Would you be ready to respond to an incident?
A good business continuity plan and strategy can often be the difference between failure and success when faced with unprecedented circumstances.
What is Business Continuity?
Business Continuity management focusses on how to equip your organisation to deal with difficult situations such as flooding, cyberattack, data loss, and others.
This is usually done through a Business Continuity Plan, which recognises potential threats and analyses their impacts on your day-to-day operations. Mitigations can then be put in place that would allow your firm to continue its key functions even if the worst occurs.
The institute provides regular updates that can help you prepare, as well as media such as the below to help clarify the concept of Business Continuity and Organisational resilience.
Business Impact Analysis & Business Continuity Plan
8 simple steps to solid Business Continuity planning
The following steps can be used as a framework that helps to identify what your business critical functions are, how to prioritise them, and how to get them back to a tolerable level of function in a reasonable (and achievable) timeframe.
These should be identified from the get-go and are defined as those activities that are vital to your organisation’s survival, and to the resumption of business operations.
Typically, your critical functions are the business functions that are most sensitive to downtime, fulfill legal or financial obligations to maintain cash flow, play a key role in maintaining your business’ market share and reputation, and/or safeguard an irreplaceable asset.
Any changes to the categories that define these critical functions should prompt a review of your business continuity plan.
Lasting damage isn’t always physical – it could be reputational, financial, or damage that affects the resilience of other business critical services.
For services, it’s very important to understand both their maximum tolerable period of disruption (MTPD) and their minimum business continuity objective (MBCO).
MTPD: The maximum amount of time that an organisation can afford to be affected by an incident.
MBCO: The level of products or services that the organisation deems acceptable to run at during that time (an incident).
How severely would an incident impact the critical service that you provide?
What is the likelihood of that incident occurring?
Each county is susceptible to various risks that often depend on its make-up. Understanding your surroundings can be crucial in making preparations.
Lincolnshire’s community risk register (CRR) rates the key risks for the county.
Prioritise these functions based on the impact of each risk (likelihood vs severity). They should be listed in order of criticality, with this being based on the timeframes that they would need to resume by in order to meet business needs.
There are a variety of materials and guidance available to you from firms such as the BCI that can help you assess and reduce your risks.
Use frameworks (such as our preparation guidance) when building a resilience checklist for your business continuity planning. This will incorporate best practice into your preparations.
Build layers of resilience into your emergency planning by sharing responsibility throughout your organisation.
…but make sure that there are primary and deputy contacts.
Think about what would actually need to occur in order to trigger a plan invocation – and make sure that these trigger points are communicated to all stakeholders.
Only a select few people should hold the power to invoke – make sure this is detailed appropriately in your planning.
What makes a good communications plan?
A comms cascade allows for quick notifications to be sent to specific parties during an incident.
It is best practice to build timelines into your cascades. This ensures that communications progress can be tracked, which builds greater reputational resilience and helps to manage expectations across stakeholders.
Consider producing communication templates. Messaging can be drafted ahead of an incident and adapted when the incident occurs, which will facilitate appropriate contact with stakeholders.
Communications plans should be revised frequently – with best practice being every 2 years. However, if any of the following changes occur then a review should be considered: changes to people, practice, property, or post-incident.
Make sure your key contacts are up-to-date – you never know when you might need them!
Opportunities should be taken in order to build business continuity knowledge and individual responsibility into everyday processes.
If encouraged to take part in exercises, and by seeing the context of business continuity in their day roles, colleagues will be able to understand the importance of the business continuity process.
Exercising an incident can feel daunting, but exercises can range from a simple discussion/walkthrough to a full live-staged event rehearsal.
There is no one-size-fits-all answer to what approach best suits your organisation.
A good approach, however, will allow your plan to be broken down and rehearsed in manageable chunks. This will highlight potential lessons to be learnt, and these inform future planning sessions.
It’s good practice to share your business continuity plans with suppliers and staff, ensuring that there are both physical copies in known locations as well as a copy that is accessible remotely.
There is no set time limit on how frequently business continuity plans should be revised.
However, during the drafting process a maintenance schedule should be assigned to make sure that the plan remains current and efficient.
Good practice suggests that a review should take place every 2 years. However, if any of the following changes occur then a review should be considered:
…a change in personnel means an update to roles, responsibilities, and contact details is required.
…has the way you deliver your service changed? New contractors or suppliers could be supporting your business, and need to be detailed in your business continuity planning.
…have you had a change of property? Work from home? Plans may need to be adapted to suit this new way of working – which means adapting those sub-plans as well (communication, evacuation, IT policy and reliance, grab bag storage etc.).
Working from home will also require more responsibility from individual staff members to take ownership of their contribution to the business continuity effort – this could require additional training sessions and/or reminders about how to achieve this remotely.
…some incidents are inevitable no matter how robust your resilience is. Post-incident is the perfect time to revisit planning.
Ask yourself – what didn’t work well? What DID work well? What would we do differently?
Reflecting is key to progression. It is essential to make sure these reflections are recorded and built upon in future planning. This can be achieved through effective debriefing when appropriate, as this allows both positive and negative feedback to be identified, and this helps implement lessons learnt.