The key to a successful, long-term business is not only to ability to serve your market and retain customers, but also the ability to withstand the unexpected that could knock your success off-course.
While COVID-19 is at the forefront of our minds these days, it is worth considering that this is one of many events that have had impacts on business over the past few months. Cyber attacks, pandemics, flooding, fires and multiple storms highlight the need for planning for the unknown and the requirement to keep business operations active during times of stress.
The use of a business continuity plan or BCP, provides companies with a roadmap and processes that support the company and its strategy in times of the unexpected. An effective plan enables any organisation to react quickly and efficiently in the event of unpredictable events. The goal is to keep essential services up and running and in the event of an incident to provide for recovery in the shortest possible timeframe.
The benefits of a BCP include supporting the organisation’s strategy, creating a strategic advantage compared to your competitors, demonstrating to stakeholders such as investors and customers that you are taking their needs seriously and addressing operational vulnerabilities.
The framework that supports BCP is a Business Continuity Management System or BCMS. The de-facto standard for BCMS is ISO-22301. This lays out the requirements for a standardised management system, and highlights ten clauses to assist in developing a plan. The key considerations when developing a BCMS include:
Then there are the practical elements of the plan that should be agreed prior to any incident occurring. You should keep up to date contact details of all key stake holders. You should schedule for plan reviewing, testing and updating. Testing should be done regularly, from walk through, table top exercises and full emergency exercises to see how team members and execs react under stress.
Plans can look great on paper but until they are firstly fully tested in an exercise environment and lessons are learned and applied they may not operate as expected in an incident. There should be easily accessible check-lists in-situ – both in soft and hard-copy –that outline what is to be done, by who, by when, how that will be achieved and where the activity is to take place. As such understand and agree the guidelines for how and when to activate the plan
If an organisation prepares a plan in advance of an incident occurring, be it a pandemic, an act of nature or a cyber attack, then the organisation stands a better chance of emerging from the incident with its operations intact.
How to keep business continuity in a crisis
However, if an organisation doesn’t have a BCP, then there’s no need to panic. You can still implement the most important phase of a BCP - this is the response phase, and for many the least effectively planned phase of a BCP.
The response phase comprises of the following 6 key steps:
If an organisation takes these steps into consideration during an incident or crisis it can formulate a recovery plan that will assist it with keeping itself in a viable situation during the incident and also recovering to hopefully pre-incident state after the incident is over.
Authors: Neil Redmond, Senior Manager and Mark Gallagher, Manager, Risk Advisory