The benefits of a Business Continuity Plan
The key to a successful, long-term business is not only the ability to serve your market and retain customers, but also the ability to withstand the unexpected events that could knock your success off-course.
While COVID-19 is at the forefront of our minds these days, it is worth considering that this is one of many events that have had impacts on business over the past few months. Cyber attacks, pandemics, flooding, fires and multiple storms highlight the need for planning for the unknown and the requirement to keep business operations active during times of stress.
A business continuity plan, or BCP, provides companies with a roadmap and processes that support the company and its strategy when the unexpected happens. An effective plan enables any organisation to react quickly and efficiently to unpredictable events. The goal is to keep essential services up and running and, in the event of an incident, to provide for recovery in the shortest possible timeframe.
The benefits of a BCP include supporting the organisation’s strategy, creating a strategic advantage compared to your competitors, demonstrating to stakeholders such as investors and customers that you are taking their needs seriously and addressing operational vulnerabilities.
The framework that supports BCP is a Business Continuity Management System or BCMS. The de facto standard for BCMS is ISO-22301. This lays out the requirements for a standardised management system, and highlights ten clauses to assist in developing a plan. The key considerations when developing a BCMS include:
- Decide which services are essential to keeping the business operational. This will be done through risk assessments/business impact assessment. – The Scope
- Understand the people element, as a key part of this is identifying the correct people to be part of the reaction team, i.e. the first responders to an incident. This is a vital part of the plan, as the right people need to be in place to respond to and deal with the incident. – The Leadership and Support
- Plan for the testing, refining and updating of the BCMS, as this should keep abreast of how your business and strategy change. – Planning, Performance evaluation and Improvement
Then there are the practical elements of the plan that should be agreed prior to any incident occurring. You should keep up-to-date contact details of all key stakeholders. You should schedule plan reviews, testing and updating. Testing should be done regularly, from walk-throughs and table-top exercises to full emergency exercises, to see how team members and execs react under stress.
Plans can look great on paper, but until they are fully tested in an exercise environment and the lessons learned are applied, they may not operate as expected in an incident. There should be easily accessible checklists in situ – both in soft and hard copy – that outline what is to be done, by whom, by when, how that will be achieved and where the activity is to take place. As such, understand and agree the guidelines for how and when to activate the plan.
If an organisation prepares a plan in advance of an incident occurring, be it a pandemic, an act of nature or a cyber attack, then the organisation stands a better chance of emerging from the incident with its operations intact.
How to keep business continuity in a crisis
However, if an organisation doesn’t have a BCP, then there’s no need to panic. You can still implement the most important phase of a BCP: the response phase, which for many is the least effectively planned phase of a BCP.
The response phase comprises the following 6 key steps:
- Mobilise your incident response team. This should be led by and comprise senior management and company experts who manage the operations and staff at this time. Critical decisions are agreed on by this taskforce. Meetings should be held at least daily, with interim phone calls involving sub-teams occurring more frequently.
- Decide if additional expert support is required at this time. It may be the case that the organisation is ill-equipped to deal with the incident, so now is the time to ask for help. If it doesn’t ask, then the response to the incident may be inadequate and may prevent recovery in the long term.
- Safeguard your critical assets – during a crisis or incident ensure that your operational assets are monitored for unauthorised access or usage and that you have a full inventory completed.
- Implement a communications plan to keep all stakeholders – internal, external, governmental and customers – aware of what you are doing, why you are doing it and when you are doing it.
- Plan how the organisation will restore pre-incident operational effectiveness. This can include a glide-path for bringing systems or staffing on-line in a controlled manner. The big-bang approach can usually lead to more issues, as systems become overloaded if this is done too quickly.
- Complete a lessons learnt report and publish this through internal and external communications. Another incident or crisis will occur in the future, so plan on re-using your hard-won knowledge.
If an organisation takes these steps into consideration during an incident or crisis, it can formulate a recovery plan that will assist it in remaining viable during the incident and in recovering, hopefully, to its pre-incident state after the incident is over.
Authors: Neil Redmond, Senior Manager and Mark Gallagher, Manager, Risk Advisory