Business Continuity Management
Be prepared, and have a Business Continuity plan
New Government legislation called the Civil Contingencies Act 2004, has given Local
Authorities the duty to provide businesses and voluntary organisations with advice on Business Continuity Management. This duty aims to ensure our local businesses are able to quickly recover from disruptions. A resilient business community creates a resilient County.
What is Business Continuity?
Business Continuity is a management process that provides a framework to ensure the resilience of your business to any eventuality, to help ensure continuity of service to your key customers and the protection of your brand and reputation. It provides a basis for planning to ensure your long-term survivability following a disruptive event. Business Continuity Plans need to be clear, concise and tailored to the needs of the business. Unplanned events can have catastrophic effects and the disruptive incidents can come from accidents, criminal activity or natural disasters.
Business Continuity should become part of the way you perform business. It is better to plan for incidents, which may affect your business, rather than having to "catch up" when a problem occurs.
Business Continuity needs to be considered by small companies as well as larger corporations. If you are a smaller business, not all of this leaflet will apply. However, the key principles are the same for multi-nationals and small traders. There are five steps to the Business Continuity Management process. See below for more information.
Step 1 - Understand the vulnerabilities of your business
What are the key activities of your business?
What are the activities in your organisation that, if they were to be stopped for any reason, would cause the greatest impact upon your business?
Impacts may be on cash flow, reputation, and meeting legal and statutory requirements.
How are these activities delivered by your organisation? What processes are in place and what resources are used to support them? Resources may be:
• People
• Plant and Machinery
• Premises and Furniture
• Computing and Telecommunications
• Data and Information
• Suppliers and Distributors
Some key questions to ask are:
• Who in the organisation is essential?
• What equipment, IT, telecoms and other systems, does the organisation need to be able to function appropriately?
• Who does the organisation depend on to carry out key activities?
• Who depends on the organisation?
• Are there any service level agreements, legal or regulatory obligations on the organisation?
• Do disaster recovery, business continuity and emergency plans already exist and do they cover the key activities?
• Are there any natural fluctuations of operational activity e.g. Month-end for payroll, or end of year for accounts?
How long can your business manage without key activities?
It may be that the impact would be felt immediately, after several days or it could escalate over time. Understanding the time it would take for the organisation to feel the pain from the impact is important as this will dictate what you need to concentrate on first.
Consider for each of your Departments
How essential is the department's work to the overall performance of the business on a day-to-day basis?
Risks
Having identified the resources needed to deliver your key activities it is important to consider the likelihood that these resources would be lost, i.e. what are the risks to these resources?
Always try to consider the worst-case scenario when carrying out your risk assessment. This will mean that less serious incidents will be easier to manage. To identify risk you must look at the vulnerable resources of your business, as well as considering some of the more generic "what if?" scenarios.
For example - "What if the power failed?" "What if a virus wiped out our IT system?" Look for single points of failure in your organisation.
The essential part of a Risk Assessment is that you ask two simple questions for each risk that you identify:
1. How likely is it to happen?
2. What factors can reduce the likelihood or effect or mitigate the risk entirely?
Step 2 - Define your business continuity strategy
Once your key activities and resources have been identified together with the associated risks, it is now important to determine how you will manage these risks.
The following lists of strategies are those that are more commonly applied:
• Accept the risks and change nothing
• Attempt to reduce the risks
• Attempt to reduce the risks and make plans to restore key activities as soon as possible
• Cease the activity altogether
All of these approaches will need a detailed plan outlining the arrangements for the incident.
You should also consider how quickly recovery would need to take place for the strategic areas of your business or various departments.
It may be useful to draw a chart of the timescales involved in re-establishing certain functions.
One essential decision is how you respond to risks that cannot be reduced.
Step 3 - Develop your plan
Your business continuity plan should contain the key areas as listed below. This is not an exhaustive list and you may find other key pieces of information that may be required as part of your strategy.
Roles and responsibilities
• Identify who needs to take responsibility for each action, including deputies to cover key roles.
• Identify a Recovery Team and a coordinator.
Incident checklists for key staff
• Use checklists that readers can easily follow.
Initial stage
• Include clear, direct instructions or a checklist for the crucial first hour following an incident.
Following stages
• Include a checklist of things that can wait until after the first hour.
Document review
• Agree how often, when & how you will check your plan to make sure it is current.
• Update your plan to reflect changes in your organisation and in the risks you might face.
Remember, always plan for worst-case scenarios.
If your plan covers how to get back in business if a flood destroys your building, it will also work if only one floor is flooded.
Information from outside your business
Consider getting specialist information on the roles of other organisations that may be involved in the emergency such as:
• Landlord
If you rent your business space, find out what plans and assistance your landlord or management company may be able to provide
• Neighbouring businesses
What are the activities carried out by your neighbours?
Could an incident at their site impact on your operations?
• Utility companies
Telephone, electricity, water, gas.
Find out what they will need to know and what their emergency supply procedures and targets are.
• Your insurance company
What information do they need from you?
Do you need their permission to replace damaged critical equipment immediately?
Will the existence of a Plan reduce your premiums?
They may also be able to give you advice.
• Suppliers and customers
How will you contact them to tell them you have been affected by an incident, and what their critical timescales are?
They will be affected by your decisions, so involve them if you can and they may be reassured by your planning process.
Do critical suppliers have business continuity plans in place to ensure they can supply you if they are disrupted for any reason?
• Emergency Planning Officer
Find out what your local authority would do in response to a major incident.
• Emergency services
What information will the emergency services require from you.
How can you help them by ensuring access routes, and providing information (key holders etc)?
Points to remember
• Make your plan usable
• Do not include information that will be irrelevant or can be accessed in other places.
• Use existing organizational roles and responsibilities and build on them in the plan.
• Specify the escalation of the plan.
• Who decides when to invoke the special arrangements and who manages the process?
• How will the stand-down process be managed?
Step 4 - Cultural Change
It is essential to have the active support of the senior team in your organisation. It is possible that during your planning you will have the opportunity to convince your staff of the importance of Business Continuity Management and promote the concept internally and externally.
With this approach Business Continuity becomes the normal process of day-to-day activity.
Business Continuity must be included in the preparation of new contracts, partnerships and business processes.
It is every manager's responsibility to ensure Business Continuity is an integral part of their normal business activity.
Step 5 - Rehearse your plan
Testing and rehearsing your plan is one of the fundamental parts of contingency planning. It gives you an opportunity to test the arrangements and principles of the plan in a "safe" environment, without risk to the business. There are various levels of rehearsal or evaluation that can be used. They will obviously vary with cost and value, however, a planning lifecycle should allow for periodic tests of different types.
Table Top exercise
Test your plan using a 'what if?' written scenario.
New pieces of information can be added as the scenario unfolds, in the same way that more details would become clear in a real incident.
Communications Test
With or without warning, a test message is sent out to everyone at the top of the call cascade lists in the plan(s).
An audit can then determine how well the information was communicated through your organisation.
Full rehearsal
A full rehearsal will show you how well different elements in your plan work together, which may not have become clear when you tested the individual parts.
However, this can be an expensive way to test your plan.
What have you got to lose?
If you do not have a Business Continuity Plan, you may be at risk of
• losing work to competitors,
• being exposed to failures in your supply chain,
• suffering loss of reputation and
• higher insurance premiums.
Business Continuity affects everyone
• customers,
• staff,
• the community,
• the economy.
www.businesscontinuity.com
Tidak ada komentar:
Posting Komentar