Business Continuity Planning (“BCP”) can be defined as preparing activities that counter events that threaten the survival or normal operations of a business. It is a set of planned actions taken when something happens that prevents normal business operations. The actions should allow a business to continue, even at a minimal level, during a crisis.
In the past, crisis-causing events included external and internal events such as strikes, electricity outages, or loss of a key person. Those events are still with us today and countermeasures need planning.
However, the pandemic has added a whole new category of issues that need to be addressed.
Many companies have increased their online presence in the post-pandemic world. Some have moved to e-commerce, and others are now supporting working from home and remote access to the business by staff and customers.
This means that in addition to other crises, IT has moved to become a critical business resource, and is more open to external threats. Partial or total loss, for whatever reason, can be a business killer.
A Business Continuity Plan is an essential tool in business survival today.
Business Continuity as a concept has been around for quite a while under a variety of guises. In the 1970s it was called Disaster Planning. Companies brainstormed scenarios and what would be needed to ensure corporate survival if they happened. Scenarios ranged from losing the raw material storeroom keys to a total loss of the corporate head office.
Requirements changed over time as companies became more and more reliant on IT systems, and Disaster Planning programmes specifically designed for IT recovery became part of the CIO’s To-Do list.
Many practitioners thought that Disaster Planning was a far too negative description and Business Continuity replaced it as a much more positive name. The prime movers of the change are thought to be auditors and their associated consultancy firms, who saw lucrative fee-earning opportunities in providing guidance and advice and drawing up Business Continuity plans. In addition, it satisfied the business requirement to “Protect and enhance shareholder value”.
The recent pandemic has shown clearly that many businesses do not have effective business continuity plans.
The way to kick off planning is to think of all the things that could derail the business and rank them in order of likelihood and impact on the operations. In effect, carry out a Risk Analysis. Remember though, this covers the entire business, not just a part of it. There will be some parts, for example, IT, that will have individual plans, but these are a subset of the overall Business Continuity plan.
There is also a section devoted to the actions needed by senior management.
Be creative and think outside the box. But remember, as Donald Rumsfeld said, “there are known knowns, there are known unknowns, and there are also unknown unknowns”. In short, you can’t plan for everything. There may even be a scenario where your business cannot survive.
Some areas to consider include:
These are just some of the general risks a business potentially faces. Others will be particular to a business, some to a business area, for example, changes to regulatory compliance regulations in the pharmaceutical industry.
Today, with an increased focus on IT continuance, there are some key factors to consider:
The first step is to set up a working party with representatives covering all parts of the organisation. Each representative in turn sets up a working party that will look at the business risks associated with their business area. A risk might be standalone or downstream of risks in other departments. They must also set out how each risk can be mitigated or worked around if it occurs. Bear in mind that, depending on the likelihood of a risk happening and the cost of preventing it, it may be better, operationally or financially, to let it happen and sweep up afterwards.
The output of each working group will be a matrix of risks, the probability of each occurring, its severity, and the steps to be taken if it occurs.
You also need to consider any other actions that must be taken. For example, a communication programme with suppliers and customers letting them know what has happened. Senior executives must be in the loop as part of an overall communications programme. You may also need them to authorise actions or commit expenditure.
It is very tempting following a BCP exercise to put the documentation in a cupboard and leave it there until it is needed – at which time you will find it is out of date. A second issue is that everyone needs to know where it is, what is in it, and what they need to do.
A regular programme of education is essential, perhaps even extending to training exercises. One day, lock the doors to the offices and tell people to invoke the BCP. That will be very instructive.
Understand that BCP is not a static one-off exercise; it is a continuous rolling programme.
An essential part of any BCP is regular education and updates. New threats appear, contact details change, keyholders change, suppliers change. Changes mean updates to the BCP documentation. For example, new regulations in the Finance or Pharmaceutical industries or a change in Board-Level Executives may mean changes to the BCP.
If you do that, you have a fighting chance of surviving a crisis.
If you would like to know more about this process, and how it can specifically help your organisation develop clear strategies for thriving in the challenging post-pandemic marketplace, then please contact Anitech’s specialist consultants today by filling out this simple online Contact Us form, or by calling us on 1300 802 163.
They can go through this process with you in detail, answer your questions, and explain to you how your business could directly benefit from this process.
We can help you to get your business ISO Certified.