Business continuity strategy is an organisation’s structured response to the concerns that keep the chief executive awake at night. Whatever form disruption takes – from IT failure, fire or flood to supply chain disruption or cyberattack – an organisation needs a strategy to mitigate its effects and rapidly restore operations.
As UK businesses reflect on a year of pandemic-driven upheaval, business continuity is a hot topic. Whether as a large multinational corporation or a small charitable organisation, the need to plan for the unexpected and make the organisation resilient to disruptive events has never been more apparent.
Organisations must also bear in mind that there is no guarantee that a crisis will happen in isolation. Recent history has shown us instances of devastating wildfires, followed closely by catastrophic floods and the onset of a pandemic. When disasters like this strike, how a business responds is critical to its survival. The Business Continuity Institute estimates that one-quarter of organisations that are hit by a disaster never recover.
Yet, despite the high stakes, many business leaders do not know how long it would take to recover the products, services, processes and systems on which their company depends, or whether this can be achieved before the existence of the business itself is put in jeopardy. A business continuity strategy helps organisations answer these questions to identify, analyse the impact of, and respond to disruptive events.
Business Continuity Compliance and Best Practice
For some sectors, having a business continuity strategy is not just a good idea; it is a regulatory requirement. For example, any organisation governed by the Financial Conduct Authority is obliged to design, maintain and regularly validate a robust business continuity strategy.
Similarly, any organisation designated as a category one responder under the Civil Contingencies Act 2004 is required under law to have a business continuity management programme in place to ensure they can continue to provide their services in the face of disruption.
The UK Corporate Governance Code specifies risk management as a central duty of the boards of listed companies. Therefore, directors are responsible for ensuring a plan is in place to respond to risks that become a reality.
There is no regulatory requirement for private companies and third-party sector organisations to have a business continuity strategy in place but, as recent experience has demonstrated, it is strongly advised.
In terms of what best practice looks like, the International Standards Organisation Business Continuity Standard ISO22301:2019 sets out the “requirements for a management system to protect against, reduce the likelihood of, and ensure your business recovers from disruptive incidents”. Achieving this standard is a valuable target for larger organisations. It can help meet the demands of legislation such as GDPR, which stipulates a timely response to information security incidents.
While the achievement of the full standard may be beyond the resources of smaller businesses, its principles can be a useful template to inform a proportionate approach.
Business Continuity Planning Frameworks
The International Standard tells an organisation what it must do, but it does not prescribe how the business should go about doing it. Moreover, there is no “one-size-fits-all” business continuity strategy; every organisation is unique, with different risks and potential threats to address.
This is evident when we look at the uneven impact the pandemic has had in the UK. For some sectors, it has been a case of adapting to employees working from home or sourcing PPE to continue operating. Others, such as the hospitality and beauty industries, have been shut down entirely. Clearly, different sectors – and even different companies within the same sector – face varying exposure to disruptive threats and must plan accordingly.
That said, while each organisation must adapt the strategy for its own situation, there are recognised frameworks and guidelines that can help shape an effective principles-based approach. The Business Continuity Institute provides a set of good practice guidelines to assist organisations in following the key steps of the business continuity management lifecycle. Additionally, in acknowledging the differences in scale and scope between large organisations and SMEs, the Institute also provides a “lite” version for smaller organisations and those taking their first steps into business continuity management.
The Business Continuity Management Lifecycle
Developing a business continuity strategy is not a one-time, isolated activity. The environment in which organisations operate changes all the time, meaning the strategy must evolve to remain relevant. Therefore, business continuity management is an iterative lifecycle with two management practices and four technical practices:
The Analysis phase comprises the Business Impact Analysis and Risk Assessment. The Business Impact Analysis (BIA) is the foundation of an organisation’s business continuity strategy; if it is not done accurately, the final business continuity plan may not be fit for purpose. As the Business Continuity Institute explains, the BIA “identifies the urgency of each business activity undertaken by the organisation by assessing the impact over time of an interruption to this activity on the delivery of products and services.”
The BIA aims to help the business understand how long it can withstand a disruption to its various products and services, and to the processes and activities that enable their delivery, before its ability to recover is irrevocably compromised. This is the Maximum Tolerable Period of Disruption (MTPD). Using this information, the business can determine which of those products, services, processes and activities must be prioritised for recovery should they become disrupted. A business must also consider low-priority items that the company can manage without should a crisis hit.
Additionally, the BIA must be objective. When asked how important their operations are to the business, every department is likely to say that their domain is mission-critical. Still, ultimately, a hierarchy of importance dictates the urgency of response when disruption strikes. The BIA helps businesses understand the speed and order in which different elements need to be recovered when disruption strikes. This informs the financial resources needed to implement the business continuity strategy. The more elements that must be recovered rapidly, the more expensive the solution is likely to be.
The BIA is followed by the Risk Assessment, which analyses the potential causes of disruption to an organisation and the likelihood that they might take place. These range widely from site-specific threats, such as the flooding of a factory located close to a river, to generic threats like industrial disputes, cyberattacks and human error. It is also useful to study crises that competitors in the same sector have faced and learn from their recovery experience.
As well as the organisation and sector-specific threats, businesses should assimilate broader information on general threats to business continuity. The UK National Risk Register is maintained by the government and analyses the UK’s relevant threats and the likelihood of them occurring. This includes climate emergencies/extreme weather events, terrorist activity, supply chain failure and mass health events, such as COVID-19.
Another useful resource is the BCI’s annual Horizon Scan report, which documents incident trends experienced by organisations and looks ahead to those anticipated in the coming year.
Based on the Analysis phase outcomes, the organisation must design a strategy describing how it will protect the business from the identified risks. The BIA will have identified the key individuals and departments that have roles to play in response to various disruptive scenarios; these must be involved in strategy design to ensure it is viable.
The design may identify where investment is needed in contingency planning to cover threat scenarios such as ICT disaster recovery, pandemics, alternative site provision and/or work-from-home support for displaced employees. The design phase may also identify where the business needs to diversify its supply chain to avoid unacceptable fragility.
Alongside the operational elements, strategy design should also include a plan for communications in the event of a disruption. This will incorporate both internal and external audiences, the channels that will be used – including backup channels for senior personnel communications if ordinary channels are disrupted – and a chain of command for message delivery. The aim is to deliver clear, accurate information to the audiences that need it in a timely way.
Once designed, the business continuity plan is created. This is where step-by-step contingency plans to address specific incidents are prepared, and required investment is undertaken. Examples might include:
- Plans to recover from a civil disturbance.
- A major fire in a headquarters building.
- A cyberattack.
- The effects of extreme weather events.
Organisations will have contingency plans to deal with the broad range of events that could affect their operations.
4) Validation – How Do I Know That My Business Continuity Strategy is Successful?
The only way to truly know that a business continuity strategy will work when the organisation faces a live disruptive incident is to validate it. This can be achieved by executing a programme of tests, exercises, and rehearsals. The last thing a business wants to discover is that a critical element has been overlooked when facing a crisis. To avoid this, regular validation is vital, but it is an area where organisations typically fall down when executing their business continuity management strategy.
“One of the oldest axioms within the field of business continuity planning is that a plan that is not tested or maintained is of little value, or in some cases worse than no plan at all.”
– Armit, 2007, p. 323
Validation exercises aim to find out whether plans are fit for purpose and uncover gaps or weaknesses. While it is not advisable to test all aspects of a business continuity plan simultaneously, regular testing of different scenarios also helps to engage the individuals and teams involved when a live incident occurs. These may be individuals from different departments who don’t typically work closely together but who need to form a working relationship that they can rely upon when the pressure of a crisis strikes. By taking part in validation exercises, they begin to build confidence and corporate memory.
Validation exercises can be as simple as a tabletop exercise where plans are scrutinised or more sophisticated, involving larger groups in workshops with “live” inputs such as news updates that mimic an incident’s unfolding.
There is an important caveat to any testing that has the potential to disrupt a live environment: organisations must consult their commercial insurance providers before they undertake an exercise, as policies may not cover incidents that arise through deliberate disruptive testing. Immediately following a validation exercise, all participants should be consulted about what went well, what didn’t work and what could be improved. This could be as simple – but critical – as realising that the only person with the key to the backup server facility was on holiday on the day of the test, or no one knew the code to disable the burglar alarm.
Validation exercises are an opportunity for teams to rehearse what to do in the event of a disruption, so their ability and confidence grow in preparation for when it happens for real. They are enormously valuable and fundamental to the business continuity management lifecycle. These four technical practices are supported by two management practices: ‘Policy and Programme Management’ and ‘Embedding the BCM Culture in an organisation’.
Who Should Be Involved in Business Continuity Management Strategy?
It is vital that business continuity has a board level sponsor to ensure it receives the necessary profile in the organisation. Beyond this, larger businesses should have a designated management lead. For smaller organisations, business continuity management may be part of a wider role, but it must be given clear focus within the responsible person’s job description; it should never be simply “tacked on” to another role.
All parts of the organisation may have roles to play in business recovery – depending on the nature of the disruption. For a long time, the focus had been on IT systems, but organisations are now far more aware of the human factors and wider business issues – such as supply chain disruption – that are contingent on recovery following an incident.
The business impact analysis will have generated a list of departments and operations that are a priority in a disruptive scenario. All the key figures in those departments need to know what will be expected of them in the event that the business continuity plan is activated and, as mentioned above, they should be regularly engaged in validation exercises.
How Often Should Business Continuity Strategy Be Reviewed?
If the strategy is to stay fit for purpose, it needs to adapt to changing circumstances. That means whenever there is a material change to the organisation, such as a merger or acquisition, the launch of new products or services, or a change in key suppliers, the BIA should be re-examined to identify whether the changes have introduced new concerns. That is why maintaining your BCP is essential.
Business continuity experts recommend that, even in an environment where there has been no major change, the BIA should be reviewed annually; the outside world continues to change, and new challenges are constantly emerging. If, as a consequence, changes to the BIA are found to be necessary, or new risks are identified, the BCM Strategy and plans may need to be updated.
The organisation’s business continuity policy statement, which confirms the adoption of a business continuity strategy and sets out its approach, can be reviewed less frequently. However, if there is a significant change in approach or the content of the strategy, this must be reflected in the business continuity statement.
In today’s complex and uncertain environment, business continuity strategy is now getting the level of attention it deserves across all sizes and organisation types. By adopting a structured approach and incorporating the business continuity lifecycle into planning and management, organisations can increase their resilience to disruptive events and put themselves in a better place to survive and serve customers, partners and employees.
The author and Diligent would like to thank Robert A. Clark, business continuity expert, for his support and advice during this article’s research. Clark is the author of several publications on Business Continuity, including Business Continuity and the Pandemic Threat, published in 2016. He is a Fellow of the Institute of Business Continuity Management, a Fellow of the British Computer Society and a Fellow of the Institute of Strategic Risk Management. For more information, please visit his website.