Many people think that business continuity planning is a well-defined process that can be followed with a “tick the box” approach. The reality is very different. Although there are several key steps involved in the development of a business continuity plan, the development process should be thought of as a framework for creating capabilities rather than a highly detailed process that produces a document.
Step 1: Understand your organisation’s priorities
The first step is to consider the operational priorities of your organisation, how these priorities would be impacted by a range of disruptions (loss of IT systems, loss of workplace, loss of staff availability etc.) and how quickly the organisation would need to recover before those exposures would become unacceptable (i.e. before the situation developed into a full-blown crisis). A business continuity practitioner normally refers to this step as “business impact assessment).
Step 2: Understand your current capabilities & available resources
This step is essentially a gap analysis – having understood what you need to be able to do, you then need to establish whether your organisation has the intrinsic capabilities to achieve it. This will answer questions like:
Could we continue to work is our normal place of work was unavailable for a period?
Can we recover our IT systems in sufficient time to mitigate financial losses, meet contractual obligations and maintain customer goodwill?
Do we have sufficient flexibility within our workforce to respond to situations that could cause significant unavailability of staff
Do we have the resources to accommodate alternative working practices
Step 3: Develop Response & Recovery Plans
One thing to avoid at this is stage is the development of “document heavy” plans – which never tend to get used
For most organisations detailed plans are only required for critical functions within the organisation (that is those areas that are directly responsible for supporting the operational priorities mentioned earlier) and those people who will be directly involved with the overall incident management. The majority just need to know what to do and where to get information during a major incident.
Plans should not be written in narrative form – they should be written as guidance of key activities to be undertaken in exceptional circumstances, Checklists and visual aids are much easier to use in pressurised situations that large narrative-based documents.
Step 4: Build the Business Continuity organisation
There are two main aspects of the organisation at a business continuity planning level.
The establishment of a business continuity steering group to ensure that business continuity capabilities remain relevant to the organisation’s requirements and can be relied upon if activated.
The individuals who will collectively respond when an incident occurs and adopt specific roles to manage the incident
Step 5 Oversight & Assurance
Oversight and assurances processes ensure that the detailed processes and capabilities can be relied upon in a major incident. Oversight and assurance activities should include:
- Periodically capabilities and available resources to confirm that these arrangements are still in line with recovery needs
- A change management process was adopted for critical activities to enable a more in-depth consideration of any changes to operating models
- IT Failover tests to ensure that IT systems can be recovered within the required timeframes and to gain assurance that these capabilities are still working correctly
- Regularly sending staff to at work area recovery facilities to ensure that systems and applications could be operated normally
- Remote working “stress” tests to ensure that the remote access capabilities are capable of supporting a large number of users.
These five steps are the key stages in establishing business continuity capability for any organisation. The objective of business continuity management is not the production of a weighty document – it is an ongoing activity with an overall objective of building and maintaining resilience and recoverability into an organisation.
If you need help in putting together a business continuity plan, we can help. We have experience supporting hundreds of organisations with their business continuity requirements.