How to prepare for the worst

Amid corporate governance guidelines, codes of practice and regulation,
business continuity has become an issue that companies can’t afford to ignore.

Regulators, investors and stakeholders are increasingly seeking assurance
that organisations have developed business continuity plans that enable them to
continue to function and meet regulatory obligations in the event of an
unforeseen interruption.

The primary responsibility for business continuity lies with senior
management, who must be confident in their organisation’s ability to
successfully respond to, and recover from, an unplanned disruption.

The success of business continuity planning hinges on clear definition of
both executive accountability and management responsibilities, and budgets
dedicated to the implementation, maintenance and testing of business continuity

With today’s accountancy practices assuming responsibility for an
ever-broader range of strategic business areas for clients, they too are in an
ideal position to identify any business continuity shortfalls, although this
expertise presupposes that they have embraced business continuity as an integral
part of their own operations.

Business continuity plans will vary according to the nature, scale and
complexity of the business. There are many different business continuity models,
but one of the easiest to follow is the business continuity management (BCM)
lifecycle published by the BSI, which is based on the Business Continuity
Institute’s good practice guidelines.

Identifying potential sources of risk is key to knowing your business, and
most organisations will already have some risk management processes in place.

If not, one of the most effective ways to understand your business is to
conduct a business impact analysis (BIA).

By measuring financial impacts, such as loss of revenue, delayed cash
flow and extra interest charges, alongside operational impacts, including the
effect on customers, regulatory breaches and the impact on your reputation or
brand, you will gain a clear picture of the most critical processes and
priorities of the business.

The BIA will provide the information you need to make sure that resources are
applied where the impact of a disruption would be felt most.

If you have the relevant skills in-house, schedule some workshops to identify
potential risks, particularly those of an operational nature. You could work
with your insurer to devise an approach that not only allows you to implement a
risk management process, but also ensures that your insurance cover aligns with
your actual level of risk.

Your BIA should also identify the priority actions following disruption and
establish the minimum level of resources (including people, workspace and
systems) required to complete them. Ideally, this information should be
collected via face-to-face interviews or facilitated workshops, not

Don’t make the mistake of trying to plan for individual scenarios or causes
of disruption – it is far better to think about the effects of a disruption.
Broadly these are: denial of access to your building; loss of all or part of
your building; loss of critical technology; loss of critical supplies; and loss
of key people.

Your strategy may be to increase your resilience by, for example, splitting
operational functions across buildings, cross-training staff and implementing
back-up computer systems at a second site, and/or to establish a recovery
capability for resources such as critical servers and alternative office space
through disaster recovery contracts. Ultimately, the choice will depend on the
level of inherent resilience within your operation and the available budget.

When developing business continuity plans, bear in mind that, unless they are
owned by the business and based on sound business continuity strategies, they
will not be maintained to a standard that makes them fit for purpose.

Whether your plan is ‘high-level’, consisting mainly of simple flowcharts, or
consists of long lists of detailed tasks, the style and format should be easy to
follow and the content simple to update.

Think about the different people who will use it. Senior managers will use
plans as framework documents to help them control response and recovery
activities. Business continuity plans will be used by function heads and may
simply outline contingency procedures for achieving key tasks with minimum

Disaster recovery plans for IT and facilities staff may contain detailed
instructions for restoring critical computer systems or conducting detailed
damage assessments. As a minimum, all plans should state as clearly as possible
who goes where, when, with what and why.

Even the best-written plan will make some assumptions and will probably
contain phrases that may be misleading to the reader. Poorly written plans will
be much, much worse. We recently tested a plan only to find that the published
telephone number for the crisis command centre was incorrect and rang out
without reply. Such wrinkles can be easily ironed out through proper testing.

It is also important that employees throughout the chain know what the
process is and what their role will be should a disruption occur. Tests and
rehearsals should be planned, regular events. Ideally, you should start small
and build up. In the case of IT recovery tests, start with the individual
servers, then PCs, then networks and finally bring in users to confirm the setup
and data are as they would expect.

Remember that businesses don’t stand still. Even the simplest of plans
contain references to people who may leave. Just how often plans are updated
will depend upon the rate of change within your organisation and the level of
detail in the plans.

As a minimum, try to ensure that plan owners review their plans at least
every six months. If your organisation has a formal project management process
for all new initiatives, consider incorporating business continuity into this

Successful business continuity planning is all about diligence of approach
and attention to detail, but the skills and experience required during the
pre-incident planning process are very different to the leadership qualities and
in-depth business knowledge required for ‘post-incident response’.

One company only found out how dependent they were on the presence of their
business continuity manager to advise and direct the recovery teams when an
incident occurred while she was on sick leave. Recognising these situations will
help when assigning ownership and ensure that those people named within plans
are clear about their role and their responsibilities.

Angela Robinson is former chairman of the Business Continuity Institute
and a director of Garrison Continuity
