Despite the number of potentially harmful events of recent times, many businesses have still to develop and implement effective business continuity management plans. Helen Morris of Marsh offers a potentially timely reminder
Having effective business continuity/disaster recovery plans in place can make the difference between a business surviving or failing following a major incident, such as a fire or a flood, according to a joint survey by the British Insurance Brokers’ Association (BIBA) and the Cabinet Office.
Events triggering business continuity arrangements are not as uncommon as you might think. In the last two years we have seen riots in many UK towns and cities, the impact of volcanic ash clouds, and the threat of swine flu, in addition to more common threats such as fire and flood.
Of those respondents to the BIBA survey who had suffered a disaster, the majority stated that having a business continuity plan in place was essential to their ability to keep trading, or reduced the cost of the disruption significantly. Sixty two per cent also said that having a business continuity plan provided benefits in terms of premium discounts, reduced excesses and doors opening to new insurance markets.
All of which makes having a business continuity plan seem very attractive, doesn’t it? Yet many organisations still choose not to develop a robust business continuity plan. The underlying reasons for this can be many and varied, of course, not least the organisation’s overall attitude to and appetite for risk, but surely it makes sense, particularly during difficult economic circumstances, to establish effective recovery arrangements should the worst happen?
So why the reluctance to develop and implement effective business continuity? As previously mentioned, the organisation’s stance on risk plays a part: “If it ain’t broke, don’t fix it”; or “We’d just roll up our sleeves and get on with it if we had a fire – we’ve done it before!” are both expressions used as reasons for not developing business continuity arrangements. There can also be a tendency to imagine that incidents leading to protracted business disruptions will never happen, although a casual glance through the newspapers often provides evidence of the contrary. It is also a question of time pressures and perceived priorities.
We are not suggesting that all organisations should suddenly embark on a lengthy, possibly costly and time-consuming programme of business continuity management. Rather, the aim is to provide a few helpful ideas as to how to develop and implement effective (and cost-effective) BCM.
There are a number of factors to consider when starting out on this particular journey, for example:
- Is there anything already in place?
- What should the end result look like?
- Does the person or group tasked with implementing BCM have any experience or training in it?
That last point isn’t supposed to be a facetious one. It might be useful to gain at least some basic knowledge before starting out. Talking to others (both inside and outside the organisation), attending a BCM training course, and finding out how others have approached this can help. It’s easy to become overwhelmed with detail, so try and make the distinction between what’s important and what isn’t.
When implementing BCM for the first time, it can be difficult to determine what “good” should look like. It will have little value if it is simply a paper exercise achieving a rubber-stamped BCM, but neither do you want it to become a project that never ends.
Too little detail and the plan can look over-simplified; too much detail and people’s eyes may start glazing over. In neither case are you likely to achieve an effective feasible solution in case of an actual incident. The ideal end result falls somewhere between the two.
The Business Continuity Institute’s Good Practice Guidelines provide an excellent starting point. When designing plans, it’s important to think carefully about their structure.
- Should this be a suite of documents or a single booklet?
- Should it be formatted in Word or Excel, or any other software package?
- Will flow charts and diagrams be included?
- How will it be kept up to date?
- Who will keep it up to date?
At this stage, thinking about the look and feel of a plan can underpin exactly what information is included.
In order to make plans more robust, it’s important to include some sort of “incident response” section. If such plans already exist, they could be linked to the BCP.
Possibly the most important aspect of any plan is in documenting who should be communicated with, during and following an incident. For example, at the time the incident occurs, it may not be immediately necessary to talk to clients, but it might be imperative to find a quick way to let employees know what’s happened.
The key is in determining who should be communicated with at each stage of an incident’s life span. Document this simply somewhere in the plan. This could be done in chart form, using a simple spider diagram, or even by capturing this data and holding it separately, electronically.
Perhaps the most complex aspect of building a robust plan is in developing an effective recovery. This is often the point at which many planners get a little stuck. There seems to be a perception that it’s a lot of work for very little return – after all, the incident might never happen. However, if a thorough business impact analysis has been undertaken, the key points of this, or at least a brief overview, can be included in the recovery section of the plan.
The important thing is that everyone understands just how much effort is going to be required to recover interrupted activities following an incident. This is something outside “business as usual”, and it’s probable that lots of extra time, effort and resources are going to be needed. For example – should the recovery strategy be to build a duplicate office in five days, or would it make more sense to have reciprocal emergency arrangements with another firm, have working from home arrangements for colleagues, and/or hire serviced office accommodation and move salvaged files and equipment there?
Think carefully about what makes sense for the organisation – and do not forget internal administration functions. If it’s important to have the finance department sitting with the payroll department, then make sure that’s written into the recovery section.
Some of the most effective plans (and the shortest!) don’t actually provide this detail in the plan itself; they simply refer to it, sometimes by stating where the documents are held or by including a hyperlink. Most emergency response/incident response plans are usually well rehearsed, so it might reduce effort and duplication by simply referencing these plans. If no plans of this nature currently exist, it’s a good idea to undertake some sort of risk assessment to determine what the most likely or probable physical threats or scenarios might be, and plan the response accordingly.
Having developed plans, it’s important that they are owned, managed and maintained by either a central department or pre-determined individuals. It’s sometimes difficult to decide who this should be. It’s not always the case that the person who wrote the plan is the correct person to maintain the plan, so it’s worth thinking about who would be most appropriate to do this. It will depend very much on the organisation’s size, geographical reach and culture.
The main point is that the plan should remain very much a living document, something current, that everyone knows about, understands and is familiar with, to the point of being able to use it should an incident occur. Consider having a link to it on the firm’s intranet, or briefing colleagues at team briefings. Some organisations have added business continuity to their induction process, so every new starter understands its importance and their role.
Complete the CPD quiz accompanying this article (providing 0.5 units CPD) on Marsh’s new website for Scottish solicitors: www.marsh.co.uk/scotlaw
In this issue
- Capacity and undue influence
- Tolent clauses in construction contracts
- Mending the safety net
- Keeping it in the family
- Speak with impact
- The complication of tax simplification
- Reading for pleasure
- Opinion column: SIHRG
- Book reviews
- Council profile
- President's column
- The price is right?
- Learning on the slate
- A better way to talk
- Plain sailing?
- Kilbrandon in the 21st century
- Who's who in banking and finance
- Corporate speak
- Here we go again...
- Deadlines in negotiations
- Scottish Solicitors' Discipline Tribunal
- Shuffling walnuts?
- A bold step forward
- Action to safeguard vulnerable clients
- Buildmark acceptance goes online
- Law reform roundup
- Escape from disaster?
- Ask Ash
- Update branches out
- Business checklist
- Work, the deciding factor