How To Frame A Business Continuity Plan
Nuffield Group has established an emergency and crisis management capability – an Integrated Emergency Management Response & Recovery (IEMR) team – tasked to address the ‘before, during, and after’ phases of an emergency scenario. Our team of highly credentialed experts uses a holistic approach to the services it provides across risk management, emergency management planning, training, exercising, and coaching.
We provide expertise and advisory services to support an organisation, individuals and teams tasked with executing emergency management plans. This includes not only compliance before, but also execution during, any major emergency.
We have re-imagined traditional approaches to provide more contemporary thinking in the area of emergency and crisis management. There is ample evidence of the value of investing in thinking through and planning management strategies for emergency scenarios. If nothing else, COVID-19 has taught us the value of having a plan that is not only tested but which considers a range of hazards and scenarios in order to help prevent or manage business disruption.
When framing a Business Continuity Plan, the first building block is an accountability matrix that identifies who is responsible, who is accountable, who needs to be consulted and who needs to be informed. Many organisations refer to it as the RACI model (Responsible, Accountable, Consulted and Informed). The bottom line is that if people are unclear on their roles, successful management of an emergency or disruption will be difficult, resulting in poor performance.
There are generally four tiers of ownership and oversight of a Business Continuity Plan:
- The Board
- Audit and Risk Committees
- Executive Teams
- Business Unit Managers
These four groups can be supported by internal and external audit teams. It needs to be acknowledged that this is the ideal model and many businesses may have flatter structures. However, the principle of having particular people accountable for particular responsibilities is a foundational piece and the RACI model is a great tool for a cohesive and integrated approach supported by strong leadership.
Once clear accountabilities, responsibilities, and vertical and horizontal interdependencies across an organisation are established, an assessment of the critical products and services the organisation produces or delivers needs to be conducted. What are the tolerance thresholds an organisation can absorb if these goods and services are not being delivered?
A Business Impact Analysis should be conducted to identify the key facilities, equipment, materials, business systems and people (internal and external) involved in producing these goods and services. Conversations with suppliers and customers are critical to ensure a complete assessment and all impacts are fully understood. An investment in this process will enable an organisation to be creative and innovative in adopting solutions to address any identified (and emerging) problems. A focus on Business Impact Analysis outcomes will assist an organisation to develop its mitigation strategies and recovery objectives.
Following on from this, organisations must document and adopt a Business Continuity Plan. The plan must be regularly updated, particularly following any disruption, so any lessons learned can be added to a review of the plan. Further, the importance of regularly testing and exercising the Business Continuity Plan cannot be overstated. Exercises must involve all business units to avoid a siloed outcome. The best results for business continuity are when an organisation works up, down, and across departments, and involves other key stakeholders. Internal and external auditors should be involved, but the final document must be real and owned by the organisation. It is critical that key leadership groups champion and invest in this aspect of the business.
Testing can occur on an annual basis but it would prove even more prudent to test and exercise when there are changes to business operations. This will build the skill, capability, and agility of an organisation to manage any future challenges.
A key driver of business success is Information Technology continuity services. It is important to ensure processes are in place to address the recovery of IT systems, infrastructure, and data. There is an ever-increasing amount of cybercrime and cyber-attacks on business systems – making it even more compelling to ensure these systems are resilient. Developing standards around service level continuity makes great sense, as does regular testing and reporting across the organisation.
Business Continuity is a function that has to be owned and valued by an organisation. It has to be part of the organisational way of life. It has to be owned by all and it needs to be inclusive; that is, it cannot be owned by one person or one business unit. It must flow through the organisation’s attitude, DNA and temperament.
Clearly, Business Continuity Planning is the best form of insurance an organisation can invest in as the world we live in becomes more challenging, uncertain, complex, and ambiguous. It needs to be seen as part of everyday business and valued as something that will enable an organisation to flourish during testing times.
Nuffield Group’s IEMR team is ready to assist your business in developing well-considered and sustainable business continuity plans.
Can we help you?
Call 1300 308 257 or +61 404 852 062
Or email us direct at nuffield@nuffieldgroup.com