Business continuity planning is an increasingly important exercise used by businesses to check their exposure to internal and external threats. It is used to ensure effective prevention and recovery for the business whilst maintaining competitive advantage.
A business continuity plan is a roadmap for continuing operations under adverse conditions.
A well-developed continuity plan has enormous value for the organisation beyond the obvious – the ability to respond speedily, smoothly and cost-effectively to significant changes in the environment. The development of a comprehensive continuity plan will:
- Focus the company on identifying what risks exist and the levels of that risk;
- Enable the company to review the overall objectives of the existing plan in the light of the risks identified (especially their impact on company KPIs);
- Assist in creating strategies to manage and mitigate risk (prevention being far cheaper than cure);
- Review the existing information system to clarify whether it can identify failure early (early correction is far cheaper and easier than late) and correctly (taking the right action for the right reasons rather than the wrong actions for the wrong reasons), and whether it can forecast significant changes in the risk environment (controlling change rather than reacting to it is always more cost-effective);
- Establish a set of actions/policies which are in line with the problem (this is the concept of graduated response – as problems grow worse, more severe actions need to be considered, but it is often early and small changes that prevent larger difficulties occurring in the future);
- Formalise continuity plan actions into standard operating procedures (SOP);
- Provide for the integration of continuity plan actions into company-wide induction and maintenance training to ensure rapid and effective response, and link with outside agencies where necessary;
- Create a framework which can be continuously reviewed and updated, with post-event analysis incorporated into best practice.
Software exists to assist the company in the creation and management of continuity planning, but an initial manual approach is advisable – otherwise the company either over- or under-plans its responses.
Risk
Two golden rules should be followed in assessing potential risk: "What can go wrong, will go wrong" and "If it cannot go on, it will not". An initial assessment of possible risk components should be as broad as possible, covering those that have a high probability of occurring and those that have a high impact on company performance. These will vary over time and for specific industries. The worst group is obviously those that have both high impact and high probability – such as fuel prices in the airline industry. Formal or informal benchmarking can help establish what other organisations consider as their main risk elements and this can further assist in creating an objective profile.
Impact on objectives
One of the more useful aspects of continuity planning, and one little discussed, is its relationship to the structure of the overall plan. The creation of the plan should lead managers to consider the impact of changes in risk on the probable level of organisation performance. As the level of environmental risk increases, so will the risk of not achieving the plan objectives. What level of risk is acceptable to stakeholders? Does a changing level of risk imply the need for changed objectives? For example, a high probability / high impact risk would be a recession for a consumer goods company – should not this imply a changed set of objectives from perhaps aggressive to conservative?
Managing risk and budgeting
As the development of the continuity plan identifies the major risk components, management can consider each with the following questions:
- Can we design it out entirely or partially? (for example, premises design/location can significantly reduce the impact of fire, flood, access, employee productivity, health);
- Can we mitigate it through the implementation of the correct disciplines? (for example, project failure can be mitigated through accurate design and effective monitoring or customer loss through programmes such as customer satisfaction audits);
- Can we share the risk? (credit insurance for example).
Each of these actions will involve cost. Some of this will be essential – such as fire doors – but much of it will be discretionary. Decisions will have to be made as to the level of investment that the organisation is prepared to make to control and manage the risk – often not easy when resources are limited. As contingencies, by their very nature, do not occur when expected, the organisation needs to budget for them – and this obviously relates to the level of risk inherent in the environment. Where the risk is low, the set-aside can also be low. Where it is high – for example in start-up high-technology ventures – the additional resources should be considerable. In an existing company, a review of unexpected expenditures over a three-year period will give a good starting point for setting continuity budgets, while benchmarking and industry experience will give similar indications for start-up companies.
Information Systems
A second important impact of the continuity plan on overall business and development efficiency is the review of the information system. It will emphasise the need for information gathering, correlation and review processes to meet specific company requirements.
Some failure is obvious and easy to identify, but much can be quite complex. For example, loss of electricity supply is straightforward; employee fraud is often far more sophisticated. The review of the information system should initially concentrate on high probability / high impact areas and ensure that changes in these criteria can be identified as early and as accurately as possible. Once this has been achieved it is important to ensure that the data provides access to the real problem.
For example, company sales may be in decline. Is the real reason that the product/service is uncompetitive? That quality has declined? That sales force / marketing effectiveness has declined? That the economy has changed? That there is a problem with a major customer? There is little point in spending money on sales promotion, for example, if the real reason is that a major customer has liquidity problems – that will be resources poorly spent.
Finally, the information systems should be reviewed to clarify whether they can provide reasonable forecast data in key areas that need to be managed. Does the system provide accurate information on high probability / high impact trends? Does it need to be strengthened? What research and/or additional systems do we need to carry out? What are the associated costs? Primary research can be very expensive – is there adequate secondary research available?
Action policies
The concept of the trigger point is important in establishing action plans and policies. At what stage should you take action? If sales decline by 2% – is it within the normal range of variance or does it demand correction? Each company will have different requirements and different market circumstances. The continuity plan needs to establish:
- when the button is pressed;
- what action should be taken at that particular point;
- what action is next to be taken should the situation further deteriorate;
- who is responsible;
- how they will report;
- who they will report to;
- how the organisation will measure that “success” has been achieved (however “success” can be measured).
These must be realistic: the organisation must be able to carry out these actions – unless it has the resources to do so, the plan will be useless.
The important continuity plans need to be formalised and incorporated in documentation so that staff are aware of the plan demands and what actions should be followed. The simplest health check within the organisation is to ask managers a series of simple questions – what do you do if x, y or z happens? If they cannot answer, it is clear that there is a requirement for the creation of standard operating procedures available throughout the company to guide actions and decisions. Where a continuity plan is complex, it is unrealistic to expect individuals to remember the detail – but if they know that it is available both in written form and ideally on the company intranet, they will be able to access and use it rapidly.
The other advantage of the standard operating procedure for the continuity plan is that it will provide an audit trail to ensure that specific tasks have been completed – important both for internal and any external review.
Staff forget; when they join an organisation they need to become aware of its operating procedures. In both cases, the incorporation of the continuity plans into training makes sense, as part of an induction framework or as regular reminder or maintenance training.
Circumstances change, and every organisation can learn from experience. Reviewing and updating continuity plans is essential – and where a plan has been used, a post-plan review makes obvious sense so that improvements can be incorporated while lessons are fresh in the mind. Incorporating the continuity plan into the monthly review ensures that changes are made where necessary and that the key high probability / high impact areas receive constant attention.