Business Continuity Planning

Business continuity planning is a process by which a system of prevention and recovery is created in order to minimise damage from potential threats. Disasters that organisations must be prepared for can include fire, flooding, cyber attack and many more. The business continuity plan outlines procedures an organisation must follow in the face of any of these disasters, and ensures that personnel and assets are protected and can function quickly and effectively in a crisis.

Threats and disruptions can result in loss of revenue and high costs, which leads to a drop in profitability. Being prepared for and able to handle any incident effectively can have a positive effect on your organisation’s reputation and market value, as well as increasing customer confidence.

Business Continuity Planning during COVID-19

With the uncertainty afforded by the ongoing COVID-19 pandemic, having a business continuity plan in place is more important now than ever before. Implementing an updated and effective plan is essential to workplace resilience in the current environment.

Developing a business continuity plan that accounts for COVID-19 related disruption helps businesses assess the impact of the pandemic on its people, processes and profits. Therefore, damages and recovery times following any threats can be minimised.

Critical activities to consider during the ongoing pandemic include: ranking and prioritising processes, opening communication channels to understand changing demands and requirements, and preparing for emergency re-negotiations.

The anatomy of business continuity planning can be split into 5 steps: risk assessment, Business Impact Analysis (BIA), business continuity plan development, strategy development, and testing and maintenance.

Step One: Risk Assessment

There are two aspects to be considered during the risk assessment stage: how likely is it that any given threat will occur, and what is the effect it will have on the business. This involves evaluating already existing control measures and assessing communication plans before and during crises. The findings from this evaluation will help to devise a roadmap for the business continuity plan.

It is at this stage that worst-case scenarios should be identified. If the plan provides a strategy for the most severe disasters, it will also help to deal with lower-impact incidents.

Step Two: Business Impact Analysis (BIA)

This process identifies the impact of a sudden loss of business functions, enabling organisations to look at its processes and determine those that are most important, and identify any interdependencies between them. This information is then used to make decisions about strategy and recovery processes.

Critical company assets that could be affected during disruption include information and data, equipment, personnel, suppliers, finance, and transport and logistics.

The BIA should look at how each of these activities will be affected and determine the Maximum Tolerable Period of Disruption (MTPD) and Recovery Time Objectives (RTO), which refer to the speed with which a situation can be recovered and the maximum time passage before the interruption causes significant harm.

Step Three: Business Continuity Plan Development

This stage involves reviewing preventative measures and monitoring systems, as well as developing company, divisional and site level plans as required.

A common business continuity planning tool is a checklist comprised of supplies and equipment, the location of data backups, where the plan is and who has access to it, and contact information for emergency responders and key personnel.

In the development stages, the plan should be reviewed with key stakeholders to agree their role and requirements.

Step Four: Strategy Development

Strategies and solutions need to be developed to cover any potential threats Strategy development will help to reduce the likelihood of disruption; shorten the period of disruption; limit the impact of disruption; and ensure the resources necessary to deal with disruption are available.

A response structure needs to be established in which responsibilities are assigned to personnel, plans are activated, a communications strategy is developed, and Recovery Time Objectives are met.

Step Five: Testing and Maintenance

A business continuity plan must be tested on a regular basis to truly know whether it will work. Testing can be done using table-top exercises, structured walk-throughs, or simulations – all which help to ensure that any weaknesses are identified.

As technology evolves, staff members come and go, and working environments change, plans must be updated and tested further.

A business continuity plan must be applicable to many different risk scenarios and reviewed on a regular basis.

What is ISO 22301?

ISO 22301 is an international standard providing a practical framework for setting up and administering an effective business continuity management system. The standard helps businesses to understand threats and mitigate damage, specifying the requirements for a management system that will protect against, reduce the likelihood of, and ensure recovery from disruptive incidents.

What are the benefits of ISO 22301:

• Identify and manage threats to your business
• Take a proactive approach to minimizing the impact of incidents
• Keep critical functions up and running during times of crises
• Minimize downtime during incidents and improve recovery time
• Demonstrate resilience to customers and stakeholders

The impact of disruptive incidents on business can be substantial, regardless of the size of the organization. Business continuity planning helps organisations to identify potential threats and quickly overcome any disruption, thus improving workplace resilience.