What is a Business Continuity Plan?

Although headline disasters capture the attention, businesses need to be aware that other more specific or mundane events are just a likely to threaten their organisation. For example, a recent Chartered Management Institute survey revealed that 10% of those questioned had suffered an IT-related disruption in the last 12-months that was serious enough their Business Continuity Plan.

Disasters can and do happen and will cause healthy businesses to fail. Disasters create missed opportunities, cash flow problems and can often result in bad publicity. All this can lead to a loss of client confidence and your competitors will take advantage. Planning makes a substantial difference to the possibility of surviving an incident. While it may seem an extra burden to prepare a plan, challenging situations place severe pressure on individuals to make decisions and take action under stressful conditions. Experience proves that it is easier to consider all the issues surrounding a potential crisis objectively beforehand.

Insurance has a vital role to play in supporting your recovery, but it makes sense to have a plan as well. This should give you the opportunity to reduce the risk of some incidents occurring and to know what immediate measures to take to minimise the initial impact.

Remember, a Business Continuity Plan doesn’t need to be complicated and doesn't need to deal with every scenario. If your plan enables you to cope with the worst case scenario, it will also help you to deal more easily with less serious incidents.

Select your team

Developing a plan and implementing a plan are best done as team activities but keep numbers low. Two people may be enough for some small businesses. People to consider include accountants, IT and other staff with specialist knowledge. Consider a deputy for each of your team members.

Analyse the threats

The team should begin by listing all the activities of the business and then list the likely incidents that could affect these activities. This might include storm, flood, theft, fire, machinery breakdown, power failure, computer virus, telecommunications failure, strikes and problems with suppliers.  For each of the threats you have identified you should:

• Decide how likely they are to happen
• Cost the immediate effects of these threats on your business
• Consider the long term effects on your business

The most serious threat should emerge from these considerations. Remember that if you plan for the worst case scenario, your plan should also be effective in dealing with less serious incidents.

Prevention and reduction measures

When you have analysed the threats to the business you should then decide if the level of threat is acceptable to the business. After all, protecting the business is also protecting the livelihood of everybody working in the business. As with most things in life, prevention is better than cure and you need to ensure that chances of a disaster happening are minimised as far as possible and the impact of the disaster is a low as possible. Your Insurer may be able to offer assistance and recommend products that offer the best value.

Emergency planning

You now need to plan the immediate actions that the Team will have to implement. This will include how the business will deal with issues such as:

• Personnel
• Immediate damage limitation
• Site security
• Damage assessment and salvage
• Invoke emergency arrangements (IT recovery contracts, workplace recovery contracts)
• Maintain a “Disaster Recovery Log” to record details of their actions, losses identified and expenses incurred
• Communicate with press, stakeholders, suppliers and important customers
• Redirect telephone lines and post if necessary
• Decide which member of the team will be responsible for which actions
• Decide where the team will meet as your own premises may be damaged or you may be denied access to your premises, e.g. in the event of an incident at a neighbouring premises.

Supporting documentation

You should prepare contact lists with names, addresses, telephone numbers, email addresses and mobiles for the people the Team will need to contact, either to inform them of the situation or to ask for their help. This will include:

• Staff
• Material suppliers
• Machinery, IT and office equipment suppliers
• Customers
• Bank contacts
• Insurance contacts
• Utility suppliers
• Tradesmen who can assist
• Asset register
• Local Authorities and enforcement bodies

Additionally you should prepare action lists itemising the tasks and who is responsible for them, completion of which will ensure an acceptable response is delivered.

Recovery planning

If the worst case scenario results in a longer term interruption to your business you will need to consider alternative working practices that will allow you to continue trading with your customers during the sometimes lengthy period when the physical damage is reinstated. Measures to consider include:

• Using temporary premises such as short term leased premises, serviced offices and temporary or mobile structures
• Availability of replacement equipment, materials and stock
• Have you considered alternative suppliers, hiring machinery and second-hand machinery
• Have you considered subcontracting
• Having telephone calls diverted to alternate locations, possibly run by a specialist contractor
• Diversion of mail to pre-designated premises

A special note about computers and data

Most businesses, regardless of their size, are becoming increasingly reliant on computers and electronic data. A minor incident affecting your computer systems and data can manifest itself into a major interruption to your business if you have not properly prepared how to deal with it. You will need to consider protection against virus threats as well as protection against the more visible physical threats. Remember it is important to ensure that an up to date copy of all your data is kept offsite at all times. You might want to consider temporary manual systems of working to allow the business to continue. If this is not possible you should consider using a specialist IT continuity provider. Depending on the company they can offer an end-to-end service from consultancy and planning to the provision of alternative IT equipment and premises.

Exercising and maintaining the plan

The plan does not belong on a shelf gathering dust. It is important that each member of the team has a copy of the plan, and that they keep a copy of the plan away from the business as you never know when disaster might strike. The best thing to do is to exercise your plan to be sure that it will work if disaster strikes. You could simulate a disaster with a desktop exercise, or you could try out a simulated “mini-disaster”. Change the plan accordingly from what you learn from these exercises. It is important to keep the plan up to date. Make sure the supporting documentation is updated regularly and review the entire plan each time there a changes in organisational structure or there is a major change to the business. Make sure that all copies of the plan are up to date and destroy all out of date copies.

Key Action Steps in Continuity Planning

1. Select your team
2. Analyse the Threats
3. List possible steps to prevent threats
4. Plan how to cope if 'it' happens
5. Supporting Documents - prepare contact lists and action lists
6. Special Attention to Computer and Data
7. Try the plan out and keep it up to date

Should you have any queries or need more information on this topic, please do not hesitate to contact Chris Tebbit (Broking Director) on 0207 330 8738.