As the COVID pandemic and lockdowns started in 2020, some organisations were more ready than others to adjust to the crisis. My observation of businesses over the past year is that those organisations that had a business continuity plan (BCP) were better off than those who didn’t.
Many organisations didn’t have a BCP then; and some still don’t.
Even those who had a BCP might not have foreseen the specific crisis of a pandemic and societal lockdown; however, a plan based on other scenarios (fire, flood etc) would still have contained many of the critical elements needed in those early days responding to the crisis.
One organisation I have worked with said that they had planned for a chicken pox outbreak in one of their residential care facilities. Whilst this wasn’t about COVID-19 or a pandemic, their plans did address another infectious disease.
So, what is a Business Continuity Plan?
The BCP is one of the risk mitigation strategies that organisations should have in place to address external risks – which can be a low likelihood event with high consequences.
Put another way, a BCP is a document that will help to prepare the organisation and management to run the organisation following a critical incident or in an emergency type situation.
Templates and model documents can always be helpful, but the number one thing when considering what to put in the BCP is to reflect your own business context. That is, your structure, roles and responsibilities. Your key contacts. Your business activities and the dependencies from different systems and infrastructure.
Where the BCP covers multiple sites/locations or regions/states, consideration should be given to different levels of planning to accommodate local versus whole of organisation events. For example, a regional manager ought to be able to deal with power loss at a regional office, whereas the CEO or Board would become involved in crises that affect the whole organisation.
Writing the Business Continuity Plan
Management should develop a BCP, reflecting the range of potential event scenarios that the business might need to ensure its continuity through. For example: flood, fire, theft, infectious disease, loss of power or other utilities, etc.
When writing a BCP, we suggest that the document will include at least the following:
- Scope of the BCP – e.g. whether the whole organisation or a particular site/location
- Analysis of potential threats, including:
- Types of event scenarios (e.g. power/comms failure, cyber attack, fire/flood/weather event, pandemic)
- Impacts on the business – operational and service delivery, workforce and technology
- Identify key business areas (e.g. business units/support functions) and their requirements
- Identify critical functions, and any acceptable downtime for each
- Review the dependencies between the critical functions and key business areas
- Proactive strategies that will be put into place to prevent crises or reduce their impact – for example, having a backup internet connection or data backups.
- Members of the business continuity team with their roles (including alternates in the event of individuals being unavailable), areas of responsibility and contact information.
- Emergency contact information:
- Internal contacts such as Board, executives and key staff
- External contacts such as phone and internet provider, utilities providers, insurance company, bank(s), IT support, public relations, legal, funders or regulators.
- Incident response plan including:
- How the plan is activated
- Likely strategies to respond to the event
- Communications needs – internally (with staff), Board, customers, other external parties and media (if required)
- Recovery plan including:
- Step-by-step process of recovering and reinstating the business operations to a pre-disaster state, including assessing the damage, estimating recovery costs, working with your insurance company, and monitoring the progress of the recovery process.
- IT recovery plan, taking account of the different systems and how each would be brought back online (i.e. server based versus cloud based systems; remote working versus at the office).
Reviewing and Updating the Business Continuity Plan
Whenever you have a business interruption, no matter how small, it is worth reflecting on and learning from the experience. This might be as simple as business being interrupted by the power or internet going off for a couple of hours and needing to adapt to keep staff working and continue providing services.
I’d suggest that you run a small meeting or workshop or just take 15-20 minutes out of a normal team or manager meeting to consider from the business interruption:
- What worked well?
- What didn’t work well?
- What would you do differently in future?
Talking about or whiteboarding these questions will give you ideas for improvements to make to the BCP. As you deal with each interruption or crisis and reflect on the learnings to update the BCP, then you make sure you are better prepared for next time, with the learnings customised to your organisation and context.
Even if you haven’t had a business interruption or crisis, at least once a year, management should review and test the BCP, such as through role play with relevant stakeholders of a risk event scenarios; and address any lessons learned through an update of the BCP.