Why having a business continuity plan needs to be a priority

Source: Howden

Read time: 5 minutes

Picture this…. your team are at a key stage in a product launch. Much of this is digital design, coding, and critical online activity. Then boom! There’s a major network failure. Or further down the line, a physical product is about to go to market, but the shipping containers containing all stock and parts are stuck in a port halfway across the world due to a local trading dispute. Or perhaps there’s a virus outbreak amongst your employees causing a surge in absence??

The question is, do you and your operations team have a plan in place to deal with all or any of these scenarios? And if not, what’s your business survival strategy?

What is business continuity planning?

Business Continuity Planning (BCP) is all about having a formal process in place to deal with all the scenarios above and a whole lot more – including the more day-to-day elements like a change in supplier or office layout. In essence, any circumstance that alters or changes how and when you work needs a Plan B (or even a C and D).?

And a BCP isn’t just a fleeting concept – it’s a serious management discipline that sits alongside risk management, compliance, information and cyber security, as well as health and safety. Each of these should be treated as important, functional business pillars. While not necessarily bottom-line critical, without one of them, there is the possibility of organisational failure, or even collapse. To put this into real figures, in 2022 it was reported by the Business Continuity Network (BCN) that one in five businesses suffers a major disruption each year, and an estimated 80 per cent of those affected face closure within a month of the incident.?

However, with a strong BCP in place, a business team or organisation is better placed not just to deal with and solve the situation, but also to answer questions from customers, suppliers, employees, stakeholders, and shareholders, as well as the media.

Mark Robinson, Consultant at Inoni, a trusted partner of Howden Risk Management writes: “Having a written, tested plan of action means those responding are (literally) all on the same page, sharing deadlines and priorities, ensuring that vital interdependencies are picked up and acted on. Conversely, in a major incident where the leadership team has no plan, they have a choice of either reacting individually on their instincts – with unpredictable results, or consuming vital hours in meetings attempting to plan and communicate whilst the business awaits their potentially flawed decisions.”

To put a definition of BCP into a single sentence, Inoni describes it as this: ?

A systematic process involving planning and preparation that ensures we can respond acceptably to any operational emergency affecting the business. 1

Examples of when a BCP is needed:

By recognising and understanding the main incidents and triggers for a BCP to be implemented, you can then tailor your own so it meets the needs of a situation should it happen. Common reasons are:

• Supply chain failure or breakdown: You don't have access to stock, equipment, or services when needed or expected, whether that’s caused by that international incident or a petrol shortage in your region.
• Utilities outage: You’re left without electricity, gas, water, or network and internet access.?
• Cyber incident: A cyberattack paralyses your network, releases a virus, takes down your website, or compromises customer data.
• IT infrastructure failure: A programming or configuration error, or critical component failure deadlocks your core systems.
• Onsite incident: Whether it’s the escape of a potentially dangerous substance, flood or fire damage, an accident on the factory floor, or an unforeseen occurrence at one of your premises calls for the swift execution of a backup plan.
• Industrial action: If some or all of your employees decide to strike, picket, or protest, are you prepared with a response?
• Outbreak of illness: We know from the pandemic that businesses of all sizes were, on the whole, blindsided by the very sudden impact of COVID. Should this happen again, will your business be better prepared?
• Negative media story: While this is often as a response to one of the above, reputational salvage can be a reason alone for a BCP. If the negative activities of an employee or team become public knowledge or business practice is called into question, do you have a PR plan to mitigate this and a single defined person who will lead media communications?

What should a BCP cover and contain?

The main value is to have a proven documented response for every conceivable business event, whether that involves premises, people, stock, supply chains, machinery, IT and communication systems, logistics networks, or brand and organisational reputation.

The BCP is required to clarify what is the “Plan B” and operational coping strategy for interruptions to the above. Primarily, what is the cleanup and recovery plan, and how will operations continue or restart?

For example, if there’s a data breach a BCP will need to state how this can be limited and contained, how this will be communicated, and what measures can be implemented to ensure it doesn’t happen again.

Or if a supplier shipment is delayed or goes out of business, do you have a secondary source arranged in advance that can step in, and is there an arrangement to defer payments until the order is fulfilled? By having the strategy for this mapped out in advance, you’re greatly reducing risk while simultaneously increasing faith from your customers that they’re in safe hands to receive their goods.?

It’s also important to distinguish and separate a BCP from an IT disaster recovery plan (DRP), which only focusses on technology recovery, and Enterprise Risk Management which addresses non-operational existential risks. In the simplest of disruptive situations, a BCP may amount to simply moving one department to a new office in the same building – but a process and timeframe still needs to be adhered to.?

It’s also advisable that a BCP is regularly reviewed and tested to ensure it’s up to scratch and meets the evolving requirements of your business. The testing element may involve drills and fire alarm practice, sending out comms or newsletters to customers, employees, and suppliers, and even getting feedback from these groups.

Simply writing the BCP highlights assumptions and blockers whose time to resolve might leave the business high and dry. If you don’t plan and instead simply react, it’s easy to overlook or assume solutions to barriers you’ll encounter along the way. Some of those barriers may prove insurmountable. If you have a BCP, you not only find the barriers but also have time to design workarounds.

Why having a business continuity plan matters

A BCP is more than the metaphorical first aid kit that appears only when you need to treat a wound. This example of continuous activity should be built into your policy framework, business guidelines, and processes. It should also be subject to regular scrutiny and review to ensure it meets all possible circumstances.?

Putting a BCP plan in place is rather similar to taking out a life assurance policy. It’s not something that anyone wants to use, but it needs to be there, just in case. Of equal value, having a stable and recognised BCP is very reassuring to shareholders, regulators, customers, suppliers, and employees – all those people who may be affected or concerned if it needs to be utilised. And for potential customers and investors, a BCP can play in your favour as they consider whether you’re a safe and reliable business partner.

With so many sound reasons to either formulate a BCP for the first time or take a second look at your existing one, we’ve listed some of the many reasons why it’s a ‘must have’ rather than a ‘maybe’:

1. Eliminates sudden, knee-jerk responses to circumstances that may do more harm than good.
2. Recovery and response deadlines are calculated, reducing excessive spending or risk and ensuring you’re efficient and organised at all times.
3. Capability is clearly stated, so your people have a clear direction in times of crisis.?
4. Resilience, recoverability, and robustness are reflected in the BCP and actions that follow.
5. A strong BCP may save a life, with emergency procedures and first aid processes in place.
6. Insurance value is enhanced, as a watertight BCP may reduce the need for a business interruption claim.
7. Customer, investor, and supplier confidence is boosted as all three recognise that their money is safe, and bills will be paid – even during challenging times.
8. Brand value and company reputation are both safeguarded.
9. Supply chain security, and therefore order fulfilment, will not be completely derailed under most circumstances as there is a backup plan or route in place.
10. Your business is ready for sudden change, prepared for the unexpected, and able to control and minimise losses and downtime.?

But while much of the above is about how others are affected by a change in your operational and commercial circumstances, the key beneficiary is your business and the people within it. A BCP provides reassurance, guidelines, and compliance at a time of, or in a place of, uncertainty.?

Prevention as part of the BCP cure

There are some additional factors in favour of the BCP that are more aligned with BAU, but equally support the requirement to have a plan:

• A BCP has the potential to identify vulnerabilities, risks, and weaknesses before an incident takes place, which may help your business avoid some destabilising situations altogether.
• Time saved is never time wasted. If something happens and the business follows a plan, then nobody is running around in a panic, getting in the way of recovery, or searching for a guidance document.
• A regular review of security systems – both cyber, building, and fire – means that if there is a weakness or fault, it can be identified and addressed.
• A BCP that is well-known and easily accessed, equals increased efficiency. Employees become familiar with processes daily, rather than simply following emergency protocols – possibly in a heightened state of anxiety – if an incident occurs.

Business continuity planning is not a “one-and-done” task. As requirements shift, global situations make more of an impact on local operations, and cybercrime picks up a malign and rapid pace, there are new areas to plan around and consider. And again, let’s not forget the seemingly more mundane business activities like an office move or even a change to a logo or brand strapline that may have an impact.

By taking on board all of this via a structured BCP, you not only mitigate for a plethora of risks and outcomes, but you build a more resilient, forward-thinking business in the process. Offering solutions rather than waiting for the answer to appear in a moment of panic can turn a potentially damaging moment into an opportunity for thought leadership and positive action.

If you’d like to find out more about how you can effectively implement a new or stronger BCP, please get in touch.

1 A Practical Guide to Business Continuity Planning - An Introduction (inoni.co.uk)