Credit Nick Simms, Director, Cornwood Risk Management Ltd
What information should the Business Continuity Plan of the future contain?
The Business Continuity Plan of the past was usually predicated on the loss of the building and that only a certain percentage of the staff – usually 20-25% of the total – could be accommodated at a recovery site. The remaining 75-80% of staff were usually told to go home and wait for further instructions. The Business Continuity Plan, therefore, tended to focus on who would go where and what their priorities and key tasks would be when they got there. Anything that was generic, such as muster points following an evacuation, would usually be contained in a Crisis Management Plan or on a wallet card given to all staff.
Now, largely as a result of COVID-19 (although things were moving in this direction anyway), most people who were formerly office-based can, at least theoretically, work from home – caring responsibilities, space and compliance allowing.
What, then, are the implications for the Business Continuity Plan, particularly for those organisations that have decided that Work From Home (WFH) will be the default response to a loss of building? You may still need departmental-level plans for high staff absence, technology outages, data losses, and disruption to third party services but what will be in your de facto standard? Evacuation plans can still be explained in a Crisis Management Plan or a wallet card.
Should the focus now be on the department should do in the event of the loss of technology (i.e. what do you do while the technology is out and then, what do you do when the technology is restored before resuming normal operations)? Isn’t this likely to already exist in actual or imagined Standard Operating Procedure (SOP) manuals? The same is possibly true for disruption to third party services. Strategies for dealing with data loss or corruption are, perhaps, better initiated from the centre when the nature of the problem is identified.
There is something else to consider too, especially for those who are thinking about Operational Resilience in its wider sense and not just about Business Continuity. Should plans of the future be end-to-end along the whole process crossing departmental boundaries? Those who have tried this in the past have, by and large, failed miserably as, although the process as a whole becomes affected as a result of a disruption, the operational response often needs to be at a location or individual departmental level and a downstream activity doesn’t need to know the minutiae of what the upstream team is doing to restore the process, just that the process is being restored and that it will take x amount of time and may lead to certain challenges or risks that can and should be determined and understood ahead of time.
Your thoughts would be welcome.
You liked what you read ? Leave a comment.