To many, business continuity planning (BCP) can be a pretty daunting subject. It challenges us to face the unthinkable. What if a fire or a flood or a bomb destroys our building? What if a critical computer system fails and puts a key business department out of action? Where do our staff go? Where will our customers go? And will they ever come back?
In addition, we are living in an increasingly regulated world, with a growing list of guidelines and requirements to comply with new legislation.
The Civil Contingencies Act is just one example of this. Is there a danger that business continuity, like compliance, may be seen as an administrative mountain, difficult to define, hard to justify and even more difficult to implement and complete meaningfully?
In recent times we have witnessed incidents which have served to show us that, in reality, it is a simple but effective plan that works best. Those companies that recovered well after a shocking event, such as the Buncefield oil depot explosion, did so because they had explored the way in which their organisation worked and had prioritised and separated the processes into smaller parts that could be thoroughly tested.
Comments from our customers and contacts in the industry suggest that BCP is being perceived as becoming too ambitious and too complex. Are plans becoming so complicated that it is no longer practical for the organisation to test them? If this is so, it would make the whole plan worthless. Quite simply, if the plan is unproven, the organisation remains unprepared.
Realistic processes
The approach to business continuity needs to retain a balance; in short, to turn plans into realistic recovery procedures and practical testing exercises.
The first move is to step back and focus on the real risks we face and decide how best to mitigate them. Take the analogy of the Rugby World Cup 2003 competition. It is now widely recognised that one of the major coaching strategies that enabled England's success in that competition was engendering in the team the ability to 'scan' - the ability to mentally and physically step out of any game for a brief moment and observe - before going back into the fray. 'Scanning' seems ideally suited to our approach to business continuity - step back from a situation, observe what is really going on, work out where the real problems lie, what your options are for dealing with them, consider your objectives - then go back into the fray.
Although we may be seeing an increase of interest and activity in what goes on in the business continuity world, the end result must be incisive and effective. Recent survey work carried out by the FSA on the 'best of the best' organisations, however, would suggest that there is much room for improvement. So are we stepping back? Are we allowing sufficient time to scan? Will our plan be a winner?
Business continuity is an area where there can be a tendency for emphasis to be placed on being seen to comply, especially with increasing legislation and regulation. The danger is that, in reality, there may not be much substance behind the perceived compliance. For example, it is well known in the industry that there are numerous organisations that have committed to business continuity plans, but have yet to test them regularly, or even in many cases, to test them at all.
While, on paper, organisations may appear to be prepared, the reality may be that they do not know if their plans would work if they should ever be faced with a real incident. It is the testing and flexing that refines a business continuity plan and ensures that, should the worst happen, the company has a response that will work. Without a robust plan, any organisation represents a real risk to the general economy, as do those whose plan is out of date or untested. Similarly, a plan on paper is not much use without some resources behind it to make it real.
It is not just the single organisation that is at risk, but all those others that have a relationship with it. The failure of one large or small enterprise may affect its entire supply chain and many employees in its locality. The impact of a disaster on a large public body will be just as serious, so those organisations that are not prepared actually represent a real danger to our economy.
One of the problems is that, traditionally, IT has been perceived to own business continuity (in reality, disaster recovery). IT of course remains a core element, but the view of business continuity has been evolving towards a more holistic approach, encompassing human resources and the entire business. After all, it is a combination of business processes that maintain services and operations. To be effective, business continuity must be driven from the highest level in the company, and it should start by taking a logical view of the business to work out where the real risks lie.
Viewing the business
One way to look at this is to view the business in terms of people, business processes and technology/infrastructure. Companies will lay more stress on different areas according to the nature of the business. Some rely on manpower; some rely heavily on technology. Different organisations will find that the 'discs' (as seen in the diagram) of people, business and technology will overlap each other in different amounts. The overlap between these areas will assist in recognising which area the organisation is most reliant on, and this is key to your BCP.
Another dimension to consider is the organisation's position within the supply chain - represented as a 'black box', within which the people, business and technical aspects of the organisation sit. This shows where the organisation stands in the supply chain, and reveals those relationships with outside entities that could affect the organisation. It also shows how an interruption of the business might impact suppliers, employees and others. For example, the loss of one major employer in an area can cause its suppliers and local service industries real difficulties, not to mention causing unemployment among local workers. By 'scanning' its supply chain position, an organisation can prioritise where its greatest risks lie and what its critical business processes are.
Deciding what to guard against
A definition of the impact of a risk can be taken as the probability of an event occurring, measured against the consequences if it should occur. So an assessment of the risks should start by considering which threats are the most serious. The next stage is to consider the consequences of each risk and decide which of them to accept and which to mitigate.
Those with a low impact, we may decide to live with, but if the consequences are disastrous for the business, even if an event is relatively unlikely to happen, it should be included in the plan.
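The assessment just described, scoring each threat as probability measured against consequence and then deciding which risks to accept and which to mitigate, can be written down so that the decision rule is explicit and repeatable. The following is an added example, not from the article or from NDR Ltd; the 1-to-5 scales, the acceptance threshold and the sample threat register are all constructed for illustration and should be replaced with the organisation's own values.

```python
"""Risk prioritisation for a business continuity plan.

Added example, not part of the original article. Each threat is scored as
probability x consequence, then the article's rule is applied: low-impact
risks may be accepted, but any risk with disastrous consequences goes into
the plan regardless of how unlikely it is.
"""
from dataclasses import dataclass

# Assumed 1-5 scales for this example (not from the article).
DISASTROUS = 5          # consequence level that is always planned for
ACCEPT_THRESHOLD = 6    # score at or below which a risk may be accepted


@dataclass(frozen=True)
class Threat:
    name: str
    probability: int  # 1 (rare) .. 5 (almost certain)
    consequence: int  # 1 (negligible) .. 5 (disastrous)

    def impact(self) -> int:
        """Probability measured against consequence, as a single score."""
        return self.probability * self.consequence


def decide(threat: Threat) -> str:
    """Return 'mitigate' or 'accept' for one threat."""
    if threat.consequence >= DISASTROUS:
        return "mitigate"   # unlikely but disastrous: still in the plan
    if threat.impact() <= ACCEPT_THRESHOLD:
        return "accept"     # low impact: decide to live with it
    return "mitigate"


def prioritise(threats):
    """Return (threat, decision) pairs, most serious first."""
    ranked = sorted(threats, key=lambda t: (t.consequence, t.impact()), reverse=True)
    return [(t, decide(t)) for t in ranked]


def plan_scope(threats):
    """Names of the threats the plan must cover, and therefore test, in priority order."""
    return [t.name for t, decision in prioritise(threats) if decision == "mitigate"]


# Constructed sample threat register (illustrative values only).
SAMPLE_THREATS = [
    Threat("Short power cut", probability=4, consequence=1),
    Threat("Key server failure", probability=3, consequence=4),
    Threat("Building fire", probability=1, consequence=5),
    Threat("Senior managers unavailable", probability=3, consequence=3),
    Threat("Printer outage", probability=5, consequence=1),
]

if __name__ == "__main__":
    for threat, decision in prioritise(SAMPLE_THREATS):
        print(f"{threat.name:30} impact={threat.impact():2}  -> {decision}")
```

Running the register above puts the building fire first even though it scores lowest on probability, because its consequence is disastrous, while the frequent but trivial printer outage is accepted. The list returned by plan_scope is the set of scenarios that the plan, and the test exercises that follow, need to cover.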
The next step is to decide how to guard against the risks. This might involve working with third parties. For example, should we have arrangements with a recruitment consultancy to provide temporary management staff at short notice if something should occur to prevent senior management from continuing work?
This is all very well in theory, but it must also be the basis for a plan that can be tested in a practical sense. It is the testing of the plan that will show what is likely to go wrong in a real situation. The risk analysis will identify where the focus for these tests should be.
A realistic test will expose any elements that were overlooked in the planning process, and it is then that it becomes possible to refine it, adding in any elements that were missed first time round.
It is imperative to construct a plan that can actually be tested, and then to test the plan and continue to test it regularly - at least annually - to make sure that it evolves with changes in business practices and systems.
Remember, in really serious situations people do not sit down and read through their plans. Initially they tend to work to a rudimentary checklist of actions and communications based on the plan. There can be confusion and an understandable lack of discipline. For example, everyone wants to talk to the media, and the media want to talk to everyone. The dangers from this kind of uncontrolled reaction are obvious. Communication with the press should be directed through the person best suited for that task.
This preparedness will only come through testing and training.
So, a business continuity plan need not be daunting or over-complicated.
Keep it simple, realistic and workable. This is not to say that some parts of a plan may not be more involved than others, but appreciate that the overall plan should be developed logically: allow time to step back, 'scan' how your organisation works, assess the risks, mitigate them, and prioritise and separate processes into smaller parts so that they can be tested.
A simple, logical and realistic business continuity plan that can be tested is the best way to be prepared, to know where your staff will go, how customers will be dealt with and how you will continue operating in the face of an interruption.
- Dennis Thomas is managing director of NDR Ltd, E-mail: sales@ndr.co.uk, www.ndr.co.uk