Business Continuity Management (BCM) usually involves having a contingency plan in place should disaster strike, to ensure that essential functions can continue during and after the disaster, and to minimize the disruption by avoiding the impact of an unplanned interruption of service.
One of the most well-known precautions that companies take is to have off-site IT backup. But this is only the first step that most companies will need to take.
The objective is to prevent interruption of critical functions and to return to normal functioning as soon as possible. It is impossible to envisage and guard against all the potential events that could interrupt business as usual. So the key to effective planning is to consider the loss or non-availability of key resources, no matter what the cause.
First of all, the critical functions and processes necessary to keep the business running need to be identified. Each business-critical function should have its own contingency plan, independent of the others, which allows it to maintain essential services.
The plan describes how the organisation will deal with a disaster and the precautions it takes to minimise the effects and allow the business to return to normal.
Developing the BCM plan
A Business Continuity Management Plan sets out clear roles and responsibilities, nominating staff assigned to manage liaison with customers, employees and the emergency services.
It lists contingency plans to enable key business activities to continue in a crisis and also details emergency procedures to ensure employees’ safety.
To develop the BCM plan, the management team need to identify the parts of the organisation that they can’t afford to be without. Depending on the business, this may include maintaining information, stock, offices or other buildings, protecting staff, accessing key pieces of equipment, or the ability to communicate with remote teams delivering a service.
The team first need to identify the business’ key products or services, and the critical activities and facilities required to deliver them without interruption.
Then they will need to identify the risks to the critical activities and facilities, and then consider how they can maintain these critical activities in the event of different types of crisis.
Should we use consultants to develop the BCM plan?
There are consultants who will develop a BCM Plan on behalf of a management team. But apart from the cost involved, they are not as well placed as the management team themselves to understand how the company works, and what the critical functions are.
An added advantage is that, if the management team are involved, they will have “buy in” to the plan, and an inherent understanding of it. They will have personally been involved in developing the process, and will probably achieve a greater understanding of how the business works in the process.
They will also be in a position to evolve the plan as the business changes, grows and adds new technology. They will be in a strong position should the plan ever need to be implemented, as they will know and understand it.
A compromise might be to use an outside consultant to mentor the management through the process, which will afford some experience to the project, keep costs low, and involve the team at every step.
The minimum the BCM plan should include
The BCM plan should include:
- BCM plan leader – name and contact details
- Nominated management team who will make key decisions
- Team members’ contact details
- Nominated meeting point
- List of business critical functions, with summary of necessary details
- Recovery plan outline
- Arrangements for telephone diversion
- Employees’ emergency contact numbers, next of kin names and contact details
- Resources required, with appropriate details e.g. staff, work area, IT, telecommunications
- Contact details for agencies nominated to support recovery e.g. outsourced third parties
- Address of nominated recovery site if applicable
- Contents and storage location of any offsite disaster pack, or IT backup, vital records, any offsite records
- Contact list of major customers, suppliers, and subcontractors
- Team cascade list, to allow dissemination of information to staff
- Network infrastructure plans, factory floor plans, any other technical information
- Any specific risk hazard, such as chemicals in the factory
The BCM plan may be hard copy, or software based. In the latter case it should be backed up offsite, perhaps by an independent third party. In either event the plan should be readily available offsite to whoever needs it, and in a format that is quick and easy to access, so time is not wasted in an emergency going through the rationale for the plan.
Each person required to take specific action should be able to immediately access the part of the plan that lists their urgent actions.
Business Impact Analysis
The team will analyse the impact on the business if provision of key products or services were disrupted for a short term such as a few hours, a medium term such as a couple of days, and also a longer term, say two weeks. This will enable the team to assess how tolerant the business will be of a disruption to delivery, and how soon normal activity must be resumed to avoid damage to the business.
This will enable them to determine what resources are needed to maintain services at an acceptable level.
From this information the BCM strategy can be developed, and implementation plans put in place.
These plans should be regularly reviewed, all staff must be made aware of their existence, and new staff should receive training. Plans should be validated by discussion of scenarios, and exercises should be held to check plans are still relevant and robust.
Handling the media
Today, among the most feared incidents are terrorist attacks such as 9/11, or the Charlie Hebdo attack, which are staged to draw the attention of social and news media.
Other difficult-to-handle events, such as product withdrawals or product tampering, require careful media handling, and an understanding of how events can spiral out of control in the hands of news or social media. It is important that the media are fed information, or they will speculate.
There is often a standing instruction in larger organisations that all staff should refer press queries without comment to a nominated contact in the organisation, who should be able to respond quickly on behalf of the company. This prevents a member of staff giving incorrect or damaging information, or an adverse personal opinion, to the media.
If there is an outline media crisis plan in place, it can quickly be adapted to the current crisis. The company needs to show that it is controlling the situation, carrying on with business and that there will be no long term effects for the company.
Media should be handled in such a way that the company assures the public it sympathises with those who have suffered, and apologises. It also needs to be open about what went wrong and what action is being taken.
For these reasons a company will probably choose to have a crisis media plan. This will include when and what to say to the public, and develop an appropriate press release.
The plan will also nominate one or several spokespeople, who may be a PR representative, an executive of the company, or even a service user.
The plan will deal with all outlets, such as print and broadcast media, online and the company’s own website.
The business may have a group of “friends” outside the company it can call on to speak in support of it at difficult times. They might be politicians, partner companies, suppliers, celebrities, or clients and customers. They might make a statement, or offer support on social media.
So companies can, and should, take some action to prevent disaster striking them and to plan to mitigate the events of a crisis.
All staff should be aware of potential threats, and sensible precautions should be taken to avoid, for example, letting strangers into the building. All offices should have at least minimal door security.