Uncertainty - Are we really prepared for it?
Andy Taylor | Head of Management Services | November, 2021
​
Business continuity planning provides a framework for building resilience and the capability for an effective response that safeguards the interests of your key stakeholders, the reputation, brand and value creating activities of your business.
​
A glimpse at the current news headlines on almost any given day would have one believe that we are faced with a series of never-ending challenges that do nothing other than fuel uncertainty – long queues at fuel pumps, energy prices on the rise exponentially, containers stuck at ports to name but three. What will follow? Rather blandly, the answer is probably the next unforeseen crisis.
Perhaps when pondering the term that is now firmly embedded in our lexicon, the ‘new normal’, we should consider that what this really A glimpse at the current news headlines on almost any given day would have one believe that we are faced with a series of never-ending challenges that do nothing other than fuel uncertainty – long queues at fuel pumps, energy prices on the rise exponentially, containers stuck at ports to name but three. What will follow? Rather blandly, the answer is probably the next unforeseen crisis. means is constant uncertainty over the things that were previously taken for granted. A cynic might agree with the news headlines and say that we are just lurching from one unforeseen crisis to another due to a lack of foresight and preparedness and that on the surface, all responses to date have been far too reactionary.
​
Whatever the underlying causes, be they Brexit, COVID-19 or the climate crisis and the need to move rapidly to a net-zero carbon footprint, to overstretched and under-resourced supply chains, the result can be the same - a disruption to normal planned services, products and outputs.
​
Threats to business can come from a multitude of sources and they won’t be the same for all organisations. Commonly experienced incidents include, but are not limited to, the areas of:
-
Cyber
-
Infrastructure
-
Financial
-
Supply chain
-
Health and safety
Just as it is the responsibility of any government to ensure that the nation is safe, secure and has the conditions for prosperity (and all that underpins this from health, education to a strong economy and industrial base), it is also the responsibility of business leaders to do all they can to prepare their organisations for the disruptive event when it comes.
​
Rather than just react to the unexpected, would it not be better to plan for it and turn the unexpected into the expected? This is the underlying purpose of business continuity management. How an organisation defines its approach to risk management, and by association, business continuity management, will determine how resilient it is in the face of uncertainty.
​
Contingency Planning
A major part of the business continuity management plan and indeed the wider risk management process is the preparation of contingency plans.
​
In its simplest form, a contingency plan is the sum of the actions that an organisation needs to take to minimise the disruption following a detrimental incident that affects it in one form or another.
​
In its 2018 Good Practice Guide, the Business Continuity Institute (BCI) goes further and defines it as:
“The capability of an organisation to continue delivery of products and services at acceptable predefined levels following a disruptive incident.”
​
Some obvious initial questions fall out of this rather simple statement:
-
What are the products and services being referred to?
-
What is an acceptable level?
-
What constitutes a disruptive incident?
​
The answers to these questions should all be answered by the organisation’s analysis of what should be included in its business continuity plan and the policy that underpins it. This will have included activities such as;
-
The understanding of the strategic objectives of the organisation.
-
Developing and understanding which of the organisation’s products and services are beneficial to customers, recipients and interested parties and warrant continuity planning attention - e.g. securing, protecting, duplicating, replicating etc. Often these can be grouped under the following areas:
-
Systems - e.g. IT networks, infrastructure and tools,
-
Services - e.g. gas, electric, water, heating, lighting, telecoms, data, waste disposal etc,
-
Staff,
-
Suppliers and logistic networks,
-
Assets - e.g. physical infrastructure such as buildings, critical equipment and other assets such as vehicle fleets.
-
-
Threat horizon scanning. This can include not only traditional threats in terms of your customer's future requirements and by extension, the competition, but also the results from the regular evaluation of external factors that can affect the business such as political, socio-economic, technological, environmental, ethical and legal etc (for example SWOT and/or PESTLE/STEEPLE analysis outputs).
-
The development of the roles and responsibilities within the organisation to deliver this key function; the command, control and communication functions.
-
​
Once the policy is set there are essentially two stages to follow for managing business continuity; Preparation and Execution.
Preparation
​
Business Continuity Planning (BCP) comprises five stages:
​
​
​
​
​
​
​
​
​
​
​
​
​
​
​
​
​
​
​
Further to the BCP cycle illustrated above:
​
-
Risk Assessment and Business Impact Analysis - define the events that are going to interrupt the business output.
-
Prepare the detail of the contingency plans. These should cover four main areas of activity:
-
Immediate response to the interruption event
-
Stabilisation - activity to prevent deterioration of the situation
-
Recovery - the implementation of recovery or restorative activity
-
Resumption to ‘business as usual’
-
Communicate those contingency plans and ensure that all staff understand their responsibilities within these plans.
-
Rehearse the contingency plans. This can range from simple table top exercises designed to get staff thinking and talking about the plans all the way to full scale rehearsals (e.g. vulnerability testing, call outs etc).
-
Learn from experience and refine the contingency plans (from either rehearsal events or real circumstances).
​
Go again….start the cycle again.
​
There is a lot of detail behind each of these stages and with careful, joined up planning and input from all relevant stakeholders, the result should be a considered and useful business continuity plan that will give your organisation the competitive advantage at a time when it needs it the most.
Execution (or Invocation)
In the event that the business continuity plan needs to be invoked, there is no doubt that if the preparation phase is done well, then the execution phase will be made easier.
​
However, it is not in itself a guarantee that all will be well on the day. Two major things to consider here:
-
There is always the chance of a curveball being thrown. If it is, adaptability and agility are critical in retaining the edge during the execution phase. Adapt the plans to the situation as it is presented and not the other way around.
-
When to invoke the plan? It will differ between organisations, as their appetite and response to risk and threats will be unique. However, six broad decision points should be considered:
-
What is the estimated time required to restore the interrupted service/function and does this breach your recovery time objective?
-
What are the service-level agreements in place with critical suppliers and have these been reviewed and tested?
-
When the recovery time is uncertain, what is the point in time by which the decision must be made to invoke the business continuity plan if the disruption cannot be resolved within recovery point objective timelines?
-
Has the disruption occurred at a critical time of the month or year, and what is the worst case scenario?
-
How long does it take to have any standby facilities ready to allow work to continue?
-
What are the recovery priorities and are they based on achievable recovery times?
Organisations will also need to consider when to return to ‘business as usual’ and call an end to business continuity arrangements being in place.
​
Conclusion
By way of conclusion, it is worth remembering what was said by two people who knew a thing or two on this subject:
-
The first is attributed to Sir Winston Churchill: “He who fails to plan is planning to fail.”
-
The second is attributed to Lord Baden Powell, the founder of the Boy Scouts movement: ‘Be Prepared’.
What is certain is that by conducting rigorous business continuity management planning, an organisation is following the time and tested advice from these two great leaders, thereby ensuring that your organisation will be a resilient as it can be in the face of uncertainty.
​
In addition, the likelihood of achieving a more positive outcome from the effects of the interruption event that could otherwise have been catastrophic, will have increased significantly.
Further advice can be found in a range of standards and guides that deal with business continuity, a summary of which are here:
-
ISO 22301:2019 - Security and resilience. Business continuity management systems - requirements.
-
ISO 22332:2021 - Security and resilience - Business continuity management systems - Guidelines for developing business continuity plans and procedures.
-
ISO 27031:2011 - Information technology. Security techniques. Guidelines for information and communication technology readiness for business continuity.
-
BS 12999:2015 - Damage management. Code of practice for the organisation and management of the stabilisation, mitigation and restoration of properties, contents, facilities and assets following incident damage.
-
The Business Continuity Institute Good Practice Guide 2018 Edition.
A well-developed, structured and rehearsed business continuity plan (BCP) will assist your business in recovering from an incident as quickly as possible when faced with a risk.
​
Get in touch with to see how you can harness our extensive experience in risk and business continuity management to support your business.
​