Don’t be ’too busy’ to make a Business Continuity Plan
Regardless of the industry you operate in, you will be expected by customers, staff, suppliers, general public and other stakeholders, to be prepared for a potential disruption - whether it be caused by a power outage, staff shortage, cyber-attack, flood, earthquake, fire, network outage, supply chain issue, flu outbreak or other cause. For the sake of your business and stakeholders, it is paramount that you implement a Business Continuity Plan (BCP).
Whether it’s better preparedness for impacts on your workforce, a critical vendor, your ICT systems or access to buildings and other physical assets, consider the good practices listed below - no matter how large or small your organisation is, and whether it’s an NFP, Government agency or commercial business.
1. Who’s the boss?
Who is in charge in the event of an incident? Build a team with ‘rotating chiefs’ to make key decisions and nominate alternates to step in when primary members aren’t immediately available (or fatigued). Ensure the team is efficient in its crisis response, encourage its members to think ‘outside the box’ and ensure they are open to completely changing business direction, if necessary.
Ensure all contact details are available and accessible - including internal and external stakeholders’ details such as staff, suppliers, customers, media and next-of-kin. Store various contacts (e.g. work and personal email and mobile details) in several forms (e.g. cloud, pre-populated SIM cards, hard copy and/or USB/thumb drive). Ensure appropriate security and suitable continuity options in case some platforms are out of operation.
What are your key, time-critical services and activities that absolutely cannot wait? Prioritise your most valuable customers and focus on recovering their critical services first.
4. Don’t have all your eggs in one basket
Have multiple supplier arrangements in place. Having your ’eggs in multiple baskets’ in the form of various ongoing vendors of key services such as data/voice communication, maintenance, consumables and medical services may reduce economies of scale in your day-to-day business, but does allow for that badly needed ‘quick switch-over’ in case one supplier is down.
5. Are your key people multi-skilled?
Ensure your staff are trained and equipped take on various roles in the event of sudden illness or resignation, particularly if you don’t have extra employees on hand for every key role. Job rotation on a regular ‘practice’ basis can also be an excellent way to enhance cross-departmental understanding and overall corporate culture.
6. Build plan B (and C!) including manual operations
Well-prepared and well-tested manual work-arounds could assist you, at least temporarily, in case of an unexpected business disruption. Apart from working from home or a dedicated alternate location, consider utilising a virtual/shared workspace or hotel as an affordable continuity solution - at least for your team of decision-makers. Set-up a reciprocal arrangement with a business that has similar requirements to yours. Ensure IT, phone, supplier deliveries and other services can be diverted from a remote location and be sure to have the necessary passwords and contact details at hand.
Use a smart, best-practice BCP documentation format including pocket guides. During an incident, typically the last thing that people do is work through a 200-page plan (which generally is out of date to some degree, meaning those activating the BCP and needing it most, don’t actually trust its contents).
7. Train your team and take the plan for a test drive
Training and exercising your BCP go hand-in-hand. Most decision-makers and staff learn best by actual experience, and practicing the plan based on various disruption scenarios reduces the chance of panic in the event of an actual incident. Additionally webinar-style training supported by quizzes and other interactive elements assist in induction programmes.
8. Stay one step ahead
Be proactive and notify customers, suppliers, the community, press and other stakeholders before they find out through trial and error that your services are delayed or fully disrupted. Avoid unnecessary stress by negotiating delayed payment terms with suppliers, banks, the landlord and/or the tax office, to buy some time and breathing space in the initial stages of an incident.
9. Recognise your weakness
On the preventative side, conduct a gap analysis or benchmarking exercise (or ask an independent party to do so). Understand and mitigate your weaknesses, whether it be vulnerability to a cyber-attack, key staff unavailability or critical dependency on a facility, and agree on an action plan to bridge them - rather than over-promising and/or keeping your fingers crossed that you won’t ever experience an incident.
10. Cover yourself for what’s beyond your powers
Consider taking out insurance where specifically needed to bridge the final gaps - and where particularly relevant to your business. Apart from insuring for fire, general property, glass, accidental damage, money, liability, burglary, goods in transit, tax audit, equipment breakdown and fraud, also consider ‘key person’ insurance and ‘business interruption’ insurance as a last resort - but be aware this only assists you financially. A BCP is still required to actually keep key services operational and to provide confidence to your stakeholders.
This article was originally published in the Better Boards Conference Magazine 2023
Digital Transformation & Governance
Cyber Security 1.0.1 For Boards
The Board’s Role in Business Continuity Management