The first step of your business continuity plan is to think about the parts of your
business that are crucial to keeping it going during and after a crisis. This
step is called the Business Impact Analysis (BIA).
The BIA involves identifying the critical business activities within the business
and determining the impact of not performing that function. Types of criteria for
assessing the impact include:
- Customer service/satisfaction
- Internal operations
- Legal/statutory requirements
- Financial impacts
Once the functions have been identified, the BIA should examine the time dependencies
of each and assign a Recovery Time Objective (RTO). This is the maximum time span for
which the function could be suspended, if at all, and therefore how quickly the
function/activity would need to be recovered.
The next step in developing your Business Continuity Plan is to identify the
risks that could cause a disruption to your operations. Most risks can be grouped
into the following categories:
- People
- Premises
- Information (Electronic & Non-Electronic)
- Location
- Environmental
- Utilities / Services
Common risks experienced by businesses include:
- Fire/Flood
- Bomb/Terrorist threat
- Denial of access to premises
- Legal/Regulatory actions
- Utilities failures
- Burglary/Vandalism
- Staff sickness/absence
- Supplier failure
More information on potential risks can be found in UK Resilience Planning Assumptions.
Once the risks have been identified, they need to be assessed for their potential
to create disruption and their probability of occurrence. The analysis process could
take the following form:
- Document the risks identified in the previous step.
- List the likelihood of each risk occurring.
- List what arrangements you currently have in place to prevent or reduce the likelihood of the risk occurring.
- List what arrangements you could put in place to prevent or reduce the risk to your business.
- Assign a likelihood score for each risk.
- Plot the likelihood against the impact.
- Rank the risks and make an informed decision about what action to take.
The options are:
TREAT
Use of BCM to reduce disruption by ensuring the activity continues at, or is recovered
to, an acceptable level and within the timeframe stipulated in the BIA.
TOLERATE
You may decide that you are willing to accept the risk because the cost of implementing
any risk reduction strategy outweighs the benefits.
TRANSFER
For some risks the best response may be to transfer them. This might be done by
conventional insurance or contractual arrangements, or it might be done by paying
a third party to take the risk in another way. This option is particularly good
for mitigating financial risks or risks to assets.
TERMINATE
In some circumstances it might be appropriate to change, suspend or terminate the
service, product, activity, function or process. This option ought only to be considered
where there is no conflict with the business's objectives, statutory compliance
and stakeholder expectations. This approach is most likely to be considered where
a service, product, activity, function or process has a limited lifespan.
This step in the process is concerned with the development and implementation of
appropriate plans and arrangements to ensure the management of an incident and continuity
and recovery of critical activities that support key products and services. A developed
plan may include the following:
- Purpose and Scope - It is important to clearly state the purpose and scope of the plan being developed.
- Document owner and maintainer - You should document who owns the plan and who is responsible for reviewing, amending and updating it at predetermined intervals.
- Roles and Responsibilities - The plan should list all individuals with a role in its implementation and explain what that role is.
- Plan Invocation - The method by which the plan is invoked should be clearly documented, setting out the individuals who have the authority to invoke the plan and under what circumstances.
- Contact Details - All plans should contain or provide a reference to the essential contact details for all key stakeholders, including all those staff involved in the implementation of the plan.
- Incident Management - You should document the tasks that will be required to manage the incident and the individuals responsible for each task.
- Communication Strategy - The plan should include a communications strategy detailing information to be given out or sought, by whom and in what format.
This element of the BCM process ensures that the recovery plans developed are fit for purpose
and up to date, and that they deliver the required response. Your BCM arrangements cannot
be considered reliable until they have been exercised and proved to be workable. Exercising
should involve:
- Validating plans
- Rehearsing key staff
- Testing systems relied upon to deliver resilience.
The frequency and type of exercises will depend on your business, but you should
take into account the rate of change and the outcomes of previous exercises. As a
minimum, exercises should be conducted annually. The four main types of
exercise for your plans are testing, discussion, table-top and live exercises.
Testing
Not all aspects of your plan can be tested, but some crucial elements can, such
as the contact list and the activation process.
Discussion
This is the cheapest and easiest exercise to prepare. This type of exercise will
bring staff together to inform them of the plan and their individual responsibilities.
It will include a discussion of the plan to identify problems and solutions.
Table-top exercise
This is scenario based and is likely to offer the most efficient method of validating
plans and rehearsing key staff. It brings staff together to take decisions as a
scenario unfolds, in much the same way as they would in the event of a real incident.
Live exercise
This ranges from a small scale test of one component, such as evacuation, through
to a full scale test of all components of the plan.
Whatever type of exercise you opt for, it is worth considering inviting other stakeholders,
in particular those that you rely on to deliver your key products and services.
It is also important to record and evaluate the event, through a debriefing immediately
after the exercise, followed by a written lessons-learned report with actions
as necessary.