Your Business Survived the Crisis - Now What?

The Auditor General’s Report into Local Government published on May 27^th highlights how important business continuity activity will be to local Councils for the remainder of 2021. The Report concluded that Council’s plans need to be updated to reflect lessons learnt from the disasters of recent years. The Audit Office will be conducting a performance audit of business continuity planning in the coming months.

Amongst all the doom and uncertainty associated with Covid-19, there was one tangible benefit that emerged for most organisations. That was that they were compelled to review the currency and efficacy of their Business Continuity Management (BCM) framework and implement (in real-time) their Business Continuity Plan (BCP).

While the vast majority may not have included such a significant pandemic event in their BCP, the better-managed organisations were able to quickly address this anomaly, confront the prevailing challenges and are now recovering in a ‘new normal’ operating environment.

While we all certainly hope we don’t face an event like Covid-19 again any time soon, it has shown us the importance of having the appropriate preparations and frameworks in place in case of business disruption. Ensuring you’re aware of the components of a robust and dynamic BCM framework – and that these components are actively reviewed and fit for purpose – has maybe never been more important.

What is Business Continuity?

A BCP gives your organisation a structured approach to respond to unexpected business disruptions, such as fires, floods or severe weather events, IT outages, cyber incidents, outbreaks of pandemics or supply chain outages.

When it comes to ensuring your organisation can survive these kinds of incidents, maintain its operations and protect its reputation, brand and shareholder value, there is certainly truth in the 16th Century saying, “forewarned, is forearmed”. Industry research by the USA Federal Emergency Management Agency (FEMA) shows that “40% of businesses that have no plan do not reopen following a disaster and an additional 25% will fail within one year.”

Business Continuity Benefits

In some industries, Business Continuity Management is mandatory or even regulated (such as financial services). In others, such as the media industry, it’s not even on the radar. Regardless of whether you are mandated to implement BCM or not, there are many benefits for doing so, including:

• Business priorities, roles and responsibilities, resources and expectations are predefined so that in the event of an incident, a structured response is in place
• Business Continuity Plans can be tested and exercised via simulation incidents to improve their effectiveness in a real incident and also raise organisational awareness of what to do should disaster strike
• There are marketing benefits to having business continuity in place; it enables you to demonstrate to the outside world (i.e. customers, suppliers and other stakeholders) that your business is robust
• Above all, it is simply good business practice to know that you have a plan in place to deal with unforeseen incidents or disasters

Of course, some say that the time and cost to implement and maintain business continuity management is not worthwhile. They’d prefer to simply deal with an incident or disaster if and when it arises or hope that all business risks will just ‘go away’. But with the frequency, severity and impact of all types of incidents and disasters on the rise (including cyber incidents, climate-change related natural disasters and the current pandemic), there is an increasing demand for organisations to increase their business resilience and continuity capabilities.

Business Continuity Methodology

There are numerous local and international standards for business continuity management, as well as those from the likes of the Disaster Recovery Institute .

Regardless of which methodology you adopt, there is consensus that BC projects should be broken into several project stages or phases, as demonstrated in this diagram and detailed below.

• Stage 1 – Understanding your Business. This stage, often referred to as a Business Impact Assessment, assesses the business strategy, structure, functions and processes, in addition to prioritising possible operational risks and their potential business impact. Deliverable: BC Requirements
• Stage 2 – Business Continuity Strategy Options. Response strategy options for various incidents and impacts, often including business case and expected financial expenditure. Deliverable: BC Strategy Options
• Stage 3 – Develop & Implement Plans. Specific BC Plans for each Business Unit, Location and Executive Team(s). Deliverable: BC Plans
• Stage 4 – Training & Awareness. Training and awareness materials for internal staff and external stakeholders. Deliverable: BC Training Plan, BC Training Materials
• Stage 5 – Test and Exercise. Test and Exercise work-specific Scenario Incidents to stress test and prove the BC Plans. Deliverable: BC Exercise Plan, Incident Scenarios and BC Exercise Outcomes Reports
• Stage 6 – Maintain, Govern and Audit. Maintenance plans for ongoing review and update of risks, business impacts and response plans, along with governance and audit schedules and plans to keep plans up-to-date. Deliverable: BC Maintenance Plan, BC Audit and Governance Plan

Business Continuity Plan Structure & Content

While a BCP format varies widely depending on the audience and intended use, a mature Plan will include quick reference ‘aid-memoires’, handbooks, business unit or location-specific plans, and executive focused Command Team’ plans. Increasingly, BCPs are made available online via specialist business continuity software packages, intranet sites and smartphone applications.

When deciding on BC Plan structure, format and content, no one size fits all. Whether you opt for 100+ page documents, BC Summary Handbooks or 1-page Quick Reference Guides, the considerations include:

• Design with the audience in mind. Will your executive team happily read though a lengthy document when their building is on fire? Or is a Quick Reference Guide, with high-level principles, more appropriate?
• Compliance Requirements. When operating in a regulated industry, there may be a specific format and/or content dictated to you. Ensure you check regulatory requirements before starting BC plan development.
• Certification to Standards. If you want formal certification to international standards such as ISO22301, review them carefully to understand any specific requirements they may have.

Ultimately, a combination of various continuity plans may be needed to meet all of your organisations’ stakeholder requirements.

Business Continuity Governance and Maintenance

Perhaps the most important aspect of Business Continuity Management is that it is viewed as a “process, not a project”. Point-in-time risk assessments, business impact analysis, business continuity strategies and plans can quickly become out of date, given today’s dynamic nature of business. Changes in business location, structure, staffing, processes, IT infrastructure and applications are all aspects of organisational change that impact continuity strategies and plans. And with out-of-date business continuity plans providing a false sense of security, relying on them can be fatal to business survival.

Therefore, a clear plan of governance and maintenance activities is critical to the ongoing success of business continuity management. This should map out the timing and responsibilities for all activities: risk business impact assessment reviews, business continuity plan updates, revision of education and training for staff and continuity team members and testing and exercising activities.

Industry good practice recommends annual governance and maintenance. The timing of these actions is dependent on many factors (such as company size, industry, regulatory requirements, budget availability and risk appetite). However, in our experience, relying on an annual review is fraught with danger and ideally continuous, or at a minimum quarterly, activities maintenance program should be put in place.

How can Centium help you?

Centium has partnered with a specialist Business Continuity service provider who can carry out all aspects of business continuity planning for your organisation. With over 20 years in business, over 140 clients, and over 450 consultancy projects, our accredited BCM partner can quickly and efficiently develop solutions tailored to your specific needs. Further, they offer an outsourced ‘managed service’ to ensure your plan is actively maintained, is current and always fit-for-purpose.

Combined with Centium’s in-house expertise in resilience, cyber and risk management services, we can provide our State and Local Government clients with a comprehensive and robust business continuity management service. This service is further enhanced by a tailored knowledge sharing and training program, which in turn enhances the effectiveness and timeliness of any identified corrective actions.

Contact our Director Risk & Assurance for a no-obligation discussion on penelope.corkill@centium.com.au or 0409 251 011