While you can never have 100% of the details and permutations worked out ahead of time you can have a framework available for dealing with crisis events, a plan for the essential business functions, and contractual arrangements in place for critical requirements for your business, at the very least.
When most people think of Business Continuity Planning1, they consider that if their Information Technology Department has a plan for disaster recovery then they have addressed business continuity. While for many businesses these days IT plays an essential role in supporting the business, your business’ actual requirements for continuity are usually much more than just IT.
The recent events in April and May 2010 in Bangkok meant that many businesses, their staff, their customers and the general public experienced disruptions which many had not experienced before.
In reality, only certain physical locations of Bangkok were directly affected, while the vast majority of people in the rest of Bangkok and the country tried to continue with their lives and businesses. However, many found that as Silom and Sathorn were directly affected some businesses in those areas virtually shut down for a 2-3 week period, with some for longer than this. As the business district, the affects of the disruption on these businesses were felt much wider.
For example, one of the smaller retail bank’s head office is in the one of the areas most affected by the events of April/May and for security reasons the physical access to the building was very restricted. This meant that their staff could not get access to their office and documents. While the bank’s branch IT systems were operating, some business functions such as loans were adversely affected. I am aware of a couple who had to put their house sale on hold for 2 weeks as the loan officer of this retail bank could not get access to the loan documentation he needed in the head office. The purchaser and the purchaser’s bank were not affected and were ready to go ahead with the sale and purchase. The delay ended up costing the couple 2 weeks extra in interest because the bank could not complete the transaction on time. The couple is bitter about this bank’s lack of business continuity planning regarding access to the head office and the bank’s total disregard of the couple’s position by charging them interest on the loan for that period, while clearly it was the bank at fault.
So in this example, the bank’s IT systems were not affected but the inability to gain physical access to the office and a hard copy of documents meant that certain business functions could not continue. When you undertake a business continuity planning project, the business needs to identify the essential business functions and the period of time before a disruption has a detrimental affect on the business. Usually this high level discussion takes place with the stakeholders and senior executives, who are more aware of the impact of certain consequences, such bad publicity, public embarrassment, lack of communication or no clear communication, legal or regulatory compliance default, etc. Generally these consequences are sometimes hard to quantify into monetary terms but can have a greater effect on the business and its reputation.
In my experience, businesses do not clearly identify their essential business functions, then walkthrough these functions to determine what the requirements to support them are. This is mainly because this takes time and requires very busy senior executives to be involved in the discussions and decision making process. Many businesses are looking for a quick fix to their business continuity issues. The more diverse your business or complex your functions interactions with other parties (i.e. internal and external to the organisation), the more time the business should spent contemplating the business impact analysis2 (BIA) before putting a plan in place.
A number of people have suggested a business continuity plan is like insurance. If you have it, it gives you peace of mind. But you do not really need to use it until you have a crisis and by then it is too late. And if you need to use the plan, it better be up to date and achieve what you want, otherwise it will give you false hope.
I have seen businesses copy another business continuity plan and basically only change the cover, or buy a software application tool which takes a couple hours to produce a business continuity plan. In both of these cases, the plan did not bear close scrutiny from an experienced business continuity professional but were superficial in appearance to get a “tick” from the auditors. However, generally the auditors these days will also ask, “when was the last time you properly tested your business continuity plan?” But the key point is the plan would not have achieved what the business required in a crisis and the impact to the business would not have been minimised.
So a few of my suggestions are:
– to make sure you have a business continuity plan which has been based on a recent business impact analysis
– to check when the last time your business continuity plan was updated. Most plans need some revision each year and should take into account any significant changes in the business, organisational structure, systems, customer services, etc
– to ensure that you have a copy of the business continuity plan in an offsite location should you be unable to enter your primary office location
– to ask when was the last time the business continuity plan or parts of it, such as the disaster recovery plan (DRP3), tested. There should be testing performed at least each year as this helps
familiarise your staff with what is needed to be done and what to expect, and generally also identifies changes that need to be made to the plan which tend to go otherwise unnoticed
– to check whether your plan is comprehensive enough. Most business continuity plans are made up of several plans or sections. For example, you will usually have a plan for crisis management, and health and safety, i.e. dealing with an event, how to assess the crisis, who should be involved, and how to make sure everyone is accounted for and safe. Out of a crisis assessment, it may be decided to invoke the business continuity plan, such as moving to an alterative business location. – An example of this, was that one of my clients had a call centre in a building. An office two floors above had a fire and everyone was evacuated from the building. An immediate crisis assessment determined that it was going to take most of the day for the fire department to extinguish the fire and declare the building safe to reoccupy. Also given the location of the fire, the fire department mentioned potential water damage to the offices of floors directly below. So they determined very quickly to invoke their business continuity plan which included rerouting incoming customer calls to the alternative switch board and sending essential staff to the alternative office location. All other staff were asked to go home and work from home, if required. All key performance indicators (KPIs) for the business were still met. Fortunately the water damage was not that extensive and they were back in the primary location by the end of the following day.
– if you really want peace of mind, then you should ask an experienced business continuity professional to review your business and business continuity plan. It generally takes a third party who is experienced enough to ask the key questions and identify the shortfalls in your plan.
Are you feeling confident that you are prepared? Or should you take some action to prepare before a crisis event?
1. Business continuity plan or BCP is usually a set of plans which as a minimum address the business requirements for essential business functions in a crisis or disaster situation and the recovery of the functions back to business as usual. The objective being that if the business continues to operate its essential business functions for a definite period under a BCP the impact on the business is minimised and any effects will be tolerable.
2. Business impact analysis (BIA) or sometimes referred to as a business impact assessment, is the exercise of determining how much “pain” or adverse impact can the business sustain and for what period of time; what are the essential business functions; what are the requirements of the essential business functions to keep operating; and when does the business need to be back to operating as business as usual.
3. Disaster recovery plan or DRP is usually a term used for the plan for dealing with a disaster and recovery of IT systems and services. The plan is usually very comprehensive, such as addressing the method of backup and the offsite storage of backup electronic files; storage of key hard copy documents; the recovery of operating systems and supporting software, application software, and data; and covering contractual arrangements, hardware, network, and communications, people, support services and secondary operating site (if applicable).