, maintaining conditions under which your plan is kept ready and relevant. The ISO 22301 standard provides a tried-and-tested recipe for achieving this. By applying it, your plan is produced inside a sustainable management system that preserves its long-term value, and it all starts with policy.

Going through the process of writing a formal BC policy then getting it agreed seems a lot of work for not much reward. Far from it. Policy has two valuable components that help make business continuity happen.

Firstly, it defines how an organisation formally commits to satisfying its stakeholders’ wishes. This includes the continuous safeguarding of their interests, including the appropriate management of continuity risk. It implies a form of control known as governance, which is a Board responsibility, typically overseen via internal and/or external audit in larger companies, and directly by managers in many others.

Secondly, once policy is defined, the business is obliged to implement it. If policy is vague, implementation can be unconstrained, ranging from completely ineffective to unnecessarily expensive. Conversely, if over-specified, policy can become a constraint on business, so pitch and content are important to get right.

An enduring business continuity policy benefits us by mandating busy people to contribute meaningfully and promptly so we can get the job done, and directing us operationally, providing high-level guidance on scope, performance and outcomes.

To implement policy you need to set up a framework or, more formally, a business continuity management system (BCMS) before you start work on the plan. If you do this you stand a good chance of creating a lasting organisational capability, with numerous associated benefits. ISO 22301 describes this in seven closely linked clauses (4 to 10: Context, Leadership, Planning, Support, Operation, Performance evaluation and Improvement), which can be summarised briefly as:

  1. Leadership: recruit an executive sponsor, a full- or part-time owner or BC Manager and maybe an analyst or administrative specialist you can count on
  2. Context: build a detailed understanding of the organisation, its external environments and relationships, and document it
  3. Planning: decide how you will operate the BCMS, setting its scope and objectives within a defined programme of activity with accepted deadlines and milestones
  4. Support: secure all the information, resources and authorities you will need to support the plan, and define all the roles, procedures and activities it requires
  5. Operation: construct and maintain the operational elements of the BCMS, including policy, impact analysis, risk assessment, continuity plan and all associated sub-plans and strategies
  6. Performance evaluation: monitor BCMS performance, comparing what it achieves against the objectives set in the plan
  7. Improvement: build mechanisms that deliver continual improvement, so the outcome converges on policy.

ASSESSING THE RISKS AND ESTABLISHING SCENARIOS

Different disruptive situations can require significantly different responses within an organisation. Take a business with a factory and a warehouse where all raw materials and finished product are held prior to shipping.

If the factory burns down, the set of recovery activities is substantially different compared to that for loss of the warehouse, despite the cause being the same. However, the response for loss of the warehouse due to an air accident may be exactly the same as for fire. This means we must plan to deal with effects and not just focus on the cause.

Fortunately, although there is a multitude of threat-related causes, many are similar and culminate in a handful of effects, and it is these we must plan for. They give rise to scenarios such as loss of site or sustained IT failure. It means that by planning for the worst and building in adaptive capability, we can cover many scenarios and risks in a single plan.

One approach is to carry out a horizon scan of all risks, identify those with catastrophically high impact potential, and then characterise the effect each would have on the business. These scenarios form a valuable basis for planning and have unique implications for each organisation. This activity is called Risk Assessment (RA) and provides a vital cornerstone for an effective BCP.

Step 1

Talk to people

Have your heads of department each write a list of things that could possibly go wrong.

Step 2

Write a Risk Register

Distil these down into a list of broad threats to your organisation.

Step 3

Estimate their severity

Quantify each threat's potential impact and likelihood.

ANALYSING IMPACTS AND SETTING RECOVERY DEADLINES

You need to know how fast to respond if a scenario materialises. Plan to respond too slowly and you risk an unacceptable outcome where you don’t recover in time; too fast and it’s possible you’ll spend considerably more money preparing an over-elaborate response.

To set a maximum acceptable outage time (ISO 22301 calls this the maximum tolerable period of disruption, MTPD) your BC policy should, amongst other things, specify the organisation’s requirements for business continuity and specifically its tolerance to loss.

Many organisations have seasonal trading, sometimes with complex patterns reflecting market sensitivity and volatile supply that need to be factored-in. In general, you need to plan for the near-worst-case scenarios, but there may be a number of these requiring different responses.

Finally, when you know the restoration deadlines for all products and services, you can cascade them through the organisation, factoring in alternatives, latency and lag, to give latest recovery times (recovery time objectives, RTOs) for all critical assets and services, so you can plan with greater certainty. This process is known as Business Impact Analysis (BIA) and forms the second essential cornerstone of a successful plan.

Step 4

Define Scenarios

From your risk register, choose the continuity scenarios to focus on in your plan.

Step 5

Analyse Impacts

Establish what effect the scenario has on each part of the business.

Step 6

Set Restoration Deadlines

Estimate the tolerance that each part of the business has to disruption. Use this to set recovery timeframes.
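The three risk-assessment steps above and the three BIA steps here, as an added worked example that is not part of the original Blueprint: a constructed risk register is grouped by the effect each cause produces (so the plan addresses effects, not causes), the worst-case effects become scenarios, then the restoration deadlines for products and services are cascaded down a constructed dependency graph, allowing for lag and for workarounds, and compared with the time each asset actually takes to restore today. All service names, assets and hours are invented for illustration.

```python
from collections import defaultdict

# Steps 1-3, constructed register: (cause, effect, impact 1-5, likelihood 1-5)
RISK_REGISTER = [
    ("fire in warehouse", "loss of site", 5, 2),
    ("light aircraft crash on warehouse", "loss of site", 5, 1),
    ("flooding of server room", "sustained IT failure", 4, 2),
    ("ransomware", "sustained IT failure", 5, 3),
    ("key supplier insolvency", "loss of supplier", 3, 2),
    ("power cut", "loss of utilities", 2, 4),
]


def scenarios_from_register(register, min_impact=4):
    """Step 4: group causes by the effect they produce and keep the effects whose
    worst-case impact reaches the threshold. Returns
    {effect: {"impact": worst impact, "likelihood": highest likelihood, "causes": [...]}}."""
    by_effect = {}
    for cause, effect, impact, likelihood in register:
        s = by_effect.setdefault(effect, {"impact": 0, "likelihood": 0, "causes": []})
        s["impact"] = max(s["impact"], impact)
        s["likelihood"] = max(s["likelihood"], likelihood)
        s["causes"].append(cause)
    return {e: s for e, s in by_effect.items() if s["impact"] >= min_impact}


# Steps 5-6, constructed data. Maximum tolerable outage in hours for each product
# or service, taken from the policy's tolerance to loss.
SERVICE_DEADLINES = {"order_entry": 8, "shipping": 24, "payroll": 72}

# (dependent, asset, lag): the dependent needs the asset back 'lag' hours
# before its own deadline (restart, replication catch-up, testing).
DEPENDENCIES = [
    ("order_entry", "crm_db", 2),
    ("order_entry", "network", 1),
    ("shipping", "wms", 4),
    ("shipping", "network", 1),
    ("wms", "network", 1),
    ("crm_db", "storage", 3),
    ("wms", "storage", 3),
    ("payroll", "hr_system", 8),
    ("hr_system", "storage", 3),
]

# Alternatives: hours a dependent can carry on without the asset (e.g. picking
# from printed lists while the warehouse system is down).
WORKAROUNDS = {"wms": 12}

# Estimated hours each asset actually takes to restore today (constructed).
ACHIEVABLE = {"crm_db": 4, "network": 4, "wms": 48, "storage": 12, "hr_system": 24}


def cascade_deadlines(service_deadlines, dependencies, workarounds):
    """Propagate service deadlines down the dependency graph. An asset's latest
    recovery time is the tightest of (dependent deadline - lag + workaround hours)
    over everything that depends on it. Iterates to a fixed point; a graph with a
    cycle keeps tightening forever, so that is reported as an error."""
    deadlines = dict(service_deadlines)
    nodes = set(deadlines) | {a for _, a, _ in dependencies} | {d for d, _, _ in dependencies}
    for _ in range(len(nodes) + 1):  # a DAG settles within len(nodes) passes
        changed = False
        for dependent, asset, lag in dependencies:
            if dependent not in deadlines:
                continue  # nothing with a deadline depends on it yet
            candidate = deadlines[dependent] - lag + workarounds.get(asset, 0)
            if candidate < deadlines.get(asset, float("inf")):
                deadlines[asset] = candidate
                changed = True
        if not changed:
            return deadlines
    raise ValueError("dependency graph has a cycle; deadlines do not converge")


def recovery_gaps(required, achievable):
    """Step 6 check: assets whose current restore time exceeds the deadline the
    cascade sets. These are where the plan is too slow; large margins the other
    way are candidates for spending less. Returns {asset: (required, achievable)}."""
    return {a: (required[a], achievable[a]) for a in required
            if a in achievable and achievable[a] > required[a]}


if __name__ == "__main__":
    for effect, s in scenarios_from_register(RISK_REGISTER).items():
        print(f"scenario: {effect} (impact {s['impact']}) from {', '.join(s['causes'])}")
    deadlines = cascade_deadlines(SERVICE_DEADLINES, DEPENDENCIES, WORKAROUNDS)
    for asset, hours in sorted(deadlines.items(), key=lambda kv: kv[1]):
        print(f"{asset:12s} must be back within {hours:3d} h")
    for asset, (need, have) in recovery_gaps(deadlines, ACHIEVABLE).items():
        print(f"GAP: {asset} needs {need} h, currently takes {have} h")
```

Notice that the shared storage layer inherits a 3-hour deadline from order entry even though no one would list it as a critical product, and that the warehouse workaround loosens the warehouse system's own deadline but does nothing for the storage beneath it. Those are the findings a BIA spreadsheet tends to hide until the cascade is done explicitly.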

DESIGNING STRATEGIES, DEVELOPING PLANS AND RESPONSES

Continuity planning is like project planning, but with most of the certainty removed. You can’t tell when or why a planned-for disruption will arise, just as you can’t predict the weather, economy, other news events or what your competitors are thinking. In BC there are many unknowns.

Instead we rely on the BIA and RA to inject confidence into our response, knowing we can adjust our plan constantly with whatever reliable information comes to hand. Even with little or no new information, we should be safe because our calculation was based on worst-case scenarios.

This forethought allows continuity plans to have a characteristic anatomy. Of course, this can vary between organisations and stylistically between plan authors, but the basics ought to remain the same.

When you write your plan you may expect to include:

  • Prescriptive Emergency or Incident Plans that ensure human safety and welfare, before escalating and mobilising to contain and control the immediate disruption
  • Flexible Crisis Plans, providing close control over information flow and communications with the media and other interested third parties
  • Business Continuity strategies for each distinct scenario you identified, setting out response in broad terms that can be followed and interpreted by the business
  • Detailed Operational Plans for critical functions and assets that need specific recovery
  • Information Databases including all key contacts, forms and policies
  • Sufficient appropriate people, facilities and resources to enable each stage of the response

Step 7

Draft Strategies

Write out the assumptions of the scenario and your objectives for recovery.

Step 8

Develop Plans

Write a step-by-step guide for recovering the affected assets.

Step 9

Improve Resilience

Write a list of improvements that can be made to help avoid or mitigate related threats.

Getting started

OK so now it’s time to put pen to paper and create your framework. If you decide to build your own, remember you are doing this for the first time and there are pitfalls to look out for. Find a good source of advice and avoid re-inventing a wheel that may already be available.

Alternatively, you may find it easier to use a template or software tool. If you go this route, again, take time to become familiar with what’s being offered and ensure it accommodates your organisation’s shape and requirement comfortably.

Finally, this blueprint should help you decide on the best approach to your own business continuity planning activity. There is of course much more to consider, and professionals regularly write volumes on the subject. At times it may look complicated, and it can be; the art lies in doing all this whilst keeping the result simple and understandable, because then, and only then, will others take the time to pick it up and read it. And of course, it’s pointless if they don’t.
