Planning Business Continuity

We all know that Business Continuity is something that should be put in place. Everyone knows that there ought to be contingency plans in the event of a disaster overtaking our business. Anyone knows that, whilst unlikely, a disaster could happen at any moment. No one is better placed to understand this than the board, chief executive and senior management. Someone ought to have these contingency plans ready just in case.

So if this is self evident, why are you reading this? Do you not have such contingency plans? Or are you like many other organisations hoping that nothing disastrous happens, yet are convinced that if it does you will cope adequately?

Business continuity is a planned process identifying what might go wrong, evaluating the risk from that event and then defining plans to address such risks.

Risk assessment helps to identify the range of threats to the organisation, the vulnerabilities your organisation has if those threats arise, assessing the impact of loss upon the organisation of such events and the likelihood of them occurring.

The threats the organisation may face need to be identified. This may be obvious ones such as flood, fire, bomb threat, terrorist activities, storms and environmental effects (e.g. heavy snow). There may well be others to consider. What if key staff are in a syndicate and they won Euromillions lottery- would they still be at work on Monday? What if a key customer filed for bankruptcy or a key supplier suffered an earthquake? These are all threats to be considered.

What impact would these threats have on your organisation should they occur? Key to this is understanding the crucial activities and processes within the organisation. In order to conduct a full and proper business continuity planning process it is fundamental to understanding how the organisation works. This analysis can then be used to determine ‘what if’ that key process was to disappear? What would we do? How long could we cope without that activity? How do we get it back?

As an example, how long could the business survive if the credit control function vanished? Without someone collecting money do we have deep enough pockets to pay our people and our suppliers for very long?

Once the key activities have been identified then it is prudent to figure out how long the organisation could survive without that function. Thus the impact over time can be determined – this is Business Impact Analysis (BIA for short). From this we can determine the MTPD or Maximum Tolerable Period of Disruption. MTPD is the maximum time we can do without that service or activity before our business is irrevocably threatened. For some processes this might be a matter of minutes or hours, for others it may be weeks or months. We should set a Recovery Time Objective (RTO) for these activities. This is less than the MTPD and is the time we expect to recover the activity. If the RTO is longer than the MTPD it means that our business is in jeopardy.

To prioritise which activities are recovered and in which order it is advisable to identify the critical activities. This then gives us a recovery plan identifying which activities are recovered in which order and hence which require what resources at what time.

Armed with this information we can carry out a risk assessment and hence identify the risks to our business and determine the action plans we need to put in place to counter the potential threats to continue the organisation’s activities with disruption kept within our tolerable levels.

This process does take time and effort to implement properly. However it does take away guess work and supplants hope with a pre-determined programme. After all, this is all about protecting the organisation and those stakeholders within it from the vagaries of chance.

The Business Continuity standard BS 25999-2 (soon to be replaced by ISO 22301) provides a management system framework for not just establishing appropriate Business Continuity plans, but also making sure they stay up to date, tested, maintained, owned by relevant individuals and stay appropriate to your challenging and changing business requirements. We can help you understand your environment, undertake these planning activities, produce relevant and appropriate plans, and more importantly put in a system that ensures their ongoing testing, maintenance and improvement.