Escape from disaster?

Despite the number of potentially harmful events of recent times, many businesses have still to develop and implement effective business continuity management plans. Helen Morris of Marsh offers a potentially timely reminder

Having effective business continuity/disaster recovery plans in place can make the difference between a business surviving or failing following a major incident, such as a fire or a flood, according to a joint survey by the British Insurance Brokers’ Association (BIBA) and the Cabinet Office.

Events triggering business continuity arrangements are not as uncommon as you might think. In the last two years we have seen riots in many UK towns and cities, the impact of volcanic ash clouds, and the threat of swine flu, in addition to more common threats such as fire and flood.

Of those respondents to the BIBA survey who had suffered a disaster, the majority stated that having a business continuity plan in place was essential to their ability to keep trading, or reduced the cost of the disruption significantly. Sixty two per cent also said that having a business continuity plan provided benefits in terms of premium discounts, reduced excesses and doors opening to new insurance markets.

All of which makes having a business continuity plan seem very attractive, doesn’t it? Yet many organisations still choose not to develop a robust business continuity plan. The underlying reasons for this can be many and varied, of course, not least the organisation’s overall attitude to and appetite for risk, but surely it makes sense, particularly during difficult economic circumstances, to establish effective recovery arrangements should the worst happen?

So why the reluctance to develop and implement effective business continuity? As previously mentioned, the organisation’s stance on risk plays a part: “If it ain’t broke, don’t fix it”; or “We’d just roll up our sleeves and get on with it if we had a fire – we’ve done it before!” are both expressions used as reasons for not developing business continuity arrangements. There can also be a tendency to imagine that incidents leading to protracted business disruptions will never happen, although a casual glance through the newspapers often provides evidence of the contrary. It is also a question of time pressures and perceived priorities.

We are not suggesting that all organisations should suddenly embark on a lengthy, possibly costly and time-consuming programme of business continuity management. Rather, the aim is to provide a few helpful ideas as to how to develop and implement effective (and cost-effective) BCM.

There are a number of factors to consider when starting out on this particular journey, for example:

• Is there anything already in place?
• What should the end result look like?
• Does the person or group tasked with implementing BCM have any experience or training in it?

That last point isn’t supposed to be a facetious one. It might be useful to gain at least some basic knowledge before starting out. Talking to others (both inside and outside the organisation), attending a BCM training course, and finding out how others have approached this can help. It’s easy to become overwhelmed with detail, so try and make the distinction between what’s important and what isn’t.

When implementing BCM for the first time, it can be difficult to determine what “good” should look like. It will have little value if it is simply a paper exercise achieving a rubber-stamped BCM, but neither do you want it to become a project that never ends.

Too little detail and the plan can look over-simplified; too much detail and people’s eyes may start glazing over. In neither case are you likely to achieve an effective feasible solution in case of an actual incident. The ideal end result falls somewhere between the two.

The Business Continuity Institute’s Good Practice Guidelines provide an excellent starting point. When designing plans, it’s important to think carefully about their structure.

• Should this be a suite of documents or a single booklet?
• Should it be formatted in Word or Excel, or any other software package?
• Will flow charts and diagrams be included?
• How will it be kept up to date?
• Who will keep it up to date?

At this stage, thinking about the look and feel of a plan can underpin exactly what information is included.

In order to make plans more robust, it’s important to include some sort of “incident response” section. If such plans already exist, they could be linked to the BCP.

Possibly the most important aspect of any plan is in documenting who should be communicated with, during and following an incident. For example, at the time the incident occurs, it may not be immediately necessary to talk to clients, but it might be imperative to find a quick way to let employees know what’s happened.

The key is in determining who should be communicated with at each stage of an incident’s life span. Document this simply somewhere in the plan. This could be done in chart form, using a simple spider diagram, or even by capturing this data and holding it separately, electronically.

Perhaps the most complex aspect of building a robust plan is in developing an effective recovery. This is often the point at which many planners get a little stuck. There seems to be a perception that it’s a lot of work for very little return – after all, the incident might never happen. However, if a thorough business impact analysis has been undertaken, the key points of this, or at least a brief overview, can be included in the recovery section of the plan.

The important thing is that everyone understands just how much effort is going to be required to recover interrupted activities following an incident. This is something outside “business as usual”, and it’s probable that lots of extra time, effort and resources are going to be needed. For example – should the recovery strategy be to build a duplicate office in five days, or would it make more sense to have reciprocal emergency arrangements with another firm, have working from home arrangements for colleagues, and/or hire serviced office accommodation and move salvaged files and equipment there?

Think carefully about what makes sense for the organisation – and do not forget internal administration functions. If it’s important to have the finance department sitting with the payroll department, then make sure that’s written into the recovery section.

Some of the most effective plans (and the shortest!) don’t actually provide this detail in the plan itself; they simply refer to it, sometimes by stating where the documents are held or by including a hyperlink. Most emergency response/incident response plans are usually well rehearsed, so it might reduce effort and duplication by simply referencing these plans. If no plans of this nature currently exist, it’s a good idea to undertake some sort of risk assessment to determine what the most likely or probable physical threats or scenarios might be, and plan the response accordingly.

Having developed plans, it’s important that they are owned, managed and maintained by either a central department or pre-determined individuals. It’s sometimes difficult to decide who this should be. It’s not always the case that the person who wrote the plan is the correct person to maintain the plan, so it’s worth thinking about who would be most appropriate to do this. It will depend very much on the organisation’s size, geographical reach and culture.

The main point is that the plan should remain very much a living document, something current, that everyone knows about, understands and is familiar with, to the point of being able to use it should an incident occur. Consider having a link to it on the firm’s intranet, or briefing colleagues at team briefings. Some organisations have added business continuity to their induction process, so every new starter understands its importance and their role.

Log on

Complete the CPD quiz accompanying this article (providing 0.5 units CPD) on Marsh’s new website for Scottish solicitors: www.marsh.co.uk/scotlaw