Business continuity management has been a buzz phrase for almost 10 years. Many companies still ignore it. Peter Viner gives a step by step guide.

Business continuity management has been a buzz phrase for almost 10 years. Many companies still ignore it. Peter Viner gives a step by step guide.

Insurance alone cannot protect your business against the effects of a disaster. It can do nothing about the fundamental cause of many business failures - the loss of clients and reputation which may follow a physical loss or major liability issue. There are also a significant number of uninsurable risks, as well as those that are not economically viable to insure. Insurance forms a small but important part of the overall risk management process of business continuity management. The complete process deals with the total risk management of a business in its broadest sense. Companies starting to produce a business continuity plan are often misled by the term itself. They place emphasis on completing the plan, rather than on the vital phases that make up 80% of the process. This process can split into several stages.

Phase 1: Awareness
You need to establish awareness within the organisation. "Top down - bottom up" is a good approach. Management must not only understand the principles and practices of the exercise and its on-going requirements, but must also be seen to endorse and sponsor the exercise throughout. This conveys its importance to staff.

You need to spell out the principles and subsequent benefits of business continuity management to the general workforce and, more specifically, to those individuals who may become involved. Employees as well as the company stand to gain from improved resilience against disaster.

It is important to encourage staff to buy in to the process. Their commitment is instrumental in making it a success. Two benefits that can result are improved employee relations and better internal communication.

Phase 2: Establishing the team
You need to select the individuals who will both lead and coordinate the business continuity management process. They will have to make the decisions that allow the company to weather a disaster.

Choosing the right people is vitally important. The future of your company may rest in their hands. It is not always easy. Telling a managing director that he is not best suited to a particular task may not be career enhancing. You should also pick and include deputies at this stage.

Phase 3: Risk identification, assessment and impact analysis
This is one of the most time consuming parts of the process, involving collecting a vast amount of data. It can also be a process for the enlightenment of management, since it will invariably lead to a greater understanding of the company, its vital processes and its constituent parts.

The first step is to establish which are the business-critical processes within your organisation. You can then draw up detailed lists of the critical equipment, personnel, and skills, and create flow diagrams of the dependencies on other processes, suppliers and customers. You should collate any other items that may be needed to maintain the process.

Once you have established which the vital processes are, and drawn up the critical resource lists and dependency diagrams, you should define what you consider acceptable and unacceptable risks to the company. You need to take account of the acceptable down times of a particular process, piece of equipment or machinery, and the availability or lack of back-up facilities, personnel, or equipment.

After this, your team should agree a system of risk categorisation in terms of probability and severity (impact). You should then draw up a list of risks with their probability and severity ratings.

The extent and types of risks involved will obviously vary considerably between different organisations. They may include physical hazards to property or equipment, risks to IT systems (both equipment and information), legal hazards, including compliance with statute or regulation, and reliance on key individuals or suppliers. Categorising the risks allows you to prioritise those which fall into the "unacceptable risks" area, which you have already defined.

Phase 4: Risk reduction, transfer, minimisation and removal
From the previous phases, your management/survival team should have established:

  • The critical processes within the organisation
  • Details of the resources required to make such processes function, including reliance and interdependencies
  • A prioritised list of unacceptable risks which need to be addressed.

    At this stage, you should allocate each unacceptable risk to an individual who will be responsible for researching potential counter measures. This will involve weighing up the costs and the ease of implementation against the likely benefits in terms of how far the chosen solutions will affect the probability and severity of the risk. Reports with recommendations should be submitted to the management/survival team.

    One of the simplest ways of reducing risk in connection with personnel and equipment is to have back-up resources available. You should assign deputies to research each critical position here.

    Your team should review the particular merits and disadvantages of each potential solution for minimising, transferring, or removing unacceptable risks. You can then reach a decision about each of them, which can be submitted for board approval and then implemented as soon as possible.

    You can address many of the risks in the "acceptable" category over a longer period of time, aiming to reduce them to an even lower level. However, it is critical to give priority to unacceptable risks.

    Phase 5: Planning
    You should now have reached the stage of drafting the plan itself. Your team will have most of the information and resources available that it needs. These include:

  • Details of all the critical functions within the organisation (including acceptable down times and dependencies)
  • Details of all the equipment that is required to keep the organisation functioning (including acceptable down times and dependencies)
  • Where appropriate, back-up resources (buildings, equipment, external suppliers, or personnel assigned)
  • Details of identified risks and their counter-measures where applicable
  • A management/survival team that is closely acquainted with the business's processes and its survival needs.

    You should incorporate these elements into a draft document in a format that is easily accessible and understandable. You should also establish a prioritisation call tree and process so that, in the event of a crisis, the correct individuals are contacted to coordinate your response.

    Where applicable, you can draw up broad-based plans in terms of procedures and tasks against threats, allocating responsibilities and time scales. However, in most cases, it is unwise to put together detailed plans for very specific scenarios - it is better to keep it simple and flexible. The principle of the plan is to establish a team of people who are capable of focusing on a particular problem, who understand its nature and extent, and can effectively coordinate the best recovery strategy.

    Phase 6: Plan testing and maintenance
    The plan at this stage is only a draft. You need to test it to ensure that the survival team will perform in the event of a real disaster hitting the organisation.

    Testing can take several forms and the type of test depends upon the organisation, as well as the resources available. It may be a full or partial test, or simply a check that measures such as back-ups and IT "systems mirroring" are actually available and working.

    It is advisable here to involve an external party -someone who understands the organisation and its processes and can both produce and manage a scenario. This allows an independent assessment of the effectiveness of the plan and the team's response. Once you have completed the tests and analysed the results, you can make amendments to the plan and produce the final version.

    From this stage onwards, maintaining the plan is vital. It should be a "living document". This involves regularly implementing or updating procedures that fit your organisation's needs. You should ensure that the plan takes into account any element of the business or its processes that changes. You should also test it regularly to check that it - and your survival team - remain effective.

    Business continuity planning management is not overwhelmingly complicated. But it does require the complete dedication of staff as well as significant support from management to make it effective. You can gain enormous benefits. Greater understanding of your organisation, its processes and functions, may well result in greater efficiency and cost savings, as well as providiing you with greater resilience to disaster.
    --
    Peter Viner is business development manager, Ark & General. Tel: 01543 877 701, email: main@arkgen.co.uk

    AIRMIC comments
    Floods which hit the UK and other parts of Europe in October emphasise the need for risk assessment, says David Gamble, executive director, AIRMIC. "The recent floods highlight the need for carrying out rigorous risk assessments when planning any commercial or public development in or near known flood plains. This is even more important given the accepted view that global warming is changing weather patterns in the UK so that we will have wetter winters and drier summers. If this happens, flooding will become more frequent and possibly more dangerous."