Expecting the UnexpectedBy Shaun

Lindfield

Nearly 1 in 5 businesses suffer a major disruption every year. Yours could be next. With no recovery

plan, you have less chance of survival. (Business Continuity Institute, 2003)

“An holistic management process that identifies potential threats to an organisation and the impacts to business operations that those threats, if realised, might cause, and which provides a framework for building organisational resilience with the capability for an effective response that safeguards the interests of its key stakeholders, reputation, brand and value creating activities”. (Business Continuity Institute, 2001)

Business continuity management can be best described as: -

Business Continuity Management

Why Implement BCM?BCM?

It protects the business

For legal reasons, such as: -

- Civil Contingencies Act 2004

- Companies Act 2006

Other bodies, such as: - Professional Bodies, Insurance Companies etc

How Do I Implement BCM?BCM?

Use BS25999-1 which is the Business Continuity Management Code of Practice

Speak to your insurance company, they might have a BCM guidance/template

Use specific BCM/Disaster Recovery Company to help.

Key Features of BCM1.

Analyse your business

2.Assess the risks

3.Develop your strategy

4.Develop your Plan

5.Rehearse your plan

Analyse your business

Buildings

Timescales

Systems and Processes

People

Partnerships

Suppliers

Customers

Where is your business vulnerable?

However well you understand your business, it will help to talk to other people

Analyse your business

- You need the fullest picture of complex interactions inside your organisation and between you, your customers and suppliers

- You can include expert knowledge about every part of your business.

- You can find out if any part of your business have plans or procedures to deal with a major incident.

- Gives you a chance to promote the BCM and get people involved.

- You will need a senior manager to own the BCM and be a “Champion”

Analyse your business

Who Should I Speak to and why?

The board and Senior Management Team

Department Manager

Facilities Managers

Anyone Else?

Assess the risks

There are two aspects to every risk to your business: -

- How likely is it to happen?

- What effect will it have on your business?

Business Continuity Management can help you balance them

There are three ways to provide an assessment of the risk: -

- Ask what if? questions

- Ask what is the worst case scenario

- Ask what functions and people are essential, and when

Assess the risksAsk what if? questions

What are useful what if questions?

Don’t forget people issues e.g. who is responsible for recording who is injured, missing etc.

How will you communicate after the incident?

What is the worst case scenario?

If your plan enables you to cope with a worst case scenario, it will also help you deal more easily with lower impact incidents.

Your worst case scenario will reflect what would be worst for your business. Generally the worst case will be something that completely stops you carrying out your business.

What functions and people are essential, and when?

To make an effective business continuity plan you need details of who needs to do what, when and where in the immediate aftermath of an incident.

Assess the risks

A function/time matrix is useful to show how quickly functions need to be up and running after a major incident.

Business Function

A          

B          

C          

D          

Timescale 1 Hour 1 Day 1 Week 1 Month Indefinite

Example function/time matrix

Develop your strategy

Check that the board and senior management agree with your analysis of the business risks and which people and tasks are essential.

This will give you an understanding of the appetite for risk within your organisation and allow you to choose one of the proven strategies: -

- Accept the risks

- Attempt to reduce the risks

Are you committed to reducing risk or do you prefer to take risks and have a comeback plan?

Develop your planContinuity plans should and will look different for different businesses. However most good continuity plans will share some important features, including: -

- Responsibilities

- Checklists

- Instructions for 1st hour after an incident.

- List of thought ideas for after the 1st hour.

- Document review regulatory

- Plan for the worst case scenario

Remember a good plan will be simple without being simplistic. You need to be able to react quickly without reading to much detail.

Develop your plan

Include information from outside your business such as: -

- Emergency Planning Officer

- Emergency Services

- Neighbouring Businesses

- Utility Companies

- Suppliers & Customers

- Your Insurance Company

Use the consultation as a PR tool; you take BCM seriously have commitment from all levels of staff and want to get back to business in the quickest possible time.

Rehearse your plan

Sometimes you only discover any weaknesses when you put a plan into action. Rehearsal can help confirm your plan is connected and robust if you ever needed it.

Possible ways to rehearse your plan: -

- Paper-based exercises

- Telephone Cascading

- Full rehearsal

Example from PDC

The last time we used our BCM Plan at PDC was when the electricity supply was wiped out due to the Fire at Nelson Stanley's scrap yard.

- No production, damaging reputation, damaging profits

- Potential damage to machinery causing more production problems

- Safety concerns

To ensure that the incident had as minimal impact as possible the following occurred: -

- Follow the 1st hour list

- Plan for the rest of the day/following days

- Inform staff, suppliers and customers where relevant.

Remember – In an uncertain world, you owe it yourself to be an organisation that is confident of being ‘back

in business’ in the quickest possible time. (Business Continuity Institute, 2003)