A focus on resilience and business continuity planning
Benjamin Franklin, US founding father, is reputed to have said “if you fail to plan, you are planning to fail”. Whether or not that quote is correctly attributed to him, it remains sound advice for any business. This article is intended to provide readers with some practical advice on steps to establish robust resilience and continuity plans for their business.
What is a Business Continuity Plan (BCP) and why does every business need one?
At the time of writing, Coronavirus is a huge concern to everyone and has taken on global significance. This is forcing many businesses to focus on continuity arrangements, in many cases for the first time. When the dust settles on this crisis, businesses with robust BCPs will emerge on a strong footing and will be prepared to weather the next storm.
Richard Wraith of WESH UK, a UK-based website hosting and accredited domain registrar company, advises to “buy two of anything you depend on and keep one in safe storage. In fact, for some businesses, buying three of everything may be appropriate particularly for a highlighted critical component”. He explains: “we keep spare servers racked up ready to go at all times and can fully restore an entire failed or corrupted system and have every website live again within four hours or replace an entire failed machine within an hour, or both. We have only ever had to do this once in our history, this was a total drive controller and server failure. Because of the plans in place, we were back up in business with limited impact to our customers”.
For many, the terms BCP and DRP (Disaster Recovery Plan) are interchangeable. However, whilst a DRP generally refers to technology and operations (as in Richard’s example), including actions to recover business data and operations in the event of a crisis or breakdown, a BCP includes reference to all major functions of a business in much greater detail. For example, a well-designed BCP will provide planning and guidance on how a business will get its core revenue generating and operational functions back up and running in an orderly manner. A well-prepared business will have BCPs and DRPs, with the BCP highlighting critical systems and processes requiring specific DRPs.
It is helpful to think of a BCP like a recipe. It sets out the ingredients (identifying key functions, people and responsibilities) and then establishes the method for getting the business up and running following an incident. A BCP should cover not just common “unexpected” events, for example a fire, a terrorist attack or a malicious cyber-attack by cybercriminals, but should be flexible enough to adapt to other “rare but high impact” eventualities – such as the pandemic we are currently experiencing. The BCP should describe the steps and actions taken to ensure that the business continues to perform – from checking on the safety of staff to informing clients of what can or cannot be achieved given the interruption.
As well as maximising ‘business as usual’, in these challenging times, businesses which have a robust, well-documented and credible BCP are finding they have an additional selling point for potential clients. A BCP provides clients with confidence that, in the event of a crisis, the business will be able to maintain service levels with minimal disruption. But even in more normal times, when sourcing business finance, lenders require potential borrowers to provide copies of continuity plans to provide additional assurance.
Creating the BCP
The process for developing a BCP can be summarised as follows.
Step 1 – Creating a functional overview.
Many businesses do not think of their businesses as having different functional areas (particularly in SMEs, where one person may be performing a number of roles). Building a functional view of a business and how these areas interact is critical to identifying and understanding the interdependencies and connections which exist across the business, including those which have been outsourced to service providers (such as payroll).
Step 2 – Identifying tasks and owners.
Next, all the tasks performed in each functional area are identified and articulated with clear ownership.
Step 3 – Defining the process.
It is then important to determine which tasks and processes are on the critical path, i.e. those which must be undertaken no matter what happens.
Step 4 – Developing the BCP.
To this point, we have covered the functional parts of a BCP i.e. understanding the business and who performs what functions. This is only part of the story; the BCP should articulate the process for who should be contacted should a crisis occur and how employees, 3rd party service providers and clients will be kept informed.
Implementing the BCP and ensuring its effectiveness
To make a BCP effective, every employee must be informed of and educated on their role(s). Gemma O’Loghlen, a cyber security expert in the banking industry, considers a good BCP to be “one that is socialised and is implemented properly in the core business of the organisation”. To achieve this, BCP principles can form part of the induction process and of ongoing mandatory training integrated into the operational framework of the business. This will often require testing, which Gemma says should “be realistic”, and despite temptation, exercised in real-world conditions rather than during quiet or holiday periods. “All members of staff need to understand what their contributions and role should a BCP be activated.”
Lessons learnt should not be limited to ‘what went poorly or wrong’ and should include consideration of ‘what went well and why.’ Both perspectives help businesses to assess their maturity to respond to incidents and crises and understand how they can improve preparation and practices. Gemma observes that “the biggest missed opportunity occurs when the crisis has passed and there is no formal view of consequence management and lessons learned.” We generally tend towards optimism and assume that some incidents or scenarios will not be repeated; however, it is highly likely that they will. Lessons learned from a crisis, if appropriately analysed and operationalised, will continue to help improve business resilience.
Green Robin Solutions is a business optimisation consultancy assisting clients to ensure they have the right processes in place and that their businesses are resilient. We offer a no obligation 30-minute consultation to discuss continuity and disaster planning, and more widely how problem processes within your business can be dealt with.