Business Continuity, Preparedness and Disaster Recovery

When unexpected and challenging events arise that disrupt operations, there can be severe impacts to an organisation. Such situations can result in lost revenue, higher expenses, a hit to brand reputation, loss of customers or even affect the safety and wellbeing of employees.

A focus on Business Continuity

In a time of crisis, there are business continuity strategies that can improve organisational resilience. This planning can assist throughout all stages of a crisis, including prevention, preparation, responsiveness and recovery.  

Regardless of the size of an organisation, or the industry they operate in, every business should dedicate the resources to thoroughly prepare for a variety of unexpected events. Preparedness is not something to take lightly. The more prepared, the higher the chance of returning to normal business operations in a shorter time frame. 

Using the right Standards can provide guidance and a framework to develop and implement strategies to build resilience to disruptions and prepare a business for a variety of scenarios.

What is a Business Continuity Plan (BCP)? 

A business continuity plan are the processes, policies and strategies put in place in order to prevent and recover from disruptions. It is a documented, best practice approach that guides an organisation to be proactive and recover or resume usual operations.  

A BCP aims to increase the resilience of an organisation to help protect the business, employees and assets. A proactive plan can ensure a business reacts effectively to a variety of threats. 

What is Business Continuity Management (BCM)? 

Business continuity management is the process of analysing threats and maintaining plans and procedures in response to company disruptions. ISO 22301:2019 specifies the requirements of a business continuity management system, from implementing, maintaining or improving a system, in order to deal with a crisis at any stage.  

This process can expose threats, internally and externally, identify the possibility of the event occurring as well as the potential impact on the business. These can include natural disasters and human or technological challenges including terrorism attacks, data loss or security threats, floods, internal fires or even employee illness.  

What is a Disaster Recovery Plan (DRP)? 

A disaster recovery plan is one aspect of a BCP and focuses on the steps to be taken regarding critical systems and applications to enable a business to resume operations in disruptive times. A DRP considers the overall ability to recover or access data, platforms, applications and systems to provide enough access and support to continue work. 

ISO/IEC 27031:2011 is the international Standard that provides a framework of the methods and processes to identify aspects for improving an organisation's information and communication technology (ICT) readiness, such as the performance criteria and design. ISO/IEC 27031:2011 also defines the concepts and principles of ICT readiness for business continuity.

A holistic business continuity strategy 

A comprehensive continuity strategy will ensure a business is prepared for a wide range of scenarios. Preparedness is key when implementing and actioning a plan that endeavors to continue to meet business objectives and resume normal operations in a short time frame.  

The steps of a Business Continuity Plan 

A BCP should be taken seriously and requires certain steps in order to be thorough and effective, should the plan need to take effect. Here are 5 steps to assist implementation: 

1. Assess the risks and scope out the plan.

The first stage of an effective plan is a risk assessment. This stage considers threats to the company, their likeliness and potential impact. These can usually be categorised into one of the following:

            1. Equipment or resources 

            2. People or employees 

            3. Building 

            4. Data or IT. 

The international Standard ISO 31000:2018 can provide principles and processes that can be implemented in any organisation to help identify risks, opportunities and allocate resources when facing a threat.

2. Understand the impact on the business. 

Next is conducting a Business Impact Analysis (BIA). A BIA can predict the effects and consequences of a disruption to the business. The analysis should include operational and financial impacts, critical staff, succession planning, required resources and recovery assumptions. The data collected is used to develop strategies that suit the needs of a business, depending on the type of threat and its impact.  

ISO TS 22317:2015 is the international Standard for business continuity management systems with guidelines for business impact analysis. This Standard can provide the guidance to help establish, implement and maintain a formal and documented BIA process. 

3. Develop the business continuity plan. 

Once the risk assessment and BIA are complete, this data forms the basis of your plan. The development phase must include a selection of polices and processes to help maintain critical business functions. It considers strategies to help prevent, respond and recovery from disruptions.  
 
A formal document is written where approval, mainly from senior management, must review and approve the plan to enter the next step.

4. Test and implement the plan. 

Before implementing the plan, testing must be conducted to know it can meet the set expectations of the business in various challenging environments. Management must be notified of the strategies and suggestions, where endorsement can greatly assist if the plan needs to be actioned efficiently.

5. Modify the plan and monitor threats. 

After the BCP is developed and implemented, it should not be considered a set-and-forget strategy. Setting regular reviews, such as annually or bi-annually, can ensure the plan is likely to consistently meet business objectives when faced with a crisis. 
 
A business also needs to know when to call the plan into action, plus threats should always stay on your radar and be monitored. 

What to consider when implementing a Business Continuity Plan 

An effective plan can only work if all critical aspects are considered and a holistic approach is taken. While some BCPs may only consider changes to immediate operations in the business, the effects to your supply chain should also be discussed and addressed. As disruption to the work of the supply chain can affect your business and vice versa.   

The plan should also consider the input of a range of stakeholders within the organisation, creating an engaged team who understand their responsibilities. Roles should be defined, and all staff trained to be prepared for the range of challenging situations and understand potential impacts on their work. 

Different teams and stakeholders may need a different means of communication. Those in charge of delivering the right information must be responsible for notifying the right people in a timely manner. This also includes defining rules when talking to external stakeholders, agencies, the government and the media.

Being prepared for the unexpected 

Business continuity plans are in place to best prepare a business for unexpected circumstances. While the business landscape can be unpredictable, accounting for majority of disruptions can ensure an organisation swiftly address challenges in order to resume usual operations.  

Business continuity planning may seem daunting and time consuming, however an informed approach means the ability to prepare for sudden shocks. 

Understanding the importance of risk management to identify potential threats and analyse their impact can assist with planning prevention measures, appropriate responses and recovery strategies. A focus on business continuity before disaster strikes, is the best plan to make.