There is a popular saying that is often attributed to Benjamin Franklin: “Failing to plan is planning to fail.” This adage goes to the crux of the reason behind business continuity management.

Business continuity is about planning for potential future crises, emergencies or incidents. It will ensure your organisation can continue to operate in these circumstances. Given this, there is some overlap with emergency management (which addresses the immediate aftermath), crisis management (which is primarily characterised by incidents with serious reputational consequences), and ICT disaster recovery (which gets the critical ICT systems back online). We’ll delve more into those in a future blog post.

Common issues we’ve encountered in business continuity

Firstly, it can be easy to mix up important business functions with time-critical ones. Strategic planning is a classic example: it's essential for the success of any organisation, but it is not time-critical to deal with after an incident.

Secondly, some people don’t always see the value in developing a Business Continuity Plan (BCP) because it’s “common sense” and “we’ll figure it out if something happens.” There is some validity behind this. A BCP is not rocket science, and it is possible to figure out what to do after an incident or event happens.

But having a BCP in place will save time and minimise the risk of missing something. If your financial systems are down, nobody wants to run around trying to figure out what the backup processes are when you’ve got staff who need to be paid. It’s much easier to identify what these are ahead of time and make sure they’re written down in a place that is easily accessible: aka a BCP!

How to improve your BCP

Given the importance of BCPs, the following list provides some suggested ways to improve them based on our experience of common flaws:

  • Be specific in contingency plans: Where relevant, this includes identifying step-by-step backup processes, alternative contacts, etc., to ensure that the process or function continues to operate.
  • Include escalation criteria: Without specific criteria on what counts as something that would ‘trigger’ the BCP, anything and everything can become a business continuity incident. Usually the trigger points would be linked to your Recovery Time Objective and Maximum Tolerable Period of Outage, but there may be additional triggering events that you wish to cover.
  • Include a checklist: Often during and after an incident, it can be easy to forget what needs to be done. A checklist for managing a business continuity incident can help your response team run through the key actions smoothly.
  • Exercise the BCP annually: We recommend running a scenario-based workshop each year with all key stakeholders to test if the BCP is effective or not. This will help you identify gaps and areas for improvement, including if there needs to be additional training for the response team!
  • Keep it up to date: This is particularly important for the response team and their contact details, but also relevant if there are any significant strategic changes in your organisation that might affect which functions and processes are time-critical.

Scenario-based exercise

As mentioned above, we recommend running a scenario-based workshop each year on your BCP. There are lots of options for your workshop and you’d pick a different approach depending on your organisation’s level of business continuity maturity.

For example: if your organisation is very mature in business continuity management and you have a higher risk for potential incidents, you may wish to run an end-to-end exercise in real time. However, if this is the first time you’re running an exercise, you’d be better off going with a tabletop discussion. If your response team is not familiar with the BCP, then a “plan walkthrough”, which is where the team is divided into groups to discuss specific issues, may be more useful.

Some considerations for your BCP exercise include:

  • Getting the right facilitator. You want somebody who is experienced with business continuity exercises, has excellent presentation skills, knows your organisation and knows your BCP. However, the facilitator shouldn’t be part of your business continuity response team, as the team members need to participate in the exercise!
  • Developing the right scenario. The right facilitator will help you get to the right scenario, but it is important to ensure it focuses on critical risks for the organisation. It is also useful to build in additional elements to the scenario, as incidents will often evolve over time as more information becomes available. A good facilitator will usually have additional parts to the scenario in their back pocket, if needed.
  • Scheduling an immediate debrief. It is crucial to have an immediate verbal debrief on what went right and lessons learned. Leaving it by even a day may mean that participants forget critical points. This will help you shape and improve your BCP.

But most importantly, as part of the exercise, acknowledge that your BCP is a planning and reference document. It isn’t going to cover every potential scenario and if there is an incident, you will need to be adaptable. However, having one will maximise the possibility that you’ll be able to keep your essential functions running during an incident.

How we can help you

At Callida, we have extensive experience undertaking Business Impact Analyses, building Business Continuity Plans and running scenario-based exercises of Business Continuity Plans with multiple organisations, including the federal and ACT governments. We can help your organisation strengthen its business continuity so that you minimise the risk of being caught off guard during an incident.

Get in contact with us to discuss how we can help you:

(02) 6162 3339

info@callida.com.au

If you have any suggestions on future topics for this series, please contact the author on Dannya.Hu@callida.com.au or via LinkedIn


Callida © 2019 all rights reserved