Business Continuity – A never ending story
Business Continuity: two very simple words, but lift the lid on its meaning and there are a host of considerations and challenges for those responsible for delivering business continuity in the commercial world.
A quick check on the internet defines Business Continuity as the capability of an organisation to continue delivery of products or services at acceptable predefined levels following a disruptive incident. Message received loud and clear, but I prefer the colour brought to the subject of Business Continuity planning by two well-known quotes: “He who fails to plan, plans to fail.” “Planning is bringing the future into the present, so that you can do something about it now.”
Recent history tells us that reputation and market share can quickly be eroded following an inadequate response in the wake of a period of disruption; and very often those disruptions can come from the most surprising of incidents – whether it’s extreme weather, such as the recent run of hurricanes in the Caribbean, or the cancellation of thousands of flights due to poor management of pilot rotas and staff shortages. We are very aware of the threat of terrorist and criminal attack but there are many types of interference that can quickly bring businesses to their knees. Fires, floods, strikes and all manner of accidents can turn a normal business day on its head. So how should your business prepare for the worst?
The first step is to carry out, or enage professional advisers to undertake, a full continuity assessment. This should cover everything from mapping every specific critical business function to training staff on how to react to various types of threats against the business. Following The Centre for the Protection of National Infrastructure (CPNI) guidelines, which is an invaluable resource in its own right, any business continuity plan should consider:
critical business functions and the supporting infrastructure must be designed in such a way that they are materially unaffected by relevant disruptions, for example through the use of redundancy and spare capacity;
arrangements have to be made to recover or restore critical and less critical business functions that fail for some reason.
the organisation establishes a generalised capability and readiness to cope effectively with whatever major incidents and disasters occur, including those that were not, and perhaps could not have been, foreseen. Contingency preparations constitute a last-resort response if resilience and recovery arrangements should prove inadequate in practice.
Mapping crtitical functions and assets
The first part of the assessment is a complete mapping of the specific critical business functions and key assets. As well as identifying these key areas, the assessment should determining how they are used and how they could come under threat. Recovery times and alternative working methods will need to be considered and established for each vital area.
Disaster recovery planning often has to consider terrorist threats or environmental disasters. Whilst considering these threats, any specialist equipment that might be required to help prevent such disasters should also be considered. This could include equipment such as cabinet x-ray mailroom scanners, which assist staff to identify weapons or explosives before they enter your building.
Once the assessment has been carried out, the next step is to identify the optimal method for restarting the business after an interruption. This could be from a separate co-location site or from the existing location. Plans will need to be put in place to replace key assets quickly. Where a co-location is selected, it should have equal security measures as the main site, for example, CCTV, Access Control, front of house X-ray scanning and postal scanning and metal detection products.
Once the mapping information has been gathered and the best possible recovery methods for the business have been determined, a bespoke Business Continuity Plan (BCP) can be implemented.
Staff must be fully trained to ensure they understand the plan and can implement their parts successfully. This could include the use of supporting IT tools and the logistical arrangements in place to implement the plan. Senior level support and sponsorship for this training is imperative and it must be a regular fixture in your organisation’s training calendar.
The plan should be regularly tested, reviewing every aspect, to check whether the plan actually works. Are there any gaps in arrangements? Are staff fully prepared? Is there anything more you can do to make your organisation more resilient?
Testing your plan and training staff can be achieved through business continuity exercises. A desktop exercise is where you talk through the response to a fictitious incident, with groups and individuals sharing their knowledge and understanding. Or it could be a live scenario-based exercise, where people take on their roles and respond as an incident unfolds. It is crucial to identify the lessons learned from these exercises and incorporate them in your plan.
Once the Business Continuity plan has been assessed, implemented and tested, those responsible can then turn to one final relevant continuity quote: “Plan to be better today, but don’t ever plan to be finished.” Unfortunately, the very nature of Business Continuity means that those responsible can never rest on their laurels.
Sales Director, Todd Research