Phil Thompson, head of BPIF Business, says insurance companies are looking for more rigorous risk management plans following the winter floods. Here’s his business continuity health check.
We have seen how unpredictable the weather can be and some print companies have been affected enormously. However, it is not only those that suffered from the floods that are having to face up to the consequences; insurance companies are now increasingly looking for more rigorous business management plans to ensure that if a company is impacted by either natural disaster or human error, it could manage the situation effectively and quickly.
So a business disaster recovery plan should be high on your agenda, even if the floods left your business physically unscathed.
It is easy to say: “Nothing major will happen to us,” but the statistics and recent experience suggest otherwise. Fire is identified by most people as a ‘risk’, but it’s only one risk among many hundreds. It’s not the most likely risk to impact your business either. “We’ll be okay whatever happens,” you might think, but actually a high proportion of companies fail within two years of a major disruption – despite having an insurance policy.
You should plan for disaster continuity and for recovery. Both aspects play an integral part in any effective business continuity management (BCM) plan. What is important, however, is that you should plan for specific actions, not just create a document that sits in a drawer.
If you want to get started down the BCM route, you first need commitment - this programme has to start with the top management and be communicated down. And BCM should become an agenda item at any board meeting, just like health and safety.
Planning from understanding
You can only start planning when you understand your business processes in the context of BCM. So:
- First analyse what kind of continuity all your stakeholders would expect if there was an interruption to your business. Clients are clearly key stakeholders, but you should also consider employees, suppliers, shareholders, etc.
- Then carry out a business impact analysis by identifying key products and services that if disrupted would have the greatest impact on your business. Focus on these first. You will need to consider the role of other parties as well, such as suppliers.
- You need to consider the maximum amount of time your stakeholders could manage without these key products or services. You also need to set a realistic recovery target time (RTO) for them. These timings will need to vary according to different times of the day, month or year.
- Now do some process mapping. What are the processes and resources necessary to deliver and recover the key products and services? Don’t make any presumptions.
To give an example of why it is important to get this right, employees are stakeholders who expect to be paid whatever the circumstances. Monthly payroll is critical and at month end it may be necessary to have an RTO of being able to pay them within 12 hours of a major disruption. Your ICT recovery plan may not deliver to this RTO, but you could easily develop an alternative plan that does.
Having carried out such a consultation, you might well find you need to take action to make the plan work or work better. These actions form part of your continuous improvement objectives.
In addition to specific recovery plans, your BCM plan should also include:
- Clearly defined responsibilities.
- Details of how the plan will be made available - and to whom.
- Vital information that must be immediately accessible as part of the plan, such as contact details for clients. You shouldn’t rely on your ICT recovery plans to retrieve this information.
- An escalation process for invoking the plan, and a ‘stand-down’ process.
- Communication strategies, particularly those that relate to stakeholders, including the media.
- Alternative temporary locations for recovery processes and production.
Developing a BCM plan should be seen as just a start. Training is essential for any plan to be effective. Those with responsibilities within the BCM plan must be fully apprised of their role and equipped with all they need to deliver it. And finally, like any management system, formal review of the BCM system is important.