The primary purpose of a Business Continuity Plan (BCP) is to document how an organisation intends to respond to various incidents or events that seriously affect the organisation’s operation.
The aim of the BCP is to restore and resume critical and essential functions and processes as quickly as possible, to protect the organisation’s workforce, assets and reputation.
Some of the more typical incidents include fire, flood, storm damage and sustained power outage. Less common events might include civil disturbance, military action, economic disruption and pandemics.
Of course, the number of incidents or events that could occur is unlimited, although for most of them occurrence is improbable rather than impossible. However, as we're experiencing right now with COVID-19, even the most improbable events do occur from time to time.
The effects on an organisation might include partial to complete loss of production capability due to damage to its own or its suppliers’ facilities, limited or no access to computer systems, or the inability of some or most employees to get to work.
The effects of any particular event are essentially limited in number, constrained by the general nature of the event and the unique aspects of the organisation that are susceptible to it.
The scale or severity of the effect can be unpredictable but is normally graded somewhere between minor and catastrophic.
The organisation’s response to the effects of any particular event depends on the severity grading of each effect. Typically the higher the severity, the greater the urgency of the response activities.
The Key Elements of a BCP
Generically, a BCP should at a minimum capture the following details of each potential business interruption:
- Event / incident type: the nature of the event, such as an internet outage or a factory fire
- Incident prevention measures: the key activities, processes, technologies and anything else established to prevent or minimise an occurrence of the event
- Response trigger delay: the amount of time the effects of the event have to persist before the BCP is invoked and formal notifications issued
- Impact / effect: who and what in the organisation could be affected by the event and how, plus the severity of that impact and how it might vary over time or some other variable
- Response: what the organisation will do, how and when, to contain, control, minimise and recover from the event
- Stakeholder actions: who will do what and when to investigate and scope the event, then manage, finalise and implement the response to it
There are hundreds of BCP templates available online, varying in details required, format, layout and so on. Any organisation that already has a BCP in place is likely to have its own requirements and arrangements sorted.
Hard-won military wisdom has it that no plan survives first contact with the enemy. It’s not just because the enemy doesn’t behave as expected; it’s also because our side doesn’t either, or can’t, because the internal interfaces, weaponry, radio frequencies, other technologies and even policies often just don’t mesh.
And so it is with BCP. The worst time to be trying anything for the first time is in the heat of battle. It’s when you can find out the hard way that, no, not everybody uses a left-handed thingamajig, those guys there are using a right-handed doohickey. Who knew?
Scenario testing, desktop testing and dry-run testing are all approaches where different elements of a plan can be tested theoretically or practically, involving a few people or a lot. The only thing missing is the actual event. Its consequences and all the rest are simulated.
Regular testing also makes or keeps the stakeholders familiar with their roles and responsibilities.
There’s no time for time-wasting when the ship hits the sand.
The BCP will often need updating as a result of these tests, but also because the business environment, the organisation, its activities and risks change over time.
Dealing with COVID-19 in your BCP
If your organisation doesn’t have any sort of BCP, creating one to deal with COVID-19 is a good place to start.
If a BCP is in place though, it’s time to have a thorough review of anything in it dealing with infectious disease issues. These might have been prepared for the earlier outbreaks of SARS, MERS, Ebola, H5N1 bird flu or swine flu.
A large number of the issues created by COVID-19 might never have been seriously considered in the BCP. Alternatively, any considerations previously prepared about those earlier events might now look inadequate based on recent experiences with COVID-19 itself and governmental responses to it.
The COVID-19 issues centre around the effects on an organisation’s workforce, suppliers, customers, operations and contracts.
Each organisation needs to consider these issues from its own unique viewpoint and circumstances. While there is a huge amount of conjecture and commentary online and in the news, this can actually be confusing and prevent a clear and actionable plan from being formed.
Businesses have to stay focused on what they can control and prioritise the safety of their people and their ongoing operations.
Hidden Benefits of the BCP
It’s clear that an organisation will benefit greatly from having a regularly tested and updated BCP at hand. Sure, it takes a fair bit of effort, but so much less than trying to deal with a situation on the fly, by the seat of your pants. That could lead to ejection without a parachute, career-wise.
When the unexpected unexpectedly occurs, a much better outcome should be expected if everybody is familiar with what they have to do, when and why.
Preparing a BCP sooner is better than later, but better late than never.
One hidden benefit of a BCP is that it can give comfort to an organisation’s contracted or prospective third parties about the organisation’s preparedness for dealing with exceptional incidents and events, if and when they enquire about it.
Another hidden benefit is the converse of the first. A review of the organisation’s contracted or prospective third parties’ own BCPs could be a factor in the continuation or commencement of any arrangement with them.
A third party’s or the organisation’s lack of a BCP under today’s general state of uncertainty, even without the distortions induced by COVID-19, just might be a risk too far.